California AG: Post Privacy Policy… Or Else!

The California Attorney General has warned 100 mobile app developers to comply with California law to post privacy policies or face fines up to $2,500 per download. Read more about it at ApplicationPrivacy.org, a privacy resource for app developers.

Oct. 25, 2012 – FPF was mentioned in Politico for the release of Privacy Papers for Policy Makers 2012

Please join the Future of Privacy Forum for a reception celebrating the selected authors on Wednesday, November 7 from 4:00-6:30 pm at the Microsoft Innovation & Policy Center, 901 K Street, 11th Floor, Washington DC, 20001

To RSVP for this event please e-mail [email protected]

Click here to see Politico.

Click here to read more about Privacy Papers for Policy Makers 2012.

From Uruguay, Chris Wolf: Privacy and Technology in Balance

On Tuesday, October 23, FPF’s Chris Wolf was one of the first plenary speakers at the 34th Annual Conference of Data Protection and Privacy Authorities in Punta Del Este, Uruguay. Here is the text of his remarks:

Privacy and Technology in Balance

Thank you for the opportunity to present on behalf of the Future of Privacy Forum, our think tank devoted to advancing responsible data practices.

Privacy has never mattered as much as it does today. We are in an era of rapidly-evolving technology capable of collecting, storing, sharing (and potentially, mishandling) personal data about every aspect of our lives.

One measure of the progress on privacy in the Information Society is the sheer number of people concerned with the privacy profession, in government, civil society, academia, in business and in law.   This is true around the world, but perhaps nowhere is there a greater proliferation of people concerned with privacy than in my own country, the United States.

My personal experience is an example. I have been practicing law for more than three decades, and I focused on technology and the Internet early on. I was one of the first American lawyers to devote myself exclusively to privacy law.

My full concentration on privacy law arose from my representation in federal court of a gay sailor as to whom the US Navy illegally obtained information from AOL in a discriminatory effort to oust him from the service.  I saw then as I see today, the potential personal harm that can come from illegal collection and use of data.

And so, I am devoted to responsible data collection and use. I now lead a full-time team in Washington, DC of 17 lawyers, and have dozens of law firm colleagues who focus on privacy around the world in our European and Asian offices. We are soon to open an office in Brazil.

The Future of Privacy Forum, the think tank I founded in 2008 and that I co-chair with Jules Polonetsky, has grown dramatically from our first days, and we now have dozens of academics, consumer advocates and business representatives participating.

We are focusing on a wide range of issues from Big Data, to de-identification, to the Smart Grid to mobile and Application Privacy, and many more issues that are arising with new uses of data.

In my law practice and at the Future of Privacy Forum, we recognize that a greater understanding of the expectations raised by the Information Society can contribute to improving data protection regulation and control.

In considering the issue of progress in privacy and data protection, I am reminded of the observations by the author Doug Adams who wrote the book entitled “The Hitchhiker’s Guide to the Galaxy.”

Adams made these three observations about our reactions to new technology.

1) The things that exist in the world when you’re born are normal and acceptable;

2) Anything invented between when you are born and before you turn thirty is incredibly exciting and creative;

3) Anything invented after you turn thirty is against the natural order of things and the beginning of the end of civilization as we know it – that is, until it’s been around for about ten years, when those inventions gradually turn out to be alright really.

And likewise, progress in data protection is a matter of perspective. Ten years ago, I never would have imagined the scope of the privacy profession. The International Association of Privacy Professionals, started just over a decade ago with a handful of members, now has membership in the tens of thousands. Those numbers reflect the range of privacy issues being addressed by businesses that recognize a responsibility due to laws, regulations — but also out of a sense of responsibility and data stewardship, and the commitment to maintain consumer trust.

Earlier this year, I testified before the United States Senate Judiciary Committee Subcommittee on Privacy concerning a law passed in 1988 called the Video Privacy Protection Act, or VPPA.  That law obviously was passed to react to the practices of videocassette rental stores, well before the Internet era; before Netflix, and before Facebook.  Yet, the VPPA is being applied to the technologies of the Internet era even though Congress never contemplated such a world.

My experience with the video privacy law is part of what gives me concern that data protection that is put in place to react to new technologies may in time not be viewed as progress at all but rather as a barrier to progress.

I know that some DPAs react viscerally when objections to certain regulations are made because of the risk to innovation.  But it is axiomatic that over-regulation thwarts innovation.

What is needed is smart, forward-looking regulation, and it can come from many sources – from law and yes from enforceable self-regulation created by those who are closest to the workings of changing technologies. Perhaps a better label for what I am describing is co-regulation.

The theme of this conference, “Privacy and Technology in Balance” captures perfectly the tension between privacy rules and advances in the Information Society.

And the conference comes at a time when the privacy frameworks in the US and the EU are under re-examination.

There are common aspects to the EU and U.S. proposals. Both fundamentally are premised on Fair Information Practice Principles. Both call for implementation of the “Privacy by Design” concept intended to build in privacy sensitivity and consideration into every stage of the development of products and services. Both recognize the importance of accountability by those who collect and use personal data. Both reflect the principle that people should not be surprised by the use of their personal data collected for one purpose but used for another purpose.

