Author Archive

New FPF Paper: The Connected Car and Privacy: Navigating New Data Issues

The Connected Car and Privacy: Navigating New Data Issues is available to read here.

* * * * * *

Each model year brings cars that are getting smarter and more connected, offering new safety features and consumer conveniences. By the end of the decade, one in five vehicles on the road will be connected to the Internet. But for consumers to welcome these advances, they need to be sure their personal data will be handled in a trustworthy manner, as early research shows that considerable numbers of new car buyers are concerned about data privacy when it comes to car connectivity. To address those concerns, the Alliance of Automobile Manufacturers and the Association of Global Automakers have come together to put forward a set of privacy principles for vehicle technologies and services. These privacy principles set a responsible course for new uses of connected car data and should help avoid any privacy bumps in the road.

The principles cover a wide variety of vehicular data, and they directly address some of the chief privacy concerns raised by new in-car technologies. For example, they cover location information, driver biometrics, and other driver behavioral data, such as seatbelt use or frequency of hard braking, that can be gathered by a vehicle, and require opt-in consent by consumers before any of this sensitive information can be used for marketing purposes or otherwise shared with independent third parties. The principles also include a warrant requirement for geolocation information to be shared with law enforcement, absent exigent circumstances or certain statutory authorities. These are important protections, and essential to ensure consumer data is being handled in a trustworthy manner inside the connected car.

The Future of Privacy Forum’s new paper, The Connected Car and Privacy: Navigating New Data Issues, seeks to provide an overview of the various technologies currently available in cars and identifies the types of data collected and the purposes for which it is collected. While connectivity is the buzzword of the day, many of the recent privacy-related headlines about in-car technologies are, in fact, about data collection that is not novel. On-board diagnostic data have been generated by cars for decades, and recording accident-related information on Event Data Records (EDRs) has been going on for years.

Yet connectivity does promise new types of in-car data collection. New sensors and technologies do increase the ability of vehicles to harness location information and in the future, will allow vehicles to collect more information about the car’s immediate surroundings and its driver’s behavior. Today, connected cars frequently provide consumers with more opportunities to take advantage of location-based services in their cars and real-time traffic-based navigation. Similarly, onboard sensors can already be used by vehicles to detect lane markings and immediate obstacles.

In the future, in-car technologies will increasingly gather information about driver behavior or their biometric data. For example, vehicles will be able to quickly identify their drivers, changing car settings to accommodate the driving profile of a teenage or elderly driver. Sensors in the steering wheel or driver’s seat will monitor stress levels and health conditions. Much of this information is used to drive vehicle safety improvements. Attention assist features evaluate a driver’s steering corrections along with other factors like crosswinds or road surface quality to predict driver fatigue. As they are developed, vehicle-to-vehicle and vehicle-to-infrastructure communications will also augment these features and will depend on responsible privacy standards.

We hope The Connected Car and Privacy provides an introduction to the key technologies used in connected cars and sets out a useful overview of the relevant data flows. We will be looking forward to working with the Alliance of Automobile Manufacturers and the Association of Global Automakers, as well as other stakeholders who deal with these issues, to continue this important conversation.

Public Perceptions on Privacy

Today’s new report by the Pew Research Center gives the lie to the notion that privacy is unimportant to the average American. Instead, the big takeaway is that individuals feel like they lack any control over their personal information. These feelings are directed at the public and private sector alike, and suggest a profound trust gap is emerging in the age of big data.

While Pew has framed its report as a survey of Americans’ attitudes post-Snowden, the report presents a number of alarming statistics of which businesses ought take note. Advertisers take the brunt of criticism, and the entire report broadly suggests that public concerns about data brokers and the opacity of data collection are only growing. Seventy-one percent of respondents say that advertisers can be trusted only some of the time, and 16% say they never can. These numbers track every demographic group, and indeed, get worse among lower income households. Eighty percent of social network users are concerned about the information being shared with unknown third parties. Even as Americans are concerned about government access to personal information, they increasingly support more regulation of advertisers. This support is strong across an array of demographic groups.

