Skip to content

Privacy News: November 17

Federal privacy legislation, Mastodon, an intriguing upcoming event, and more!

A road sign with the word Privacy on it.

Before we get to some very interesting articles on federal privacy legislation and Mastodon, first some important media news – and a very intriguing upcoming event.

Protocol, the tech-news focused website, will shutter and lay off its entire staff

Oliver Darcy, CNN (

San Francisco-based Protocol has announced that they are shutting down and laying off 60 staffers. It's a huge loss for many reasons, including their solid coverage of privacy issues and tech lobbying.  Back in 2021, for example, Emily Birnbaum was the first to report that an Amazon lobbyist had given the first draft of the Virginia Consumer Privacy Bill (based on the Bad Wasington Privacy Act)  to the state legislator to introduced it.  This year, Ben Brody contributed. Quiet industry lobbyists are watering down state privacy laws and What Microsoft, IBM and others won as the privacy bill evolved (focusing on the ADPPA consumer privacy bill I disussed in earlier this week in The elephant and the lame duck: ADPPA after the midterms).  Issie Lapowsky's For Big Tech whistleblowers, there’s no such thing as ‘moving on’, from 2021, is another great example of in-depth reporting Protocol frequently produced.

German media conglomerate Axel Springer acquired Protocol's parent company Politico early this year, ad sales have been slumping, and the tech industry in general is hitting a bumpy road.  Even so it's somewhat surprising they didn't fold at least some of Protocol's newsletters and reporters into Politico.  As IAPP's Cobun Zweifel-Keegan said to Lapowsky on Twitter, she and the whole team helped him do his job – and the same's true for so many of us.

Event: The Fight Against Surveillance: Our Neighbors, Our Safety

Wednesday, November 30, 10:00 a.m. - 12:00 p.m. Pacific / 1:00 - 3:00 p.m. Eastern

From the description:

As funders aiming to secure safety, self-determination, and joy for all–and particularly for those of us committed to ending the harmful practice of mass incarceration—the issue of surveillance is of utmost importance; one which deeply impacts marginalized communities, as well as those fighting for justice and liberation. Without swift intervention from philanthropy, we can only expect increased and more invasive surveillance in our lifetimes....

I invite you to join Spark Justice Fund grantee partners S.T.O.P. (Surveillance Technology Oversight Project), Mijente, and Eye on Surveillance ... for a mini teach-in on surveillance. You’ll hear from a panel of activists leading fights on the ground to progress both anti-surveillance and decarceration efforts—and you’ll leave our gathering better able to understand the strategies needed to progress this work before it’s too late.

Federal Privacy Legislation

What do US midterm results mean for a federal privacy law?

Jessica Lyons Hardcastle on The Register (

Democrats will hold the Senate, with 50 or 51 seats; Republicans are likely to have a razor-thin margin in the House. What does that mean for the American Data Privacy and Protection Act (ADPPA)? Hardcastle's summary matches what I've heard from staffers:

For the bipartisan American Data Privacy and Protection Act, now stalled in the House, this sharply divided Congress could mean lame-duck lawmakers are more likely to compromise on a privacy law instead of rushing appointments and more partisan issues through the process. Or, it could signal the death knell for the ADPPA, and stronger data privacy.

Hardcastle doesn't mention the elephant – although she does mention criticism by Sen. Maria Cantwell (D-WA) of ADPPA for being too weak, and if you follow the link you'll see the elephant.  She also focuses primarily on the blocking issue of preemption (part of the pattern I discussed a few days ago in The elephant and the lame duck), but does mention that people in other states care about preemption too, which is often overlooked.  And there are some interesting quotes giving a lot of texture to the two ways of looking at it.  So it's definitely worth reading!

Kids' privacy online gets yearend push in Congress

Ashley Gold, Axios (

Earlier this year, the Senate Commerce Committee (chaired by Sen. Cantwell) advanced two bipartisan bills: Children and Teens' Online Privacy Protection Act (CTOPPA, also called COPPA 2.0) and the The Kids Online Safety Act (KOSA). Gold reports that Senate leadership, including Sen. Cantwell, plans to make these a priority in the lame duck and quotes KOSA co-sponsor Sen. Richard Blumenthal (D-CT) as saying the most likely path is to attach  the bills to a must-pass bill year-end bill, either defense or the omnibus spending.

Of course, bill sponsors always express confidence in getting them passed, and something the article doesn't mention is that Sen. Roger Wicker (R-MS) has opposed CTOPPA.  Wicker has argued that the effort is better spent on  ADPPA (which also has a section on chidren's privacy), so depending on how many Republicans see it that way, it's possible that these bills fate is intertwined with ADPPA. We shall see! In any case, another very solid article.

Foreign ad tech risks crystalized in new research, Congress has the power to act

Zach Edwards and Alexa Raad on

HUMAN’s Zach Edwards and Alexa Raad discuss the recent Reuters reporting on a Russian software vendor and what this means for the ad tech industry.


If you're on Mastodon, or anywhere else in the Fediverse, check us out at!

Is Mastodon Private and Secure? Let’s Take a Look

Bill Buddington, Electronic Frontier Foundation (

This detailed overview starts with the basics:

  • Private messages aren't end-to-end encrypted, so admins and moderators can read them.  If you need secure messaging, use something like Signal insead.
  • Mastodon's open-soure code is mostly written by volunteers, there isn't a dedicated security team, and some forks have had (and fixed) embarrassing vulnerabilities.  Expect more bugs as the code base gets more attention.
  • Two-factor authentication can help keep your account secure.  Turn it on.

