Privacy News: December 15
Privacy after Roe, surveillance, FTC comments, state and federal privacy legislation, and more!
Privacy after Roe, surveillance, FTC comments, state and federal privacy legislation ... there's so much in the news these last few days that I'm leaving stuff related to Twitter and Mastodon out of this issue of the newsletter, and will have a followon tomorrow. Even without that, though, this is one of the juiciest news roundups yet!
This Privacy Setting Helps Keep Facebook From Tracking You
Katie Teague on CNET (cnet.com)
The Off-Facebook Activity tool lets you see and control data that apps and websites share with the platform, see what information third-party apps can access, and toggle off Future Off-Facebook Activity – which tells Facebook to disconnect any information the company has shared from your account. Huzzah!
The headline's a bit overblown; Facebook will still track you in other ways. Also, the activity lists don't show all the activity that Facebook has received – for example, information they've received when you're not logged into Faecbook, or details such as items added to your shopping cart. Still, it's a very valuable privacy setting, one one that most people don't know about.
The article says the setting's under Settings & Privacy > Settings > Off-Facebook Activity – presumably that's talking about the app. On the web interface, I found it in Settings & Privacy > Settings > Privacy > Your Facebook Information > Off-Facebook Activity
Automated decision systems
Economies of Virtue – The Circulation of ‘Ethics’ in AI
Edited by Thao Phan, Jake Goldenfein, Declan Kuch, and Monique Mann, on the Institute of Network Cultures (networkcultures.org)
Theory on Demand #46 features articles from a really outstanding list of authors: Corinne Cath and Os Keyes; Sarah Pink; Rodrigo Ochigame; Sy Taffel, Laura Bedford, and Monique Mann; Angela Daly; Tsvetelina Hristova and Liam Magee; Michael Richardson; Jake Goldenfein, Lilly Irani, J. Khadijah Abdurahman, and Alex Hanna; Jathan Sadowski, Thao Phan, and Meredith Whittaker. From the blurb:
This anthology is a collective response to the reification of ethics into commodity forms. It explores how industry participation in ‘ethical AI’ research has created a new ‘economy of virtue’—a massive network of actors variously situated across industry, civil society, and universities, producing and circulating ethics as a service and a product. The contributors present both critical perspectives and first-hand experiences of this economy. They address a wide range of topics including: the contradictions and personal dilemmas of working in industry-funded spaces; case studies of AI ethics in domains such as defence, facial recognition, and standards setting; critical assessments of techniques like green-washing and the manufacture of trust; and the risks and practicalities of direct action such as speaking up, organizing against and dropping out. Together, these contributions give voice to the intractable problems of co-option, capture, and complicity that plague AI ethics, and give shape to the networks and circulations defining the field.
For AI bias law coming January 1, unanswered questions remain
Sharon Goldman on VentureBeat (venturebeat.com)
On January 1, a new law regulating the use of AI employment decision tools goes into effect. What does it mean for U.S. businesses?
Privacy after Roe
Give a Mouse a Cookie, Get a BAA: OCR Bulletin on Tracking Raises HIPAA Risks for HIPAA-Regulated Entities and Online Tracking Vendors
Mason Fitch on Privacy Law Matters (hintzelaw.com)
A deep dive into the recent Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associate bulletin from the U.S. Department of Health & Human Services Office for Civil Rights (OCR) – and what covered entities and business partners need to do to ensure they're complying. The bulletin explains how HIPAA’s reach extends to information collected on websites or mobile apps.
While HIPAA-regulated entities have long understood that their ‘internal tools’ (ex: EHR’s, practice management, and clinical support software) must comply with HIPAA, the new bulletin makes it clear that information that is routinely collected by vendors on public-facing websites, apps, and web-based assets may be PHI as well.
FTC
Record Set: Assessing Points of Emphasis from the Public Input on the FTC’s Privacy Rulemaking
Tatiana Rice, Felicity Slater, and Chloe Suzman on Future of Privacy Forum (fpf.org)
A very interesting analysis based on sampling 70 of the more than 1,200 comments on the Federal Trade Commission’s Advance Notice of Proposed Rulemaking (ANPR) on “Commercial Surveillance and Data Security.” There was broad agreement on the value of data minimization (even Palantir and Google) and data security. The biggest area of contention is the FTC's authority, where trade associations and business communities unsurprisingly think they shouldn't have to be regulated. Also, there's a split on whether "commercial surveillance" is a good term; commercial surveillance trade association ITIF doesn't like it, and neither do other commenters (presumably commercial surveillance trade associations or businesses). Funny how that works.
