Blog

During the third PRG meeting of the Spring 2022 semester, the following topic were discussed.

This week, the Algorithmic Accountability Act of 2022 has been introduced. It’s a bill requiring new transparency and accountability for automated decision systems. Requirements include conducting impact assessments for bias, effectiveness, and other factors. It also creates, for the first time, a public repository at the Federal Trade Commission of these systems and adds 75 staff to the commission to enforce the law.

The Senate confirmed the nominations of two new members for the Privacy and Civil Liberties Oversight Board (PCLOB), a federal privacy watchdog tasked with ensuring the federal government’s counterterrorism efforts don’t trample on privacy and civil liberties. The agency, having been ineffective for quite some time due to vacancies, can now fully function again.

Seton Hall University School of Law’s Gibbons Institute of Law, Science & Technology and Institute for Privacy Protection are co-hosting a virtual conference on Big Tech and Antitrust to explore these issues from U.S., EU, and international perspectives with leading academics, practitioners, and former regulators.

In its efforts to collect information on the use of “standard technical measures” to address copyright infringement, the U.S. Copyright Office is meaning to hold a plenary hearing on automated filters on February 22^nd.

On February 3^rd, the Illinois Supreme Court filed an opinion holding that people can sue their employers for damages under the State’s privacy law, the Biometric Information Privacy Act (BIPA). The decision means that employers do not have a powerful weapon at their disposal when it comes to defending privacy claims.

The IRS has announced that it will “transition away” from using third-party facial recognition services for the verification of taxpayers’ identities, effectively ending a contract with facial recognition company ID.me that had received widespread criticism.

Duke Law Journal is organizing an event about automating the administrative state.

Israeli police has been using a spy software (Pegasus) to spy on its own citizens, including political activists involved in the Black Flag and Balfour demonstrations that took place against former Prime Minister Netanyahu last year.

A lawsuit challenges facial recognition as unconstitutional and illegal in Indian state Telangana, the most surveilled state in the world, according to Amnesty International.

For the first time, a German lower Court granted a data subject compensation under Article 82 GDPR for non-material damages suffered because of an unauthorized third-party access to the subject’s personal data. Furthermore, the Court found that the defendant company is obligated to compensate all material future damages resulting from the breach. 

A Human Rights Coalition is urging the Senate to drop the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT, S.3538). According to the Coalition, EARN IT will in fact make it harder for law enforcement to protect children and result in online censorship disproportionately impacting marginalized communities.

As Meta disclosed regulatory risks to its investors, the media spun that into a withdrawal from Europe threat. Meta issued a press release clarifying that they are not threatening to leave Europe but disclosed that continuing uncertainty over EU-US data transfer mechanisms poses a threat to their ability to serve European consumers.

(Compiled by Student Fellow Ge’ez Engidashet)

During the second PRG meeting of the Spring 2022 semester, the following topics were discussed.

In Germany, Twitter is challenging a provision in an anti-hate speech regulation. The regulation mandates social media firms to report serious criminal offences to German authorities. In reporting to the authorities, Twitter must transfer user data even though no crime has yet been committed. Twitter is arguing that this law impinges upon German citizens’ individual liberties and transforms social media firms into informal criminal prosecutors.

The Israeli Privacy Protection Authority issued its final paper regarding privacy protection officers.

Crisis Text Line, a non-profit messaging service is under fire for making use of anonymous data drawn from the conversations of its users to build a for-profit machine learning system. This platform’s mission is to help users in the context of mental health crises.

Distributed Denial-of-Service (DDoS) activities increased at record rates in 2021. The gaming industry has been one of the main victims of these attacks. Microsoft played an important role in curtailing many of these cyberattacks.

Bank Indonesia was also targeted by a ransomware attack at the beginning of 2022. The cybercriminals acquired non-essential data which belonged to the employees of the Bank. The Conti ransomware group claimed responsibility over the attack. As of the end of the month of January, the Conti group was still threatening to leak the data it had stolen.

Video game corporations may increasingly resort to facial recognition technologies. For instance, Tencent announced last year that it would use facial recognition systems in order to comply with China’s gaming regulations which aim to decrease the amount of time that minors spend on these devices.

