Winning 2015 Privacy Papers for Policymakers to be Presented
The Future of Privacy Forum is pleased to publish our annual compilation of winning privacy papers, Privacy Papers for Policymakers. These five top papers along with two honorable mentions, all published in 2015, were selected by a subcommittee from the FPF Advisory Board as the best papers to inform any conversation about regulatory privacy initiatives in Congress, as well as at the Federal Trade Commission and other government agencies.
This evening (Jan. 13th), we look forward to hosting the authors of the selected papers at our annual panel and reception, an event which has sold out. Authors will discuss their individual publications across two panels, to be followed by Q&A. In addition, special guests Julie Brill, FTC Commissioner, and Dr. Lorrie Faith Cranor, FTC Chief Technologist, will make comments.
Click here to read the 1-page executive summaries of the winning papers.
FTC Releases Report on Benefits and Risks of Big Data
This week the FTC released a report exploring the use of Big Data analytics. The 33-page document, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, is based on the FTC’s Big Data Workshop on September 17, 2014. The report outlines some of the benefits and risks of Big Data use, and surveys the existing consumer-protective legal framework, including the Fair Credit Reporting Act (FCRA), the Federal Trade Commission Act (FTC Act), and a spectrum of equal opportunity laws.
In the report, we were pleased to see a thoughtful discussion of some of the benefits of Big Data use, including to provide better education, access to credit, and tailored healthcare. Included were many of the examples described in FPF’s report co-authored with the Anti-Defamation League, Big Data: A Tool for Fighting Discrimination and Empowering Groups. In this publication, we highlighted many of the ways in which data can be harnessed to combat discrimination, including to increase workplace diversity and access to employment opportunities. Featured prominently in the FTC’s report were many of the panel comments of FPF Founder Christopher Wolf, who spoke at the 2014 workshop on the uses of Big Data for combating discrimination.
Also highlighted were some of the comments of Senior Fellow Peter Swire, who has written that existing anti-discrimination laws in some sectors—such as housing, access to credit, and employment—already apply to online advertising. These laws, most notably ECOA, Fair Housing Act, and Title VII, prohibit discrimination in both online and offline marketing, and the online ecosystem may in fact lend itself to better disparate impact analysis.
The FTC’s report will certainly not be the last word on the subject in the world of Big Data and privacy. Followers of the ongoing conversation around Big Data should look next to the upcoming White House report (following up on a 2015 Interim Report) exploring the implications of big data technologies for civil rights, including for broadening opportunities and preventing discrimination.
Parent’s Guide to Student Data Privacy Now Available in Spanish!
The Future of Privacy Forum (FPF), Connect Safely, and the National PTA are proud to announce that the Parent’s Guide to Student Data Privacy is now available in Spanish, both on-line and in hard copy formats.
Last year, FPF partnered with ConnectSafely and the National PTA to create the Parent’s Guide to Student Data Privacy. This guide offers information specifically designed to provide parents with easy-to-understand FAQs explaining student rights to their educational data under current law. With the many recent changes in the role of technology in schools, and the increase in student data collected by schools and districts, it’s important that parents and students have a clear understanding of their rights to access and control that information. This guide has been distributed to, and accessed on-line by, parents from schools across the country. Thanks to a grant from Sheila Kaplan, we are now able to offer the Guide in Spanish as well. This will enable schools to reach an even wider audience and help educate more parents about their child’s data.
Future of Privacy Forum and Houston ISD Announce Winners for Student Privacy Video Competition
The Future of Privacy Forum (FPF), in partnership with Houston ISD’s Office of Educational Technology, has introduced a student-created video campaign to encourage public school students to engage with how to safeguard their privacy and personal data. In October, students from the Houston Independent School District (HISD) were offered the chance to create short videos to discuss pertinent privacy issues aimed at their peers, on topics which rotated monthly.
HISD elementary school students created videos on the importance of strong passwords as a key to responsible digital citizenship. Out of 8 submissions, 5 students from two schools demonstrated their mastery of this concept, winning the top prizes in the video production contest. Harvard Elementary School students won four of the five prizes (first and second, as well as two honorable mentions), while a student from Eastwood Academy took home the third-place prize.
The competition was created as a part of Houston ISD’s Digital Awareness program to increase students’ web savvy while also giving them an opportunity for creative expression.
“This has been such a great outlet for the students,” said Harvard Elementary School Instructional Technologist John Schaff. “We have been trying to create movies that fit into our curriculum, and we will be recommending other cyber safety and digital citizenship topics for future competitions.”
Students received gift cards of $150, $100, $50, and $25 for honorable mentions, provided by the Future of Privacy Forum. FPF has pledged to support the HISD program in the future.
For more information about Houston Independent School District please go here
For more information about the program please go here
In-Store Location Tracking: A Holiday Guide
In these final remaining days before Christmas, last-minute holiday shopping is in full swing. The window for online delivery is closing, and more shoppers this week will be doing their holiday shopping the old-fashioned way—in the store.
For those of us who prefer brick and mortar shopping, our smartphones have revolutionized the experience. Mobile devices can bring all sorts of good tidings: recommendations, discounts, and new abilities to find precisely the item we’re looking for, even down to the aisle. It’s safe to say that most major retailers have a mobile strategy these days—not to mention the proliferation of general retail shopping apps that offer discounts and deals at a range of partnered stores.
But hark! As you shop, you should understand that many of these services, in order to deliver on their promises, rely on location technology. Location tracking allows apps to provide helpful services (like finding an item in a store), and is also used for secondary purposes, such as marketing, advertising, and business analytics. This Holiday Guide explores how these location tracking technologies work, and how consumers who wish to do so can opt out.
There are many ways that your location can be assessed using the sensors on your phone. A few are precise enough to detect your movements inside a single store or a particular aisle, while others are more general or rely on aggregated data. Location data can be collected via cell towers, mobile Location Services, mobile location analytics, in-store Wi-Fi networks, beacon technologies, and emerging sensor technologies (lights and audio). Each method evokes different privacy issues and permits different consumer choices.
1. Location Services
Needs Permission? Yes
Can you opt out? Yes
When is it collecting? Depends on the app settings
Mobile operating systems use a variety of positioning systems within your phone—including the GPS, cellular triangulation, Wi-Fi, and Bluetooth—and combine them under an umbrella called Location Services. This service, which is controlled by the operating system, provides a more accurate location than any individual system.
Apps and websites must get your permission to access this source of data. Some of them need it to provide you with the service you want (think about car-sharing apps, or “find my phone” apps). Shopping apps might use it to help you locate a nearby store, or send you a location-based advertisement. But apps that have no location feature often ask you for your location anyway. Many of these apps, regardless of their purpose, may do this to create a behavioral profile of you as a shopper, and share this info with third party advertisers and online data companies.
The takeaway? When an app or a website asks you to enable Location Services, be aware of why it’s making the request; glance over its privacy policy; and know that you always have the option to limit collection by turning off access in the phone’s Settings.
2. Mobile Phone Carriers
Needs permission? Yes
Can you opt out? Apps using this service must provide an opt-in
When is it collecting? Always (when the phone is on)
When your phone is on, in order for it to receive (and make) phone calls, it must be identified by the nearest cell tower with reasonable accuracy. Cell towers collect the device’s Cell ID, location relative to the tower, and signal strength. The accuracy can be relatively low in rural areas with fewer cell towers (to within several miles) and is more accurate in cities.
Cell phone carriers offer location-based services on an individualized basis, to enable functions like tracking of minor children, locating a lost cell phone, or for apps that offer location-based marketing to users. These services are based on an “opt in” process by which the owner must provide clear consent.
3. Mobile Location Analytics (MLA)
Needs permission? No
Can you opt out? Yes (online for participating companies or by turning off Wi-Fi and Bluetooth on the phone)
When is it collecting? Passively collected when you’re in the physical store using this technology
Many retailers (and other facilities, like airports and hotels) use Mobile Location Analytics (MLA) technology to understand the traffic patterns of people in their stores. Most MLA technologies operate by detecting your phone’s Bluetooth signal, as well as the Wi-Fi MAC address, a 12-digit string of letters and numbers assigned to your device by the manufacturer. This information can provide useful insights, such as how long customers stand in line, and how they generally move around within an area.
Smartphones typically broadcast their MAC address whenever they are passively scanning for Wi-Fi—that is, whenever you have Wi-Fi turned on in Settings. This is how your phone automatically recognizes your home or work network when you arrive in those locations. Since most people carry their phones all the time and generally leave Wi-Fi turned on, a store can scan for MAC addresses and get a pretty accurate idea of how many people are in the store.
For iPhone users running iOS 8 or later (i.e., most of the newer phones, including the 4S and later models), the iPhone randomizes the MAC address being emitted every time the phone searches for a Wi-Fi network. This limits venues from tracking unique devices over time.
Nonetheless, if you’re running an older version of iOS or are simply uncomfortable with the practice, there are ways to opt out: users can enter their Wi-Fi and MAC addresses at smart-places.org to alert participating companies that they do not wish to be tracked. Alternatively, shoppers can turn off the Wi-Fi and Bluetooth on their devices when they’re out of the house or away from a trusted network.
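The effect of the randomization described above can be seen in a short added example, which is not part of the original guide. It assumes the standard IEEE 802 convention that a randomized address sets the "locally administered" bit of its first byte (a detail the guide does not mention); the scan log, function names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")

# Constructed scan log: (scan number, source address seen while a phone
# searched for Wi-Fi). Phone A keeps its manufacturer-assigned address;
# phone B emits a fresh randomized address on every scan.
SAMPLE_SCANS = [
    (1, "00:00:5E:00:53:01"), (1, "da:a1:19:3c:5e:01"),
    (2, "00-00-5e-00-53-01"), (2, "4e:77:02:9b:10:c4"),
    (3, "00:00:5e:00:53:01"), (3, "f2:0d:6a:55:e8:3b"),
    (3, "not-a-mac"),  # malformed entry, must be rejected
]


def parse_mac(text):
    """Return the six address bytes, or raise ValueError if malformed."""
    s = text.strip().lower()
    if not MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", s))


def is_locally_administered(mac):
    """True when bit 0x02 of the first byte is set.

    Manufacturer-assigned addresses leave this bit clear; randomized
    addresses set it (assumption stated in the lead-in).
    """
    return bool(mac[0] & 0x02)


def summarize(scans):
    """Count what an observer could learn from the addresses alone."""
    seen_in = defaultdict(set)  # address -> set of scans it appeared in
    rejected = 0
    for scan_id, text in scans:
        try:
            mac = parse_mac(text)
        except ValueError:
            rejected += 1
            continue
        if mac[0] & 0x01:  # group/multicast bit: not a device address
            rejected += 1
            continue
        seen_in[mac].add(scan_id)
    followable = [m for m, ids in seen_in.items() if len(ids) > 1]
    return {
        # A naive "visitor count" treats every address as a device.
        "unique_addresses": len(seen_in),
        "randomized_addresses": sum(is_locally_administered(m) for m in seen_in),
        # Only an address that repeats can be followed over time.
        "followable_across_scans": len(followable),
        "rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SCANS).items():
        print(f"{key}: {value}")
```

Two phones produce four distinct addresses here, but only the non-randomizing phone shows up in more than one scan, which is the limit on tracking over time that the guide describes.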
4. Wi-Fi in the Store
Needs permission? Yes
Can you opt out? Yes (by declining to use the service)
When is it collecting? When you’re using the in-store Wi-Fi (some retailers capture location information even if users are not logged in)
Many retail stores are now offering free Wi-Fi to their customers as an added benefit to the shopping experience. This can certainly be convenient, especially for users with limited data plans, permitting easy access to the Internet while shopping.
In addition to the information collected by mobile location analytics (MLA), described above, stores offering free Wi-Fi can generally collect more information, including any web browsing you do in the store. If you are required to provide an email address or name to log in to the service, the retailer may be able to associate your location with other individualized information (purchasing habits, or other online activities, such as social media behavior).
5. Bluetooth Beacons
Needs permission? On by default (user may disable)
Can you opt out? Yes
When is it collecting? Depends on the app settings
Increasingly, major retailers are installing beacons in their physical stores. Beacons are simple—essentially just small radio transmitters. They emit a low power, one-way Bluetooth signal that can be picked up by your mobile app or computer. Ranging in size from quarter-like to palm-sized, they all look a little different and are sometimes designed to blend into their environments.
Beacons only send signals one-way, so they don’t actually collect any data. Rather, it is the app that collects data, by detecting when a beacon is nearby. Thus, if a brick and mortar store chooses to deck the halls with beacons, a shopping app can pick up their signal as you walk in the aisles or browse for items.
Beacon-detecting apps can use this information to send you location-specific notifications. For example, when you walk up to a display of holiday sweaters in your favorite store, the app could pop up with a discount for sweaters. Shopping apps can provide loyalty programs that give points for walking into stores, often allowing linkage between location data and other consumer behavior information (such as social media activity) that can be collected and shared across ad networks and other third parties.
Generally, apps should provide notice to users when Bluetooth is being used to track location by detecting beacons. Although Bluetooth is frequently being used in conjunction with Location Services (which requires permission), some apps that use beacons may continue to collect data when Location Services is turned off. Thus, users should be aware of how beacons work, so that they may choose to limit this collection by turning off Bluetooth on their phone when it is not in use. Another option is to keep the app but turn off its ability to trigger notifications.
6. Sensor Data: Audio, Light
Needs permission? Yes (for camera and microphone)
Can you opt out? Sometimes
When is it collecting? Depends on the app settings
Holiday shoppers should also be aware of emerging methods of location tracking that make use of the phone’s array of other sensors to detect signals emitted from devices placed within physical stores.
For example, “audio beacons” may be used within a retail store to emit ultrasonic audio signals. In much the same way as Bluetooth beacons, described above, the devices emit audio signals outside the range of human hearing, and a mobile app can detect those signals using the device’s microphone. Similarly, LED signals can be emitted via lights installed in a store, and detected by an app that has received permission to access the phone’s camera.
Because of the requirements of mobile operating systems, users can control which apps are given permission to access the device’s microphone and camera. Nonetheless, apps requesting permission to access these sensors may not always be clear about why they are asking, or for what (sometimes unexpected) secondary purposes the data may be used. As a result, users should read carefully and be informed about why shopping apps request these permissions.
~~~~~~~~~~~~~~~
It’s clear that there are a range of benefits to location-based services. The blessings of saving time, price discounts, and overall convenience give the often weary world of last-minute holiday shoppers a reason to rejoice. However, as we increasingly turn to our smartphones to shop online or make our decisions in the physical world, it’s important for us to understand the scope of location data being collected about us, and the reasons for which that data is being collected, so that we can make informed choices.
Happy Holidays!
The struggle to balance surveillance and privacy in France
In a historic decision last October, the European Court of Justice struck down Safe Harbor, one of the most relied upon legal agreements to transfer data between Europe and the U.S. At stake were some of the surveillance programs put in place by the NSA to gather data about both U.S. and foreign individuals. According to the Court, the U.S. failed to provide an “adequate level of protection” to European data. In this context, Professor Peter Swire and the Future of Privacy Forum released last week a report titled “U.S. Surveillance Law, Safe Harbor, and Reforms Since 2013.” The report addresses serious misunderstandings of U.S. national security laws and covers three critical areas: (1) the fundamental equivalence of the United States and EU member States as constitutional democracies, (2) the Section 702 PRISM and Upstream programs are reasonable and lawful responses to changing technology, and (3) the U.S. Congress and executive branch have instituted over two dozen significant reforms to surveillance law and practice since 2013.
As leaders on both sides of the Atlantic debate the proportionate balance of privacy and intelligence surveillance, we thought it would be useful to study the relevant legal authorities in France. France and its powerful data protection agency have been fierce defenders of the privacy of its citizens. But government authorities have significant powers to conduct surveillance, powers that have been enhanced following the recent Charlie Hebdo and Paris terror attacks.
This new paper takes a deeper look at what is actually happening in France with a view to providing insights into how one leading democracy has structured its balance of the human right to security and to privacy.
EFI Blog | Student Privacy 101: The low down on the laws of the land
On December 14th, Education Framework announced it would begin a series of blog posts to explore the different factors affecting the world of student data. Their goal is to demystify the subject of student data privacy and help bring educators up to speed so they can address this serious topic in their school districts.
To view Education Framework’s blog post, click HERE
New Swire-FPF Report: U.S. Surveillance Law, Safe Harbor, and Reforms Since 2013
In the wake of critical decisions being handed down by the EU concerning the Safe Harbor laws (Schrems case) and U.S. Surveillance practices, Professor Peter Swire and the Future of Privacy Forum today have released a report titled “U.S. Surveillance Law, Safe Harbor, and Reforms Since 2013.”
The new report responds to two requests to Swire by the Belgian Privacy Commission: (1) explain whether U.S. surveillance law is fundamentally compatible with E.U. law, in the wake of the Schrems case striking down the EU/US Safe Harbor; and (2) explain U.S. reforms since the Snowden revelations began in 2013.
Swire will deliver his report December 18, speaking remotely, to a conference hosted by the Belgium Privacy Commission, which is studying these issues for the broader group of European privacy regulators in the Article 29 Working Party. The agenda is at: https://www.privacycommission.be/en/events/forum-consequences-judgment-schrems-case.
The Swire study addresses serious misunderstandings of U.S. national security laws, which were reflected in official statements made in the Schrems case. The soon-to-be released report covers three critical areas:
(1) The fundamental equivalence of the United States and EU member States as constitutional democracies. In the Schrems decision, the US was criticized for failing to ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” This chapter critiques that finding, instead showing that the United States has strict rule of law, separation of powers, and judicial oversight of law enforcement and national security surveillance.
(2) The Section 702 PRISM and Upstream programs are reasonable and lawful responses to changing technology. The Advocate General’s opinion in the Schrems case said that the PRISM program gave the NSA “unrestricted access to mass data” stored in the U.S., and that Section 702 enabled NSA access “in a generalised manner” for “all persons and all means of electronic communications.” This chapter refutes those claims. Instead, Section 702 operates with judicial supervision and subject to numerous safeguards and limitations.
(3) The U.S. Congress and executive branch have instituted over two dozen significant reforms to surveillance law and practice since 2013. The Schrems decision said that U.S. privacy protections must be evaluated in the “current factual and legal context,” but disregarded the numerous changes put in place since 2013. This chapter provides a readable explanation of each of these actions, which together constitute the biggest set of pro-privacy actions in U.S. surveillance law since creation of the Foreign Intelligence Surveillance Act in 1978.
Peter Swire is the Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business, a Senior Counsel to Alston & Bird LLP, and Senior Fellow of the Future of Privacy Forum. He served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology.
About FPF
The Future of Privacy Forum (FPF) is a Washington, D.C.-based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups. For more information, visit www.fpf.org
Privacy Papers for Policymakers
*Update: We will be LIVE-streaming this event! * Live streaming will begin at 5:30 PM ET on Wednesday, January 13th, 2016. CLICK HERE to view the Live Stream. (video and/or audio may appear as “disconnected” until 5 minutes before event begins)
The Future of Privacy Forum invites you to
“Privacy Papers for Policy Makers”
A discussion of leading privacy research
Opening Remarks by:
Dr. Lorrie Faith Cranor, Chief Technologist, U.S. Federal Trade Commission
Paper presentations by:
Prof. Arvind Narayanan, Princeton University Department of Computer Science
Paper: A Precautionary Approach to Big Data Privacy
(written with co-authors Prof. Joanna Huey and Prof. Edward Felten, Princeton University)
Dr. Florian Schaub, Carnegie Mellon University School of Computer Science, Dr. Rebecca Balebako, RAND Corporation, and Adam Durity, Google
Paper: A Design Space for Effective Privacy Notices (written with co-author Dr. Lorrie Faith Cranor)
Prof. Ryan Calo, University of Washington School of Law
Paper: Privacy and Markets: A Love Story
Prof. Neil Richards, Washington University School of Law
Paper: Taking Trust Seriously in Privacy Law (written with co-author Prof. Woodrow Hartzog, Samford University’s Cumberland School of Law)
Prof. Peter Swire, Georgia Tech Scheller College of Business
Paper: Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy (Testimony before the Senate Judiciary Committee, July 8, 2015)
Prof. Joel R. Reidenberg, Center on Law and Information Policy, Fordham University
Paper: The Transparent Citizen
Closing Remarks by Special Guest:
Julie Brill, FTC Commissioner
Our presenters were selected by FPF’s Advisory Board as having written the articles and papers that should inform any conversation about privacy among policymakers in Congress, as well as at the Federal Trade Commission and other government agencies in 2016. To view and read their papers, visit: https://fpf.org/2015/11/19/what-privacy-papers-should-policymakers-be-reading-in-2016/.
January 13, 2016 | 5:30 – 7:30 PM
Microsoft Innovation & Policy Center
901 K Street Northwest, 11th Floor Washington, DC 20001
Reception to Follow
This event is intended to comply with applicable Congressional and Executive branch gift rules. Contact us with any questions.
Privacy Papers for Policymakers 2015 is sponsored by AT&T, Tune, and Microsoft
Beyond IRBs: Designing Ethical Review Processes for Big Data Research
Kicking off a great event this morning, Beyond IRBs: Designing Ethical Review Processes for Big Data Research, with over 60 of the country’s top academics and industry researchers. Thoughtful keynote remarks from Professor Ryan Calo, from the University of Washington School of Law, have framed the conversation today around how best to create incentives in the private sector to work with privacy-conscious consumers, and how to learn from the criticisms of IRBs while benefiting from the wisdom of traditional models.
Our morning Firestarters, Joshua Fairfield and Margaret Hu, Professors at Washington & Lee School of Law, are now bringing the Workshop into full swing with a provocative guided discussion around the ethical obligations of informed consent to privacy policies.