Wrap up from today's FCC forum (by: Professor Peter Swire)


FPF Issues Statement on FCC & FTC Location Based Services Forum:

Leaders of the Future of Privacy Forum (FPF), a privacy think tank whose Advisory Board includes privacy scholars, privacy advocates and corporate privacy officers, made the following statements in relation to today’s FCC & FTC Forum on Location Based Services:

“Today’s Location Based Services Forum is a positive and important educational opportunity  to highlight best practices concerning the collection and use of location information,” said Christopher Wolf, FPF co-Chairman.  He added, “Consumers are entitled to privacy protections for their location information when using mobile devices and only with privacy will there be the consumer trust needed for the nascent location based services sector to flourish.”

“For real privacy advances to be made in this space, it is important that the range of ways location based information is collected and used is well understood by consumers and policymakers,” explained Jules Polonetsky, FPF Co-Chairman. “Location based information comes from a wide ecosystem that includes wifi networks and GPS, in addition to cell towers.  This information is then used and shared by multiple platforms, such as application developers and ad networks.  To help further understanding of this complicated environment, we have released the following education chart, and we look forward to a continued discussion on the issue.”

To schedule an interview with Jules Polonetsky or Christopher Wolf, email: [email protected].

To learn more about privacy issues in the mobile and online application spheres, visit www.applicationprivacy.org

 

Center for American Progress Hosts Program on “Do Not Track” with Focus on Kids

With a room filled to capacity this morning, the Center for American Progress hosted a special presentation entitled “Tracking: Where You Are, What You See, and What to Do.” Neera Tanden, the Chief Operating Officer for Center for American Progress, moderated the panel, which featured a keynote by FTC Commissioner Julie Brill. Panelists included FPF co-chair Chris Wolf, Professor Peter Swire (Senior Fellow, Center for American Progress, and Professor of Law, Ohio State University), Ed Felten (Chief Technology Officer, Federal Trade Commission), and Jim Steyer (Founder and CEO, Common Sense Media).

Commissioner Brill, after describing the FTC’s ongoing examination of the privacy framework, focused on the five key elements the FTC is looking for in a Do Not Track mechanism: (1) simple to find and use, (2) effective, (3) applicable across companies and technologies, (4) does more than just prevent consumers from receiving targeted online behavioral advertising, and (5) provides persistent choice.

Commissioner Brill cited the recent FPF survey showing that three quarters of most Apps lack a privacy policy, a situation she said needed great improvement.

The lively panel discussion included Ed Felten describing the progress being made by the browser companies in designing Do Not Track mechanisms into their products; a plea by Jim Steyer for a Do Not Track law focused on kids, which he described as an urgent need; and an overview by Chris Wolf of the Do Not Track Kids bill introduced by Representatives Markey and Barton. The overview included a synopsis of criticism of the bill from the Center for Democracy and Technology, the Direct Marketing Association and Libertarian Adam Thierer, each of whom has focused on the First Amendment issues implicated by the bill because of its potential to limit even adult access to content, given the need to identify all users of web sites to determine which are kids entitled to protection, and because of the impracticality of the “Erase Button” requirement in the bill. Peter Swire discussed the potential role technology could play in achieving some of the objectives of the Do Not Track Kids bill. Questions from the audience included one mentioning how parental consent for teen access to online content could thwart legally protected teen access to reproductive health information.

A replay of today’s program is available here.

"Why privacy legislation is hot now"

Colleague Peter Swire has an article in today’s edition of The Hill discussing the current growth of privacy legislation; see the full article here.

Will users opt-in to analytics cookies? Initial results show: “No!”

In order to demonstrate a model implementation for opt-in cookies under the Amendments to the EU Telecom Directive, the UK Information Commissioner’s Office (ICO) implemented an opt-in for the use of an analytics cookie. The “above the banner” opt-in request can be seen here, and at the links here and here you can see the results of its implementation in visuals.

So what happened? Tracked traffic to the site fell by a staggering 90%! Leading web analytics expert Vicky Brock (@brockyvick) made a Freedom of Information (FOI) request to obtain the traffic to the ICO site as measured by the Google Analytics tool. The results are shown in the graphics linked above (on Vicky Brock’s Flickr).