Unity Technologies is attempting to create “digital twins” of people. These twins are essentially clones of real-life objects or persons. They exist and interact in a virtual sphere. The creators of these technologies are trying to simulate human behaviour and action through these digital twins. Ultimately, by using large amounts of data, Unity’s objective is to generate a “digital twin of the world”.

State lawmakers in Massachusetts are trying to pass a new privacy bill, the Massachusetts Information Privacy and Security Act.

In San Francisco, the mayor is suggesting a new ballot measure for the upcoming June election which would empower the police department to make use of live surveillance without prior approval in certain circumstances to prevent crime or harm. For example, police would have the authority to deploy real-time surveillance in certain neighborhoods.

In India, the Modi government is planning to reduce carbon emissions by promoting the use and sale of electric vehicles. The government is attempting to reach this goal through a “battery swapping” policy. This policy would allow drivers of electric vehicles to replace their batteries for already charged batteries at “swap stations”.

New Chinese draft provisions and propositions regarding the “deep synthesis” of Internet content have been issued.

In Tel Aviv, researchers have developed a novel method for lie detection by resorting to software, electrodes and algorithmic techniques.

Anduril Industries recently announced its new contract with the U.S Special Operations Command (SOCOM). Anduril will be supporting SOCOM’s “unmanned systems” and help counter military threats. 

Lastly, the Belgian Data Protection Agency decided that the Transparency and Consent Framework (a framework which manages user preferences for targeted advertising) is non-compliant with the GDPR. The Interactive Advertising Bureau Europe (IAB) has been fined in light of these violations.

(Compiled by Student Fellow Natasha Petrof)

Welcome to the Spring 2022 from the Privacy Research Group student fellows! The first PRG meeting was January 26 and we covered the following news items:

On the legal front, more than the privacy one, Justice Stephen Breyer announced his retirement. Breyer has served on the court for 27 years.

The United States Federal Reserve Board released a discussion paper on central bank digital currency. This report was published on January 20.

At the end of 2021 the European Commission presented a proposal of new laws on political advertising and microtargeting, a tool that allows candidates and parties to tailor communications to small groups of people through the use of datamining techniques.

The Austrian Data Protection Authority decided that the use of Google Analytics violates GDPR.

The creator of Bulli Bai, an app that puts Indian Muslim women up for “online auction,” was arrested in Delhi.

Two years ago, an employee of the Bharatiya Janata Party’s Information Technology Cell Tweeted about the existence of a a secret app called Tek Fog, that made it possible to do things like “hijack” the trending section of Twitter and Facebook; phish inactive WhatsApp accounts; and harass private citizens. An investigation by Ayushman Kaul and Devesh Kumar has been published by The Wire.

The United States Internal Revenue Service plans to require a “video selfie” with ID.me registration. (Update: The IRS is exploring “alternatives”.)

Google will be blocking targeted advertising for people under 18.

Google has been talking about replacing tracking cookies with “FloC.” They recently changed directions and are now replacing tracking cookies with “Topics API.”

Two ex-aides of former Israeli Prime Minister Benjamin Netantyahu had their phones illegally searched by police. The two ex-aides had been accused of trying to intimidate a witness for a trial against Netanyahu. The Supreme Court of Israel said that this search was “unacceptable,” but decided to approve the search regardless.

Microsoft is buying Activision Blizzard. This may bring up exciting antitrust scrutiny in the future.

A bill proposed in New York State to ban geofence and keyword search warrants was reintroduced to the New York State Assembly and Senate.

Police in Mainz (Germany) gained access to data from Luca, an app used for COVID-tracing, and used it to locate possible witnesses.

(Compiled by Student Fellow Molly de Blanc)

The Privacy Law Scholars Conference is inviting submission of abstracts for its 15th annual conference (PLSC 2022), which will be held in person on Thursday and Friday, June 2 and 3, 2022 at Northeastern University in Boston, MA. Abstracts are due by 5 PM ET on January 31, 2022.

