Judge Narrows Subpoena For New Yorkers’ Airbnb Records in Privacy-Protective Ruling
Late last fall we posted about Attorney General Schneiderman’s troubling attempts to subpoena data on 15,000 New York City-based users of Airbnb, the service best known for allowing people to rent out their spare bedrooms or their homes while on vacation. Schneiderman was trying to find landlords who were renting their apartments out long-term through Airbnb as makeshift hotels, while failing to pay the requisite hotel taxes. While recognizing the city’s compelling need to find tax scofflaws, FPF was critical of Schneiderman’s approach, as it required Airbnb to reveal the vacation habits of thousands of New Yorkers (even ones not suspected of any wrongdoing), including residents’ names and contact information, dates of guest stays, rates charged, and any communications between users and Airbnb about tax issues.
We are happy to report that State Supreme Court Judge Gerald Connolly ruled in Airbnb’s favor, generally siding with the company’s argument that the subpoena was overly broad. Although Judge Connolly’s opinion implies that a narrower subpoena of Airbnb’s records is likely to be upheld, the judge wrote that the subpoena “as drafted, seeks materials that are irrelevant to the inquiry at hand and accordingly, must be quashed.” Specifically, Judge Connolly criticized the subpoena because it included information on residents outside of New York City, as well as rentals of fewer than 14 days (which are legal under New York law).
Although no one should be able to avoid the law simply by doing business online, overly broad subpoenas for innocent customer information harm consumer trust, which in turn cripples online business as well as individual freedom. We applaud Judge Connolly for correctly identifying the overbreadth problem with Schneiderman’s subpoena, and we expect that a more balanced request will follow.
FPF Statement on White House Big Data Report
Today, the White House released its report on big data and the future of privacy. The Future of Privacy Forum (FPF), a DC-based think tank advocating responsible privacy and data practices, has closely followed the work of the Review Group.
“Today’s White House report on Big Data carefully identifies most of the key issues in this emerging and critical debate, and in various ways seeks to constructively address each of them through legislative policy, agency action, and funding efforts. The report is a full-barrel effort to move the dialogue forward in a way that demonstrates a deep commitment to the benefits of Big Data, while at the same time balancing appropriate concerns about privacy. Above all, it was very positive to see the White House commit to essential, long-overdue reform to the Electronic Communications Privacy Act,” said Jules Polonetsky, co-chair and executive director, FPF.
“We’re especially pleased to see the Administration reiterate support for and carefully advance a Consumer Bill of Rights, its commitment to funding of critical privacy technologies, getting consensus among federal agencies with regard to the impact of big data on civil liberties, and taking a comprehensive and careful look at the use of Big Data in education – which can have significant value but must address children’s privacy in a responsible way. Finally, we welcome the report’s call for a smart update to education privacy laws continue to address children’s privacy protections,” said Chris Wolf, co-chair and founder, FPF.
FPF previously submitted comments for the Review Group’s consideration in March.
Japan Approved to Participate in APEC’s Cross-Border Privacy Rules System
The Asia-Pacific Economic Cooperation (“APEC”) has approved Japan as its newest participant in the Cross-Border Privacy Rules (CBPR) system. The CBPR system is a voluntary program that establishes a baseline privacy certification process for the transfer of personal data among the 21 APEC member countries. To date, the United States, Mexico, and Japan have joined; meanwhile Canada recently committed to participating.
To be approved as a participant in the CBPR system, countries must submit a letter of intent to participate, and must fulfill other requirements, such as declaring an intent to make use of APEC-approved “Accountability Agents.” The countries must also describe their laws and enforcement mechanisms related to the protection of personal data. The letters are reviewed by the CBPR Joint Oversight Panel, which determines whether the country may participate.
“The participation of Japan in the CBPR system will make the system stronger, and will provide a key anchor in the Pacific for this regional system,” said FPF Policy Director Josh Harris. FPF is engaged in a series of efforts across the Asia Pacific to promote a more streamlined privacy landscape. FPF is currently working with the United States Department of Commerce and the Federal Trade Commission to provide technical assistance to interested APEC countries, and to advance this initiative through strategic partnerships with key industry stakeholders in each country.
Facebook Gives Users More Control With New “Facebook Login”
Today at f8, Facebook announced a new version of “Facebook Login,” the system that allows Facebook users to log into third-party apps and sites with their Facebook account. The new Facebook Login has a number of new and improved privacy controls, which will be very helpful for users seeking to control the information that gets shared with these third-party apps.
