Rep. Ed Markey (D-Mass), co-chairman of the House caucus on privacy, has sent letters (Markey page; archive pdf) to nine major wireless communications companies  – U.S. Cellular, Sprint Nextel, T-Mobile USA, Leap Wireless Inc./Cricket Communications, MetroPCS, Verizon Communications, AT&T, C Spire Wireless and TracFone Wireless — and asked “each about its policies and practices for sharing their customers’ mobile phone information with law enforcement agencies. Markey said in a news release that “disclosure of this personal information raises important legal and privacy concerns, particularly in the absence of consumer knowledge or consent or judicial oversight. We need more information about current wireless carrier practices in this area, including how firms may be profiting from consumers’ personal data, and I look forward to the responses from the wireless carriers.”

In the letters, Markey references a March 31 New York Times article that reported: “Law enforcement tracking of cellphones, once the province mainly of federal agents, has become a powerful and widely used surveillance tool for local police officials, with hundreds of departments, large and small, often using it aggressively with little or no court oversight, documents show.” Read more »

On Thursday, U.S. Department of Homeland Security Secretary Janet Napolitano visited Canberra, Australia, to celebrate the 70th Anniversary Commemoration of the Battle of the Coral Sea (related to World War II). She also came to sign agreements, including one to “improve information sharing between the United States and Australia.” During her trip, she spoke at the Australian National University and her speech (DHS html; archive pdf) focused on “Achieving Security and Privacy.” She focused on highlighting similar goals between the two countries while skimming past the differences in the countries’ privacy-protective laws and programs. Here’s an excerpt from her prepared remarks:

So today, I would like to talk about some of these security challenges, and specifically, to express my belief that we can, and we will, meet them … while simultaneously protecting civil rights and privacy.

As we work to meet evolving threats, we must protect our values, including the rights, liberties, and privacy of our peoples.

After all, everything we do to combat terrorism and violent extremism is rooted in the fundamental objective to secure for future generations the values and way of life that our countries share.

Privacy has long been one of these core values. [...]

Read more »

In March, the Federal Trade Commission started a new technology blog and Twitter account for FTC Chief Technologist Ed Felten. Recently, Felten wrote two posts concerning the issues of anonymity and privacy. In the first, he discusses “hashing” as a poor technique for “anonymization.” (We’ve discussed problems with anonymization and de-anonymization before.) Felten writes:

What is hashing anyway? What we’re talking about is technically called a “cryptographic hash function” (or, to super hardcore theory nerds, a randomly chosen member of a pseudorandom function family–but I digress). I’ll just call it a “hash” for short. A hash is a mathematical function: you give it an input value and the function thinks for a while and then emits an output value; and the same input always yields the same output. What makes a hash special is that it is as unpredictable as a mathematical function can be–it is designed so that there is no rhyme or reason to its behavior, except for the iron rule that the same input always yields the same output.

He goes on to give an example of how a hash can be a poor anonymization technique, but he also notes: “Does this means that hashing always fails, and is never a good way to scrub data? Almost, but not quite. There are more advanced uses of hashing that can offer some protection in some settings. But the casual assumption that hashing is sufficient to anonymize data is risky at best, and usually wrong.” Read more »

To recap: In 2010, Google came under fire for its Street View product, where the online services giant photographed homes and other buildings in numerous countries as part of its online mapping service, as individuals said the photos invaded their privacy. Then, in 2010, Google announced that, for more than three years — in more than 30 countries — it had been “mistakenly collecting” personal data from open WiFi networks as its vehicles roamed the streets taking photos for its Street View mapping service. Later, the company admitted the data collected — without individuals’ knowledge or consent — included entire e-mails and passwords. And it was revealed that “Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks and then made the data available through Google.com.” The online services giant faced questions from states, and Google reached a settlement with Connecticut over the data collection. In October 2010, the Federal Trade Commission announced that (pdf) it had closed an investigation into possible privacy breaches by Google’s Street View after the company pledged to stop gathering consumers’ e-mail, passwords and other personal data.

A few weeks ago, the Federal Communications Commission decided (redacted pdf) that it would not take enforcement action against the company over this data collection and retention, but it would fine Google for impeding the agency’s investigation into the private data collected and retained via its Street View product. The FCC noted that it still had “significant factual questions” about the Street View data collection and that it could not interview “Engineer Doe,” the Google engineer “who developed the software code that Google used to collect and store payload data,” because Doe had invoked his Fifth Amendment right against self-incrimination. (“Payload data” is a technical term for sensitive, private data such as e-mail messages, passwords, Internet search or browsing history.)

The New York Times spoke with a former state investigator (several states investigated the data collection by Google through its Street View project) and he identified Engineer Doe as “Marius Milner, a programmer with a background in telecommunications who is highly regarded in the field of Wi-Fi networking, essential to the project.” Milner directed reporters to his lawyer. Read more »

NPR takes a look at tensions between Europe and technology companies in the United States concerning privacy rights:

America’s big technology companies are negotiating the details of a new privacy system called “Do Not Track,” to let people shield their personal data on websites. There’s no deal yet, but people inside the talks say the main reason American companies are even considering “Do Not Track” is the pressure they’re feeling from Europe.

Jacob Kohnstamm, a European privacy regulator, has been on a tour of Silicon Valley, and his message to America’s tech giants is, respect European privacy rules — or else. [...]

Not only should people be allowed to block websites from collecting and keeping their data, he says, but that should be the default setting — on European browsers, at least. Talking from a phone inside the headquarters of Facebook, Kohnstamm is in no mood to let Americans decide everything about the Internet. [...] Read more »

The Washington Post reports on the issue of patient privacy and mobile applications related to medical data:

As smartphone users have grown more comfortable forking over information about their bank accounts and physical whereabouts to mobile applications, a growing group of app developers are betting health-related data will be next. [...]

Applications are being built to assist physicians at a patient’s bedside or help remotely monitor chronic conditions, but remain somewhat limited by concerns about their ability to ensure patient safety and privacy.

That’s caught the eye of federal regulators. The Food and Drug Administration will likely finalize its first-ever guidance on mobile health applications later this year, giving the agency at least some oversight of mobile products that replace or complement other medical devices, such as a stethoscope or EKG machine. Read more »