In honor of International Data Privacy Day, Computerworld in New Zealand has rounded up what it believes to be the 15 worst Internet privacy scandals:

These high-profile privacy scandals involve many underlying technologies, from search to social media, e-mail to voice mail, mobile phones to Webcams to GPS. But at the heart of all of these privacy scandals are companies collecting personal data without the user’s knowledge or consent and then either sharing it with third parties or simply failing to keep it safe. [...]

1. Sony CD Spyware

Sony BMG ran into a major privacy flap in fall 2005 because of the anti-piracy measures called XCP that it added to music CDs. When a customer played one of these CDs on a Windows PC, the CD installed hidden rootkit software onto the PC that communicated the CD being played and the IP address of the PC back to Sony. This so-called spyware also created vulnerabilities on PCs for worms or viruses to exploit. Critics said Sony had created a backdoor onto its customers’ machines, leading Sony to recall the CDs and offer a free removal tool for the rootkit software. Class action lawsuits were filed against Sony in Texas, New York and California. The U.S. Federal Trade Commission required Sony to pay $150 to any consumer whose PC was damaged by the software as part of a settlement for violating federal law. (Also see: Sony BMG rootkit scandal – five years later) [...]

3. AOL Search Leak

In August 2006, AOL released a file containing 20 million search keywords used by 650,000 of its users over a three-month period. The file was supposed to be anonymous data available for research purposes, but personally identifiable information was available in many of the searches making it possible to identify an individual and their search history. AOL admitted it was a mistake to release the data and removed it from its Web site after three days, but by then the data had been mirrored at sites across the Internet. AOL’s CTO Maureen Govern quit two weeks later. In September 2006, a class action lawsuit was filed – that’s still lingering in California courts — against AOL demanding $5,000 per user.

4. Google Street View Read more »

In the last year, that has been increasing focus on the use of aerial drones (also known as unmanned aerial vehicles, “UAVs”) to conduct surveillance in the United States. Last year, the Washington Post had an in-depth report of possible privacy problems with the domestic use of aerial drones, which are commonly used in military operations. (Be sure to take a look at the Post’s graphic on the specs, abilities and uses of different UAVs.) The ACLU released a report on this technology, “Protecting Privacy From Aerial Surveillance: Recommendations for Government Use of Drone Aircraft” (ACLU pdf; archive pdf). The Center for Democracy and Technology has looked into the privacy issues that can arise from commercial and domestic law enforcement use of drones.

And now, the Washington Post reports that the Electronic Frontier Foundation has filed a lawsuit against the Department of Transportation to learn more about the use of drones in the United States.

The Federal Aviation Administration has authorized the use of hundreds of drones in U.S. airspace in recent years but offered few details on who is operating them.

This week, a privacy advocacy group filed suit to force the Department of Transportation to release its records publicly.

“Drones give the government and other unmanned aircraft operators a powerful new surveillance tool to gather extensive and intrusive data on Americans’ movements and activities,” said Jennifer Lynch, attorney for the San Francisco-based Electronic Frontier Foundation, which filed the suit in U.S. District Court in Northern California. “As the government begins to make policy decisions about the use of these aircraft, the public needs to know more about how and why these drones are being used to surveil United States citizens.” Read more »

In an opinion column at the National Times in Australia, Kathryn Koromilas makes the case that online and offline individual privacy still exists:

The New York Time’s Nick Bilton announced recently that “privacy is on its deathbed”. This prediction was prompted by the “creepy” ease with which he hunted down the identity of a girl with not much more than his internet connection, the girl’s first name, a few photos, and a Facebook friend list. [...]

Yet what may surprise Bilton and others arguing that privacy is in terminal decline is the fact that many of us already guard our privacy online. For example, the results of an Asia Pacific Privacy Authority social media survey released last month revealed that most of us know how to use a site’s privacy settings. In fact, nine out of ten of us have actually changed a site’s privacy settings. Most of us only share information with people we know and only a few of us are concerned about how our information might be used by third parties. Were our information to be used in a way we had not expected, almost half of us would react rationally and deliberate whether to continue or to stop using the site altogether, before doing anything rash such as immediately deleting a Facebook account. [...] Read more »

The Department of Homeland Security’s Privacy Office has released a privacy impact assessment, “Future Attribute Screening Technology (FAST)/Passive Methods for Precision Behavioral Screening, DHS/S&T/PIA-012(a)” (DHS pdf; archive pdf); this is an update to a Privacy Impact Assessment (pdf) released in 2008. FAST, which I wrote about four years ago, seeks to divine an individual’s criminal or benign intent from a bio scan, and members of Congress have raised privacy questions concerning the technology.