Buddington also discusses the privacy implications of defederation and the absence of full-text search, as well as muting and blocking and challenge of dealing with abusive behavior in a federated environment.

One topic I wish  had been discussed: the privacy and security implications of mainline Mastodon's refusal to support "local-only posts", which have been available in forks like glitch-soc and Hometown since 2017.  This functionality is important for privacy and reducing to exposure to abuse, but relatively few servers make it available.  It will be interesting to see whether lead developer Eugen Rochko, Mastodon's BDFL (Benevolent Dictator for Life), starts to prioritize privacy and anti-abuse enhancements.  Even if that doesn't happen, though, forks and different compatible implementations of the ActivityPub protoco still provide a path forward.

And ...

Telehealth Sites Put Addiction Patient Data at Risk

on WIRED (

New research found pervasive use of tracking tech on substance-abuse-focused health care websites, potentially endangering users in a post-Roe world.

The Hidden Value of Prototyping for Policy Making in Tech and Beyond

Michal Luria on Tech Policy Press (

Prototyping should be used as a research tool in the policymaking process, says CDT Research Fellow Michal Luria, discussing work done with Caroline Sinders.

Unsealed court documents reveal data anarchy at Meta

Johnny Ryan on Irish Council for Civil Liberties (

ICCL letter to European Commission highlights new material about Meta’s internal data systems, and how Meta infringes the DMA & GDPR.

SF Mayor ‘Wallpapered Over’ Privacy Concerns About Police Access to Live Surveillance Cameras, Docs Show

Aaron Gordon on

While privacy groups sounded the alarm, SF Police lobbied for the policy and distributed talking points members of the public read aloud at a hearing.

California Data Privacy Roundup #2

Travis Brennan on JD Supra (

A roundup of several stories, starting with the class action against Apple for their apps continuing to collect data even after users change their settings.

EU’s Digital Services Act enters into force -- but no confirm if Twitter will feel its full force yet

Natasha Lomas on TechCrunch (

The EU’s Digital Services Act enters into force today -- setting the clock ticking on designations that will determine which larger Internet platforms face the toughest oversight.

Privacy Hits a Low at TikTok, Twitter

Teri Robinson on Security Boulevard (

Privacy on social media has taken a hit this month, which should surprise no one. Just days after Elon Musk took over Twitter, the platform’s chief

Lack of privacy stops 43% from seeking advice in pharmacy, survey finds

Emily Stearn on C+D (

More than two fifths of patients would seek advice or medication for self-treatable conditions if there was more privacy in pharmacies, survey results shared exclusively with C+D have revealed.

The First-Party Data Gold Rush: 7 Critical Shifts for Digital Advertising to Thrive

Keith Pieper on Medium (

Digital advertising is changing because free-for-all access to data is ending. Zero and first-party data is becoming the new standard data…

Twitter faces privacy scrutiny over claims it fails GDPR

Craig Hale on TechRadar pro (

Twitter faces a battle to remain GDPR compliant in the EU

Mozilla: These Are the Tech Gifts Privacy-Conscious Shoppers Should Avoid

Rob Pegoraro on PCMag (

Mozilla’s buyers’ guide often amounts to a don’t-buy-this guide, but it also commends some privacy-preserving gadgets.

Location tracking continues to face scrutiny after Google’s latest data privacy settlement

Marty Swant on Digiday (

The tech giant is paying $392 million in a new agreement with 40 state attorneys general, but some expect the industry will face more legal battles.

The Android Privacy Sandbox Will Enter Beta In Early 2023

Allison Schiff on AdExchanger (

Google said it plans to roll out the initial Android Privacy Sandbox beta to Android 13 mobile devices starting early next year.

Worker’s breach-of-privacy claim should be heard by arbitrator: Saskatchewan Court of Appeal

Jason Tan on Canadian Lawyer (

Labour arbitrator, not court, has jurisdiction over breach that arose from employment relationship

Google Play streamlines policies around kids’ apps as regulations tighten

Sarah Perez on TechCrunch (

Google Play today announced a series of changes to its programs and policies around apps designed for children. The company is describing the update as an expansion of its previously launched “Teacher Approved” program, which includes a review process where teachers and experts vetted apps not just…

Amazon RDS snapshots allow extensive leakage of personally identifiable information (PII)

Taryn Plumb on VentureBeat (

According to research from Mitiga, hundreds of databases are exposed monthly — with extensive PII leakage — via Amazon RDS snapshots.

New privacy laws in 2023 — considering draft regulations

Gary Kibel on Reuters (

Gary Kibel of Davis+Gilbert LLP discusses draft regulations in California under its consumer privacy law, one of several consumer privacy laws taking effect in 2023.

Maintaining Patient Privacy when Transferring Medical Information

Anat Even-Chen on JD Supra (

An analysis of the Israeli Privacy Protection Authority's recently-published a draft document  “Protecting Patients’ Privacy When Transferring Medical Information via Digital Devices and Undesignated Software.” Public comments are invited; the deadline is December 6.

Image Credit: Privacy by Nick YoungsonCC BY-SA 3.0Alpha Stock Images via