Commissioner Brill and the Broader Privacy Call to Arms

Wednesday, in a speech at the Polytechnic Institute of New York University, FTC Commissioner Julie Brill addressed an audience of engineers and computer scientists and solicited their skills to improve consumer privacy and enhance trust. Her specific concerns have tracked some of the biggest debates I have seen during my time at the Future of Privacy Forum. Brill identified the challenges facing the Fair Credit Reporting Act (FCRA), the rise of the Internet of Things, and the opacity of data brokers as three of “the most vexing privacy problems presented by big data.”

Her concerns about the FCRA in many respects echo the worries Professor Chris Hoofnagle discussed with me and detailed in an essay on the law in advance of FPF’s “Big Data and Privacy” conference last month.  Further, Brill notes that the Internet of Things will provide “a ready canvas” that provides “a new way of giving notice and consent that is more meaningful and less confusing for users.” FPF agrees and argues similarly that the flexibility inherent in the Internet of Things will benefit consumers.

Yet Brill seems most worried about the vast amounts of data collection and user profiling occurring by entities that are not consumer facing.  “What damage is done to our sense of privacy and autonomy in a society in which information about some of the most sensitive aspects of our lives is available for analysts to examine without our knowledge or consent, and for anyone to buy if they are willing to pay the going price?” Brill asked.

While so-called data brokers have become something like the bogeymen of the Big Data world, much of this is likely simply due to consumers having little understanding of what it is these companies do. In the past, FPF has called for companies to work toward “featurizing” data in ways that “share the wealth” directly with consumers. Simply sharing the data that gets collected about consumers with consumers could go a long way to demystifying what is happening.

Commissioner Brill’s “Reclaim Your Name” is a big step toward shedding some light behind the curtain. The initiative is all about empowering consumers to find out how companies collect and use data, give access to that data, and provide consumers with a degree of control. To that end, we’ve seen efforts like Acxiom’s web-based “About the Data” tool that gives consumers access to portions of their comprehensive marketing profile.

These are positive steps, but another big challenge is simply the opacity that now clouds some important decisions individuals and society need to make.  Much of the discussion at the “Big Data and Privacy” conference suggested that the big challenge surrounding Big Data wasn’t so much privacy per se as it is the ethical considerations about personal autonomy. “Policymakers, scientists, technologists and business leaders should acknowledge that progress comes with attendant risks and work together to ensure a future of ethical innovation,” Jules Polonetsky said at the time.

On Wednesday, Brill stated she’d “come to realize that we need more than law and more than ‘best practices’ to safeguard privacy effectively.”  While the crux of her speech focused on technical solutions, her comments suggest that confronting our privacy problems will require all hands on deck.

Coincidentally, on Tuesday, the MIT Technology Review released a provocative essay by Evgeny Morozov. In his essay, Morozov posits that our privacy problem is actually a democracy problem in disguise. He worries that the pervasive automation of information processing and “algorithmic regulation” permits organizations and governments to “solve public problems without having to explain or justify themselves to citizens.” This echoes Viktor Mayer-Schönberger and Kenneth Cukier’s claim that Big Data will require society to ignore causality for correlation, to “not knowing why but only what.”

Morozov suggests that it is time for us to worry about what this implies for justice and equality. Our decisions to disclose personal information, he writes, “will inevitably have implications for other people, many of them less well off.”  In the end, this raises broad concerns about not just individual privacy but democracy itself.

Commissioner Brill has declared a call to arms to engineers and technologists–and that’s a start–but it is interesting that it comes in concert with a much broader call to arms for all of us. Having everyone engaged on what privacy means and stands for may well be the only way we can all ensure that Big Data reaches its full potential to benefit us all.

-Joseph Jerome is a Legal & Policy Fellow at the Future of Privacy Forum

FTC Director of Consumer Protection Praises MLA Code

Politico reports this morning in Morning Tech that our guidelines for location analytics companies — announced yesterday — have been met with some kind words from FTC Director of Consumer Protection Jessica Rich. She said:

“It’s great that industry has recognized consumer concerns about invisible tracking in retail spaces and has taken a positive step forward in developing a self-regulatory code of conduct…Our staff appreciated the opportunity to provide feedback in the process of creating the code. This is a rapidly changing industry with critical consumer privacy implications, and the FTC is paying close attention to how retailers are using these new technologies.”

via Politico Morning Tech.

Chris Wolf Asks Whether the LIBE Committee Torpedoed the Safe Harbor?

In a post on IAPP Privacy Perspectives blog, Christopher Wolf, FPF Founder and Co-Chair, suggests that the LIBE Committee has effectively called for the end of the US-EU Safe Harbor.

“Before abandoning the Safe Harbor, we urge the European Parliament and Council to take a deep breath, and to take a dispassionate view of the effectiveness of the Safe Harbor—especially in comparison to the enforcement tools that are or would be available if the Safe Harbor is blown up,” he suggests.