According to DHS, “FAST seeks to improve the screening process at transportation and other critical checkpoints by developing physiological and behavior-based screening techniques that will provide additional indicators to screeners to enable them to make more informed decisions. FAST is not intended to provide ―probable cause for law enforcement processes, nor would the technology replace or pre-empt the decisions of human screeners.”

Now, according to the new PIA:

The FAST research is adding a new type of research, the Passive Methods for Precision Behavioral Screening (hereinafter FAST/Passive). The purpose of the FAST/Passive study is to build upon existing FAST research using volunteers and increase the performance of FAST primary screening procedures and to increase the ability to differentiate malintent through the inclusion of passive stimuli. The aim of the FAST/Passive study is to devise passive stimuli that will evoke malintent cues and incorporate these stimuli into the FAST screening project. [...] Read more »

There have been increasing privacy and civil liberty questions raised as the use facial recognition technology has increased in companies’ advertising and criminal investigations. As identification technology becomes cheaper and more prevalent, it could easily unmask people and track their movements. Those who were previously part of the unnamed crowd could be singled out for identification.

I’ve discussed before the increasing use of facial recognition technology in advertising, especially in “digital signage.” Most people have heard of the term connected with billboards or other screens that have cameras (and facial-recognition technology) to watch people watching ads in order to improve their marketing. The digital signs log data such as gender, approximate age and how long someone looks at an advertisement. This is supposed to help build a better billboard — one that is tailored specifically to the individual standing in front of it. However, the data-gathering and surveillance practices raise substantial privacy questions. (Disclosure: The Center for Democracy and Technology has released a set of privacy guidelines for digital signage, which I consulted on and contributed to, in the report “Building the Digital Out-Of-Home Privacy Infrastructure.”)

There are also civil liberty questions of government use of the technology. See this previous post for a discussion about the First Amendment right to free speech and how widespread identification technologies can affect that. More of my thoughts on facial recognition in this older GCN interview.

The Federal Trade Commission, which recently held a workshop of facial recognition technology, is now seeking public comment about the use of this biometric technology. The deadline for filing is Jan. 31. Here’s more from the FTC press release: Read more »

The tracking of consumers’ shopping habits (online and offline) for targeted behavioral advertising and other types of marketing is not new. There have been numerous news stories about this surveillance issue. For example, after the Wall Street Journal reported that credit-card companies Visa and MasterCard “are pushing into a new business: using what they know about people’s credit-card purchases for targeting them with ads online,” Sen. Jay Rockefeller (D-W. Va.), chairman of the Senate Commerce Committee, wrote to both MasterCard and Visa asking about the report. Also, the consumers have become interested in opt-out and Do-Not-Track remedies, including browser tools. (Read more about targeted behavioral advertising and privacy issues connected with it in a previous post.) Here are a few recent stories about the tracking of consumers’ browsing and purchases:

BusinessWeek: Big Brother Is Watching You Shop

On the Web, every click and jiggle of the mouse helps e-tailers customize sites and maximize the likelihood of a purchase. Brick-and-mortar stores have long wanted to track consumers in a similar fashion, but following atoms is a lot harder than following bits. [...]

To get a better understanding of their customers in real time, mall operators are monitoring shoppers’ behavior with devices that track mobile-phone signals, while retailers including Montblanc (CFRUY), T-Mobile (DTEGF), and Family Dollar Stores (FDO) are finding new uses for old tools such as in-store security cameras. The goal is to divine which variables affect a purchase, then act with Web-like nimbleness to deploy more salespeople, alter displays, or put out red blouses instead of blue. [...]

T-Mobile employs similar technology from San Francisco’s 3VR, a maker of security systems. Two years ago, 3VR executives realized that its cameras could be used to gather consumer data, according to the company’s CEO, Al Shipp. He says T-Mobile, in Bellevue, Wash., uses 3VR’s technology in some of its retail stores to track how people move around, how long they stand in front of displays, and which phones they pick up and for how long. T-Mobile declined to comment. Now 3VR is testing facial-recognition software that can identify shoppers’ gender and approximate age. [...] Read more »