This week, Twitter announced that it is banning users from posting pictures of “private individuals” against their wishes. Such private individuals, a classification that does not include public officials, will be able to request takedowns of content that features them. Such requests will be weighed along with context, newsworthiness, and other factors. 

The European Council Presidency and Members of European Parliament informally agreed this week on the Data Governance Act (DGA), which would boost data sharing to start-ups and businesses to stimulate innovation. The DGA aims to increase trust in data sharing, creates new EU rules on the neutrality of data marketplaces and facilitates the reuse of certain data held by the public sector, such as certain health, agricultural or environmental data. It sets up common European data spaces in strategic domains, such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills. However, the European Data Protection Board and the  European Data Protection Supervisor have raised concerns about the DGA’s compatibility with European personal data protection laws.

Last week, Apple filed a lawsuit against Israeli technology firm NSO Group for its surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware, which has been abused to target journalists, activists, dissidents, academics, and government officials. Apple is seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

A recent Intercept examination of Uber’s patents revealed that the company has been experimenting with predictive algorithms to identify risky drivers. In the name of rider safety, Uber has filed patents for systems that would make deeply consequential decisions using digital processes that might be difficult or impossible to untangle.

(Compiled by Student Fellow Kathryn Taylor)

The Knight First Amendment Institute at Columbia University filed an amicus brief in a case challenging a Florida law limiting the power of social media companies to moderate speech on their platforms. The Knight Institute urges the Eleventh Circuit Court of Appeals to affirm the district court’s decision to block the law on the grounds of its constitutionality, including the law’s specific targeting of platforms perceived to have a liberal bias (e.g. Facebook and Twitter), but not of smaller, conservative-leaning platforms. In addition, the law carves out an exception to platforms which own a Florida theme park—a clear reference to Disney. 

The Surveillance Technology Oversight Project (S.T.O.P.), a privacy and civil rights group, and the Harvard Law School Cyberlaw Clinic jointly filed an amicus brief with Massachusetts Supreme Judicial Court, arguing police searches of cell tower data are unconstitutional. The filing came in Commonwealth v. Perry, supporting the defendant Jerron Perry’s appeal of his motion to dismiss evidence obtained through cell tower dumps, which included data on more than 50,000 individuals.

Québec’s updated privacy law imposes additional compliance requirements on businesses. Bill 64 requires companies to conduct privacy impact assessments for the transfer of personal information outside of Québec and appoint designated privacy officers. Québec is one of the few Canadian provinces to have a stand-alone private sector privacy law; among other obligations, it requires businesses to report to the Québec privacy regulator and notify individuals of data breaches where there is risk of “serious prejudice.” The law gives Québec’s Commission d’accès à l’information, the province’s privacy regulator, the ability to fine entities that break the law. The law’s provisions take effect from 2022-2024. 

India’s national cybersecurity coordinator is starting a project to assess privacy and security loopholes in mobile devices and apps. The project is called Indian Citizens Assistance for Mobile Privacy & Security (I-CAMPS), and it will provide a technology platform with an associated mobile application and desktop site to support Indian citizens in mitigating the vulnerabilities in their mobile handsets. Relatedly, India’s new data privacy bill is expected to be placed before parliament in the upcoming winter session. The bill has various provisions addressing privacy holistically, and proposes bringing in a single regulator for data protection in tandem with international laws. 

United States House and Senate bills (S. 2875; H.R. 5440) advancing through Congress would require critical industries to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”), which was created in 2018. High-profile cyber incidents, such as the Colonial Pipeline ransomware attack, have lawmakers pushing for mandatory cyber incident reports; the bills would require certain critical infrastructure operators designated by CISA to report incidents no later than 72-hours after the event. If passed, the legislation has the potential to give CISA more regulatory authority.

In apparent contradiction to Meta/Facebook’s announcement this summer that it would limit advertisers’ targeting of minors, the company is accused of continuing to track teens for targeting on its social platforms. This came to light in new research from Fairplay, Global Action Plan and Reset Australia, claiming that the company has retained its algorithms’ abilities to track and target kids. In response, Meta denied using the tracking data it is linking to teens’ accounts to for ad personalization purposes. 

