FTC Issues Updated FAQs

The FTC has just released its updated FAQs on the new COPPA rules. We have a post about the key points about apps on our educational app developer site,  ApplicationPrivacy.org.



Do Not Track Hearing Takeaways

Organized by Sen. Rockefeller (D-W. Virginia), who has repeatedly pushed for a “Do Not Track” law, yesterday’s Senate Commerce Commerce Committee hearing  on Do Not Track (DNT) was billed as an opportunity for industry to provide senators with an update on how voluntary DNT standards were proceeding.  Joined by Senators Blumenthal, Heller, McCaskill, and Thune, Sen. Rockefeller engaged in a two hour discussion that touched on not only the state of the online economy and behavioral advertising, but also important consumer privacy concerns.  The hearing produced three key takeaways:

1)     Advertisers and Industry Must Be More Proactive

Advertising and industry groups need to be more proactive in encouraging the DNT process or risk the government imposing its own solution.  Sen. Rockefeller (D-W. Virginia) criticized industry for “deliberately dragging its feet” and “undermin[ing] the very essense of a meaningful Do-Not-Track standard.”

Part of the problem, as FPF’s Jules Polonetsky and Omer Tene have suggested previously, is that there remains wide debate surrounding the question of whether behavioral tracking is a net social good or an unnecessary evil.  Discussions surrounding the technical implementation of DNT “camouflage deep value judgments which have yet to be made,” the pair concludes.

This dilemma was on full display during the hearing.  Sen. Heller (R-Nevada) asked directly whether behavioral tracking was producing any sort of harm, and the panelists explained that this may be the most difficult question of all.  Determining whether tracking produces either quantitative or qualitative harm to consumer privacy is a huge challenge.  “Privacy is a highly subjective condition,” Adam Thierer of the Mercatus Center noted, explaining that behavior we find to be creepy may not be harmful in any real sense.

The Digital Advertising Alliance’s Lou ­Mastria suggested that the question should revolve around user choice, arguing that the DAA was already voluntarily providing a consumer opt-out mechanism largely in line with that Sen. Rockefeller has proposed.

Harvey Anderson, speaking for Mozilla, stated that the DNT debate has mistakenly focused on business revenue models.  Models, he claimed, that lack consumer transparency.  The solution he put forward was for Internet industries to emphasize developing and encouraging trust with consumers.

However, though the World Wide Web Consortium (W3C) provides the perfect forum to hash out technical standards, it is ill-positioned to make these types of privacy value judgments.  The inability of everyone to agree what behaviors are good or bad may be hamstringing the process.

2)     Senators Are Skeptical of the W3C 

Perhaps as a result, senators appear skeptical of the ability of the Word Wide Web Consortium (W3C) to adequately tackle the problem.  Acknowledging that Congress may be ill-equipped to handle complicated technical policy questions, Sen. McCaskill  (D-Missouri) questioned whether  a technical body such as the W3C was the proper forum to be making sweeping Internet policy decisions.  Justin Brookman noted that the W3C already includes all of the major players, and Harvey Anderson explained that the organization was better positioned than regulators or other entities to achieve a technically feasible agreement.

Sen.  Rockefeller remained skeptical.  “The WC3, W3C, whatever it  has no authority whatsoever,” he said, and none of its standards were legal enforceable.  Beyond that, he was worried about the group’s generally slow progress at developing a self-regulatory framework for DNT.

Theirer, a frequent critic of the process, defended the W3C, emphasizing that developing technical standards, let alone establishing Internet policy, is incredibly challenging work.

Peter Swire, a senior fellow at FPF and the co-chair of the W3C DNT standards process, wrote in advance of the hearing that failure to come to a negotiated standard threatens a “new digital arms race.”  Further, he warned that failure at the W3C would lead to a government imposed solution, and if yesterday’s hearing was any indication, this is an avenue several senators want to explore.

