    Archive for the ‘Security’ Category

    States Are Taking Privacy Into Their Own Hands

    Tuesday, April 30th, 2019

    When people consider data protection officers and privacy regulators, they mostly think about foreign agencies who have made headlines with their battles to protect sensitive personal information from misuse or abuse, such as the U.K. Information Commissioner’s Office or France’s Commission nationale de l’informatique et des libertés (CNIL). In January, the CNIL fined Google 50 million euros “in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” And earlier this month, the ICO fined Bounty UK Limited 400,000 pounds because the pregnancy and parenting club “illegally shar[ed] personal information belonging to more than 14 million people.” Last year, the Hong Kong privacy commissioner launched an investigation into “the massive data breach at Cathay Pacific Airways that affected millions of its passengers.”

    Although the data protection agencies can be restricted in their efforts in many ways, and there are questions about the adequacy of some of them, it is notable that these countries have a national agency to handle the privacy and security of sensitive personal data. They also have data protection officers at lower levels of government.

    In the United States, there is no one information protection agency at the federal level. The responsibility is splintered, and the agencies’ power can be handicapped. Some of the agencies include the Privacy and Civil Liberties Oversight Board, the Department of Homeland Security’s Privacy Office, the Department of Health and Human Services, and the Federal Trade Commission.

    The PCLOB was recommended by the 9/11 Commission, and the board was created in 2004 and placed within the White House. In 2008, Congress passed and President Bush signed the “Implementing the 9/11 Commission Recommendations Act of 2007,” which took the Privacy and Civil Liberties Oversight Board out of the White House and established it “as an independent agency within the executive branch.” Although it has been hobbled throughout its history by vacancies, it has released reports on the National Security Agency’s bulk telephone records surveillance program and on a surveillance program operated under Section 702 of FISA.

    What’s the Weather? Using an App to Answer Could Mean Giving Up Privacy.

    Friday, February 1st, 2019

    Recently, there has been increasing scrutiny of weather apps and the data that they collect. There have been public outcries after investigations and research have revealed mobile apps are tracking the locations of their users even when they say no to sharing the location data. 

    In Los Angeles, City Attorney Mike Feuer filed suit in early January against TWC Product and Technology, the maker of the Weather Channel mobile app. He accused the app of “covertly mining the private data of users and selling the information to third parties, including advertisers.” 

    The complaint alleges that TWC used the geolocation tracking technology present in the app to monitor where users live, work, and visit, twenty-four hours a day, as well as how much time users spend at each location. The complaint further alleges that TWC led its users to believe that their location data would only be used to provide them with “personalized local weather data, alerts and forecasts.” Instead, TWC allegedly sends this information to affiliates of its parent company, IBM, and other third parties for advertising and other commercial purposes entirely unrelated to the weather.

    The lawsuit alleged that TWC buried the location-tracking information in its privacy policy. It seeks an injunction “prohibiting TWC from continuing to engage in allegedly unfair and fraudulent business activities, including deceptively collecting and selling personal data, as well as Civil Penalties up to $2,500 for each violation.”

    IBM’s initial response was to tell the New York Times that TWC “has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously.”

    As COPPA Turns 20, What’s Next for Children’s Privacy?

    Monday, October 29th, 2018

    The Children’s Online Privacy Protection Act became law in October 1998, and the Federal Trade Commission promulgated its rule concerning the law in the next couple of years. It has been 20 years of ups and downs for privacy protection for children’s data. There continue to be numerous privacy challenges for parents seeking to safeguard their children’s personal information.

    As soon as they are born and are issued identification numbers, children face the risk of identity theft. Such thefts can be undetected for years, until a young adult has reason to use her Social Security Number for a loan or credit card. We have schools tracking children (and college students) with camera surveillance systems or RFID-enabled school uniforms or ID cards. Some schools started using biometric ID systems for students to pay for their lunches. There are concerns about tracking apps such as ClassDojo, which can be used by teachers and parents to monitor students’ progress.

    The FTC marked the 20th anniversary by noting it has made changes to its Rule over the years: “by amending the Rule to address innovations that affect children’s privacy – social networking, online access via smartphone, and the availability of geolocation information, to name just a few. After hosting a national workshop and considering public comments, we announced changes to the Rule in 2013 that expanded the types of COPPA-covered information to include photos, video, or audio files that contain a child’s image or voice.”