There is no disagreement about the need for informed consent about the collection and use of personal information (although the kind of consent envisioned in each jurisdiction differs as to various categories of data). Finally, the U.S. view of what constitutes “personal data” seems to be moving toward the EU’s: the FTC refers to data that can be “reasonably linked to a specific consumer, computer or other device,”   a standard very close to ––and arguably even broader than––the EU definition of personal data.

Big differences in approach emerge from the fact that the United States, while proposing a first-ever federal privacy law with a “Privacy Bill of Rights,” still intends to rely on a variety of self- or co-regulation. And the U.S. proposed rules do not contemplate a “right to be forgotten.”

Similarly, there is no right to “data portability” in the U.S. proposals as there is in the EU plan.

And even though the EU has borrowed the data breach notification idea from the United States, it proposes a presumptive obligation to provide notice within twenty-four hours of a breach, a time frame widely regarded as wholly unworkable by those who have worked under the U.S. data breach laws. Finally, the EU proposes a schedule of monetary fines of up to 2 percent of an entity’s global worldwide turnover for violations of the proposed Regulation––an amount that many stakeholders view as unreasonable due to the apparently wide discretion given to enforcers in assessing such a fine.

The period ahead will be one of adjustments to the proposed EU Regulation to make it acceptable to the European Parliament and to the Council of the European Union, the bodies responsible for the co-decisioning process required to adopt the Regulation. Likewise, in the United States, the exact shape of the new privacy framework is still to be determined, on Capitol Hill and through the work of the Executive Branch, and the results of the election in a few weeks will be important.

As things now stand, there is a big gap to bridge between the two trans-Atlantic approaches, in many ways, so close. Yet, they are very far apart in fundamental respects.

Privacy will most effectively evolve in the Information Society when the privacy frameworks are interoperable. My hope is that the fundamental differences in approach give way to that fundamental understanding.

And therefore, to close, I commend to you the recent remarks of Cameron Kerry, the General Counsel at the US Department of Commerce before the European Parliament, who quite wisely observed that for the information society to thrive, “the global marketplace will require mutual recognition and innovative solutions that permit businesses to streamline their operations across countries with differing legal regimes.”

This conference is a perfect opportunity to explore such innovative solutions towards mutual recognition and cooperation, and towards a robust and growing information society.

FPF Announces Privacy Papers for Policy Makers 2012

The Future of Privacy Forum Announces Privacy Papers for Policy Makers 2012

WASHINGTON – The Future of Privacy Forum (FPF) today released the 2012 Privacy Papers for Policy Makers, highlighting eight leading privacy writings that were voted by the FPF Advisory Board to be most useful for policy makers. The papers cover a wide array of topics, including privacy by design, online behavioral advertising, mobile privacy, government surveillance, de-identification, and social networks.

The digest will be featured at an event held at the Microsoft Innovation and Policy Center on November 7th in Washington, D.C. The eight papers featured in the digest were selected among more than thirty-five entries, and were chosen by members of FPF’s Advisory Board, which is comprised of leading figures from industry, academia, law and advocacy groups. The digest was sponsored with support from AT&T, Microsoft, and GMAC.

Christopher Wolf, FPF’s founder and co-chair, commented on the significance of the Privacy Papers for Policy Makers Digest: “Improving privacy protection is vitally important in this technology age so we are delighted to help build a bridge of communication between privacy scholars and privacy policy makers. We hope this publication will lead to greater communication and collaboration.”

FPF’s director and co-chair Jules Polonetsky emphasized the need to educate more policy makers about the diverse issues surrounding privacy and to explore the myriad thoughts that academics, industry leaders, and privacy advocates have on the issue.

“There’s no silver bullet to resolving all of the privacy concerns the public has in this new technological age,” Polonetsky said. “These writings offer some of the most compelling and innovative viewpoints that we hope policymakers consider as they look to address privacy issues.”

The writings and authors featured in the Privacy Papers for Policy Makers Digest are listed below. To see the full text of the digest and the executive summaries of the writings, click here.

Leading Papers:

Bridging the Gap Between Privacy and Design

Deirdre Mulligan and Jennifer King

Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising

Blase Ur, Pedro Giovanni Leon, Lorrie Faith Cranor, Richard Shay and Yang Wang

‘Going Dark’ Versus a ‘Golden Age of Surveillance’

Peter Swire and Kenesa Ahmad

How Come I’m Allowing Strangers to go Through My Phone? Smart Phones and Privacy Expectations

Jennifer King

Mobile Payments: Consumer Benefits & New Privacy Concerns

Chris Jay Hoofnagle, Jennifer M. Urban and Su Li

The ‘Re-Identification’ of Governor William Weld’s Medical Information: A Critical Re-Examination of Health Data Identification Risks and Privacy Protections, Then and Now

Dr. Daniel Barth-Jones

Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents

Ira Rubinstein and Nathan Good

Will Johnny Facebook Get a Job? An Experiment in Hiring Discrimination via Online Social Networks

Alessandro Acquisti and Christina Fong

Please join the Future of Privacy Forum for a reception celebrating the selected authors on Wednesday, November 7 from 4:00-6:30 pm at the Microsoft Innovation & Policy Center, 901 K Street, 11th Floor, Washington DC, 20001

To RSVP for this event please e-mail [email protected]

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

Washington Privacy Update Event, Chicago, IL

Invitation to those of you in Chicago – please join us!