Though these numbers are only an initial look at the effects of implementing the cookie amendments to the Telecom Directive, they make it clear that interpreting the law expansively will be impractical. Although some companies may figure out how to do better at enticing consumers to consent to analytics, a Web site’s ability to track basic information about how the site is being used will clearly be dramatically affected.

CFP Hosted a Panel of Chief Privacy Officers: “The Privacy Profession — Corporate Apologists, or Agents of Positive Change?”

On Thursday, June 16, Computers, Freedom, and Privacy (CFP) hosted a panel called “The Privacy Profession — Corporate Apologists, or Agents of Positive Change?” that featured Chief Privacy Officers (CPOs) from various agencies and companies. The panel included: Nuala O’Connor Kelly as moderator (Senior Counsel, Information Governance & Privacy, GE; FPF Advisory Board member), Doug Miller (Executive Director, Consumer Advocacy & Privacy, AOL; FPF Advisory Board member), Jonathan Cantor (Chief Privacy Officer, Department of Commerce), and John Kropf (Deputy Chief Privacy Officer, U.S. Department of Homeland Security). The discussion gave each of the panelists time to share a bit about their career path, and then moved on to various subjects, including the major policy issues each CPO is facing in their current role and questions for the CPOs to ask each other. It also provided an opportunity for a few audience questions.

One of the interesting discussions that Nuala O’Connor Kelly elicited was about the “ethos” of the CPO role. More specifically, the CPOs considered whether they looked at their role as an internal versus external advocacy role. John Kropf aptly compared the role of a CPO to a line from a Johnny Cash song and said he “walk[ed] the line,” referring to the line between an internal or external oversight role. Overall, the panel agreed that their role is multidisciplinary, and inclusive of legal, technology, and policy considerations. As such, there was also emphasis later in the discussion on fostering relationships with other departments within organizations, including, and especially, the Chief Information Officer (CIO) of an organization. Additionally, though each felt their position was similar in its role as an advocate for privacy, each highlighted the difference a corporate or agency environment or culture may make to their role as CPO. For instance, Jonathan Cantor compared his past experiences with privacy enforcement at the Social Security Office to those as CPO at the Department of Commerce.

In discussing the current and pressing policy issues, answers varied. Three common answers, however, were cyber security, cross-border data flows, and information sharing (whether it be with government or third party advertisers). The diversity of answers shed light on how truly multifaceted the policy implications of privacy concerns are. Accordingly, when John Kropf asked his fellow panelists about the future of privacy, the CPOs undoubtedly agreed that privacy and the role of CPOs were growing rapidly, and had a bright (and busy) future; Nuala chimed in, “only up.” Curious about how to motivate and encourage interest in the growing role of privacy, Doug Miller discussed how to encourage interest among employees and the public.

The panel provided a great opportunity for both audience members and panelists to discuss the roles and growth of the privacy office.  The insights were based on a great depth of experience, and provided great perspective for all who attended.

Senator Leahy (D-VT) Makes Keynote Address at CFP on Thursday (June 16, 2011)

Today Senator Leahy (D-VT) made a brief keynote address at the Computers, Freedom, and Privacy Conference (CFP) at the Georgetown Law Center. Senator Leahy urged that we must “modernize” the legal framework to keep pace with the technology of today’s age. He discussed the numerous recent data breaches, and quoted statistics indicating that hundreds of millions of records have been subject to data breaches.

Additionally, the Senator addressed some of his proposed legislation. First, Senator Leahy discussed his proposed updates to the Electronic Communications Privacy Act (ECPA)—“The Electronic Communications Privacy Act Amendments of 2011.” These amendments could be the first in 25 years, and include requirements for search warrants based on probable cause in order to access information held in electronic communications. The amendments also propose new protections for location based information and require search warrants before tracking people in real time using location information provided by service providers. In responding to a question, a member of the Senator’s staff noted, however, that this protection does not extend to historically collected data because the legislation intends to maintain balance (presumably for law enforcement purposes). Additionally, the Senator addressed the data breach notification bill he introduced on June 7, 2011, known as the “Personal Data Privacy and Security Act of 2011.” He indicated that this will be his fourth attempt to pass this legislation, and that with each new introduction of the bill, the threat to security and privacy has been greater.

