Tag: Information Privacy Law Spring 2013

  • Leave my e-mail alone!

    Catalina Carmona


    For quite some time now, both industry and privacy advocates have pointed out the need to reform the Electronic Communications Privacy Act (ECPA). The main argument is that the act, which was passed in 1986, cannot adequately respond to new technologies and leaves important loopholes through which privacy can be disrupted.


    For example, ECPA only requires law enforcement authorities to have a warrant when searching through email that has not been opened and is less than 180 days old. For older emails, no warrant is required. In times in which people no longer store their emails on their hard drives, but on the cloud or a server, this poses serious threats to privacy.


    In November 2012, the Senate Judiciary Committee approved a reform to ECPA, which would now require law enforcement authorities to obtain a warrant in all cases when searching through email.

    http://www.nytimes.com/2012/11/30/technology/senate-committee-approves-stricter-privacy-for-e-mail.html?_r=0


    The Committee approved this bill despite strong opposition from enforcement agencies. In fact, just a few days before this proposal was approved, Patrick Leahy, the Democratic chairman of the Senate Judiciary Committee, who also took part in the drafting of the original version of ECPA, was ready to go through with a version that would allow several agencies, including the Securities and Exchange Commission and the Federal Communications Commission, to access email without a warrant. The FBI and Homeland Security would have even greater powers under the Act, as they could fully access online accounts without a judge's authorization or notification to the owner of the account.

    http://news.cnet.com/8301-13578_3-57552225-38/senate-bill-rewrite-lets-feds-read-your-e-mail-without-warrants/?part=rss&subj=news


    The online community has enthusiastically received the reforms to ECPA, and now awaits the final vote in the Senate, which is expected to happen sometime this year.

    (See, for example: https://www.cdt.org/pr_statement/senate-committee-takes-historic-step-privacy and https://www.netnanny.com/blog/the-ecpa-and-your-online-privacy/)


    But the bill will still need to overcome the resistance from more conservative groups, who believe that public safety should have a stronger stance when analyzing online privacy.

  • Mistakes By Credit Reporting Agencies

    Zachary King


    This past Sunday 60 Minutes aired a report about the enormous amount of mistakes made by credit reporting agencies. (http://www.cbsnews.com/8301-18560_162-57567957/40-million-mistakes-is-your-credit-report-accurate/).


    In the report Steve Kroft cites a newly released eight-year-long study conducted by the FTC into the big three credit reporting agencies (Experian, TransUnion, and Equifax), saying that 40 million Americans have an error on their credit reports and 20 million have a mistake significant enough to lower their credit score. This translates to one in every five adults with an error, which the Ohio attorney general has called “unconscionable.”


    The segment explains the harms faced by individuals with mistakes on their credit records. The show concentrates on one woman who had a six-year battle with the big three companies. She was denied credit and couldn’t refinance her mortgage or co-sign a loan for her children. When she ordered her credit reports there was nothing alarming. She only found out what the problem was by peeking at her file at a bank when nobody was looking. She learned that the credit reports that banks get are different from what the consumer can get. In her case the large debts of a woman with the same first name, but a completely different last name, from a different state somehow got added to her file. While it seems like this would be easy to fix, it turns out that it was impossible. The companies refuse to undertake the reasonable investigations required by the FCRA. 60 Minutes interviewed former employees of Experian who said that they did not have the power to do even the most basic investigation and were instructed to always take the word of the creditor to be true. The only way that she was able to finally prevail was by filing a lawsuit. The show says that the credit reporting companies are not interested in improving their policies. They reason that it is cheaper to every so often pay $1 million in punitive damages than it would be to implement a system that is in line with the basic fair information practice principles.


    60 Minutes explained this story as “a horror story worthy of Hitchcock or Kafka.” While these analogies aren’t bad, what is more apt is the movie Brazil, where a fly gets jammed in a typewriter causing a slight change in a name printed on a government document, which sets into place a very unfortunate series of events. Rather than give spoilers, you should watch the movie (http://www.imdb.com/title/tt0088846/). In any event, now that there is some press about the practices of the credit reporting agencies, perhaps changes will be made and we can avoid the path that is currently set towards Terry Gilliam’s dystopian bureaucratic vision captured in Brazil.