The authors also looks at the range of opinions on health data (especially important in light of the Dobbs decision ending the right to abortion), children's data, and Automated Decision-Making and Civil Rights. I was disappointed that FPF didn't include my comments on Consent, Automated Systems, and Discrimination, which I thought made some good points that others didn't, such as
The FTC should develop its regulations working with the people most likely to be harmed by commercial surveillance – and prioritize their needs.
But then again they didn't mention any comments from individuals so hopefully it isn't anything personal. Anyhow, organizations concerned about discrimination thing the FTC should regulate; and industry groups suggest waiting for Congress to act. Since the American Data Privacy and Protection Act that Congress is currently considering allows commerical surveillance companies like Facebook and Google to do their own algorithmic impact assessments to see whether their software is discriminator, and exempts commercial surveillance service providers like Palantir and ShotSpotter, you can certainly see why industry would prefer that.
EPIC Commends FTC for Including Data Minimization & Data Rights in Chegg Settlement
on EPIC - Electronic Privacy Information Center (epic.org)
State privacy legislation
Cross-context behavioral advertising is ‘sale.’ It is time to get over it.
Michael Hahn and Tony Ficarrotta on International Association of Privacy Professionals (iapp.org)
Of course it is, but really matters here is that Hahn is General Counsel and Executive Vice President of IAB, the Interactive Advertising Bureau, so this is essentially the official position of the ad industry. It relates to what some saw as ambiguity in the langauge of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA, an update to CCPA passed in 2020 and going into effect on January 1, 2023) and how it relates to cross-context behavioral advertizing (CCBA).
The notion the CPRA amended the CCPA to make “sales” and “shares” mutually exclusive categories of personal information disclosures is fundamentally at odds with the structure of the law, which provides for those concepts to overlap. Indeed, a better reading of the CPRA is that all “shares” are “sales,” but not all “sales” are “shares.” For example, if an industry participant engages in CCBA, it is both a “share” and a “sale.” But there are certain measurement and reporting functions that can support CCBA, or other forms of advertising such as contextual, that are likely “sales” but not “shares....”
In order to support continued growth in an increasingly fraught regulatory environment, we as an industry must coalesce around a common understanding of the CPRA that accepts the broad scope of the law. Our job is to comply. And that begins by accepting the term “sale,” which is here to stay, includes the CCBA.
I'm not an expert on CPRA, CCPA, and CCBA interact but I think this aligns with the intent of the CPRA and the position of Califorinia Consumer Privacy Agency. If so, good for IAB!
The California Privacy Rights Act Brings New Data Requirements for Employers in 2023
Molly Arranz on JD Supra (jdsupra.com)
When CPRA goes into effect on January 1, 2023, it will end CCPA's temporary exemption for employee's data. This means that its protections now apply to , job applicants, officers, directors, and independent contractors as well as consumers. Arranz discusses what employers need to do to prepare for this.
How many businesses put up a “Do Not Sell My Personal Information” link even when they don’t have to?
David A. Zetoony on The National Law Review (natlawreview.com)
8% – at least according to Greenberg Traurig LLP, who reviewed the publicly available privacy notices and practices of 555 companies.
A bit of background: under CCPA, Companies that don't sell personal information – and say so in their privacy notice – don't have to have a “Do Not Sell My Personal Information” link. But some do, to give them the flexibility to sell the personal information they've collected at some point in the future. I'm not sure just what to think about the 8% number, but it's an interesting data point – and the first one of its type I've seen.
Federal privacy legislation
Revamped Kids’ Online Privacy Bill Emerges in Year-End Push
Maria Curi, Bloomberg Government (bgov.com)
Kids Online Safety Act (KOSA) Senate sponsors Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.) unveiled a reworked version of the bill Tuesday. It's an attempt to look like they're responding to the criticism from more than 90 human rights and LGBTQ Groups who sent a letter opposing it. As Ari Cohn of Tech Freedom says, it's better but still pretty bad. Cohn's thread goes into detail on how the improvements don't really address the major underlying issues.
