December 11th, 2014
I’ve written before about how postings on Twitter, Facebook, Google+ and other social-media sites have been used against individuals. Such sites have been used to gather evidence in trials against jurors and defendants, in divorce cases, against employees (which can lead to lawsuits), politicians and high school students.
We’ve seen it affect applicants to jobs in the United States and abroad. For a while, there was increasing focus on the practice by some employers of requiring job applicants to hand over their passwords or allow access to their private accounts on social-networking sites in order to gather personal data when the social-networking profiles are closed to the public. States including California, Illinois and Maryland passed laws to protect employees from such prying by employers; Maryland’s law includes exemptions for employers for some investigations into possible wrongdoing by employees.
Recently, the New York Times reported that students are scrubbing their accounts in anticipation of colleges and universities reviewing the social-media postings of applicants. The social-media searches by colleges and universities have been occurring for several years. Six years ago, education services firm Kaplan surveyed 320 college and university admissions officers and found “one out of ten admissions officers has visited an applicant’s social networking Web site as part of the admissions decision-making process.” Read more »
December 1st, 2014
There has been considerable debate about the ethical, privacy, and civil liberty issues surrounding the unauthorized or unknowing retention and use of babies’ blood samples for purposes other than disease-screening in the United States and abroad. Often, parents are not told of the possible lengthy data retention period, possible distribution to other agencies, and possible other purposes for which their children’s blood samples could be used. Now, WNCN in North Carolina looks at the situation, and what it finds shows there are also questions about de-identification or “anonymization” of newborns’ medical data.
Asked what the government plans to do with the data, Scott Zimmerman, director of the N.C. State Public Health Lab, said, “So if an outside agency such as an academic institution approaches us and asks for dried blood spots, there are two approaches that can be taken. One, we can get parental consent to release that dried blood sample to an outside entity. We will not release any DBS that contains patient information without parental consent.”
Zimmerman added, “The only other way DBS are released is if they are de-identified.”
Researchers have shown that, often, data that has been de-identified can be re-identified (or “de-anonymized”), and sensitive data could be linked back to an individual. Therefore, there is a significant privacy concern for individuals’ whose information is shared, without their consent, in this manner. Read more »
November 24th, 2014
At a recent dinner, Uber Senior Vice President Emil Michael suggested that Uber could spend “a million dollars” to hire opposition researchers to dig up dirt on journalists who were critical of the company, a service for hailing taxis, private cars or ride-shares. According to BuzzFeed: ”That team could, he said, help Uber fight back against the press — they’d look into ‘your personal lives, your families,’ and give the media a taste of its own medicine.” He mentioned specifically focusing on the private details of the life of journalist Sarah Lacy. Lacy’s response is here. Michael has apologized for his comments, and Uber CEO Travis Kalanick has said Michael’s comments “were terrible and do not represent the company.”
If Uber were to investigate journalists or other critics, it would not be the first company to do so. Two cases involved Germany’s Deutsche Bank and Hewlett-Packard. In 2009, Deutsche Bank fired two executives because of a scandal in which bank executives hired investigators who spied on board members and a shareholder. In early 2006, then-Hewlett-Packard Chair Patricia Dunn hired private investigators that used “pretexting” to acquire the personal phone records of board members and journalists in an effort to locate the source of leaks to the media. (“Pretexting” is a fancy word for “pretending to be someone else in order to get his or her personal information” — in this case, phone records.) There were various criminal and Congressional investigations. Dunn said she didn’t know that the investigators were pretexting, and the charges against her were eventually dismissed. The scandal prompted Congress to pass the Telephone and Records Privacy Act of 2006, which prohibits pretexting to gather phone record data (with exceptions for law enforcement).
BuzzFeed also reported that another Uber executive, the general manager of Uber NYC, did something that also raises privacy questions. During an e-mail exchange with a journalist, the Uber executive “accessed the profile of a BuzzFeed News reporter, Johana Bhuiyan, to make points in the course of a discussion of Uber policies. At no point in the email exchanges did she give him permission to do so.” This raises the specter of an insider misusing or abusing his data-access privileges to invade the privacy of an individual. We’ve talked before about the problems that arise when insiders abuse or misuse their access to individuals’ data. There have been many such cases. Read more »
November 20th, 2014
The Senate, by a vote of 58 to 42, failed to advance to debate on the USA Freedom Act, a bill to reform bulk data collection by the National Security Agency. The NSA has faced considerable criticism from the public and lawmakers since revelations by former contractor Edward Snowden concerning the agency’s broad surveillance programs. (He revealed several surveillance programs by the agency.) The USA Freedom Act, introduced by Sen. Patrick Leahy (D-Vermont), chairman of the Judiciary Committee, and a host of Democratic and Republican co-sponsors. The legislation was backed by the Obama administration, which called for reforms in January. The Washington Post reports:
Congress and the administration face a June 1 expiration of a key provision of the USA Patriot Act that enables the intelligence community to gather data for counterterrorism purposes. Section 215 allows the government to obtain specific records relevant to particular investigations. But, as Snowden disclosed, it also was the authority cited by the government to enable the NSA to collect data in bulk. Reform advocates want to end that bulk collection but in general maintain the government’s ability to issue targeted orders for data.
The 58-to-42 vote exposed fissures in the GOP over the legislation, with national security-oriented members and a vocal privacy proponent, Sen. Rand Paul (R-Ky.), voting to block the bill — but for different reasons. Read more »
November 19th, 2014
The New York Times reports on privacy questions surrounding apps for tracking students’ behavior in classrooms, such as ClassDojo. The app has addressed one of the concerns listed in the story concerning retention and deletion of the data. The New York Times reports:
ClassDojo is used by at least one teacher in roughly one out of three schools in the United States, according to its developer. The app is among the innovations to emerge from the estimated $7.9 billion education software market aimed at students from prekindergarten through high school. Although there are similar behavior-tracking programs, they are not as popular as ClassDojo.
Many teachers say the app helps them automate the task of recording classroom conduct, as well as allowing them to communicate directly with parents.
But some parents, teachers and privacy law scholars say ClassDojo, along with other unproven technologies that record sensitive information about students, is being adopted without sufficiently considering the ramifications for data privacy and fairness, like where and how the data might eventually be used. [...] Read more »
November 18th, 2014
The Federal Trade Commission announced that it has reached a proposed settlement with TRUSTe, a provider of privacy certifications for online businesses, over its privacy seal program. TRUSTe faced charges “that it deceived consumers about its recertification program for company’s privacy practices, as well as perpetuated its misrepresentation as a non-profit entity.” The FTC said:
TRUSTe provides seals to businesses that meet specific requirements for consumer privacy programs that it administers. TRUSTe seals assure consumers that businesses’ privacy practices are in compliance with specific privacy standards like the Children’s Online Privacy Protection Act (COPPA) and the U.S.-EU Safe Harbor Framework. [...]
The FTC’s complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in over 1,000 incidences, despite providing information on its website that companies holding TRUSTe Certified Privacy Seals receive recertification every year. [...] Read more »