Today, the National Telecommunications & Information Administration (NTIA) circulated a Best Practices document that is being proposed by a diverse subgroup of stakeholders including leading privacy advocates, drone organizations and companies, and associations. The proposed Best Practices will be presented and discussed at the next meeting of the NTIA convened multi-stakeholder process concerning privacy, transparency, and accountability issues regarding commercial and private use of unmanned aircraft systems.
“These proposed draft principles recognize the value of drones for beneficial purposes, but also address in a practical way the privacy concerns they raise. Much careful negotiation and compromise went into ensuring privacy issues could be addressed in a way that is practical, so operators both large and small can comply,” said Jules Polonetsky, CEO, Future of Privacy Forum, a member of the subgroup proposing the Best Practices.
Google Provides Open Source Platform for Beacon Security
After an initial splash, news about beacon technology has been fairly quiet recently, but last week an advancement was announced that will support easier access to privacy and security capabilities on this unique technology.
Beacons are sometimes misunderstood – thought to collect or retain data on nearby people, or able to track smartphone movements without their owner’s awareness. In fact, they only transmit, never collect, data. And location tracking is possible ONLY if you have given that specific app permission to use your phone’s location functions, and if you have your Bluetooth access turned on. You can control this on your phone’s setting, and you can deny an app access to contact you via notifications.
The use of low-powered beacons has spread slowly and steadily – in stores, museums, airports or other spaces that set up a device that broadcasts a unique code. If your phone has Bluetooth turned on and you download the particular app for that location, and then you allow permission to use Bluetooth and location, the app can detect that beacon. By determining the location of your phone, the app then enables features.
Beacons positioned near an airport security checkpoint might trigger your airline’s app to show your boarding pass. A beacon in a museum might signal the museum app to show information about the artist of a painting you’re looking at. Retail-store beacons may help users locate products or indicate sale items. Beacons are inexpensive, simple to deploy and are supported by most mobile operating systems.
Since their introduction on a broader scale, retailers, shopping centers, public attractions, airports, and sports arenas have explored how to use beacons in many new and different ways. As consumers become more familiar with the advantages, they have grown to enjoy the benefits of a more personalized experience.
However, one continued challenge to a broader array of applications for beacons is that of security. They work well for a standardized response triggered by a general member of the public who enters their zone, but greater protection in general applications has been limited when needed to protect information to allow for an individualized response. Since unencrypted beacon signals are also susceptible to long-term tracking, this security shortfall has limited the pace of their increased use.
Last week, however, Google announced an offering of an open-source platform with the rollout of Eddystone-EID. Per the design team, other companies may have similar technologies, but they are proprietary without easy transparency into the process for how the encryption is achieved. This is where Eddystone-EID shines, since the technical specifications are open-source.
“Eddystone-EID enables a new set of use cases where it is important for users to be able to exchange information securely and privately. Since the beacon frame changes periodically, the signal is only useful to clients with access to a resolution service that maps the beacon’s current identifier to stable data. In other words, the signal is only recognizable to a controlled set of users.”
Google has developed the entire suite of Eddystone platforms as open source technology; they are available on GitHub. This newest addition – EID – turns the beacon-to-app-enabled phone into an encrypted, moving target. If another phone in the area doesn’t have the shared key, the EID representation is just gibberish. With the new tools, the exchange can’t be tracked or spoofed, and there is also access to safety features such as proximity awareness, device authentication, and data encryption on packet transmission.
Now, in addition to being able to find your way around the airport, you will be able to track your luggage without anyone else knowing which bag is yours. During sporting events, the facility can communicate with individual patrons in the “nosebleed” sections to offer them better seats, when available. A UK company will use this to offer subscribers personalized commuting information.
Introduced along with other new offerings – Beacon Tools, and Eddystone GATT-Service – this new open-source platform for secure encryption practices represents for an important moment in beacon technology for the increased security and protection of personal data.
Using Student Data Essential for Research that Empower Students
In our nation’s schools, we have seen widespread use of zero tolerance policies that lead to suspension, expulsion, and other extreme disciplinary measures. Do these policies work or do they cause more harm than good?
Thanks to research that studied student data over time, we now know that these procedures are not effective in preventing future misbehavior nor improving student outcomes.
Without studies that looked at this issue and others, our policies and education practices would be lacking key insights.
In Huffington Post Education, Jules Polonetsky writes about “Making a Digital Difference in the Classroom With Data,”. Jules reviews a recent FPF report written by NYU academic Elana Zeide which summarized an extensive collection of research studies that relied on student data to help gain insights used to improve student education.