VICTORY! The Safe Connections Act is Now Law
India McKinney on Electronic Frontier Foundation (eff.org)
The Safe Connections Act makes it easier for survivors of domestic violence to separate their phone line from a family plan while keeping their own phone number. It also requires the FCC to create rules to protect the privacy of the people seeking this protection. This bill overwhelmingly passed both chambers of Congress, and it was signed by the President on December 7, 2022, making it Public Law 117-223. It's not a perfect bill but it's a good incremental step.
Nearly 40 press rights and civil liberties organizations urge Sen. Schumer to help pass the PRESS Act
Freedom of the Press Foundation on Freedom of the Press (freedom.press)
Letter argues that law would curtail trend of government surveillance of journalists.
Surveillance
Surveillance Was Supposed to Make Long-Haul Trucking Safer. Did It?
Karen Levy on Slate (slate.com)
The results were surprising—and alarming. This is an excerpt from Levy's Data Driven: Truckers, Technology, and the New Workplace Surveillance, which has gotten great reviews (including Zephyr Teachout's Cyborgs on the Highways which was in the December 11 newsletter but is worth mentioning again!
The biggest lie tech people tell themselves — and the rest of us
Rose Eveleth on Vox (vox.com)
They see facial recognition, smart diapers, and surveillance devices as inevitable evolutions. They’re not.
Cops missing information on surveillance
Yawu Miller on The Bay State Banner (baystatebanner.com)
Last year, the Boston City Council passed a sweeping law aimed at reining in surveillance practices by the Boston Police Department and other city agencies. Like surveillance ordinaces elsewhere, this required city departments to report on surveillance technologies their using like facial recognition, license plate readers, ShotSpotter and other gunshot detction technologies.
Yet during a hearing Monday with the Boston Police Department, police officials were unable to provide key pieces of information required by the ordinance, such as the location of surveillance devices or even how many officers have access to the information culled by such devices.
Can police use facial recognition as probable cause? Probably not, but some are doing it anyway
Benjamin Powers on Grid News (grid.news)
Using facial recognition has implications for the judicial system, from false arrests to racial bias
Violation of Right to Privacy: Karti Chidambaram on ‘Orwellian’ usage of facial recognition by Chennai police
Aihik Sur on Moneycontrol (moneycontrol.com)
This comes a few days after the Greater Chennai Police admitted to using the technology in response to a tweet by a Chennai resident.
And ...
Forget erasure: why blockchain is really incompatible with the GDPR
Elizabeth M. Renieris on Berkman Klein Center Collection (medium.com)
Whether blockchain-based projects can comply with the GDPR is a question of much debate and controversy at present.
What privacy issues are on deck for 2023? Here are some of the most interesting ones (Part One)
KDW Privacy Team on Kelley Drye's Ad Law Access (adlawaccess.com)
Five new state privacy laws will take effect at various points in 2023; other states may pass their own laws; the FTC has a rulemaking in progress ...
If 2022 was the year that regulators and companies spent positioning themselves on the field, 2023 will be the year the balls start flying.
Sen. Warren presses Defense Secretary about ex-Google CEO Schmidt’s potential conflicts when he advised Pentagon on AI
Eamon Javers,Kevin Breuninger on CNBC (cnbc.com)
Elizabeth Warren pressed Defense Secretary Lloyd Austin about ex-Google CEO Eric Schmidt’s time on advisory panels connected to an industry he was investing in.
SIA and NTNU survey practitioners on Privacy by Design in national digital IDe
Alessandro Mascellino on BiometricUpdate.com (biometricupdate.com)
The Secure Identity Alliance (SIA) and the Norwegian University of Science and Technology (NTNU) have partnered to conduct a survey on the implementation of Privacy by Design principles within National Digital Identity Systems (NDIS).
EU confirms draft decision on replacement US data transfer pact
Natasha Lomas on TechCrunch (techcrunch.com)
The European Commission has announced a draft decision on US adequacy, paving the way for a replacement EU-US data transfer deal to be adopted next year.