First, the new Facebook Login offers Line-by-Line control, allowing users to pick and choose what information apps will be able to get from their Facebook profile. For example, if a user wants to share their email address with an app, but not their birthday, they can make that choice before using the app. The new Facebook Login will also prevent apps from posting to Facebook without permission.
Second, the new Facebook Login has a new feature called “Anonymous Login.” This feature does what its name suggests: it provides an easy way for people to log into an app without sharing any of their personal information from Facebook. Users can still log into third-party apps using their Facebook credentials (obviating the need to remember additional usernames and passwords), but no personal information from their Facebook profile will be shared. People can decide later if they want to share any additional information, once they understand more about the app.
Third, Facebook is now providing users with a centralized App Control Panel. This dashboard will let users see a list of all the apps they use, manage specific permissions for each app, or remove apps entirely. The control panel as well as all the above features will be available on both desktop and mobile platforms.
“Facebook’s improvements to its Login system are a great addition that will give users even more control of how their information is shared with third parties,” said FPF Executive Director and Co-Chair Jules Polonetsky. “Studies have shown that some users have avoided using social log-ins because they weren’t sure what data would be shared. Facebook’s new changes should make users more comfortable using social logins.”
Press Release: EU-US Safe Harbor Essential To Leading European Companies
NEW FPF STUDY DOCUMENTS OVER 150 EUROPEAN COMPANIES PARTICIPATING IN THE US-EU SAFE HARBOR PROGRAM. FROM MAJOR EMPLOYERS SUCH AS ALCATEL LUCENT, ADIDAS, BMW, NOKIA TO FAST-GROWING START-UPS LIKE APP DEVELOPER MIND CANDY, EUROPEAN COMPANIES DEPEND ON EU-US AGREEMENT
The Future of Privacy Forum has conducted a study of the US-EU Safe Harbor program run by the United States Department of Commerce and has documented that more than 150 European companies are active Safe Harbor participants.
Recently, some European policymakers have called for an end to the Safe Harbor program, while others have called for the program to be improved. FPF believes that simply terminating the program would have negative consequences for data protection and for companies and consumers not only in the United States, but in Europe as well. FPF has previously noted the consequences of termination for those European employees who rely on the Safe Harbor program for the processing of their human resources data.¹ FPF’s new study reveals that termination would adversely impact many leading European companies as well. To date, 152² active Safe Harbor member companies are headquartered or co-headquartered in European countries. These companies include some of Europe’s largest employers, across a wide range of industries and countries, including:
Alcatel Lucent, French telecommunications equipment company
Adidas, German shoe and clothing manufacturer
BMW, German automotive company
Bayer, German chemical and pharmaceutical company
Ericsson, Swedish communications technology provider
Nokia, Finnish communications and information technology corporation
Software AG, German enterprise software company
Sodexo, French food services and facilities management corporation
Bertelsmann, Inc., German multimedia corporation
InterContinental Hotels Group, British hotel company
Telefónica, Spanish mobile network provider
Mind Candy Inc., British children’s app developer and creator of mobile game “Moshi Monsters”
Ingersoll-Rand, Irish global diversified industrial company
Dassault, major French manufacturer and software developer
Vodafone, major British telecommunications company
These and other participating European companies depend on the Safe Harbor program so that their US subsidiaries can effectively use data for research, to improve products, to pay employees and serve customers. These companies would therefore be severely burdened and disadvantaged by termination of the program. FPF agrees with the need to improve the Safe Harbor in a number of key areas and has detailed these recommendations in a recently-released report.³ Given the importance of this mechanism to companies and consumers on both sides of the Atlantic, FPF recommends that the Safe Harbor arrangement be preserved and improved.
Methodology:
FPF staff downloaded a list of current Safe Harbor companies as of March 2014 from the export.gov website
FPF staff performed a web search for each current company by name (removing subsidiary indicators such as “[company] USA”), checking the location of the company’s headquarters on a combination of public databases such as LinkedIn, CrunchBase, Google Maps, and the company’s own website
A company that listed its headquarters in an EU member state or in Switzerland was counted as a match; companies that merely had a prominent EU office or were founded in an EU member state were not counted
Once the list was compiled, it was re-checked and duplicates (additional subsidiaries of a single European parent) were removed
152 total companies were found using this method
For the full list of European companies in the Safe Harbor program, or to schedule an interview with Christopher Wolf or Jules Polonetsky, email [email protected].