  • Understanding Facebook Privacy

    Jessica Heimler


    http://www.nytimes.com/2013/02/07/technology/personaltech/protecting-your-privacy-on-the-new-facebook.html?smid=tw-nytimes


    With Facebook consistently rolling out new features and subsequent privacy settings, many people may be unaware as to how to best protect their online information. This article, which appeared on February 6, 2013, in the New York Times, suggests four questions to ask yourself so as to best be able to format your privacy settings. First is “How You Would Like To Be Found.” It gives tips on how to disable search engines from linking to your Facebook timeline and how to determine what the privacy settings are for something posted by a friend. The next question is “what do you want the world to know about you?” It urges readers to reconsider including seemingly harmless pieces of information, such as gender and birthday, which can be exploited by hackers. The article also identifies online tools which can identify pieces of information, such as profanity, and give you the option of deleting it from your profile. The third asks “do you mind being tracked by advertisers?” and explains how to remove targeted advertising from your homepage. Finally, the article asks “Whom do you want to befriend?” and asks readers to carefully consider whom they create connections with over Facebook. It identifies two more pieces of software that can prevent a Facebook friend’s actions from displaying pieces of your own information publicly.


    This article is an important read even for those who think they have a good handle on Facebook’s privacy settings. The new version of Facebook, released this past December, will allow all users, including strangers, to search for pieces of information such as what you do and where you go. It is imperative that users know how to protect this information in the best way possible.

  • US Interests behind proposed amendments to the EU’s planned General Data Protection Regulation

    Akiva Miller


    The approaches to privacy regulation taken by Europe and the United States are often seen as being at odds with one another. The European regulatory scheme is characterized as overarching, comprehensive, principled, centrally controlled, and more protective of citizens’ rights, whereas the US regulatory system is characterized as a patchwork of sector-specific laws and regulations, lacking in unitary concepts, driven by a combination of FTC action and self-regulation by the industries, and less protective of citizens’ rights. (See, for example: http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=1& , which was featured in last week’s PRG blog post).


    However, this impression may need to be revisited following closer scrutiny of the drafting process of the EU’s new Data Protection Regulation. As technology news site GigaOm reports, a recent examination of the proposed amendments to the draft Data Protection Regulation conducted by Max Schrems, an Austrian law student and vocal critic of Facebook, casts light on the extent to which US commercial interests are influencing the drafting process. Schrems’s examination shows how language coming from lobbyists for US-based commercial giants Amazon and eBay, as well as the American Chamber of Commerce, has been copied and pasted directly into the opinion submitted by the European Parliament’s Committee on the Internal Market and Consumer Protection to amend the proposed General Data Protection Regulation. According to the report, these suggested changes water down the original protections of European citizens’ rights in favor of American business.


    http://gigaom.com/2013/02/11/amazon-ebay-privacy-lobbying-sparks-cut-and-paste-crowdsourcing-drive/


    So perhaps the guiding hands behind privacy regulation in the US and Europe are not so vastly different after all? If true, this information is a vivid reminder that Europe’s principled approach to privacy does not necessarily translate into tougher privacy safeguards for citizens. It should also serve as food for thought for advocates of comprehensive privacy legislation in the United States and elsewhere around the world.


    Information on the proposed General Data Protection Regulation can be found at: http://ec.europa.eu/justice/newsroom/data-protection/news/130206_en.htm


    The proposed amendments by the Committee on the Internal Market and Consumer Protection can be found at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-496.497%2b02%2bDOC%2bPDF%2bV0%2f%2fEN


  • FTC uses the Fair Credit Reporting Act to protect social media users

    Peter Kauffman


    http://www.nytimes.com/2012/06/13/technology/ftc-levies-first-fine-over-internet-data.html

    Last June, the Federal Trade Commission assessed an $800,000 penalty on Spokeo, a data collection agency, for distributing personal information as a way for potential employers to screen job applicants. According to the above New York Times article, this was “the F.T.C.’s first case addressing the sale of Internet and social media data for use in employment screening.” Like the Google Buzz case and the Path settlement discussed in the “FTC is getting serious about regulating mobile privacy” blog post, this indicates the FTC’s willingness to aggressively curb social media sites’ abilities to disseminate their users’ private information. Unlike those two cases, the FTC assessed the fine against Spokeo under the Fair Credit Reporting Act.

    Based on this case, institutions can be considered consumer reporting agencies despite their best attempts to not fall under that label. In 2010, Spokeo changed its terms of service to state that it “was not a ‘consumer reporting agency’ and that consumers could not use its profiles for purposes that were covered by the Fair Credit Reporting Act.” Similar to the Google Buzz case, the FTC faulted the company for insufficient notice to subscribers about such a change in its practice. The FTC then argued that the “coherent people profiles” Spokeo made available—which included an individual’s marital status, hobbies, ethnicity, religion, and photos—constituted a “consumer report” under the definition in 15 U.S.C. § 1681b(d). This case highlighted an interesting strategy the FTC can employ in its quest to protect against the dissemination of social media users’ private information.