Privacy Advocates Love Strong Encryption, The FBI Doesn’t—Here’s Why
Sascha Brodsky on Lifewire (lifewire.com)
Apple has released new end-to-end encryption that helps protect iCloud data and security advocates love it, but the FBI doesn’t because it makes it harder for the agency to catch criminals.
Google urges advertisers to test post-cookie solution as it updates ‘Privacy Sandbox’
Garett Sloane on Ad Age (adage.com)
Google updates its “Privacy Sandbox” with call for the industry to test it more, as advertisers look for alternate targeting techniques.
Apple’s End-to-End Encryption of Cloud Data a Victory for Privacy, Security and Safety
Mallory Knodel, Nick Doty on Center for Democracy and Technology (cdt.org)
Apple’s new features and service commitments that provide broader accessibility of strong end-to-end encryption are a victory for privacy and security, including safer online services for children. CDT is encouraged that Apple has taken onboard our and other advocates’ and experts’ advice in moving…
Privacy watchdogs to bite into edtech in 2023, analyst predicts
Eric Johansson on Verdict (verdict.co.uk)
The edtech industry ballooned during the pandemic, but analysts now predict the sector will become the next target for privacy regulators.
Dark patterns, online ads will be potential targets for the next Commission, Reynders says
Luca Bertuzzi on EURACTIV (euractiv.com)
The Privacy War Is Coming
Damian Tommasino on Dark Reading (darkreading.com)
Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.
Greek MPs Clash Over New Privacy Communications Bill
Eleni Stamatoukou on Balkan Insight (balkaninsight.com)
Political parties in parliament confront one another over government’s attempt to put a lid on the Predator spyware scandal by passing a new bill on communications privacy.
Your selfies are helping AI learn. You did not consent to this.
Shira Ovide on The Washington Post (washingtonpost.com)
What are the rules of the road for the A.I. age, where anything you share online might train a computer system that puts an innocent person in jail?
A Promising New GDPR Ruling Against Targeted Ads
Gennie Gebhart on Electronic Frontier Foundation (eff.org)
Targeted advertising’s days may be numbered. The Wall Street Journal and Reuters report that the European Data Protection Board has ruled that Meta cannot continue targeting ads based on user’s online activity without affirmative, opt-in consent. This ruling is based on the European Union’s General.…
Around 360K people in Ontario affected by COVAXon privacy breach
Hannah Jackson on Global News (globalnews.ca)
The ministry said in over 95 per cent of cases, only names and/or phone numbers were impacted in the breach.
Understanding International Data Transfers and Privacy Protection Under Schrems II
TrustArc Privacy Intelligence on TrustArc Privacy Blog (trustarc.com)
TrustArc’s privacy experts explain how the rules for EU international data transfers changed after the Schrems II decision, including several updates to standard contractual clauses (SCCs).
Tapping Phone Lines Or Recording Calls Without Consent Violates Right To Privacy: Delhi High Court, Grants Bail To Former Mumbai Police Chief
Nupur Thapliyal on Live Law (livelaw.in)
The Delhi High on Thursday said that tapping phone lines or recordin
PODCAST: Right on!: Where enforcement meets Privacy (Glyn Moody)
on Buzzsprout (buzzsprout.com)
In this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Outschool have a rousing good time with Glyn Moody, author of the recent book Walled Culture: How Big Content Uses Technology and the Law to Lock Down Culture and Keep Creators Poor.
Legal threat follows NHS data pilot based on Palantir tech
Lindsay Clark on The Register (theregister.com)
‘Acute and justifiable fear’ in the way patient data is set to be processed, campaigners warn
Jammu And Kashmir’s Unique Family ID Move Raises Concerns Over Data Privacy
Press Trust of India on NDTV (ndtv.com)
The Jammu and Kashmir administration is planning to create an authentic database of all families in the Union territory with each of them having a unique alpha-numeric code.
Senator: TikTok Bans Won’t Solve Data Privacy Issues
By: Jose Rascon on MeriTalk (meritalk.com)
Amid the recent rush at the Federal and state levels to ban or curtail use of the China-based TikTok social media app, at least one U.S. senator says that those actions would not be sufficient to prevent China interests from accessing personal data on United States citizens.
Image Credit: Privacy by Nick YoungsonCC BY-SA 3.0Alpha Stock Images via picserver.org.