Author Archive

Pew Tackles the Future of Privacy

On Wednesday, the Pew Research Center released its third report on Americans’ attitudes towards privacy and surveillance. While the report confirms previous findings that, no, privacy is not dead, it focuses a broader look at Americans’ views on privacy in public and information control. It finds that our privacy-values are particularly heightened with respect “to having a sense of control over who collects information and when and where activities can be observed.”

Nearly all adults report that who is gathering information and what information are an essential dimension of privacy control. Strong majorities believe — 74% believe “very strongly” — that it is important to be in control of who can get information about you. Home continues to be viewed as “do not disturb” zones, which may present interesting implications for the emerging Internet of Things. And by a 2-to-1 margin, Americans believe in limits on employer-monitoring of employees.

One particularly interesting finding from the report are the Americans’ views toward data retention broadly. Most Americans believe that only “a few months” or less is long enough for companies to store most records of their activities. Different industry sectors get more or less leeway. For example, majorities support credit card companies retaining their data, but even here, the length of time people feel are reasonable retention periods varies. Once again, strong majorities were skeptical of the need for online advertisers to “safe any info” about them for lengthy periods of time, if at all.

The Future of Privacy Forum’s Capitol-Area Academic Network was privileged enough to discuss the Pew privacy project with the report’s authors last fall, and Pew’s series continues to demonstrate not only the value of privacy — but the strong need to think about better ways to offer privacy controls and communicate practices with consumers.

-Joseph Jerome, Policy Counsel

NYC Taxi & Limousine Commission Proposal Raises Privacy Concerns for Apps

On Monday, the Future of Privacy Forum joined with the Bill of Rights Defense Committee/Defending Dissent Foundation, Center for Democracy & Technology, The Constitution Project, and Electronic Frontier Foundation to write the NYC Taxi and Limousine Commission (TLC) about its proposed rules regarding For-Hire Vehicle dispatch apps.

We were especially concerned with the requirement that apps be automatically capable of “collecting and transmitting” a wide array of data including the requested pick-up time, date, and location, which could be collected even in the event that the passenger later cancelled the trip. The proposed rules provide no guidance with regard to when and how such transmission would occur, suggesting this data could be requested at the sole discretion of TLC.

This sort of broad data collection by a government agency presents important privacy issues. In particular, it raises key Fourth Amendment concerns, as well as permits wide swaths of sensitive data to potentially be released publicly through state Freedom of Information laws. Several news reports have previously demonstrated how even allegedly anonymized taxicab data can be “reverse engineered” to reveal passenger names and trip pick up and drop location information.

Everyone understands the TLC’s need to regulate FHVs and that mobile apps are increasingly the mechanisms that govern these services. FPF in particular has been a strong proponent of smart city initiatives, and using trip data to optimize traffic flows, improve the environment, and advance safety.

Nonetheless, we urge the TLC to seriously consider the privacy challenges posed by its proposal. Our letter encourages the Commission to engage in a more in-depth consultative process with privacy experts, organizations and the public in order to determine how to achieve TLC’s goals to guide FHV apps without unnecessarily placing passengers’ privacy at risk. The full letter is available to read here.

A Historical Primer on Section 215 Bulk Collection

Over on the IAPP’s Privacy Tracker blog, FPF Senior Fellow explains how the past week has seen two significant events concerning Section 215 of the USA PATRIOT Act. First, on May 7, the Second Circuit ruled that “the telephone metadata program exceeds the scope of what Congress has authorized and therefore violates” Section 215. And yesterday, the House of Representatives approved the USA FREEDOM Act by 338-88, which could limit by statute collection of domestic telephone metadata and other records under Section 215. According to Swire, this week’s activities will have potential important effects in the long term on surveillance policy.

Rise of the Drones

Drone

This morning, the Center for Strategic and International Studies presented a panel conversation on some of the challenges – and opportunities – around domestic drone use. After following the issue for years, it would appear that drone policy’s day has finally arrived. According to the FAA, nearly 4,500 comments were submitted in response to the agency’s proposed rulemaking for drones, or unmanned aircraft systems (UAS), and the NTIA received over 50 comments specifically on privacy issues around drones.

While the Future of Privacy Forum continues to think about how best to address these issues, there is little question that domestic and commercial drone use offer tremendous societal benefits. At the panel, Brian Wynne, President of AUVSI, a leading robotics trade association, explained that drones will create over $83 billion in economic activity in their first decade, and promise to generate tens of thousands of jobs. Wynne suggested that it is “almost impossible to anticipate all the different ways we can utilize UAS moving forward.”

Even the ACLU’s Jay Stanley, who remains concerned about law enforcement’s eagerness to use drone technology, admitted that drones could be a “generative technology” in the private sector.  He noted that privacy issues on the commercial side are incredibly complicated, not only implicating the First Amendment but perhaps lacking the sort of privacy-invasive incentives that could exist in law enforcement. Indeed, his “nightmare scenario” is a world where drones could be used for persistent surveillance, while members of the public, including journalists and entrepreneurs, will be hamstrung in their ability to use UAS technologies.