Future of Privacy Forum (FPF) is a Washington, DC-based think tank that seeks to advance responsible data practices. FPF is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.
The Need for Privacy and Technology in our Schools: Rethinking Privacy in Education
Last Thursday, Jules Polonetsky participated in a Congressional E-Learning Caucus Briefing on “Data Privacy in Education” on Capitol Hill. Moderating the discussion was Intel’s David Hoffman, who today summarized his thoughts on the event:
The demise of inBloom and many of the findings of the Pew research point to a need for continued dialogue on the issue of education privacy. . . . While transparency and parent engagement are critical, we need to supplement them with a better understanding of how organizations should use student data. We ask all of you to join us in that effort, and help us describe what ‘the appropriate and accountable’ use of data means in education.
His complete thoughts are available at Policy@Intel.
FPFcast: Can Intellectual Property Law Inform Privacy? A discussion with Eric Goldman
April 25, 2014: Can Intellectual Property law inform Privacy? A discussion with Eric Goldman
In this podcast, FPF Legal and Policy Joe Newman talks with Eric Goldman, Professor at Santa Clara University School of Law, Director of the High Tech Law Institute, and a new member of FPF’s Advisory Board. Professor Goldman discusses the problems that arise when trying to incorporate property law concepts within privacy debates.
It’s no surprise that personal information today is a hot commodity, bought and sold by thousands of entities daily. Companies like Covata and Personal tell consumers they can “Own their data,” suggesting that personal information be characterized as property. Goldman discusses the history of privacy thinking with respect to the idea of “data” as “property” and the general reluctance of privacy thinkers to export intellectual property law concepts to cover privacy. General cynicism about the effectiveness of IP law in the 1990s made many fear that once data was “propertized,” companies “would just find easier ways of grabbing that data,” at the expense of consumers. “People’s norms about property get really weird,” Goldman notes. “A lot of the time the label ‘property’ actually distorts the conversation in fundamental and often unhelpful ways.”
New Mobile Tracking Dos and Don’ts from Apple
We wrote in the past about how Apple was addressing privacy concerns about mobile tracking by restricting the identifiers that mobile developers can use to track devices. Apple announced in 2011 that developers moving forward would only be permitted to track an iOS device using Apple’s new Advertising Identifier (IDFA). Despite the fact that this identifier was specifically labeled as for advertising purposes, some companies assumed it could be used for analytics as well.
However, in February, reports began to surface indicating that the App Store was rejecting new apps that used the IDFA for analytics but did not host ads. This raised the concern that analytics were not going to be allowed for any purpose.
In its new iTunes Connect module for developers, Apple explains how the IDFA can and cannot be used within apps distributed on the App Store.
Developers must now specifically indicate as part of their app submission to Apple whether they use the IDFA to serve ads within an app, as well as whether they attribute app installation or other actions within the app to a previously served advertisement. Thus, Apple is permitting the use of the IDFA for serving ads and tracking conversion events. Other limited uses of the IDFA may yet be permissible, as Apple suggests that developers contact them if they believe they have another acceptable use for the identifier.
As we have mentioned before, the IDFA is subject to a user-controlled privacy setting labeled “Limit Ad Tracking” and found within “Settings –> Privacy –> Advertising –> Limit Ad Tracking” in iOS 7 (in iOS 6, the setting is at “General –> About –> Advertising –> Limit Ad Tracking”).
The new language also clarifies that an application, as well as any third party that interfaces with the application, is subject to the new rules. More discussion of the new iTunes Connect module can be found at TechCrunch.
Google Updates Developer Program Policies with New Rules for Ads
Google has recently updated its set of rules that developers must follow when distributing apps on the Google Play store. The updated rules are designed in part to guide developers in promoting their apps. The rules prohibit apps from promoting themselves through deceptive ads (for instance, by simulating a Google service or app notification), misleading install tactics or unsolicited SMS messages. Google has also expanded its restrictions on acceptable app behavior, curbing “erotic” content, links to malicious software and apps that alter a device’s browser settings or bookmarks.
Google’s new policy also increases transparency surrounding in-app purchases: “If your product description on Google Play refers to in-app features to which a specific or additional charge applies, your description must clearly notify users that payment is required to access those features.” These changes should help to boost confidence in the ever-expanding mobile app ecosystem.