The Future of Privacy Forum and Sen. Schumer Announce Important Agreement to Ensure Consumers Have Opportunity to “Opt-Out” Before Stores Can Track Their Movement Via Their Mobile Devices

FOR IMMEDIATE RELEASE:  October 22, 2013        

FPF and Schumer Release New Code-of-Conduct Agreed to By Location-Technology Companies

Code Includes A Requirement of Clear, In-Store Signage That Tracking Technology Is Being Used And Instructions for How To “Opt-out” So Stores Can’t Track You

New York, NY – The Future of Privacy Forum (FPF), U.S. Senator Charles E. Schumer and a group of leading location analytics companies – including Euclid, iInside (a WirelessWERX company), Mexia Interactive, SOLOMO, Radius Networks, Brickstream and Turnstyle Solutions – today announced that they have agreed to a Code of Conduct to promote consumer privacy and responsible data use for retail location analytics.  The companies responded to privacy concerns raised by Senator Schumer and the FPF about the use of this new technology.  The code of conduct includes in-store posted signs that alert shoppers that tracking technology is being used, and instructions for how to opt out.

“Today, location analytics companies have introduced a comprehensive code to ensure they have data protection standards in place to de-identify data, to provide consumers with effective choices to not be tracked and to explain to consumers the purposes for which data is being used,” said Jules Polonetsky, Executive Director of the Future of Privacy Forum. “These standards ensure that consumers understand the benefit of the bargain and have choices about how their information is used while allowing technology to continue to improve the shopping experience. As we quickly approach the holiday shopping season, this is not only the right move – but a timely one as well, adding a layer of trust, choice and transparency onto a shopping experience that in 2013 is more mobile and hi-tech than ever before.”

PHOTO: Senator Schumer, second from left, pictured with (L-R) Glenn Tinley (President & Founder, Mexia Interactive), Will Smith (CEO, Euclid), Jules Polonetsky (Executive Director, Future of Privacy Forum), and Jim Riesenbach (CEO, iInside Inc.).

“This is a significant step forward in the quest for consumer privacy,” said Senator Schumer.  “This agreement shows that technology companies, retailers, and consumer advocates can work together in the best interest of the consumer.  There is still much more work to be done and I will continue to push for privacy rights to be respected and strengthened, but this represents real progress and I thank the Future Privacy Forum and these tech companies for their hard work hammering out this agreement.”

Major national retail chains have been testing technology that would allow them to automatically track shoppers’ location through stores. The FPF worked with the technology companies to develop a Code to ensure that appropriate privacy controls are in place as retailers seek to improve the consumer shopping experience. These technology companies use mobile device Wi-Fi or Bluetooth MAC addresses to develop aggregate reports for retailers.

The Code puts guidelines in place to create best data practices that will provide transparency and choice for consumers. The Code calls for the display of conspicuous signage by retailers and for a central opt-out site for consumers.

Under the Code, companies that collect data through this technology must limit how the information is used and shared and how long it may be retained.  The Code mandates that companies de-identify the data and explain in their privacy policy how they do so. Companies are required to get opt-in consent when personal information is collected, or when a consumer will be contacted. The Code calls for opt-out consent where the information collected is not personal.  In addition, this data cannot be collected or used in an adverse manner for employment, health care or insurance purposes.

“We are just beginning to see the possibilities that in-store analytics can bring to shoppers and to retailers, and yet, as with any new technology, there is the chance for confusion about the intent and possible implications of such technology,” said Steve Jeffery, CEO, Brickstream. “We applaud the Future of Privacy Forum for taking the lead in bringing retailers and technology providers together to address these important issues.”

“We would like to thank Senator Schumer for his leadership on this issue,” said Will Smith, CEO, Euclid. “Privacy has always been a priority as we’ve designed and built our services, and we have been working diligently with FPF to release best practices for the retail analytics industry as a whole.”

“iInside and industry partners have made it a top priority to assure that consumers are well-informed and their personal privacy and identity are protected.  The newly announced code is a major step forward in establishing and communicating clear and concise standards across our industry,” said Jim Riesenbach, CEO, iInside Inc.

“The release of a Code of Conduct to guide industry practice ensures that businesses and retailers are able to enhance their customers’ experience without compromising their privacy,” said Glenn Tinley, President & Founder, Mexia Interactive. “Business and consumers also can be assured that a company listed on the SmartStorePrivacy.org website has committed to following the code.”

“Proximity and location technology is evolving rapidly, and we want to make sure it’s deployed in an open, responsible and trustworthy manner. The retail location analytics Code of Conduct is a solid step in the right direction,” said Marc Wallace, Co-Founder & CEO, Radius Networks, Inc.