  • Differences between the American and European systems of privacy laws

    Post by: Diana [Isabel] Ajuria

    http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=0

    This article, Consumer Data Protection Laws, an Ocean Apart, posted February 2, 2013, in the New York Times, is focused on the differences between the American and European systems of privacy laws and speaks to several issues that have been addressed in class. First, the American system is described as very piecemeal, with a greater focus on certain industries, including medical records and credit reports, for example. This is no doubt partially due to how privacy law in the United States was developed, emerging in the Warren & Brandeis article and implemented through the Prosser torts. The European system has grown out of a more blanket regulatory approach that guarantees certain rights. Now, Europe is looking to update their laws and some American tech companies are worried about how this will impact their business in Europe. For example, the article specifically mentions app companies, which we discussed in class this week, which in the United States are for the most part unregulated but would fall under protection in Europe.

    Although they take different underlying approaches, common ground can be found in the idea that both the current system in the United States and in Europe seem to be inadequate to meet current privacy needs of an advanced technological age. How one feels about the expansion of the American system, such as that seen in the Zimmerman article, might vary. As regards Europe, the vice president of the European Commission mentions in the article that the “main problem is that [the] rules predate the digital age and it became increasingly clear in recent years that they needed an update.” It will be interesting to see how both countries address privacy concerns over the next decade and if one ultimately convinces the other to adopt their regulatory approach.

  • FTC is getting serious about regulating mobile privacy

    Post by: Abigail Augus

    Regulating the collection and use of personal information through tort or contract is problematic for a host of reasons and may not provide companies with sufficient incentives to act in line with societal values and expectations. FTC enforcement, coupled with publicity and best practice guidelines, could provide those lacking incentives.

    As recently discussed in the New York Times, the FTC is getting serious about regulating mobile privacy. http://www.nytimes.com/2013/02/02/technology/ftc-suggests-do-not-track-feature-for-mobile-software-and-apps.html?hp&_r=1&. Last week, the FTC made two big moves in the mobile arena: first, the FTC released a staff report detailing recommendations for the mobile industry to safeguard personal information (http://www.ftc.gov/opa/2013/02/mobileprivacy.shtm); and second, almost simultaneously, the FTC entered into a settlement agreement with Path through which it fined the social networking company $800,000 and required it to create a comprehensive privacy program along with independent monitoring for the next 20 years (http://www.ftc.gov/opa/2013/02/path.shtm). Similar to the FTC settlement over the launch of Google Buzz, this settlement went far beyond an order to simply desist deceptive practices. Such agreements send powerful messages to other companies. As the NY Times notes, for big companies such as Google and Amazon, “the suggestions essentially carry the weight of policy.”

    Though some worry about unintended consequences of these settlements, such as companies eliminating privacy policies altogether to avoid FTC action, it seems likely that the publicity of violations may incite an increasingly savvy public to demand certain protections, which, if ignored, could destroy a business. This may be exactly what caused Instagram to lose almost half its users, as discussed in the January 30th blog post, “Continuing saga of Instagram.” Given that these companies’ ability to profit is entirely dependent on users and user data, reputational threats should be incentive enough for companies both small and large to heed the recommendations of the FTC, as well as those of other organizations setting influential guidelines (see, for example, the ACLU’s guide to privacy and free speech (https://www.aclunc.org/docs/technology/privacy_and_free_speech_it’s_good_for_business,_2nd_edition.pdf) and the California Government’s recommendations for mobile privacy (http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf)).

  • Every Move You Make

    By Jesse C. Glickenhaus

    February 7, 2013

    Artist Pierre Derks’ installation in the Hague showing rotating live streaming images—a baby in a crib, a security feed from a laundromat, a woman eating breakfast on a couch in a bathrobe—from over 800 web cameras may feel uncomfortable to watch, but does it invade people’s privacy?[1] The images are both deeply intimate and largely anonymous. Derks did not hack any computers, but rather assembled collections of unsecured webcams that are connected to the Internet and filtered and streamed them into a gallery. If one defines privacy by the public/private physical space conception, then images of “public” places such as stores or public streets would not be an intrusion. There would be no reasonable expectation of privacy in these places, and few people would be surprised to know that stores and streets have security cameras that may be viewed by other people. Helen Nissenbaum would probably agree that in the context of these environments—populated by strangers, in public spaces—privacy is not expected, and therefore images of those places might not be a prima facie violation of privacy. However, the images from inside people’s “private” spaces might violate privacy. Warren and Brandeis would be horrified at the idea of “instantaneous photography” showing live video images from inside a person’s home. Such streamed images seem to violate Prosser’s “intrusion upon seclusion” tort. Diane Zimmerman might argue that the benefits of the disclosures, including increased public awareness of the issue of unsecured webcams, could outweigh any potential privacy concerns. Whether or not one views Derks’ project as an invasion of privacy depends on how one views connecting a webcam to the Internet. Is this an act of self-disclosure or assumption of the risk, analogous to leaving one’s digital window curtains open, or is it closer to writing in a journal or taking a private photograph at home? Will there be a point when no reasonable person could expect his or her unsecured webcam to remain private? Until then, secure your webcams, or know that someone might be watching you.