3)     There Is Some Enthusiasm to Explore Legislative or Regulatory Solutions

Indeed, Sen. Rockefeller appears eager to pursue a legislative response.  He has reintroduced his Do-Not-Track Online Act, but it is worth noting that the bill currently only has on co-sponsor:  Sen. Richard Blumenthal (D-Conn.). Thus, it is unclear how successful Sen. Rockefeller’s effort will be.  For his part, Sen. Blumenthal, who also sits on the committee, was left wondering what sort of action might be required by either Congress or the FTC to spur the DNT process along.

“If voluntary agreements are not forthcoming, is it time for a law?” Sen. Blumenthal (D-Conn.) asked.

While the panelists did not directly address this question, the general sentiment was that stakeholders were on a path to finding a solution without congressional involvement.  Justin Brookman from the Center for Democracy & Technology noted that part of the problem remains that the United States simply lacks any sort of comprehensive privacy law to provide a baseline.  DNT receives much attention, but it is hardly “the worst thing out there,” he suggested.

Nonetheless, even as panelists pushed for more time, all eyes will be on the W3C’s next meeting among all the major stakeholders on May 6.

Peter Swire's Op-Ed on Do Not Track

FPF Senior Fellow and the Ohio State University Moritz College of Law Professor Peter Swire wrote an Op-Ed today for Wired on “How To Prevent the ‘Do Not Track’ Arms Race.” The article highlights the challenges of implementation and the need for a multistakeholder negotiated Do Not Track standard.


Techworld: Our Internet Privacy is at risk – but not dead (yet)

With this year declared, “The Year of Privacy on Steroids” companies, policy makers and professional experts alike agree that privacy is essential but the real conversation on the matter is, where is the sliver lining?

Future of Privacy Forum’s own, Jules Polonetsky, shared his own professional expertise on the topic specifically when it comes to companies tracking user’s online behavior and their attempt to self-regulation.

To read the article click here.

Interesting Thoughts from "This Week in the Boardroom"

Some wise thoughts on privacy and security for corporate boards, from FPF Advisory Board member Russell Schrader.

To watch this video click here (link expired).

Domestic Drones Should Embrace Privacy by Design

On Wednesday, the FAA held an online forum to seek input from members of the public on the agency’s development of a privacy policy for unmanned aircraft systems, or civilian drones. For two hours, privacy advocates, engineers, and representatives of the unmanned aircraft industry went around in circles debating whether drones even present novel privacy questions–and whether the FAA was the appropriate government agency to conduct such a conversation. If the unmanned aircraft industry wishes to encourage the widespread societal embrace of this technology, suggesting that drones do not present privacy challenges and moreover, arguing that our current legal and policy framework can adequately address any concerns is counterproductive.

Drones Are Different

As the Associated Press reported last week, public fear that unmanned aircraft technology will be misused threatens the health of the entire unmanned aircraft industry. Robert Fitzgerald, CEO of The BOSH Group, provides drone support services, was quoted as saying that the industry’s “lack of success in educating the public about unmanned aircraft is coming back to bite us.”

While it may be true as a technical matter that unmanned aerial surveillance is no different than a manned overhead flight, the privacy implications are worlds apart. As a practical consideration, unmanned aircraft are degrees cheaper and more accessible to use than their manned counterparts. The ACLU’s Jay Stanley has suggested that unmanned aircraft erase “natural limits” of aerial surveillance, and as drones become both smaller and more technically advanced, will pose bigger and bigger challenges to individual privacy.

But what truly makes unmanned aircraft so unique is that they provide a physical manifestation of our generally abstract, mental conceptions about privacy. Professor Ryan Calo surmises that drone surveillance is “visible and highly salient” in a ways that people experience quite different from network surveillance or commercial data brokerage. “People would feel observed, regardless of how or whether the information was actually used,” he explains.