“SOLOMO sees privacy as an opportunity for retailers to build trust with customers,” said Liz Eversoll, CEO, SOLOMO.  “We’ve collaborated to develop the Code of Conduct to ensure transparency and empowerment for retail customers.   Indoor location technology will offer customers new in-store experiences, special deals, and localized services as retailers introduce it in their stores.  Everyone wins.”

“Turnstyle Solutions is pleased to partner with the Future Privacy Forum in the development of this Code of Conduct. We are confident the code lays the foundation necessary to protect sensitive consumer information, while offering retailers and consumers services that enhance their shopping experience,” said Devon Wright, Co-Founder, Turnstyle Solutions.

About the Future of Privacy Forum

The Future of Privacy Forum (FPF) is a Washington, DC-based think tank that seeks to advance responsible data practices. The forum is led by internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

For more information on retail location analytics and the Mobile Location Analytics Code of Conduct, visit SmartStorePrivacy.org. For any further questions or to schedule an interview, please contact [email protected].

Privacy a Hot Topic at Place 2013 Indoor Marketing Conference, ITworld Reports

On the heels of this week’s Place 2013 Indoor Marketing Conference in San Francisco, ITworld has published a piece called ‘How location tracking will change the way you shop.’ Location tracking has become a key issue for FPF, and we were really pleased that privacy was a big part of the conversation at the conference, and the ITworld article. Our director Jules Polonetsky is quoted in the article emphasizing the need for company transparency, but also that retailers ought to promote the benefits of data gathering to their customers:

‘Companies need to be transparent about what they’re doing and why, said Jules Polonetsky, executive director and co-chairman at the Future of Privacy Forum.

“We’re never going to convince consumers that they should love data exchanges or marketing,” he said. But instead of burying their data gathering in a long privacy policy, retailers should promote the types of benefits Amazon offers with its recommendations, Polonetsky said, and tell customers, “We recommended this to you because you liked such and such.”’

Location tracking creates so many possibilities to improve the consumer experience, and we’re hopeful that — if done right — these need not come at the cost of transparent and responsible data gathering.

Read the rest of the article at ITworld.

Safe Harbor Faces Scrutiny at Recent LIBE Committee Hearing

As we described in our previous post, the Safe Harbor is currently facing criticism in the EU in light of disclosures involving US surveillance programs. A recent hearing by the European Civil Liberties, Justice and Home Affairs (LIBE) Committee is demonstrative of this negative sentiment and shows that there is no sign that this backlash will subside.

On October 7, the LIBE Committee of the European Parliament held a hearing to examine the US-EU Safe Harbor framework as well as other mechanisms for lawful data transfers in light of the NSA revelations. At the hearing, all the speakers argued that data collection at the scale conducted by the NSA was inconsistent with EU law, and pressed for the enactment of Article 42 – a provision currently under consideration that would prohibit countries outside of the EU from accessing personal data in the EU where required by a non-EU court or administrative authority without prior authorization by a DPA.

Peter Hustinx, the European Data Protection Supervisor, offered the most positive review of the Safe Harbor framework, describing it as having merit but lacking a comprehensive overview. Isabelle Falque-Pierrotin, President of CNIL, noted that the Safe Harbor and BCRs were not designed to address government requests for data transfers, instead arguing for strong agreements with non-EU countries in order to avoid conflicts of law, and the development of a European cloud system to create clear legal responsibility for companies.

Christopher Connolly, director of consulting firm Galexia and author of a 2008 report on the Safe Harbor, was most critical of the framework. He cited what he believed to be considerable flaws in the framework – many of the same criticisms he levied in his 2008 report – and advocated for its suspension. Despite only Connolly calling for a suspension of the Safe Harbor, at the end of the hearing, Claude Moraes, Labour MEP for London and a member of the LIBE Committee, stated that his draft report would recommend suspending the framework.

The rhetoric at this hearing is an example of why FPF is conducting its own objective assessment of the Safe Harbor framework. We believe that it is important to provide EU policy makers with a neutral review of the Safe Harbor that provides basic facts about the implementation and enforcement of the framework to best understand what is working, and what can be improved. By taking a balanced look at the current state of the Safe Harbor, FPF can provide input into the ongoing EU debate.

Oct. 1 – Your Digital Trail: Private Company Access – NPR

Jules Polonetsky is featured in a multi-series piece about digital life on NPR’s All Tech Considered:

“I think companies haven’t figured out how to talk to people about data or privacy,” says Jules Polonetsky, executive director of the Future of Privacy Forum. “And we think that’s a big part of why the industry has such a bad rap. They’re worried that [consumers’] reaction will be, ‘That’s creepy. I don’t like it.’”

But Polonetsky says most companies that track users have an innocent explanation: They are helping other companies advertise their products directly to you, or personalizing their service to buy your loyalty.