Tag: PrivacyClassSP12

  • No Asking Sexual Activity: NASA v. Nelson Qualified by Federal District Court

    By: Can Cui

    In December 2011, a Michigan employer’s motion for summary judgment on a job applicant’s right to privacy claim was denied over questions asked in a routine pre-employment medical exam conducted by an independently owned medical clinic.  Garlitz v. Alpena Regional Medical Center, No. 10-13874-BC., 2011 WL 6016498, at *13 (E.D. Mich. Dec. 2, 2011).  See David Goldstein, Hospital’s Post-Offer Medical Questions May Violate ADA, Title VII, and Employee Privacy Rights, Healthcare Employment Counsel (Dec. 12, 2011), http://www.healthcareemploymentcounsel.com/2011/12/12/hospitals_post-offer_medical_questions_may_violate_ada_title_vii_and_employees_privacy_rights/.

     

    Acknowledging that “[w]hen acting as an employer rather than as a sovereign, the government enjoys greater latitude to inquire into personal matters of its employees,” Garlitz, 2011 WL 6016498, at *15 (citing NASA v. Nelson, 131 S. Ct. 746, 757-58 (2011)), the District Court was nonetheless unwilling to let “public employees surrender their constitutional rights when they accept a position with the government,” id. at *15, and held that “the information sought [by the government employer] regarding Plaintiff’s sexual life [must be] relevant to Plaintiff’s job performance or related to her job functions.”  Id. at *16.

     

    This case distinguishes itself from Nelson because, unlike in Nelson, where the inquiry was reasonably aimed at identifying capable employees who would faithfully conduct the Government’s business, the “inquiry into . . . ‘private sexual life’ is [not] ‘related’ to the job.”  Id. at *16.  Therefore, although under Nelson the government need not show that its questions were necessary or the least restrictive means of furthering its interests, a minimum level of “relatedness” is required.

     

    One may argue that Norman-Bloodsaw v. Lawrence Berkeley Laboratory, 135 F.3d 1260 (9th Cir. 1998), has made a comeback in this case, at least in the government employer context.  Yet this case differs from Norman-Bloodsaw in at least two significant ways.  First, in Norman-Bloodsaw, blood and urine samples were taken and tested for various conditions without the plaintiffs’ knowledge and consent, while here only written questions about pregnancy, abortion, sexual activity, birth control and similar subjects were asked.  Second, although the 9th Circuit recognized both the right to informational privacy and the Fourth Amendment right in Norman-Bloodsaw, it felt that “it would not make sense to examine the collection of medical information under two different approaches,” and analyzed the claim “under the rubric of [the Fourth] Amendment.”  Id.  Here, a Fourth Amendment argument may not be as strong unless one believes that questioning alone should be considered a “search” under the Fourth Amendment.

     

    To the extent that some commentators may think that Nelson could be decided merely by concluding that questionnaires to collect information, without any evidence of disclosure, do not implicate the constitutional right to privacy, e.g., Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 1025 (4th ed. 2011), this case seems to have answered that question in the negative.

     

    So the takeaway message for human resources is this: HR staff are well advised to review and, where necessary, revise their pre-employment medical screening process to make sure that the subject matter not only of the tests conducted but also of the questions asked is related to the job, because courts may be looking more closely at routine policies and procedures concerning screening and hiring.  If you cannot find a relationship between a screening question and a specific job function, it is safer to leave the question out of the hiring process.

     

    Eastern District of Michigan’s opinion in Garlitz is available here: http://www.healthcareemploymentcounsel.com/examining-room/GarlitzVsAlpena.pdf.

  • New Telecommunications Provider Aims to Enforce Privacy Rights against Government Surveillance through Consumer Autonomy


    By Sofia Rahman

    CNET reports that the first ISP executive to challenge the government’s demands for consumer information via national security letters is now in the process of creating what could be the most serious and consistent pushback to government surveillance: “a telecommunications provider designed from its inception to shield its customers from surveillance.”

    http://news.cnet.com/8301-31921_3-57412225-281/this-internet-provider-pledges-to-put-your-privacy-first-always/

    Nicholas Merrill’s proposed telecommunications provider will provide budget-friendly national mobile and internet service which places consumers first by giving them substantial control over their data and collaborating with public interest organizations like the ACLU and EFF to presumptively challenge seemingly unconstitutional government demands for consumer records. The ISP would be run by Merrill’s non-profit, the Calyx Institute, whose primary goal is to “use every legal and technical means available to protect the privacy of customer data.” The key to Merrill’s approach is making it impossible for the ISP to comply with the FBI’s requests for data, such as stored communications, by allowing consumers to encrypt their information from Calyx itself:

    “Through other partnerships, we are poised to offer Internet service in 70 markets in the US using wireless spectrum which we will bundle with end-to-end encrypted Virtual Private Network (VPN) technology in order to keep the customer’s data as private as possible. The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files. This means that the provider (Calyx) will not be able to read your email or files even if it wanted to. And if Calyx can’t read it, it can’t be targeted by unconstitutional surveillance tactics.”

    Calyx expects to be able to decline such demands because the Communications Assistance for Law Enforcement Act of 1994 (CALEA) does not make a carrier responsible for decrypting, or ensuring the government’s ability to decrypt, a communication encrypted by a subscriber, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt it (47 U.S.C. § 1002(b)(3)). The design therefore only delivers what it promises if key generation and storage stay on the customer’s device: a key that Calyx generates or holds a copy of, or traffic that is decrypted at Calyx’s own VPN endpoint before being forwarded, falls outside that exception. While the FBI has expressed concern about the “Going Dark” obstacle such an ISP presents, the ACLU has embraced Calyx as a rare exception to major telecommunications providers like Verizon and AT&T, which have been unwilling to publicly challenge the government’s demands and have instead handed over billions of consumer records.
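    The property Merrill describes for the planned e-mail and storage products, that the provider keeps only ciphertext and cannot read it even if it wanted to, comes down to where the keys live. The following Go program is an added illustration of that design and is not Calyx’s code; the choice of RSA-OAEP for wrapping a per-file AES-256-GCM key, the StoredObject layout and the sample message are all assumptions made for the example. Everything the provider would store is in StoredObject; the private key exists only on the client side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// StoredObject is everything the hypothetical provider keeps for one file:
// ciphertext, nonce and the file key wrapped to the user's public key.
// No plaintext and no private key ever reach the provider.
type StoredObject struct {
	WrappedKey []byte // RSA-OAEP(userPublicKey, fileKey)
	Nonce      []byte // AES-GCM nonce, unique per object
	Ciphertext []byte // AES-256-GCM output with the auth tag appended
}

// NewUserKey generates the user's key pair. In a real client the private half
// would stay on the device (or in a passphrase-protected keyring), never uploaded.
func NewUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientEncrypt runs on the user's device. A fresh random 256-bit file key
// encrypts the plaintext; that key is then wrapped to the user's own public key,
// so only the holder of the matching private key can recover it.
func ClientEncrypt(userPub *rsa.PublicKey, plaintext []byte) (*StoredObject, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &StoredObject{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// ClientDecrypt also runs on the device: unwrap the file key with the private
// key, then open the ciphertext. A wrong key or a modified ciphertext fails
// closed instead of yielding garbage.
func ClientDecrypt(userPriv *rsa.PrivateKey, obj *StoredObject) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, obj.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

// TamperedCopy models the provider (or someone serving process on it) altering
// a stored byte; the GCM tag makes the change detectable on decryption.
func TamperedCopy(obj *StoredObject) *StoredObject {
	ct := append([]byte(nil), obj.Ciphertext...)
	ct[0] ^= 0x01
	return &StoredObject{WrappedKey: obj.WrappedKey, Nonce: obj.Nonce, Ciphertext: ct}
}

func main() {
	user, _ := NewUserKey()
	// Constructed sample content standing in for an e-mail or synced file.
	msg := []byte("constructed sample: draft letter to counsel")
	obj, err := ClientEncrypt(&user.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key\n",
		len(obj.Ciphertext), len(obj.WrappedKey))
	pt, err := ClientDecrypt(user, obj)
	fmt.Printf("user decrypts: %q (err=%v)\n", pt, err)
	_, err = ClientDecrypt(user, TamperedCopy(obj))
	fmt.Printf("tampered object: err=%v\n", err)
}
```

    The point to notice is what a subpoena to the provider could yield: the three fields of StoredObject and the user’s public key, none of which unwraps the file key. The same holds for a second customer’s private key, which is why the CALEA exception for carrier-provided encryption does not reach this arrangement as long as the key pair is generated and kept on the customer’s device.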

    Although the government could still get around Calyx’s encryption-based protections by other surveillance methods, such as remote installation of spyware or keyloggers on the customer’s device, Calyx could still address the government’s controversial ability to prohibit ISPs from notifying consumers whose information the government has requested, which makes it nearly impossible for consumers to establish standing in court to assert their privacy rights.  With consumers in charge of their own data, the government may be unable to avoid notifying or alerting consumers in the course of surveillance.

    Merrill was motivated by his unique experience as a former ISP-executive to confront the government’s ability to restructure the power dynamics of privacy, including the government’s ironic ability to force anonymity in order to acquire confidential information.

    In 2004, the FBI sent Merrill a secret NSL (which at the time required no prior judicial review, a gap Congress narrowly addressed in 2005) demanding that he provide them with confidential customer data and forbidding him from disclosing the FBI’s demand to anyone. Merrill refused to comply and instead sued the FBI and Department of Justice.  In order to file suit, Merrill violated the non-disclosure order by hiring the ACLU, but litigated the case anonymously, and the Washington Post made its first exception to its prohibition on anonymous op-eds in order to publish his piece decrying government secrecy and the usurpation and repression of his identity: “I resent being conscripted as a secret informer for the government and being made to mislead those who are close to me, especially because I have doubts about the legitimacy of the underlying investigation.”

    Merrill was prohibited from revealing his identity for six years as the case (known in its most recent form as Doe v. Holder) made its way through the courts and various changes in the Bush and Obama administrations. But Merrill’s persistence led to the first legal victory against the gag orders, with the courts twice finding that they were unconstitutional under the First Amendment: in 2004, because they constituted prior restraints on content-based speech, and in 2008, because they wrongly burdened recipients with challenging the gag orders in the first instance rather than requiring the government to bear the burden of demonstrating the need for non-disclosure. In a 2010 settlement, the FBI allowed Merrill to reveal his identity but kept in place the gag order on the redacted contents of the NSL. In a follow-up Washington Post op-ed, Merrill wrote that the forced anonymity took a debilitating toll on his personal life because he was prohibited from confiding in family and friends.

    Calyx may have the potential not only to restore the agency that comes with the right of anonymity to recipients of government surveillance demands, but also to reassure consumers who have resorted to services like Hushmail (encrypted webmail) and Mailinator (disposable addresses) because they lack confidence in the privacy of their standard communications accounts. Calyx has received popular support in forums like Reddit and has a $2 million fundraising goal to start operating later this year.

  • New York Moves To Protect Health Data Privacy

    Emily Millner

    As New York Builds Its Health Information Exchange, New And Complex Privacy Issues Arise.

     

    The move towards implementation of health information exchange (HIE) introduces new concerns regarding patient privacy. New York State is building a health information exchange that uploads the entire history of a patient’s medical records to a centralized network. The New York eHealth Collaborative together with the New York State Department of Health have established the Statewide Health Information Network of New York Policy Committee.

    The committee’s primary task will be to create and update policies that protect personal health information while expanding the state’s ability to share electronic health records between healthcare providers as well as consumers and other health-related community organizations. The committee was established after The New York Civil Liberties Union issued a report criticizing New York State’s current privacy and security policies and procedures governing computer networks that share electronic medical records.

    The committee aims to make health information both accessible and secure. One area of concern, which the committee hopes to address, is the technological infrastructure of the state’s HIE, which has been described as an “all or nothing” approach. Once a patient gives a provider consent to access his or her medical records, the provider can see everything about the patient that was ever entered into the network, regardless of whether the information is relevant to the current treatment. The committee hopes to implement a policy requiring HIEs to have the capacity to sort and segregate information so that both patients and providers have the ability to restrict access to certain portions of a medical record.

    The committee works with stakeholders from across the state and from a wide variety of interest groups to develop common policies, procedures and technical approaches through an open and transparent process. The committee will continue to work towards developing a system that strikes the proper balance between accessibility and security of health information.

     

    http://www.informationweek.com/news/healthcare/security-privacy/232800368

    or

    http://www.ihealthbeat.org/articles/2012/4/6/ny-forms-health-data-exchange-policy-panel-after-recent-criticism.aspx

     

  • Genomic Testing and the Affordable Health Care Act

    By: Fahd Reyaz

    Genomic testing is becoming cheaper, and companies are able to provide better assessments of risk for complex diseases based on an individual’s genome. As more individuals purchase these services, and so hold information about their own risk, lifestyle and environment that insurers lack, those who consider themselves “genetically healthy” may opt into less comprehensive or lower-premium insurance, while “genetically unhealthy” individuals would opt into more comprehensive or higher-premium insurance. Insurance companies would be unable to raise premiums for the “genetically unhealthy” group even as a larger percentage of those individuals become sick relative to the “genetically healthy” group.

    An example is the APOE ε4 variant associated with Alzheimer’s disease, an expensive disease from the health insurer’s perspective because of the need for long-term care and nursing. Individuals who learn they carry the ε4 variant, which increases the likelihood of developing Alzheimer’s disease later in life, would likely opt into more comprehensive health insurance. Insurance companies would be unable to raise those individuals’ premiums, since GINA prohibits health insurers from raising premiums based on genetic risk; one commentator has called this an “adverse-selection death spiral”.

    The Affordable Care Act’s individual mandate would address this problem, since individuals would have to purchase insurance regardless of their prospective genetic health. Recently the Supreme Court questioned the constitutionality not only of the individual mandate but of the Act as a whole.

    If the Individual Mandate is struck down while GINA is still enforceable, it seems likely to me that the health insurance industry will have to rethink how they price insurance.

     

    Washington Post – How a $1000 test could destroy the Health insurance Industry

  • Online Privacy

    Julia Angwin & Jeremy Singer-Vine, Selling You on Facebook, Wall St. J. (Apr. 10, 2012), http://online.wsj.com/article/SB10001424052702303302504577327744009046230.html.

    By: Randall Norman

    Online privacy is a hotly debated topic right now.  Some of this attention stems from the recent release of the Obama Administration’s Consumer Privacy Bill of Rights and from other proposals by various groups for regulating Internet privacy.  Hopefully, at least part of the current interest in online privacy can be attributed to the awareness and concern of Internet users about the collection of their data.  Websites and applications use an impressive array of techniques to monitor the online behavior of users and collect their personal information.

    While the extent to which companies engage in the collection of user data varies greatly, some websites are notorious for gathering the personal information of their users.  One such infamous collector is Facebook.  Both the social networking website itself and many of the applications offered on it are attractive to users because they appear to be free.  However, websites and applications that do not charge a monetary fee profit from the popularity of their products by collecting the personal information of users and selling access to this data to online advertising companies.

    Although many sites track the behavior of users, Facebook is particularly tailored to collect personal information as a social networking website.  On Facebook, users voluntarily choose to share all kinds of details about themselves, allowing the website to cater to the $28 billion online advertising industry.  Additionally, Facebook boasts over 800-million users, who provide massive amounts of personal data for collection.

    Facebook largely derives its revenues either directly, or indirectly through the quizzes, games, and other applications offered, from the advertising services that use the collected data to target users with customized ads based on profile and online behavior.  In May 2012, when the company plans to go public, Facebook could potentially boast an initial public offering of more than $100 billion on the Nasdaq Stock Market.  This value illustrates the substantial demand for collected user data and underscores the extensive effect that new regulations for online privacy will have, regardless of the form adopted.

  • HIMSS: Increase Patient Data Breaches Despite Strict Regulations

     By: Maite Forrez

    According to “2012 HIMSS Analytics Report: Security of Patient Data”, commissioned by Kroll Advisory Solutions, a heightened focus on HIPAA (Health Insurance Portability and Accountability Act) compliance has not yet resulted in better patient data security.

     

    This biennial survey of 250 healthcare organizations shows that the percentage experiencing a patient data breach is going up. The survey asked chief information officers, health information management directors, chief privacy officers and chief security officers about the number of data breaches they knew of over the past 12 months. Findings from the survey revealed that 27% of the respondents had at least one security breach over the past year, up from 19% in 2010 and 13% in 2008.

     

    According to the report, both human error and mobile devices (mobility) contribute to patient data breaches.

     

    Even though 79% of respondents reported that an employee caused the security breach, only half of respondents required proof of employee training on data security policies. Two days after the report’s release, the Utah Department of Technology Services (DTS) revealed that 780,000 individuals had been affected by the theft of sensitive Medicaid information. “The Utah data breach is an example of human error because the server did not have a secure password [allowing an Eastern European hacker to circumvent DTS’s security system]”, said Lisa Gallagher, senior director of privacy and security for HIMSS.

     

    As 31% of respondents indicated that information available on a mobile device was a factor in data breaches, it is clear that mobility of patient data also contributes to patient data security breaches. According to the report, the “use of new technologies, particular mobile devices in the workplace, have skyrocketed, creating new operational efficiencies and security vulnerabilities […]. As mobile devices proliferate in exam rooms and administrative areas, so do the associated vectors of potential attack”.

     

    In its report, HIMSS urges hospitals to be more proactive about data breach prevention. “While increased regulation and better-articulated guidance have led to increases in privacy and security measures within hospitals, they also have contributed to a false sense of security within organizations that comply with these mandates”, the report states.

     

    Therefore, health care organizations must go further than simply complying with regulations (i.e. HIPAA and the HITECH Act) to protect health information; they also need to adopt policies of their own to secure patient data. According to Brian Lapidus, senior vice president for Kroll, “organizations will need to constantly assess their security risk levels and evolve their policies and procedures to ensure that they are in the best possible position to protect their patients and their bottom lines”.

     

    Despite the report’s results, others argue that we need to be more positive-minded when it comes to resolving health privacy issues. As Ken Terry, reporter for FierceHealthIT, recently stated: “sure, there are plenty of security breaches – some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches”.

     

    Robert Miller, the lead author of a study[1] recently published in Health Affairs states “what’s important is that people understand how their data are being used […]. It’s like informed consent”. However, if informed consent becomes too onerous, will health information exchange remain an impossible dream?

     

    For more information, see:

    –          http://www.beckershospitalreview.com/healthcare-information-technology/himss-increased-hipaa-compliance-has-yet-to-increase-data-security.html

    –          http://www.fiercehealthit.com/story/himss-hospitals-must-be-more-proactive-about-data-breach-prevention/2012-04-11

    –          http://www.informationweek.com/news/healthcare/security-privacy/232900128

    –          http://www.fiercehealthit.com/story/health-privacy-issues-can-be-resolved-without-obstructing-care/2012-04-09

    –          http://www.pcworld.com/article/253827/hospitals_seeing_more_patient_data_breaches.html

    –          http://www.eweek.com/c/a/Health-Care-IT/Patient-Data-Security-Demands-Strong-Compliance-Proactive-Policies-Report-384627/



    [1] http://content.healthaffairs.org/content/31/3/537.abstract

  • Subpoena, Search, or Incriminating Statement

    Subpoena, Search, or Incriminating Statement: Encryption Passphrases and Privacy

    By Max Abend

    CNET recently ran an article about a precedential case involving computer encryption. In one of only a handful of cases decided on the issue, Judge Robert Blackburn held that compelling the production of the unencrypted contents of a computer in the defendant’s possession did not violate either the Fourth or the Fifth Amendment (United States v. Fricosu, D. Colo. 2012).

    The defendant, Ramona Fricosu, was accused of being involved in an illegal mortgage scam. Pursuant to a valid warrant, the FBI searched her home and seized, inter alia, six computers. One of the computers, a Toshiba laptop, had “whole disk” encryption software (PGP Desktop) enabled. Because PGP Desktop makes the contents of the drive unreadable without the encryption key or passphrase, the FBI has so far been unable to view any of the files on the disk. The FBI therefore applied to the court for a writ compelling Ms. Fricosu to produce the encryption key or the unencrypted contents of the disk.

    The court found that Ms. Fricosu was either the owner or the sole user of the computer, and that she has the ability to view the unencrypted contents of the computer’s hard disk. Because the computer was seized under a valid warrant, Judge Blackburn granted the government’s application for a writ under the All Writs Act requiring Ms. Fricosu to assist the government in executing the previously issued search warrant. Practically, this amounts to a duty on Ms. Fricosu either to give the FBI her encryption passphrase or to decrypt the drive herself and hand over its contents. From a policy standpoint, the DOJ argued in its brief that failing to compel Ms. Fricosu would signal to all potential criminals that “…encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.” While there is merit to the argument, the same argument could be made concerning the production of actual self-incriminating testimony. That is, protecting the contents of the mind signals to criminals merely not to memorialize their thoughts in the form of a document.  In the instant case, to quote commenter Mergatroid Mania, “If she had hid the data somewhere, they could not force her to tell them where she hid it. In this case it’s on a computer, but they can force her to tell them how to get in?” (For this analogy to hold true, assume the government does not know of the existence of specific data… see more below.)

    The ruling is interesting and arguably precedential because of the dichotomy presented. Basically, the issue is whether production of the key (or documents… throughout the rest of the post, simply “key”) is simply incident to a valid Fourth Amendment search, or whether it is a Fifth Amendment “statement.” It should be noted that the government only requests the production of the contents of the hard-drive, and that voluntary production of the key would also satisfy the command of the subpoena (but is not required as it is technically the “contents of the mind” of the defendant).

    The government had a valid search warrant, so if the production of the key is simply ancillary to the larger search, then it is per se reasonable. Because it is interesting and informative for the blog, I’d like to distinguish this case from another.  The “PGP Desktop” software is unlike the standard “password protection” at issue in cases such as United States v. Andrus (483 F.3d 711). In that case, without a warrant, but with apparent consent by the defendant’s father, a co-occupant, the FBI bypassed the defendant’s password protection without knowledge of its existence. Because they bypassed the password protection, and were under no duty to question the father about his use of the computer, the FBI could not have known that the defendant had a subjective expectation of privacy, and that his father, not an actual owner or user of the computer, lacked the authority to consent to a search of it. In short, because the FBI never saw the defendant’s attempt to “lock” the computer, in the same manner that a padlock on a footlocker would be immediately apparent, it was reasonable for them to believe, ex ante, that there was no subjective expectation of privacy.

    Because the government did in fact have a warrant in the Fricosu case, the following is merely hypothetical analysis. If the facts of the Fricosu case were changed to match those in Andrus, with the only difference being the PGP Desktop software, it becomes clear that the FBI would be in a different position. Presumably, the FBI used the same forensic software to try to image Fricosu’s computer, and was stuck when the contents came up unreadable. The FBI would then be well informed that the defendant had taken affirmative steps to ensure the privacy of that information. That is, while the password protection at issue in Andrus was not “clearly” analogous to a lock (see the dissent for a refutation of this argument), PGP Desktop is unequivocally a “lock.” Breaking through such a lock, (hypothetically) without a warrant, would violate Ms. Fricosu’s clear subjective expectation of privacy. The Andrus Court concluded “tentatively” that computers are “often a repository for private information the computer’s owner does not intend to share with others.” As such, it seems dubious that the 10th Circuit or any other court would fail to find such an expectation of privacy reasonable (see also the existence of ECPA).

    Now, non-hypothetically, many (including Ms. Fricosu) argue that compelling production of the encryption key would be tantamount to a self-incriminating statement, and a violation of the 5th Amendment protection.

    This is a tough argument to make. In Boyd v. United States (116 U.S. 616 (1886)) the Court set out the “mere evidence rule,” under which the government could seize only papers directly connected to a crime, and could not compel their production merely as evidence to be used against a defendant in a criminal action:

     “breaking into a house and opening boxes and drawers are circumstances of aggravation; but any forcible and compulsory extortion of a man’s own testimony or of his private papers to be used as evidence to convict him of crime or to forfeit his goods is…” a violation of both the Fourth and Fifth Amendments.

    Unfortunately for defendants, however, this holding has been largely abrogated. The Court has stated that the Fifth Amendment does not protect against subpoenas for a person’s records and papers held by third parties, and that “[t]he Fifth Amendment privilege is a personal privilege: it adheres basically to the person, not to information that may incriminate him.” Couch v. United States, 409 U.S. 322, 328 (1973) (upholding subpoena to defendant’s accountant for incriminating documents); In re Grand Jury Subpoena Duces Tecum, 1 F.3d 87 (2d Cir. 1993) (contents of documents not privileged unless their very act of creation was compelled by the government). The Court has more recently stated that some acts which function as a statement of fact can fall within the Fifth Amendment privilege. In United States v. Hubbell, the defendant initially refused to acknowledge the existence of documents compelled by a subpoena. While the contents of the documents would not be protected, the very act of producing documents acknowledges that they exist, and could in itself be self-incriminating. 530 U.S. 27, 36 (2000). Judge Blackburn analyzes the Boucher line of cases, which deal with similar encryption issues. In that series of cases, the defendant himself navigated to and displayed the contents of a number of files. As such, the government viewed and knew of the existence of child pornography on the defendant’s computer. However, after seizing the computer, the government was unable to access the files for evidentiary purposes due to encryption (coincidentally, also PGP Desktop). Since the encryption key was part of “the contents of the defendant’s mind,” it was protected by the Fifth Amendment, but the documents themselves were not, because, unlike in Hubbell, the government already knew of their existence, and production of them would not amount to an incriminating admission.  See In re Grand Jury Subpoena to Sebastian Boucher and In re Grand Jury Subpoena Duces Tecum, 1 F.3d 87 (2d Cir. 1993).

    The issue then becomes whether the production of the key is the authentication that self-incriminating documents exist (which would be privileged), or simply the production of the contents of documents known by the government to exist (which would not).  Judge Blackburn’s opinion analyzes both lines of precedent efficiently and accurately, but then applies them conclusorily. He finds that

    “There is little question here but that the government knows of the existence and location of the computer’s files. The fact that it does not know the specific content of any specific documents is not a barrier to production.”

    However, in both Boucher and Subpoena Duces Tecum, the government knew of the existence of specific incriminating files as well as their contents. Moreover, in both cases, the government was at some point in possession of the incriminating documents, or a literal copy of them. In this case, presumably, the FBI doesn’t have knowledge of specific documents in existence on the computer. If they did, these files likely would have been specifically discussed in the opinion. Read not all that broadly, Judge Blackburn’s pronouncement seems to say that if the government knows that files exist on a computer, then the government can subpoena those files. That however is ludicrous… if the government knows of the existence of a computer, it is a foregone conclusion that there will be files on that computer. Such a rationale seems completely at odds with the “reasonable particularity” requirement of the original warrant that authorized the seizure of Ms. Fricosu’s computer in the first place.

    It will be interesting to see how this issue ultimately gets resolved. The 10th circuit has not yet ruled on it because there has not yet been a final judgment.

    The Full Text of the CNET article is available here:

    http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/

    Judge Blackburn’s opinion is freely available here: http://scholar.google.com/scholar_case?case=7486865546677786730&q=us+v.+fricosu&hl=en&as_sdt=2,33&as_vis=1

  • Mobile Geolocation Services, EU

    The EU’s Article 29 Working Party has adopted an opinion on mobile geolocation services that requires, among other things, prior informed consent from users. Yet the European Commission’s proposed reform of the EU’s 1995 data protection rules says almost nothing about geolocation.

    By: Anne Aaltonen

    On May 16, 2011, the EU’s Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services.

    According to the opinion: “A smart mobile device is very intimately linked to a specific individual. Most people tend to keep their mobile devices very close to themselves, from their pocket or bag to the night table next to their bed. It seldom happens that a person lends such a device to another person. Most people are aware that their mobile device contains a range of highly intimate information, ranging from e-mail to private pictures, from browsing history to for example a contact list. This allows the providers of geolocation based services to gain an intimate overview of habits and patterns of the owner of such a device and build extensive profiles. From a pattern of inactivity at night, the sleeping place can be deduced, and from a regular travel pattern in the morning, the location of an employer may be deduced. The pattern may also include data derived from the movement patterns of friends, based on the so-called social graph. A behavioral pattern may also include special categories of data, if it for example reveals visits to hospitals and religious places, presence at political demonstrations or presence at other specific locations revealing data about for example sex life. These profiles can be used to take decisions that significantly affect the owner.”

    Read more here:

    http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/mobile-location-privacy-opinion-adopted-by-europes-wp29/

    On 25 January 2012, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. It is strange that this reform says so little about geolocation data.

    Read more here:

    http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

  • Senator Franken’s Comment to NTIA Focuses on Location Privacy

    Page Hubben

    On April 2, Senator Al Franken, Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, wrote a letter to the National Telecommunications and Information Administration, an agency of the U.S. Department of Commerce, to comment on the Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct. One of Senator Franken’s primary focuses in the letter is location privacy, and he argues that the Location Privacy Protection Act he introduced last year provides an answer to some of the major issues.

    Senator Franken’s main concern with location privacy is the lack of federal law governing commercial use of this data. He points out that because the Fourth Amendment does not apply to corporations, federal law allows companies to collect location information from customers and give the information to third parties. He notes that the Cable Act and the Communications Act prohibit cable and telephone service companies from disclosing customer location, but the Electronic Communications Privacy Act lets smartphone and app companies share the same information without obtaining consent.

    The letter aligns the location privacy bill with President Obama’s recently released Consumer Privacy Bill of Rights. The President’s proposal calls for transparency, individual control, and respect for context. Senator Franken asserts that transparency is not satisfied by disclosures in a privacy policy. Accordingly, his bill requires companies to tell consumers what information will be collected and to whom it will be disclosed. To implement individual control, companies must obtain express authorization prior to collecting or disclosing location information. In Senator Franken’s view, the combination of these requirements preserves contextual integrity, because consumers can ensure that their information is used only within a specific context.

    The letter enumerates recent events that triggered concerns over consumer privacy, such as the Carrier IQ software running secretly in mobile phones to collect location data and keystrokes. Such stories show that consumers appreciate the sensitive nature of location data, but the transition in technology has happened so rapidly that many people are unsure of when information is collected and by whom.

    The Future of Privacy Forum, a think tank, sees these events diminishing consumer confidence and is working with industry and government agencies to create responsible privacy practices. Part of the issue in their view is that policy makers know there is a problem, but may not have a clear understanding of what is going on.

    Nevertheless, regulation may be on the horizon. In addition to Senator Franken’s bill, Congressman Ed Markey released a draft of the Mobile Device Privacy Act earlier this year, which would require user permission to operate monitoring software on a mobile device. The Federal Trade Commission also specifically mentioned mobile data as a key area for privacy discussions, encouraging industry groups to regulate themselves.

    Many feel that self-regulation can address consumer concerns more effectively than the government. The Future of Privacy Forum calls for app developers to create solutions, and NetChoice, an e-commerce trade group, ranked the location bill as one of the worst for companies operating online because they believe it would require a pop-up notice every time an app collects location information. Senator Franken addresses this concern directly in his letter: “[A]s I explained when I spoke on the floor of the Senate to introduce the legislation, my bill will not flood consumers with pop-up consent screens: a one-time consent screen will suffice.”

    Criticism from business groups may be enough to stall this bill, but given the growth of mobile technology and consumer unease when location data is improperly shared, this is an issue likely to stay on everyone’s radar.

  • Concerns over Government Access to and Retention of Communications and Other Data

    Several recent NY Times articles reflect growing concerns over increasing government access to and retention of communications and other data here in the U.S.:

    Police Are Using Phone Tracking as a Routine Tool

    By ERIC LICHTBLAU

    Published: March 31, 2012

    Law enforcement tracking of cellphones is a convenient surveillance tool in many situations, but it is unclear if using such technology without a warrant violates the Constitution.

    U.S. Relaxes Limits on Use of Data in Terror Analysis

    By CHARLIE SAVAGE

    Published: March 22, 2012

    Attorney General Eric H. Holder Jr. signed new guidelines on how analysts may access, store and search information gathered by government agencies about Americans.

    And in the UK:

    Britons Protest Proposal to Widen Surveillance

    By ALAN COWELL

    Published: April 2, 2012

    Reported government plans to give intelligence services the ability to monitor the electronic communications of every person in the country drew fire on Monday.

    Katherine J. Strandburg