The comments were clear and succinct, with a tone of urgency: we need to work towards modernizing the legal framework to address the privacy issues that exist in our fast-growing digital age.

(Posted by: Shreya Vora, FPF Fellow)

FPF Advisory Board Members Take the Stage at Computers, Freedom, and Privacy Conference to discuss: “Frontiers in Privacy”

On Wednesday, June 15, at Computers, Freedom, and Privacy (CFP), three Future of Privacy Forum (FPF) Advisory Board members took the stage during a discussion about “Frontiers in Privacy.” Advisory Board member Professor Annie Anton moderated a discussion between Professors Peter Swire and Daniel Solove. The discussion was fast-paced and covered six topics, each handled in a lightning-round format that drew comments from both panelists.

The topics included:

First, the all-or-nothing fallacy in privacy and security. The professors debated whether there is a false tradeoff between the concepts of privacy and security. Professor Solove chimed in that he believes these concepts are not all-or-nothing, but rather are “different sides of the same coin.” Professor Swire commented similarly that the debate is not really between privacy versus security, but rather security versus security.

Second, encryption and globalization in India and China. Professor Swire discussed his recent trip to India and his growing concerns over the maximum 40-bit encryption key limit in the country. Professor Solove agreed with Professor Swire’s commentary, and both find the trends abroad alarming and distressing. Specifically both pointed to the similar debate that occurred in the US’ recent past, and believe that the default internationally should similarly shift to “good encryption.”

Third, the concept of having nothing to hide. Both professors disagree with the sentiment that if you have “nothing to hide” there should be no concern over privacy. The “nothing to hide” concept was labeled as too narrow because it does not account for those who want privacy rights related to things such as access to view and correct information retained about them online, or even the right to prevent aggregation of profiles about them. Along the lines of aggregation and profiling, the professors voiced concerns about having to deal with judgments and inferences, often wrong, that arise from one’s online actions.

Fourth, social networks, freedom of association, and privacy. The discussion engaged the panelists about the growth of social networks and the benefits and drawbacks associated with them. Professor Swire succinctly stated that we as consumers are torn between the wonderful ability to share and network and, at the same time, fear. The professors also debated the social value derived from these networks and discussed potential regulatory limitations that could be placed on them as well.

Fifth, the future of the Fourth Amendment. The discussion focused on the Fourth Amendment’s reasonable expectation of privacy test. Professor Solove emphasized his view that the test is drawn too narrowly today. Professor Swire indicated a gradual shift that seems to be occurring in the Federal bench, specifically citing recent cases that limit the scope of the Fourth Amendment as it relates to e-mail and computer searches.

Finally, the panel discussed data minimization versus data drench. There is a significant focus on data minimization both in the EU and US (FTC; McCain/Kerry Bill). However, both panelists emphasized that this concept of minimization is contradictory to the data infusion that is actually occurring in the real world. Professor Solove aptly compared asking entities to limit their use of data to the example of a tiger in a cage with a huge amount of meat—could you really request the tiger to only eat the data in small chunks?

EPIC Honors Wall Street Journal for “What They Know” Series

Earlier this week, FPF’s Co-Chair Christopher Wolf had the pleasure of honoring The Wall Street Journal for its “What They Know” series, on behalf of EPIC, at a special event in Washington, D.C. His remarks from that celebration are featured below:

I am pleased to serve on EPIC’s Advisory Board and pleased to have been asked to present an award from EPIC to the Wall Street Journal.

EPIC has been explaining for some time that there is a big gap between the type of tracking that companies are engaged in on the Internet and what most people know or think is occurring. As EPIC has explained it, the general public has very little idea that every second they are on the Internet, their behavior is being tracked; that even if  the information collected is anonymous, it is used to create a “profile” which is then sold to companies on “stock-market-like” exchanges to create and deliver targeted advertising back to the individual.

In 2010, EPIC gained a new ally in spreading the word about what is going on online.