Also, note that while not a new addition to the Policy, developers should be aware of the approaching August 1st deadline for moving app tracking based on the “Android ID” to the new “Android Advertising Identifier.” After the deadline, all apps may track using only the Advertising ID and may not link it to any persistent identifier such as a MAC address without the explicit consent of the user. For more information on Google’s developer policy, visit the Android Police site.
Comments for the White House "Big Data Review"
This afternoon, FPF submitted comments to help inform the White House Office of Science and Technology Policy’s “Big Data Review.” Announced in January, the White House Big Data Review has been a helpful exercise in scoping out how big data is changing our society. Through public workshops at MIT, NYU, and Berkeley, the review has solicited thought leadership from a wide array of academics and researchers. Moving forward, FPF believes there is much that can be done to promote innovation in a way that advances privacy.
We advanced the following recommendations for the OSTP Big Data Review report:
1) Embrace a flexible application of Fair Information Practice Principles (FIPPs). Traditional FIPPs have guided privacy policy nationally and around the globe for more than 40 years, and the White House Consumer Privacy Bill of Rights is the most recent effort to carry these principles forward into a world of big data. FPF supports the continued reliance on the FIPPs and believes they remain flexible enough to address many of the challenges posed by big data when applied in a practical, use-based manner. Our Comments recommend a nuanced approach to their applicability that accounts for modern day technical realities.
2) Promote the benefits of big data in society. Researchers, academics, and industry have demonstrated how big data can be useful in driving economic growth, advancing public safety and health, and improving our schools. Yet, privacy advocates and the public appear skeptical of these benefits in the face of certain outlier uses. More work is needed to understand the ways big data is already improving society and making businesses more efficient and innovative. This report should highlight the importance of big data’s benefits and identify additional opportunities to promote positive uses of big data.
3) Support efforts to advance practical de-identification, including policy and technological solutions. While the Federal Trade Commission (FTC) has acknowledged that data that is effectively de-identified poses no significant privacy risk, there remains considerable debate over what effective de-identification requires. FPF believes that technical anonymization measures are only one component of effective de-identification. Instead, a broader understanding that takes into account administrative and legal safeguards, as well as whether data is public or non-public, should inform conversations about effective de-identification procedures.
4) Encourage additional work to frame context and promote enhanced transparency. The context in which data is collected and used is an important part of understanding individuals’ expectations, and context is a key principle in both the Consumer Privacy Bill of Rights and the FTC Privacy Framework. Respect for context is an increasingly important privacy principle, yet more work by academics, industry, and policymakers is needed about how to properly frame and define this principle. The Department of Commerce-led Internet Policy Task Force (IPTF) should continue its work convening stakeholders and hold programs that could help frame context in an age of big data. At the same time, another important tool that can be used to promote public trust in big data is enhanced transparency efforts. In particular, FPF has called for more transparency surrounding high-level decisional criteria that organizations may use to make decisions about individuals.
5) Encourage efforts to promote accountability by organizations working with big data. Data privacy frameworks increasingly rely on organizational accountability to ensure responsible data stewardship. In the context of big data, FPF supports the further development of the concept of internal review boards that could help companies weigh the benefits and risks of data uses. In conjunction with the evolving role of the privacy professional, accountability measures can be put in place to ensure big data projects take privacy considerations into account.
6) Promote government leadership on big data through its own procedures and practices. The federal government is one of the largest producers and users of data, and, as a result, the government may inform industry practice and help demonstrate the value of data through its own uses of big data across and among agencies. The Federal Chief Information Officer (CIO) Council is particularly well-positioned to ensure the federal government can maximize the potential of big data with an eye toward privacy protection.
7) Promote global efforts to facilitate interoperability. Recent privacy developments in the Asia Pacific and the European Union have given new life to constructive collaboration on the cross jurisdictional issues presented by big data. FPF urges government to actively promote and maintain existing frameworks to facilitate interoperability, including the US-EU Safe Harbor and the Asia Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) System.
Big data presents many benefits and potential risks. A thoughtful, balanced analysis of the value choices now at hand is essential. The Administration’s efforts to convene thought leaders have produced many fruitful conversations, and more are needed. At the same time, it will be essential that the Administration provide transparency and a clear plan of action to all stakeholders moving forward. These broad next steps are suggested as a helpful beginning to the work that needs to be done.
Big data offers the United States a great opportunity to provide global leadership on promoting innovation – and protecting privacy. It also presents a challenge, but we have the privacy principles and frameworks needed to thoughtfully address that task.