Our friends at BrightTag with help from privacy expert Justine Gottshall are hosting an event for us.

Washington Privacy Update Event

When: Thursday, October 25th, 10:00am – 11:30 

Please RSVP to [email protected] to sign up and we will send you location and details. (no cost).

Details Follow:

Join a select group of Chicagoland’s privacy experts for a briefing by Jules Polonetsky, Co-chair of Future of Privacy Forum, a Washington, D.C., industry-funded think tank that seeks to advance responsible data practices. The FPF is comprised of Chief Privacy Officers from many of the Fortune 100 as well as academics and privacy advocates who are concerned with staying up to date on the changing global privacy landscape. Hear from Jules on the current state of legislative and regulatory efforts in the US and EU. What is the FTC thinking and how does that connect to efforts on the Hill and at the State and local level? Are the efforts around Do Not Track gaining traction? Is data collection from mobile apps going to be regulated in California and beyond? Is the FTC going to be successful in pushing through its agenda? Jules will give you his insider perspective and insight and will gladly answer questions and address whatever topics you bring.

What’s Wrong with the Proposed EU Right of Data Portability?

A new report shows that a largely unpublicized section of the EU draft Data Protection Regulation could have far-reaching implications for both businesses and consumers. The draft Regulation gives consumers an unprecedented new economic and human right: the right to data portability (“RDP”). The basic idea of the RDP is that individuals would be able to transfer their electronic information, such as a Facebook friend list or iTunes music, from Facebook or Apple to a competitor, without hindrance.

The idea of the RDP is very appealing, but the draft Regulation as written is likely to harm consumers as well as software and online service providers. Interoperability in practice is often difficult and costly, yet the draft Regulation appears to mandate new code from software and service providers.  In addition, the draft Regulation ignores years of wisdom from antitrust law about how to address lock-in problems – the high switching costs that the EU is seeking to address.  The draft Regulation applies to a software app created in a garage just as it does to large businesses, so long as they sell to any European consumers.  Its software mandates thus may deprive consumers of innovative products from both start-up and larger companies.

The RDP also poses serious risks to a long-established EU fundamental right of data protection: the right to security of a person’s data. Previous access requests by individuals were limited in scope and format. By contrast, when an individual’s lifetime of data must be exported “without hindrance,” then one moment of identity fraud can turn into a lifetime breach of personal data.

The draft Regulation was issued by the European Commission early this year, and is being considered now in the European Parliament. A draft Regulation that potentially harms consumers in these ways should not be enacted without much further debate.

The report is co-authored by Peter Swire, a law professor at the Ohio State University and Senior Fellow of the Future of Privacy Forum, and Yianni Lagos, a Legal and Policy Fellow at FPF.  The final version will be published in the Maryland Law Review.

See “Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique” at http://ssrn.com/abstract=2159157.

 

Rushing to Install – Online Notice and Consumer Behavior

During our Mobile App Ecosystem Webinar, presenter Nathan Good, Chief Scientist and Principal of Good Research, referred to a video that showcases users’ interaction and behavior with notice during installation in the online environment. When you watch the video, keep in mind that the video is in real-time (meaning it’s not sped up).

The experiment illustrates the challenge of online notice –  let’s learn from the mistakes of the desktop notice before repeating them in mobile!

 

New Advertising & Marketing Programs for Top Wireless Carriers

Some mobile advertising and reporting news coming out of  Advertising Week in NYC, as two wireless carriers make announcements about their marketing and advertising programs.

Sprint announced the launch of its new advertising platform called Pinsight Media+, in which customers will have “choice and control over whether they have their data anonymously used so that advertisers using the platform can give users better-targeted ads.” Sprint’s advertising program is opt-in, while its marketing and reporting program, which uses aggregated data, is opt-out. (link here to the Sprint consumer page explaining this)

Verizon Wireless announced its opt-out program called Precision Market Insights that will be used for marketing and reporting purposes. Verizon will use its mobile network to aggregate data that will provide brands and companies with “real insights on consumer behavior.”

FPF Mentioned in The Energy Datapalooza Fact Sheet, The White House

As part of the Energy Data Initiative, the Obama Administration hosted the Energy Datapalooza, highlighting entrepreneurs and innovators that are using freely available data from the government to build products, services, and apps that advance the future of clean energy in their Energy Datapalooza Fact Sheet. FPF was mentioned for its seal program, the first of its kind, which will be available for companies offering home energy management, and other services that seek to access consumer energy data in the.

Smart Grid Privacy Seal Program

FPF and TRUSTe announce Smart Grid Privacy Seal Program – The Future of Privacy Forum has developed a first of its kind privacy seal program for companies that use consumer energy information.  The seal will be powered by TRUSTe, the leading data privacy management company with over 5,000 customers.