    In Schools, Camera Use Grows Beyond Security Into Evaluating Student Performance

    Friday, July 27th, 2018

    Security in school has increasingly included surveillance of schools. Previously, we discussed some schools using RFID-enabled school uniforms or cards to track students. There’s also been discussion of the use of video surveillance systems, also called CCTV for closed-circuit television, in schools. As the installation of such surveillance systems in K-12 grades and colleges and universities became widespread, officials said the systems were for improved security and to be used by school security or police. But video surveillance has begun spreading beyond security in some schools.

    Several years ago, ten schools in the United Kingdom began using facial-recognition camera surveillance systems to make sure students “have turned up, records whether they were on time or late and keeps an accurate roll call,” reported the Daily Mail. And earlier this year, India’s capital of Delhi “said CCTV will be installed in all government schools within three months” and “Parents in India’s capital will soon be able to watch their children in the classroom in real time, using a mobile phone app,” reported BBC News. (And several schools in India have used RFID technology to track students, including for attendance logs.)

    But an even more intimate form of camera surveillance in classrooms is being used in China. People’s Daily Online reports:

    The “intelligent classroom behavior management system” used at Hangzhou No. 11 High School incorporates a facial recognition camera that scans the classroom every 30 seconds. The camera is designed to log six types of behaviors by the students: reading, writing, hand raising, standing up, listening to the teacher, and leaning on the desk. It also records the facial expressions of the students and logs whether they look happy, upset, angry, fearful or disgusted.

    The Speed of Tech Advances Can Be a Hindrance to, But Also Can Help, Privacy Rights

    Tuesday, June 5th, 2018

    There has been an ongoing discussion about how privacy rights can be eroded because laws do not anticipate changing technology. The most prominent example is the Electronic Communications Privacy Act, which was passed in 1986 and remains mired in the technology of that time, which did not include cloud computing, location tracking via always-on mobile devices and other current technology that can reveal our most personal information. (The World Wide Web was invented three years later, in 1989.)

    While ECPA includes protection for email and voicemail communications, the 180-day rule is archaic as applied to how the technology is used today. (The rule is: If the email or voicemail message is unopened and has been in storage for 180 days or less, the government must obtain a search warrant. If the message is opened or has been stored unopened for more than 180 days, the government can access your message via a special court order or subpoena.) Thirty-two years ago, people had to download their email to their computers; the download would trigger an automatic deletion of the content from the provider’s servers. The government could not subpoena an Internet Service Provider (ISP) for your email because the ISP did not have it in 1986. Now, copies of your private email remain stored in the cloud for years by third-party service providers (Google, Facebook, Dropbox, etc.).

    Privacy and civil liberty advocates have been trying for years to update ECPA. Last year, the U.S. House passed the Email Privacy Act, which would codify the rule set out in 2008’s Sixth Circuit case Warshak v. United States: The government must obtain a warrant before it can seek to compel an ISP or other service provider to hand over a person’s private messages. This year, the Email Privacy Act is part of the House version of the National Defense Authorization Act, a must-pass bill. But the Senate has its own version of the NDAA and it’s unknown whether the privacy legislation will be part of it.

    Fitness Apps Can Be Fun, But Who Else Is Seeing Your Personal Data?

    Wednesday, March 28th, 2018

    Recently, an Australian student publicized that Strava, a fitness app, had published online a Global Heat Map that “uses satellite information to map the locations and movements of subscribers to the company’s fitness service over a two-year period, by illuminating areas of activity,” according to the Washington Post. Strava “allows millions of users to time and map their workouts and to post them online for friends to see, and it can track their movements at other times,” the New York Times reports.

    The data, culled from Strava’s 27 million users (who own Fitbits and other wearable fitness devices), is not updated in real-time. Yet the map still raised privacy and security questions for Strava’s users.

    A similar case in 2011 concerning wearable device Fitbit also raised privacy questions about searchable fitness data. There was an uproar over Fitbit’s privacy settings when people who were logging their sexual activity as a form of exercise learned that the data was showing up in Google searches. And in 2014, Jawbone faced criticism after it published data about how many people wearing its fitness tracker woke up during an earthquake in Northern California. People questioned whether Jawbone’s privacy and data-sharing policies had disclosed such use of their health data.

    Fitness devices, including smartwatches, and mobile health or wellness apps are used by tens of millions of people worldwide. There are many such apps available in Apple’s and Google’s app stores. The data gathered can reveal much personal information about individuals. In the case of Strava, you could track patterns of activity over the two years’ worth of data.