The United States Senate confirmed notable big tech critic and progressive antitrust reformer Jonathan Kanter to lead the Justice Department’s antitrust division. Kanter has a history of representing technology companies, such as Yelp, Microsoft, and Spotify in antitrust suits against big tech competitors. With his confirmation, Kanter will inherit a lawsuit against Google filed during the Trump administration, accusing the company of anticompetitive behavior in the digital advertising market. At this point, it’s unclear if Kanter will recuse himself from the case, given his prior involvement in suits defending Google’s rivals. Relatedly, Federal Trade Commission nominee Alvaro Bedoya signaled support for addressing big tech regulation and privacy reform (specifically discussing facial recognition technology regulation) during a Senate confirmation hearing. If appointed, Bedoya is expected to take over the FTC’s “privacy portfolio.” Bedoya’s nomination is planned to advance to a full Senate vote shortly after Thanksgiving.

(Compiled by Student Fellow Tanner Co)

A bipartisan group of House lawmakers has introduced the filter bubble Transparency Act which requires companies like Meta (then known as ‘Facebook’) and YouTube to offer a version of their platforms that runs on an “input-transparent” algorithm that doesn’t pull on user data to generate recommendations. In other words, under the proposed legislation these companies have to offer an alternative version of their apps that doesn’t manipulate a recommendation based on secret algorithms driven by user-specific data. This would give people more control over the algorithms to shape their online experience.

The Israeli military is using a facial recognition tool on Palestinians as a surveillance initiative in the occupied West Bank. This surveillance initiative rolled out over the past two years, involves in part a Smartphone technology called “Blue Wolf” that captures photos of Palestinians’ faces and matches them to a database of images so extensive. The phone app flashes in different colors to alert soldiers if a person is to be detained, arrested, or left alone. On one hand, it raises major privacy and basic human rights concerns of Palestinians however; on the other hand, it also raises a question that whether this facial recognition surveillance is accurate and reliable enough, with individuals being put in jeopardy by being misidentified? 

Google loses key appeal against €2.4 billion in European Union (‘EU’) shopping antitrust case. The General Court held that “self-preferencing” is not in itself a breach of EU antitrust law but its potential harmful effects like stifling better products made by rivals are. Google now has the option to appeal the decision before the EU’s highest court, the European Court of Justice (‘ECJ’). On the other hand, Amazon was reportedly in talks with the EU to settle the antitrust investigation relating to self-preferencing. With Google losing this key appeal in the EUshopping antitrust case it would be interesting to see how things in Amazon investigation proceed. 

Meta will delete ‘sensitive’ ads targeting groups linked to race/ethnicity, religious views, political beliefs, sexual orientation, health, etc. from its platform. However, targeting groups based on age, gender, and location is still available. 

The Dalles City Council approved a deal with Google that will enable the technology giant to build more water-guzzling data centers. However, some residents worry about the drought and secrecy of part of the arrangement. On Monday, November 08, 2021, the council unanimously approved the $28.5 million deal that will enable Google two build two more data centers. 

The online advertising industry and its trade body, “IAB Europe”, have been found to have deprived hundreds of millions of Europeans of their fundamental rights by violating General Data Protection Regulation (‘GDPR’). It is important to note that Google and the entire tracking industry rely on IAB Europe’s consent system, which has now been found to be illegal. IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach at the heart of online advertising. The Belgian Data Protection Authority’s decision is a draft decision that will now be shared with some other European data protection authorities so that it can be finalized and enforced.

Google wins an appeal against £3 billion privacy case that could have allowed users to claim money from the search giant. The UK Supreme Court in the case of Lloyd v. Google LLC has blocked a planned 3.2 billion pound ($4.3 billion) British class action against Google over allegations the internet giant unlawfully tracked the personal information of millions of iPhone users. Copy of the judgment is attached here. 

(Compiled by Student Fellow Lokesh Bulchandani)

Upcoming Events

Guarini Colloquium: Regulating Global Digital Corporations – Monday November 8, 2021, 17:20 – 18:20. In this NYU Law School colloquium, Hong Shen, the author of Alibaba: Infrastructuring Global China Routledge 2021) will be joining to discuss Alibaba’s role in China’s digital economy and beyond. If you are interested in attending, please email guariniglobal@nyu.edu (NYU Law community members can attend in person).