EU-US Privacy Shield Gets Nuanced Review by EU Privacy Regulators
On April 13, 2016, the Article 29 Working Party (Working Party) released its review of the EU-US Privacy Shield (Privacy Shield), the proposed new framework for US companies to transfer data from the EU to the US. The review of the Working Party was nuanced, giving strong credit for improvements by the Privacy Shield over the previous Safe Harbor agreement for commercial uses of data and praising new protections related to government surveillance. But the Working Party also cited various issues of concern that it wants to see addressed.
The Working Party recognized that some of the issues raised might be addressed in a future review of the Privacy Shield after the new GDPR is in place or after EU Court decisions inform the appropriate limits on bulk collection of data and surveillance. Other issues might be addressed by documents that more clearly explain the Privacy Shield or by a new glossary that explains Privacy Shield key terminology.
The Working Party also pointed out some areas where important EU concepts are not in their view captured in the Privacy Shield, such as limits on data retention, rights to object to automated processing and more.
EU Commission spokesman Christian Wigand reacted to the review saying “EU Data Protection Authorities welcome significant improvements to Privacy Shield. We aim for adoption in June.”
“While policymakers and regulators debate the next steps on Privacy Shield, they should keep in mind who is most impacted by uncertainty about EU-US data flows, stated FPF CEO Jules Polonetsky. “51% of the companies in Safe Harbor were there to transfer the human resources data of EU employees to the US, for payroll, promotions and bonuses.”
A previous FPF study also revealed that Safe Harbor included 152 companies who are headquartered or co-headquartered in European countries, which span across a wide range of industries and countries.
Click here to view the Working Party’s full opinion.
May 10th Event: The Higher Education Privacy Conference
The HEPC is one-day event that focuses on privacy and information management in higher education. The event consists of a combination of speakers and smaller breakout discussion groups to foster interactivity and engagement. Participants include higher education CIOs, security professionals, privacy professionals, compliance professionals, and general counsel. Also participating are key individuals from industry, law firms, associations, and government regulatory agencies.
The National Network to End Domestic Violence Discusses Protecting Victim Privacy While Holding Offenders Accountable
Future of Privacy Forum Advisory Board member Cindy Southworth, Executive Vice President and Founder of the Safety Net Technology Project at the National Network to End Domestic Violence (NNEDV), shared a post we thought was important. In its article, “Smartphone Encryption: Protecting Victim Privacy While Holding Offenders Accountable,” NNEDV recognizes the significance of smartphone encryption in the ability for law enforcement to hold offenders accountable, but also states that smartphone encryption does not prevent law enforcement from doing an investigation of technology-facilitated domestic violence, sexual assault, and stalking.
NNEDV points out that in most cases, it is possible for law enforcement to successfully investigate and build a domestic violence and sexual assault case without needing the perpetrator’s smartphone. It is explained that evidence of harassment via emails, texts, or social media will also exist on other technology platforms. Thus, access to the smartphone is not required.
Essentially, NNEDV contends that the issue of smartphone encryption comes down to balancing victim privacy and offender accountability. It believes that both are equally important, but neither should be compromised for the other. NNEDV suggests that instead of finding waysto get around smartphone encryption, law enforcement agencies deserve and need far more resources to investigate crimes facilitated through technology.
FPF Hires Director of Communications – Melanie Bates
We are delighted to welcome Melanie Bates to the Future of Privacy Forum (FPF) as of April 11, 2016 as our new Director of Communications. In this new position, Melanie will be responsible for all FPF communications requirements including website updates, media relations, internal member communications, and social media presence. She will also assist with development of FPF’s strategic communication plan, and support availability of written or in-person representation of FPF’s position on important public policy questions on consumer privacy issues.
Melanie came to us from her role as the Director of Policy & Communications at the American Civil Liberties Union of the Nation’s Capital (ACLU-DC). Prior to ACLU-DC, she was the Legislative Director for Ward 6 Councilmember Tommy Wells at the Council of the District of Columbia. Melanie was the 2014-2015 President of the Greater Washington Area Chapter, Women’s Lawyers Division, National Bar Association (GWAC). She also served on the National Bar Association’s Board of Governors. Melanie is a graduate of the DC Bar Leadership Academy and the New Leaders Council Institute (NLC), Washington, DC Chapter.
Melanie earned her Bachelor of Science in Marketing from Hampton University in 2007 and her Juris Doctor from North Carolina Central University School of Law in 2011.
We are excited to have Melanie on board as FPF continues to grow its impact within the public policy discussion on the responsible use of data in consumer and commercial privacy issues. For inputs or questions about FPF’s work, please contact Melanie at [email protected].
De-Identification: Practice and Policy, April 13 in San Francisco
The Future of Privacy Forum, EY, and Privacy Analytics are hosting an event to share and advance practices and policies around de-identification. This all day forum will include panel discussions on topics such as emerging policy questions, de-identification case studies, implementation and best practices, and the role of controls. We encourage audience participation and knowledge sharing.