Starting last summer, The Wall Street Journal began a  year-long “What They Know” investigation into online tracking and exposed a fast-growing network of hundreds of companies that collect highly personal details about Internet users—their online activities, political views, health worries, shopping habits, financial situations and even, in some cases, their real names—to feed a $26 billion U.S. online-advertising industry.  As  the Journal described it, the nation’s top fifty websites installed an average of 64 pieces of tracking technology onto the computers of visitors, usually without warning, for a total of 3,180 tracking files. A dozen sites installed more than a hundred. Two-thirds of those files were installed by 131 companies that are in the tracking and online consumer profiling business.

Having been in the online privacy world since it began, I have never witnessed an impact like the one the Wall Street Journal’s “What They Know” series has had in the privacy world.

First, as a privacy litigator and FTC regulatory attorney, the series has generated a lot of business for me and my colleagues at Hogan Lovells.   Always happy to have the business.  

But more importantly, the series has provoked debates and discussions about privacy that we have never seen before.  It quite literally has made privacy front page news. In many ways, the series of articles about online privacy that the Wall Street Journal began publishing last year has set the tone for the privacy debate nationally.

At a recent conference, one technology executive complained to Julia Angwin, one of the Journal’s principal reporters on the series, that “When you use words like ‘surveillance’ and ‘spying,’ it freaks people out.” And another participant at that conference said the series directly had influenced the comments made by Congressional representatives. “The question addressed to me [by Congress] was, ‘Look at these apps the Wall Street Journal found—so you, app developer, tell us why we shouldn’t be afraid of these.’”

Julia Angwin responded to that comment by saying, “What we’re doing is reporting the facts.” “The fact is, we tested a bunch of apps, and this is the data they were sending,” she said. “And this is pretty revolutionary in the news business.” “Most often, data written about in the newspaper is provided to them, as in, ‘a Brookings Institution report says this.’ We decided to test things ourselves. It was expensive, it was difficult. And it turns out, we now have the best data available about what apps are doing. It’s hard to replicate that study. You have to hack the phones, and measure the traffic.”

She continued: “There are some loaded words in those stories, I agree. But I also think that this is actually what is happening—you are being tracked.”

[I should mention that Ashkan Soltani, an independent researcher and consultant on privacy, who is here with us tonight, assisted the Wall Street Journal with its research.]

The series triggered significant steps to provide greater transparency and consumer control over the use of data collected, including a major bipartisan bill in the Senate sponsored by John McCain and John Kerry calling for a “privacy Bill of Rights” for Americans which was a direct response to the Journal’s work, as the senators made clear in introducing the bill, with Senator McCain reading from a What They Know article at the press conference.

And in the House, the series also prompted a bipartisan privacy bill in the House, introduced by Cliff Stearns (R, Fla.) and Utah Democrat Jim Matheson, that encouraged companies to offer more information to consumers about how they are being tracked. The bill also called for the data-collection industry to develop a policing program that would be approved by the Federal Trade Commission.

Representative Jackie Speier, who has introduced a Do Not Track bill in the House, is quoted as saying: “I must tell you that until I read it in the Wall Street Journal, and their 13-part series, I didn’t know that Dictionary.com was just a means by which tracking takes place. And they’re using something like the dictionary to identify you and then to track you. I was pretty outraged when I read that.”

The series also has echoed through the advertising and tech industries, with industry groups toughening privacy codes and dozens of businesses changing basic practices. Microsoft, Apple and Mozilla have all moved to install robust new privacy features in their browsers in direct response to our report of Microsoft’s quashing of a privacy feature at the behest of advertisers.  The Future of Privacy Forum, the think tank that I founded and co-chair with Jules Polonetsky, who is here tonight, has helped to convene discussions among companies, privacy advocates, privacy scholars and regulators about how to improve privacy online for consumers and, without question the Journal series was a catalyst.  The Future of Privacy Forum is hoping our efforts will further help the App world reach a consensus that the value and convenience of Apps will not be fully realized until and unless privacy is built in.

Over the weekend, I was reading a piece by Dean Starkman in the Columbia Journalism Review about the Journal’s  series and want to share his observations with you.  He said:

Reading The Wall Street Journal’s “What They Know” series on Internet (un)privacy last year, I thought, this has “Pulitzer” written all over it.

I don’t mean that in a cynical way. Unlike some people, I do care who wins the Pulitzers and other prizes because they often reward big, risky, in-depth, investigative reporting, including some of my all-time favorites. 