News Items 

Facebook announced that it plans to shut down its decade-old facial recognition system this month due to Societal Concerns. Facebook’s facial-recognition software had allowed it to build one of the largest repositories of digital photos in the world. This decision will result in deleting the face scan data of more than one billion users and effectively eliminating a feature that has fueled privacy concerns, government investigations, a class-action lawsuit and regulatory woes.

Yahoo is pulling out of China, ending its few remaining operations, as the country’s new strict regulations over data and gaming go into effect. Yahoo will be joining LinkedIn and Epic Games’ Fortnite to announce downsize China operations in the past month. The new Chinese data regulation requires a security assessment from a government authority, as well as certain contractual clauses about the government’s access to people’s personal data and restrictions on where that data can be stored. Also, a new gaming law attempts to prevent anyone under 18 years old from playing more than three hours of video games a week.

Facial recognition firm Clearview AI has been ordered to cease collecting photos of Australians from the internet and destroy all images and facial templates belonging to individuals living in Australia by the country’s national privacy regulator after it was revealed police in some states had trialed the technology. Clearview, which claims to have scraped 10 billion images of people from social media sites in order to identify them in other photos, sells its technology to law enforcement agencies. Following an investigation, Australia’s privacy regulator has found that the company breached citizens’ privacy according to the Australians Privacy Act 1988. 

Last week, India’s Supreme Court ordered an independent probe into reports that the government used the NSO’s surveillance software “Pegasus” to spy illegally on journalists, activists, and political opponents. The top court appointed a three-member committee to investigate the allegation, and its report will be submitted in two months.

Meta (Facebook’s owner) denies a claim by the Kazakhstan government that it had been granted exclusive privileges to remove ‘harmful’ content from Facebook. The Kazakh government had published what it called a “joint statement” with Facebook, alleging that it granted exclusive access to Facebook’s content reporting system that would streamline the process of removing content deemed illegal by Kazakhstan. In response, Meta spokesman Ben McConaghy said Facebook had dedicated online channels for governments to report content that they believe violates local law, and that “This process is the same in Kazakhstan as it is for other countries around the world,” additionally, he added that the government released their own statement, independent from Facebook. 

(Compiled by Student Fellow Amit Shoval)

Donald Trump’s new social network, Truth Social, has been reported to be a thinly disguised variant of the Mastodon social network codebase.  Mastodon is free software that anyone can use as long as they comply with Mastodon’s license terms, which Truth Social may be in violation of.

Donald Trumps social media company will be funded by a special purpose acquisition corporation (SPAC).  Michael Ohlrogge here at NYU has recently released a paper on the subject.

YouTube, Snap, and TikTok executives testified before the Senate Commerce Committee.  The senators were particularly concerned with the platforms’ impact on young people, reflecting concerns that have percolated around Facebook in recent days. 

Senators Gary Peters (D-MI) and Rob Portman (R-OH), the Chair and Ranking Member of the Homeland Security and Governmental Affairs Committee (HSGAC), introduced legislation to secure and protect information handled by federal contractors using AI technology.  The bill would require OMB to establish and consult the Artificial Intelligence Hygiene Working Group to ensure that government contractors are securing data like biometrics that preserve privacy rights and national security.

Senator Ron Wyden (D-OR) penned an op-ed in Just Security calling for the end of secret laws, given the evolution of government surveillance and markets for private information.

The Journal of Online Trust and Safety is launching its inaugural issue this week. ILI Fellow Aniket Kesari will be featured!

According to Microsoft, a victim of the SolarWinds hack, the group behind the attack, Nobelium, is targeting technology companies that sell and provide cloud services. 

A cyberattack disrupted the sale of heavily subsidised gasoline in Iran on Tuesday, state media reported, causing long queues at gas stations across the country weeks before the anniversary of 2019 street protests that followed fuel price hikes.