    [1] Amar Toor, Privacy invasion or webcam art? ‘Screening Reality’ walks a fine line, The Verge (Feb. 6, 2013, 12:00 PM), http://www.theverge.com/2013/2/6/3949860/pierre-derks-screening-reality-amsterdam-exhibit-IP-cameras.

  • Path Settles With FTC Over Privacy Row-Will Pay $800K And Establish New Privacy Program Including Outside Audits

    Privacy Blog Post - Kenneth Villa

    Tech Crunch

    http://techcrunch.com/2013/02/01/path-settles-with-ftc-over-privacy-row-will-pay-800k-and-establish-new-privacy-program-including-outside-audits/

    Business Week

    http://www.businessweek.com/printer/articles/420272?type=bloomberg

    Path, a social networking mobile app that allows users to share various types of social media content between one another, agreed to pay an $800,000 fee for violating the Children’s Online Privacy Protection Act and for misleading users with its “Add Friends” feature.

    Bearing some similarities to the Google Buzz settlement, the FTC alleged that Path misled consumers and failed to provide users with a meaningful choice regarding the collection of their personal information. Path had an “Add Friends” feature that allowed users to add new connections to their networks through three options: “Find friends from your contacts,” “Find friends from Facebook,” or “Invite friends to join Path by email or SMS.” However, even if users chose not to select the first option, Path automatically collected and stored personal information from the iOS address book whenever the user first launched the app and each time the user signed back into the account. Path automatically recorded the names, addresses, phone numbers, email addresses, birth dates, and Facebook and Twitter usernames of each contact. Therefore, the FTC alleged that Path’s privacy policy deceived consumers by claiming that it only automatically collected the following information about their users: IP address, operating system, browser type, address of referring site, and site activity information.

    Additionally, the FTC alleged that Path had violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information of around 3,000 children who were under the age of 13, without requiring parental sign-off. Children comprised a portion of Path’s users, since it enabled children to create personal journals and upload, store and share photos, written “thoughts,” their location, and songs they were listening to.

    As part of its settlement, Path agreed to pay an $800,000 fee for its violation. In addition to the fine, Path will be creating a “comprehensive privacy program,” which requires a privacy assessment from external disinterested third-party sources every other year. The assumptions made in class, that startups enjoy more flexibility with their data privacy and receive less scrutiny from the FTC, are debunked by this settlement. Despite raising $40 million in venture capital, Path is still a small startup without a firm revenue model in place. This settlement sends a clear and strong message to young companies that data privacy must be an important consideration at the early stages of their product development cycle. Although this might initially cause companies to delay product launches, the trade-off seems to be well worth it since it will presumably lead to better protections for user data.

    Another reason to justify the stiff fine is because Path violated COPPA by acquiring children’s personal information without parental consent. Based on my previous experiences in the industry, children are typically a vulnerable age group—susceptible to stalkers, pedophiles, and child pornographers. Therefore, it is likely that this was an important consideration in establishing a settlement figure.

    In conjunction with this settlement, the FTC also took the time to release a new set of guidelines for mobile developers, since mobile apps are proliferating at a fast rate and developers are increasingly obtaining large amounts of private data from their users. Some of the guidelines urge developers not to store passwords in plaintext on their servers and to designate at least one member on the team to be responsible for considering security at every stage of the app’s development.

    Lastly, this article signals the FTC’s increasing scrutiny and regulation of the mobile technology industry. Previously, the Federal Communications Commission (FCC) and the U.S. Food and Drug Administration (FDA) were the two primary governmental agencies that regulated the cell phone industry, the latter in charge of regulating health-related concerns with cell phone use and the former certifying wireless devices and ensuring that they comply with FCC regulations. All that is beginning to change with the increasing capabilities of mobile phones. It is likely that mobile app makers and the mobile phone industry will get increasing scrutiny from other governmental agencies in the future, most notably from the FTC.