[And] aside from prizes, there really aren’t any other metrics for journalism quality. 

[So] I thought the series, by Julia Angwin and others, had all the hallmarks of a Pulitzer winner: it was ambitious, risky (some of the companies named had objected vociferously, I am told), well-written, and full of surprises.

Plus, it touched off government investigations and reform. Check, check, and check.

It didn’t win, and wasn’t even a finalist. I’m surprised. Staffers at my old paper were crushed when they learned, one of them tells me. I understand. (I noticed corrections appended to a couple of the stories and don’t know if that was a factor, but none seems major.) 

Well, while perhaps not yet as prestigious as a Pulitzer prize, the EPIC prize tonight is given to the Wall Street Journal for its significant contribution to privacy education, and to shining the light on online privacy issues that has led to an important national discussion.

I am told it is the custom at the Journal not to accept such awards in person, so we will send them their prize and I will report on the recognition I expect you now will give with your applause.

Thank you.

White House Smart Grid Report Includes Key Privacy Guidance

Earlier today Future of Privacy Forum co-chair Jules Polonetsky attended the Obama administration’s announcement at the White House for a number of new initiatives designed to accelerate the modernization of the Nation’s electric infrastructure, bolster electric-grid innovation, and advance a clean energy economy.

The National Science and Technology Council (NSTC) report focuses on 4 pillars for state and federal policy-makers:

(1) enabling cost-effective smart grid investments

(2) unlocking the potential of innovation in the electricity sector

(3) empowering consumers and enabling informed decision-making

(4) securing the grid

Some of the issues potentially relevant to consumers’ energy usage data and privacy are as follows. Under pillar (2), the Government will work toward fostering open, uniform technology-neutral interoperability standards and will protect consumer options and prevent anticompetitive practices.  Under pillar (3), state and federal policymakers are called to “evaluate the best means of ensuring that consumers receive meaningful information and education about smart grid technologies and options” (noting that some state regulators already mandate education/outreach programs for smart grid deployments that affect consumers); ensure consumers have access to and control over their energy consumption data in machine readable formats; help foster consumer-facing devices and applications that make it easier for users to manage energy consumption; ensure utilization of Fair Information Practice Principles (FIPP) to help protect consumer information (noting that the Administration supports FIPPs for industries not subject to sector-specific regulation); and update consumer protection policies (in addition to privacy) as necessary to account for new issues. Under pillar (4), the Federal Government will continue to work towards standards and guidelines for cybersecurity through public-private cooperation, including through the promotion of a “rigorous, performance-based cybersecurity culture.”

Regarding privacy specifically, the report notes that currently “there is not in place a comprehensive and broadly-accepted application of FIPPs in the smart grid context.” The report talks about the Administration’s support for a broad “consumer bill of rights” which could cover energy usage information. The Administration also supports a broad array of stakeholders taking “responsibility for implementing FIPPs through privacy rules that are specific to the smart grid context.” The report lauds FIPPs as “comprehensive, yet flexible” and envisions them facilitating the development of enforceable codes through the collaboration of industries, consumer advocates, and regulators. The report notes that any rules or guidelines will vary depending on whether energy usage information is shared with third parties.

The report also states that: “State regulators may consider requiring utilities and other firms to provide customers clear information regarding how their data may be used, if consumers authorize such use, and guaranteeing that customers have the ability to select the purposes for which their data may be used.” The report does not advocate either a default opt-in or opt-out approach, but acknowledges that defaults “can be influential.”  It favors FIPPs because they don’t categorically require one approach or the other.

Regarding cybersecurity, the Report refers to the Administration’s proposed cybersecurity legislation and states that “the Federal Government will seek to ensure that grid operators have access to actionable threat information; support research, development, and demonstration of cybersecurity systems and develop human capital; and work with private-sector stakeholders to establish accountability for meeting standards and performance expectations.”

The administration also announced the creation of Grid 21, which is a private sector initiative to promote consumer-friendly innovations while ensuring proper privacy safeguards and consumer protections.

More information and the full text press release can be found at the website for the Office of Science and Technology Policy.

Additionally, for more smart grid resources, see the Future of Privacy Forum’s smart grid page.