Parents or individuals under eighteen years old will be able to request that images of their children or themselves be removed from Google search results unless there is “compelling public interest or newsworthiness.”

Digital rights advocate Elliot Harmon, who was the Director of Communications at the Electronic Frontier Foundation, passed away Saturday.

Baltimore school-issued laptops include monitoring software that helps track when their student users begin to exhibit mental health issues. 

The Center for Democracy and Technology also has some writing on school issued devices. One of the big findings it that poor students are far more likely to be monitored than wealthy ones.  In addition, CDT raises concerns that this software can be unduly intrusive and may discourage students from expressing themselves. 

Sam Altman, a former president of the Y Combinator tech startup accelerator, has developed a cryptocurrency that would be equally distributed across the world population via a retina scan.  The project has faced backlash from the privacy community. 

PRG member Alexandre de Streel will join the Guarini Colloquium on Monday to discuss the EU’s proposals for a digital markets act and a digital services act.  If you are interested in attending, please email guariniglobal@nyu.edu (NYU Law community members can attend in person).

North Carolina prisons have prohibited physical mail including cards, photos, and correspondence in favor of digital scans of mail for inmates. 

(Prepared by Student Fellow Coordinator Justin Lee)

The Guarini Center will host a colloquium on the global data economy.  They will seek legal solutions to deal with data as a new type of asset in order to foster innovation and growth and to reduce obstacles for all stakeholders in the data economy. In a session of the colloquium, Michael Veale will discuss the EU proposal, the AI Act.  (link)

A UK court has fined a man for violating the Data Protection Act 2018 and the UK General Data Protection Regulation for using their Amazon Ring cameras to surveil their neighbor, including capturing distant conversations of the neighbor. (link)

Mark Zuckerberg has been added to a consumer protection lawsuit brought by the attorney general for the District of Columbia.  Based on ongoing investigations, Attorney General Karl Racine claims that Zuckerberg played a much more active role than previously thought.  The District can claim up to $5,000 for any of the District’s 3,000 residents who may have ben affected by the Cambridge Analytica breach, meaning that this suit may be one of the first of many in which Zuckerberg may be personally liable for substantial damages. (link)

Facebook intends to change the company’s name to focus on the ‘metaverse’, the future virtual conceptions of the internet. However, this rebranding also comes as Facebook faces intense scrutiny in the US after the whistleblower Frances Haugen revealed the company’s business practices involving manipulation of its platform and users for profit. (link)

A traffic camera in the United Kingdom fined a British motorist for driving in a bus lane despite the motorist living and commuting a 100 miles from the camera’s location in Bath. The camera had confused a shirt reading “KNITTER” for the motorist’s license plate “KN19TER” and registered a violation to the motorist’s vehicle. (link)

(Prepared by Student Fellow Maxwell Votey)

The Brazilian National Data Protection Authority (ANPD) and the Spanish Data Protection Agency (AEPD) – the administrative authorities responsible for data protection in Brazil and Spain, respectively – signed a Memorandum of Intellectual Cooperation for the protection of personal data, both at a national and transnational level. (link)

The Israeli Communications Ministry is assembling a team that will examine whether Facebook is legally responsible for its content, according to an N12 report. Based on the report, the team’s mandate will also includes assessing transparency requirements for contest takedown, and user blocking policies. (link)

Andy Parker, the father of journalist Alison Parker that was shot and killed in 2015, filed with Georgetown Law clinic a complaint to the F.T.C. against Facebook, for failing to take down violent videos of the killing from the platform. The complaint alleged that Facebook and its subsidiary Instagram unlawfully deceive consumers by allowing violent murder videos to spread and persist on its platforms, in clear violation of their Terms of Service. (link)

Former “Google Fiber” employee shares her experiences and claims that Google’s monopoly in the search and online ad business allowed it to compete against the big internet service providers. The piece later discusses the problems with monopolies in a more general way. (link)

The CIA appears to have invested $1.6 million in Wickr, an encrypted messaging app, recently purchased by Amazon. According to Vice, the investment highlights Wickr’s continuing position as an end-to-end encrypted messaging app for government agencies. (link)

(Prepared by Student Fellow Danya Amir)