Further, even as consumers remain willing to trade personal information in return for access to free Internet services, two-thirds of consumers disapprove of the suggestion that online services work due to increased access to personal information. More problematic, however, is that 91% of Americans now believe that “consumers have lost control over how personal information is collected and used by companies.” Though this Pew study does not show that privacy values are trumping digital services — and every indication suggests that they are not — it is a likely topic for Pew to return to in the future. It would be interesting to see whether this anxiety translates into action.

However, in the meantime, anxiety about privacy suggests an opportunity for companies to win with consumers simply by providing them with more control. Fully 61% “would like to do more” to protect their online privacy. We have repeatedly called for efforts to “featurize” data and have supported efforts to help consumers engage with their personal information. Many companies already provide meaningful controls on the collection and use of personal information, but the challenge is both making consumers aware of these options and ensuring that taking advantage of these dashboards and toggles is as fun as using a simple app.

So we need more tools to make privacy fun. And industry may also need to do a better job staying attuned to consumer preferences. Pew reiterates how context-dependent privacy is, and that the value of privacy and consumer interest in protecting their privacy can vary widely from person to person, in different contexts and transactions, and perhaps most pointedly, in response to current events. “[U]sers bounce back and forth between different levels of disclosure depending on the context,” the report argues.

The challenge is ensuring that context is understood similarly by all parties. Part of this is understanding where and when personal information is sensitive. This is a debate that was highlighted at the FTC’s recent big data workshop, and is a theme that increasingly arises in conversations about big data and civil rights. Aside from Social Security numbers, which 95% of respondents considered to be sensitive information, data ranging from health information and phone and email message content to location information and birth date could be viewed as sensitive depending upon the context.

Depending upon context, everything is sensitive or nothing is sensitive. Obviously, this can be a tricky balancing act for consumers to manage. Information management requires users to juggle different online personas, platforms, and audiences. Thus, the door is open for companies to both take certain information off the table — or make a better case why some sensitive information is invaluable for certain services.

While Pew has not shown whether these privacy anxieties trump other pressing economic or social concerns, the report also suggests that Americans’ perceptions of privacy are heavily intertwined with their understanding of security. Privacy may be amorphous, but security is less so — but being proactive on the one can often be a boon to the other. Positive and proactive public actions on privacy are essential if we are to reverse Americans’ doubts that they can trust sharing their personal information.

-Joseph Jerome, Policy Counsel

Debating the FBI on Phone Encryption

FBI Director James Comey has heated up the encryption debate with his recent appearances on Sixty Minutes and at the Brookings Institution.  Comey has sharply criticized Apple and Google for the companies’ announcements that they would enable strong encryption on their phones.  In contrast to prior practice, the companies would no longer keep a key to gain access to the encrypted content.  I applaud the companies’ announcements, which among other virtues will strengthen cybersecurity.

On November 17th, I have been invited to debate this issue at the New America Foundation, from 4:00 to 5:30 p.m., with webcast planned.  Nancy Libin, formerly of both the Center for Democracy and Technology and the U.S. Department of Justice, will be the moderator.  The opposing perspective will be offered by Andrew Weissmann, who until 2013 was General Counsel at the FBI.  I believe this will be the highest-profile live debate on the issue since Comey began his statements.

To remind us of the issues at stake, this post highlights four items I have previously worked on about encryption and global communications policy, the first three of which were supported by the Future of Privacy Forum’s project on government access to data in 2011-2013.

