Recently, a news report said employees of multimedia messaging app Snapchat were using internal tools to violate the privacy rights of users, shining a light on the security threat that can arise from knowledgeable insiders. But the problem of insiders misusing or abusing their access privileges in order to invade the privacy rights of individuals is not new. 

In Snapchat’s case, Motherboard reported: “Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users.” Sources and emails obtained by the news outlet, “described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user’s Story).”

But Snapchat is hardly the first private company to face problems with employees abusing or misusing their security access privileges to violate customers’ privacy. And it is not just technology companies facing these issues. 

In 2014, the Indiana Court of Appeals upheld a jury’s verdict against a Walgreen concerning a pharmacy employee who accessed the medical record of a customer and gave the prescription information to the customer’s ex-boyfriend, whom the employee was dating. In the case, Hinchy v. Walgreen Co., et al. (pdf), Walgreen was found liable for negligent supervision and retention and invasion of privacy. In 2015, the court, upon rehearing, affirmed the original decision (pdf). 

When people consider data protection officers and privacy regulators, they mostly think about foreign agencies who have made headlines with their battles to protect sensitive personal information from misuse or abuse, such as the U.K. Information Commissioner’s Office or France’s Commission nationale de l’informatique et des libertés (CNIL). In January, the CNIL fined Google 50 million euros “in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” And earlier this month, the ICO fined Bounty UK Limited 400,000 pounds because the pregnancy and parenting club “illegally shar[ed] personal information belonging to more than 14 million people.” Last year, the Hong Kong privacy commissioner launched an investigation into “the massive data breach at Cathay Pacific Airways that affected millions of its passengers.”

Although the data protection agencies can be restricted in their efforts in many ways, and there are questions about the adequacy of some of them, it is notable that these countries have a national agency to handle the privacy and security of sensitive personal data. They also have data protection officers at lower levels of government.

In the United States, there is no one information protection agency at the federal level. The responsibility is splintered, and the agencies’ power can be handicapped. Some of the agencies include the Privacy and Civil Liberties Oversight Board, the Department of Homeland Security’s Privacy Office, the Department of Health and Human Services, and the Federal Trade Commission.

The PCLOB was recommended by the 9/11 Commission, and the board was created in 2004 and placed within the White House. In 2008, Congress passed and President Bush signed the “Implementing the 9/11 Commission Recommendations Act of 2007,” which took the Privacy and Civil Liberties Oversight Board out of the White House and established it “as an independent agency within the executive branch.” Although it has been hobbled throughout its history by vacancies, it has released reports on the National Security Agency’s bulk telephone records surveillance program and a Section 702 of FISA surveillance program. 

Increasingly, targeted behavioral advertising is in the news. Sometimes, the ads created and displayed to individuals are innocuous. But the targeted advertising also can add to a person’s emotional burden at difficult times, as detailed in a recent case below. 

Targeted behavioral advertising is where a user’s online activity is tracked so that ads can be served based on the user’s behavior. What began as online data gathering has expanded — now there’s online and offline data collection and the tracking of consumers’ habits. Companies can also buy information on individuals from data brokers.

Some people are uncomfortable with the tracking and targeting by companies and attempt to opt out; by declining to be tracked via e-mail address or by having your Web browser send an opt-out signal to a company as you conduct your online activity. Opt-out puts the burden on consumers to learn about what the privacy policies are, whether they protect consumer data, whom the data is shared with and for what purpose, and how to opt out of this data collection, use and sharing. Consumer advocates support opt-in policies, where companies have an incentive to create strong privacy protections and use limitations so consumers will choose to share their data. 

People also have installed ad-blocker technology to avoid seeing ads. But there has been a battle. For example, Apple’s Safari browser and Mozilla’s Firefox browser have included anti-tracking technology for years. However, some companies choose not to respect Do Not Track signals sent by Web browsers.

Recently, there has been increasing scrutiny of weather apps and the data that they collect. There have been public outcries after investigations and research have revealed mobile apps are tracking the locations of their users even when they say no to sharing the location data. 

In Los Angeles, City Attorney Mike Feuer filed suit in early January against TWC Product and Technology, the maker of the Weather Channel mobile app. He accused the app of “covertly mining the private data of users and selling the information to third parties, including advertisers.” 

The complaint alleges that TWC used the geolocation tracking technology present in the app to monitor where users live, work, and visit, twenty-four hours a day, as well as how much time users spend at each location. The complaint further alleges that TWC led its users to believe that their location data would only be used to provide them with “personalized local weather data, alerts and forecasts.” Instead, TWC allegedly sends this information to affiliates of its parent company, IBM, and other third parties for advertising and other commercial purposes entirely unrelated to the weather.

The lawsuit alleged that TWC buried the location-tracking information in its privacy policy. It seeks an injunction “prohibiting TWC from continuing to engage in allegedly unfair and fraudulent business activities, including deceptively collecting and selling personal data, as well as Civil Penalties up to $2,500 for each violation.”

IBM’s initial response was to tell the New York Timesthat TWC “has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously.”

The Children’s Online Privacy Protection Act became law in October 1998, and the Federal Trade Commission promulgated its rule concerning the law in the next couple of years. It has been 20 years of ups and downs for privacy protection for children’s data. There continue to be numerous privacy challenges for parents seeking to safeguard their children’s personal information.

As soon as they are born and are issued identification numbers, children face the risk of identity theft. Such thefts can be undetected for years, until a young adult has reason to use her Social Security Number for a loan or credit card. We have schools tracking children (and college students) with camera surveillance systems or RFID-enabled school uniforms or ID cards. Some schools started using biometric ID systems for students to pay for their lunches. There are concerns about tracking apps such as ClassDojo, which can be used by teachers and parents to monitor students’ progress.

The FTC marked the 20th anniversary by noting it has made changes to its Rule over the years: “by amending the Rule to address innovations that affect children’s privacy – social networking, online access via smartphone, and the availability of geolocation information, to name just a few. After hosting a national workshop and considering public comments, we announced changes to the Rule in 2013 that expanded the types of COPPA-covered information to include photos, video, or audio files that contain a child’s image or voice.” Read more »

As people increasingly use personal fitness devices, such as Fitbits, or health-tracking apps, such as Strava, there has been increasing concern about individual medical privacy as the data is gathered and used, sometimes for purposes of which runners or cyclists were unaware. People have questioned where this data collection could lead.

Recently, U.S. life insurance giant John Hancock announced one path for fitness tracking: To cut life insurance rates. Beginning next year, John Hancock, in partnership with Vitality Group, “will stop underwriting traditional life insurance and instead sell only interactive policies that track fitness and health data through wearable devices and smartphones,” Reuters reported. “Policyholders score premium discounts for hitting exercise targets tracked on wearable devices such as a Fitbit or Apple Watch and get gift cards for retail stores and other perks by logging their workouts and healthy food purchases in an app.”

Currently, John Hancock’s program is voluntary and there are numerous other life insurance companies that offer traditional policies, which do not involve constantly tracking individuals’ health and fitness information through wearable devices. But how soon will this change, to where more and more people are pressured to give up such personal data, such daily information, in order to have policies to protect their families?  Read more »