Privacy Approaches to Unmanned Aircraft Systems

The Association for Unmanned Vehicle Systems International (AUVSI) has put forward a broad privacy statement that endorses efforts to ensure unmanned aircraft are used in an accountable and transparent fashion. So far, so good. However, the statement also calls for technology neutral policies. In other words, data collected from unmanned aircraft would be treated no differently from information uncovered from manned aircraft–or mobile phones. Additionally, while AUVSI has embraced limits on information collection, storage, use and sharing, it recommends enforcement via “established law and policy.” This might not be such a problem if the United States had more comprehensive privacy protections in place, but as Professor Calo and others have pointed out, there are few privacy laws that actually limit surveillance by either private or public parties.

Thus, because of this reality, it is problematic for organizations like AUVSI to suggest, as it did on Wednesday, that the solution is to trust the judicial system to sort out any privacy issues that may arise. Relying on either the traditional privacy torts or the Department of Justice to somehow police privacy intrusions by private companies is not only inefficient, but it does nothing to address the public’s broader concerns about unmanned aircraft. AUVSI claims to want a broad, society-wide discussion about privacy, but it fails to recognize that its own technology may well be the catalyst that forces us to readdress our privacy laws.

Alleviating these fears should be the industry’s top priority should it wish to see the projected economic boom from unmanned aircraft come to fruition. It may make sense to redirect this conversation to an agency with more substantive privacy expertise, but that will only further delay a policy discussion that is already behind where our technology is moving. As unmanned aircraft technology advances, it faces a patchwork of different laws and regulations across the country. A legislative fix by Congress is unlikely, and moreover, Congress has specifically mandated that the FAA work to safely integrate drones into our national airspace.

Given the slim likelihood of legislative action, stakeholders are more or less stuck with the FAA.  Thus, it is essential that the FAA work to develop guidelines that encourage public trust and confidence. The industry’s current approach is unlikely to accomplish this, so how can we best ensure the development of unmanned aircraft technology in a way that protects privacy? One strategy is to couple aircraft safety with privacy protections, and a number of mechanisms put forward by privacy advocates, such as metadata transmissions or “drone license plates,” would promote safety, as well. Another strategy is to develop policies that are informed by the Fair Informational Practice Principles (FIPPs), and for its part, this is the approach the FAA has suggested so far.

Incentives to Embrace Privacy by Design

Data minimization, security, transparency, and accountability are all important principles to respect, but one way of operationalizing these principles in the context of unmanned aircraft is to embrace the concept of Privacy by Design. Developed by Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, Privacy By Design encourages organizations to build privacy in–early, robustly and systematically–across products and business ecosystems.

According to the Federal Trade Commission, Privacy by Design requires entities to “promote consumer privacy throughout their organizations and at every stage in the development of their products and services.” Applying this notion to the field of robotics, researcher Aneta Podsiadła has suggested that privacy protections can be operationalized through a combination of technical solutions during product development and “embedding privacy” into an organization’s operation. Unmanned aircraft manufacturers and operators do not appear to be seriously thinking about privacy from either perspective, however.

Ironically, the vocal public concern about drones actually combats one of the biggest challenges to implementing Privacy by Design. Often economic incentives to protect privacy are simply inadequate. Privacy scholar Ira Rubinstein explains that this combines with inexact guidance by regulators on how to implement Privacy by Design to make investing in privacy safeguards costly to firms. In the case of unmanned aerial surveillance, however, public demand for privacy safeguards is salient–and indeed, an economic opportunity.  Already firms are developing surveillance “countermeasures” for sale to the general public.

This provides an opening to make the FAA’s privacy proposals a model for future privacy policies and operationalizing Privacy by Design. Both regulators and industry needs to begin elaborating design principles, discussing best practices, and researching how privacy can be engineered into unmanned aerial systems. Absent an ongoing dialog, we are committing ourselves to privacy protections that are more aspiration than reality in the skies above. All parties have every incentive to consider these issues: the drone industry anticipates adding 70,000 high-tech jobs and $14 billion to the economy by mid-decade. If we hope to see those figures come to fruition, everyone should be working with the FAA to encourage innovation and experimentation with privacy-protecting technologies.