Wednesday, April 13, 2016 from 1:00 PM to 6:00 PM (PST)
San Francisco, California
The program will include:
Panel 1: Law, Self-Regulation, and Standards
This panel discusses the regulatory, operational, and technical frameworks guiding de-identification practices today, including perspectives on the evolving definition of personally identifiable information, the development of self-regulatory mechanisms, and international standard-setting efforts
Panel 2: Sector-Specific Case Studies
This panel discusses practical considerations and critical issues when implementing de-identification practices, including real world examples from in a diverse range of industries
Panel 3: The Role of Controls
This panel discusses managing de-identification in the context of comprehensive privacy and security program, including balancing technical and administrative controls, weighing the benefits and risks of data use, and evaluating safeguards for sharing data.
Closing and Group Discussion led by FPF, EY, and Privacy Analytics
* * *
Following the event, please join us for a reception sponsored by Privacy Analytics at Roy’s Restaurant, located across the street from the EY office at 575 Mission Street.
Student Privacy Pledge – Hits 250 with Launch of New Site!
The Student Privacy Pledge, a public commitment by education technology companies for the responsible handling of student data, has reached the milestone of 250 signatories. We are also pleased to announce the launch of the newly re-designed Student Privacy Pledge website. The site, studentprivacypledge.org, now provides more information, including a Frequently Asked Questions section, and is easier for visitors to navigate, find signatory companies, and inquire about signing the Pledge.
The K-12 Student Privacy Pledge was introduced by the Future of Privacy Forum (FPF) and the Software & Information Industry Association (SIIA) in October 2014 with 14 original signatories and took effect in January 2015 as a legally enforceable agreement for companies that provide services to schools. The twelve specific commitments in the Pledge detail ongoing industry practices that both meet the demands of families and schools and track key federal and state laws. By signing the Pledge, school service providers clearly articulate their adherence to these practices to schools and parents regarding the collection, use, maintenance, and retention of student data.
As we enter 2016, we have seen a rapid increase in inquiries and companies taking the Pledge, which continues to provide accountability for signatory school service providers. The result is a bolstering of the public trust necessary for continued technology access for school operations and student learning – technology that is critical to the nation’s continued educational and economic competitiveness.
The Pledge adds to an existing framework of student data protections, which also include existing laws, contracts, and company privacy policies. A company’s security and other commitments made under the Student Privacy Pledge are legally enforceable under Section 5 of the federal Consumer Protection Act.
“The sustained support and interest in the student privacy pledge demonstrate the commitment education service providers have to protecting student information. As many states have passed legislation on this issue, the strength of the Pledge and its commitments show the providers’ awareness of community expectations in addition to their legal responsibilities.”
– Mark MacCarthy, Senior Vice President, Public Policy, Software & Information Industry Association (SIIA)
FPF and SIIA are proud to facilitate the efforts of education technology companies to lead in the responsible use of student data by signing the Student Privacy Pledge. We look forward to a continuing increase in the number of companies joining this effort and agreeing to be held publicly accountable to the safeguards embodied in the Pledge.
Read the full text of the Student Privacy Pledge here.
19 Times Data Analysis Empowered Students and Schools
Which Students Succeed and Why?
“Thoughtful use of education data has tremendous potential to improve and address inequities in America’s education system. Scientists better understand how the brain incorporates new information and skills. Educators have a more accurate sense of student progress and potential risk for dropping out. Students and teachers use more detailed information about their strengths, weaknesses, and individual academic performance to diagnose and address learning gaps. Schools can correlate patterns with failing or dropping out, and intervene early with at-risk students. Districts and schools can use data to allocate resources and create institutional reform to better meet student needs in a world where students take increasingly personalized or non-traditional paths to graduation.”
Thus begins FPF’s newest paper, by Elana Zeide, which goes on to demonstrate the power of data to show school, districts, parents, and students, the trends and outcomes that are occurring, and inspire ways to make those outcomes better.
Student data, as part of the education record from each student’s school experience, is most importantly a tool for that student to reflect their achievements, and inform their future decisions. In addition, however, data across students and over time enables insights for teachers, administrators, districts, and states to identify trends, show patterns, and evaluate the success of educational changes to ensure that new programs or services achieve the desired results.
This paper identifies 19 studies – a relatively small sample – where data was successfully used to evaluate a program, create a new strategy, or delve into equity and bias issues. The appropriate protection and responsible use of student data in such studies is a fundamental value. But the power of data to shed light on current student and educational system outcomes and improve the opportunity for individual success is overwhelming.
New data analysis techniques provide the opportunities to understand and transform learning theory and practice. As Ms. Zeide concludes: “Properly used, mindfully implemented, and with appropriate privacy protections, student data is a tremendous resource to help schools fulfill the great promise of providing quality education for all.”