Stanley applauded the “outpouring” of interest on privacy with drones. He echoed notions that drones are more salient among the public. “It’s not hard to see the privacy issues with a drone with a camera on it,” he said. “Things like big data are more abstract.”

Adam Cox, from CSIS and an advisor to DHS’ Advanced Research Projects Agency (HSARPA), suggested that privacy and drones presents a “technically sexy problem.” “A lot of people are interested [in the technology],” he explained, and because drones allow everyone to engage in flight, “people are going to want to put new things on this.” He encouraged technologists to work hand-in-hand with policymakers, recommending both geofencing solutions and education efforts toward both manufacturers and operators of drones.

On that front, the Future of Privacy Forum is eager to engage. Last week, we filed comments with the NTIA on our thoughts on privacy and domestic drone use. A wide variety of individuals and organizations also submitted comments ahead of a new drone privacy multistakeholder effort, and it is clear that there are a number of ideas in play for how to address data collection and use by drones, as well as the address public concern about a loss of privacy from above.

In addition to several procedural recommendations, our comments focus on the value of transparency and training to address privacy concerns. We recognize that drones present different types of transparency challenges, both in terms of general practice and then individual drone flight. In both instances, we support conversations about what sort of information could be communicated to consumers in a way that does not place significant burdens onto individual UAS operators. Further, while drone operation will require at least some degree of safety training, we are hopeful some type of privacy training can be incorporated into that.

As today’s panel and all these comments suggest, there is much work to be done to figure out how general privacy principles can be applied to a diverse array of UAS technologies. While we support a technology neutral approach, it is clear that consumers, businesses, and policymakers all need to have a voice in determining how commercial drones can and should take flight.

-Joseph Jerome, Policy Counsel

FPF Senior Fellow Peter Swire Provide Comments to the FCC on Broadband Consumer Privacy

Later today, Peter Swire, FPF Senior Fellow, will participate at the FCC’s public workshop on broadband consumer privacy. He also prepared written comments expanding on his thoughts. Professor Swire summarizes his research as follows:

First, I examine the effect of the Section 222(a) definition of “proprietary information” as compared with the Section 222(c) definition of “customer proprietary network information.” (CPNI) My conclusion, based on some analogous provisions from HIPAA and GLBA, is that the Commission should be cautious about founding any additional regulatory requirements under this proceeding based on the language in 222(a).

Second, I examine the intersection of privacy and competition law, drawing on my previous writings in the area. New entry into online advertising, including by broadband providers, could be a new source of competition on privacy attributes. My recommendation to the Commission is to consider the effects of this potential competition on privacy and other non-price aspects of competition, along with price aspects of competition, as part of the overall assessment of how to govern the use of CPNI for broadband providers.

Third, I address priority uses of information that I believe should be permitted in the CPNI context. Although I do not seek to create a complete list of possible exceptions to the general CPNI rule of consumer opt-out, I do emphasize three areas where an opt-out is not generally appropriate – anti-fraud, cybersecurity, and research on network usage. I also analyze the role of de-identification and aggregate information under Section 222, suggesting strategies to preserve the utility of de-identified and aggregate information while protecting privacy. In this discussion, I do not take a position on whether a rules-based, principles-based, or other approach should be adopted by the Commission. Instead, I emphasize that important interests such as anti-fraud and cybersecurity should be taken into careful consideration in whatever approach the Commission pursues.

He concludes that translating Section 222 privacy protections to the broadband sector is far from a simple task, noting the “considerable technical and market differences from the telephone market governed by the 1996 CPNI rules.”

Professor Swire’s full written comments are available here.


Privacy Calendar

May
26
Tue
7:00 pm Student Data Privacy in an Onlin... @ The New York City Bar Association
Student Data Privacy in an Onlin... @ The New York City Bar Association
May 26 @ 7:00 pm – 9:00 pm
For more information, please click here.
May
27
Wed
all-day PL&B’s Asia-Pacific Roundtable (...
PL&B’s Asia-Pacific Roundtable (...
May 27 all-day
PROFESSOR GRAHAM GREENLEAF, Asia-Pacific Editor, Privacy Laws & Business International Report, will lead a roundtable on the countries of most interest to business in the Asia-Pacific region. Click here for more information.
Jul
6
Mon
all-day PL&B’s 28th Annual International...
PL&B’s 28th Annual International...
Jul 6 – Jul 8 all-day
The Privacy Laws & Business 27th Annual International Conference featured more than 40 speakers and chairs from many countries over 3 intensive days. At the world’s longest running independent international privacy event participants gained professionally by[...]
Jan
28
Thu
all-day Data Privacy Day
Data Privacy Day
Jan 28 – Jan 29 all-day
“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The Day commemorates the 1981 signing of Convention 108, the first[...]
Jan
28
Sat
all-day Data Privacy Day
Data Privacy Day
Jan 28 – Jan 29 all-day
“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The Day commemorates the 1981 signing of Convention 108, the first[...]

View Calendar