Search


  • Categories


  • Archives

    Data Brokers, Consumer Profiles and Privacy

    January 7th, 2015

    The Federal Trade Commission recently announced that it had charged in a federal court complaint (FTC pdf; archive pdf) that data broker LeapLab “sold the sensitive personal information of hundreds of thousands of consumers — including Social Security and bank account numbers — to scammers who allegedly debited millions from their accounts.” There is an industry for gathering data on individuals — there are data brokers such as LeapLab, Acxiom and Choicepoint, along with individual companies tracking individuals’ online and offline behavior to create consumer profiles. (Here’s a great New York Times article from 2012 that takes an in-depth look at “How Companies Learn Your Secrets.”)

    The FTC said, “data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.” Read more »

    Note to Readers: Off for the Holidays

    December 18th, 2014

    I’m taking time off for the holidays and will resume posting here in January. I’ll be posting sporadically on Twitter, so follow me there @privacylives if you want privacy news.

    Update: Netherlands Threatens to Fine Google Over Privacy Policy

    December 16th, 2014

    In the ongoing case concerning Google’s changes to its privacy policies a couple of years ago, the Netherlands announced that it will fine the Internet services giant if it doesn’t meet certain requirements by February 2015. “The Dutch Data Protection Authority (Dutch DPA) has imposed an incremental penalty payment on Google. This sanction may amount to 15 million euros. The reason for the sanction is that Google is acting in breach of several provisions of the Dutch data protection act with its new privacy policy, introduced in 2012.”

    Here’s a recap of the controversy and legal questions surrounding Google’s change to its privacy policies. In January 2012, Google announced changes in its privacy policies that would affect users of its services, such as search, Gmail, Google+ and YouTube. Advocates and legislators questioned the changes, saying that there were privacy issues, and criticized (pdf) the Internet services giant for not including an opt-out provision. The critics included 36 U.S. state attorneys general, who wrote to (pdf) Google raising privacy and security questions about the announced privacy policy changes. The EU’s Article 29 Data Protection Working Party wrote to (pdf) to the online services giant about the privacy policy changes, which affect 60 Google services. The Working Party, which includes data protection authorities from all 27 European Union member states as well as the European Data Protection Supervisor, asked Google to halt implementation of these changes while the data protection authority in France (the National Commission for Computing and Civil Liberties, CNIL) investigates. Google refused and its new privacy policies went into effect in March 2012. The CNIL investigation continued, and in January, CNIL fined the Internet services giant €150,000 ($204,000) over privacy violations. Read more »

    Update: Digital Ad Firm PointRoll Settles with Six States Over Bypassing Safari Privacy Settings

    December 15th, 2014

    In the latest news concerning a 2012 circumvention of a Web browser’s privacy settings, New York Attorney General Eric T. Schneiderman announced that digital advertising company PointRoll — part of media giant Gannett, which owns USA Today and Gannett Broadcasting — has agreed to a $750,000 settlement with New York, New Jersey, Connecticut, Florida, Maryland and Illinois.

    To recap: In February 2012, the Wall Street Journal reported on new research by Stanford researcher Jonathan Mayer that shows four companies seek to circumvent consumers’ privacy settings in Apple’s browser, Safari. The four companies are: Google, Vibrant Media, Media Innovation Group and PointRoll. Google said the circumvention was a mistake and it has disabled the code, but there was (pdf) public criticism, including a complaint (pdf) filed with the Federal Trade Commission. Questions were raised about whether the Safari circumvention meant that Google had violated a settlement it made with the FTC last year over Google’s Buzz product. The Internet services giant had agreed to a comprehensive privacy program to settle charges (pdf) it “used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz. In August 2012, the FTC announced Google would have to pay a minimal-for-the-Internet-giant fine of $22.5 million to settle charges that it circumvented users’ Do Not Track privacy settings in Safari. In November 2013,  Maryland announced that it joined 36 states at the District of Columbia in settling with Google for $17 million. Read more »

    Colleges, Universities Increasingly Review Applicants’ Social Media Postings

    December 11th, 2014

    I’ve written before about how postings on Twitter, Facebook, Google+ and other social-media sites have been used against individuals. Such sites have been used to gather evidence in trials against jurors and defendants, in divorce cases, against employees (which can lead to lawsuits), politicians and high school students.

    We’ve seen it affect applicants to jobs in the United States and abroad. For a while, there was increasing focus on the practice by some employers of requiring job applicants to hand over their passwords or allow access to their private accounts on social-networking sites in order to gather personal data when the social-networking profiles are closed to the public. States including CaliforniaIllinois and Maryland passed laws to protect employees from such prying by employers; Maryland’s law includes exemptions for employers for some investigations into possible wrongdoing by employees.

    Recently, the New York Times reported that students are scrubbing their accounts in anticipation of colleges and universities reviewing the social-media postings of applicants. The social-media searches by colleges and universities have been occurring for several years. Six years ago, education services firm Kaplan surveyed 320 college and university admissions officers and found “one out of ten admissions officers has visited an applicant’s social networking Web site as part of the admissions decision-making process.”  Read more »

    Continuing Debate on Privacy and Use of Newborns’ Blood Samples

    December 1st, 2014

    There has been considerable debate about the ethical, privacy, and civil liberty issues surrounding the unauthorized or unknowing retention and use of babies’ blood samples for purposes other than disease-screening in the United States and abroad. Often, parents are not told of the possible lengthy data retention period, possible distribution to other agencies, and possible other purposes for which their children’s blood samples could be used. Now, WNCN in North Carolina looks at the situation, and what it finds shows there are also questions about de-identification or “anonymization” of newborns’ medical data.

    Asked what the government plans to do with the data, Scott Zimmerman, director of the N.C. State Public Health Lab, said, “So if an outside agency such as an academic institution approaches us and asks for dried blood spots, there are two approaches that can be taken. One, we can get parental consent to release that dried blood sample to an outside entity. We will not release any DBS that contains patient information without parental consent.”

    Zimmerman added, “The only other way DBS are released is if they are de-identified.”

    Researchers have shown that, often, data that has been de-identified can be re-identified (or “de-anonymized”), and sensitive data could be linked back to an individual. Therefore, there is a significant privacy concern for individuals’ whose information is shared, without their consent, in this manner.  Read more »