First, and perhaps most readably, is “Going Dark vs. the Golden Age of Surveillance.” (2011). This piece challenges the FBI’s claims that it is “going dark” due to encryption and other changes in communications technology.  Instead, Kenesa Ahmad and I argue that a better image would be that we are in “a golden age of surveillance.”  Compared with earlier periods, surveillance capabilities have greatly expanded.  Government agencies have unprecedented access to location information now that we all carry cellphones.  Information about contacts, confederates, and conspirators has massively expanded, as all of our texts, emails, and social network postings are saved by communications carriers.  In addition, there are myriad new databases that create digital dossiers about our lives.  In short, if government agencies were offered the choice of current capabilities or pre-Internet capabilities, they would overwhelmingly prefer their surveillance abilities today.  This piece was written before the Snowden leaks, so the idea of law enforcement and intelligence agencies “going dark” is even less plausible today.

Second, this going dark discussion was part of a larger research project on “Encryption and Globalization” (2012).  This lengthy article provides background on a variety of encryption issues, including developments in India and China.  One claim of the article is that strong encryption is even more vital in today’s globalized world than during the crypto wars of the 1990’s.  A second claim concerns what we call “the least trusted country problem.”  If there are backdoors or limits on effective encryption, then the security of global communications is only as strong as the security in the least trusted country.  Other countries will demand the same backdoors available to the U.S. government.  When the FBI or other agencies argue for weak security, we should consider the effects of surveillance by these other countries, many of whom lack the legal safeguards in the United States.

Third is my 2012 article “From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud.”  This paper, as the title suggests, explains how changing technology is pushing government agencies to go to cloud providers for law enforcement and intelligence purposes.  Relevant to the Comey debate, and as explained in detail by Chris Soghoian, cloud providers hold an enormous wealth of potential evidence.  Even if police have difficulty getting into a smartphone, the relevant evidence very often is available from the cloud provider.

Fourth is the discussion of encryption in the report of President Obama’s Review Group on Intelligence and Communications Technology, for which I was one of five members.  The report in general, and our Recommendation 29 in particular, emphasizes why U.S. government policy should strongly encourage the use of effective encryption.

Andrew Weissmann, in addition to his role at the FBI, is an experienced litigator and former chief of the Enron Task Force.  He is a Senior Fellow at the NYU School of Law and its Center for Law and Security.  I look forward to a vigorous debate.

Peter Swire is Senior Fellow at the Future of Privacy Forum and the Huang Professor of Law and Ethics at Georgia Tech Scheller College of Business.

Cameron Kerry Queries Whether Law Enforcement Is Really “Going Dark”

Writing in Forbes today, Cam Kerry, formerly of the Department of Commerce and a member of the FPF Advisory Board, discusses some of the challenges facing law enforcement as technology continues to race past the law. In recent weeks, FBI Director James Comey has criticized tech companies like Apple and Google for embracing stronger levels of encryption, encryption that increasingly hampers the ability of law enforcement to get access to information.

Kerry notes that not only did last year’s Snowden revelations make “it hard to argue the U.S. government lacks visibility into communications,” but he also recognizes a fundamental tension between the needs of law enforcement and technological innovation. “[Law enforcement's] main mission to catch the bad guys constrains the airing of civil liberties and privacy issues that matter to Internet users, providers and others,” he writes. “[F]rom a technical standpoint, the FBI’s front door is a hacker’s or spy’s back door.”

There’s the rub: any lawful intercept solution will be exploited by third parties. Without a basic recognition of this fact, the honest debate the FBI Director is seeking may be difficult to properly frame.

Jules Polonetsky Statement Following Home Depot Announcement

Today, The Home Depot released new findings from its investigation of the company’s recent payment data breach. Jules Polonetsky, Executive Director of the Future of Privacy Forum, had the following statement:

More important than legal compliance after a breach is a company’s efforts to make sure that consumer concerns are addressed. It’s great to see The Home Depot take this extra step of notifying individuals whose email addresses were located in files apparently taken during a previously-reported payment breach. Since passwords or other protected account information wasn’t affected, there is no legal obligation for the company to disclose that email addresses have been taken, but clearly consumers affected will benefit from The Home Depot’s consumer outreach and can be on guard against suspicious emails.
