Commerce Privacy Specialist Josh Harris Joins Future of Privacy Forum as Policy Director

Washington, DC, January 14, 2014 —  The Future of Privacy Forum (FPF), a  Washington, DC-based think tank advancing responsible data use and consumer privacy, today announced that former Department of Commerce staffer Josh Harris has joined FPF as its Policy Director.  In this role, Mr. Harris will be coordinating FPF’s focus on cutting-edge privacy issues.  Mr. Harris will report to FPF Executive Director Jules Polonetsky.

Mr. Harris brings to FPF his seven years of experience in the International Trade Administration’s Office of Technology and Electronic Commerce.  In this capacity, Mr. Harris worked to develop and implement the Asia Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) System.  In 2012, Mr. Harris received the United States Department of Commerce Gold Medal – the highest award offered by the Department – for his work in this area.  In 2004, he was selected to the White House’s Presidential Management Fellowship program.  Previously, Mr. Harris served as the Vice-Chair of the American Bar Association’s Privacy and Information Security Committee.

FPF Founder and Co-Chair Christopher Wolf commented on Mr. Harris’s new role as Policy Director by saying “Josh’s experience developing and implementing privacy-based codes of conduct is an extremely valuable asset to FPF’s mission to develop best practices for the responsible use of data.”

FPF’s Executive Director and Co-Chair, Jules Polonetsky said, “Josh has the kind of practical, hands-on experience in the privacy field that will make a great addition to our FPF Team.  We’re very glad to have him onboard.”

Commenting on his new appointment, Josh Harris said: “I am honored to have the opportunity to help advance FPF’s important privacy work, along with Jules and Chris, Senior Fellows Mary Culnan, Peter Swire, Omer Tene, and the Junior Fellows.”

If you are interested in learning more about Future of Privacy Forum, please email [email protected] or call 202-642-9142.

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.

Additional Comments to the FTC about the Internet of Things

On Friday, the Future of Privacy Forum provided an additional set of comments to the FTC in the wake of the Commission’s workshop on the Internet of Things (IoT) last November.   The comments expand on FPF’s recent white paper, An Updated Privacy Paradigm for the “Internet of Things”, and address two important themes from the FTC’s workshop: (1) the importance of data security and (2) the privacy issues raised by the comprehensive collection of information.

FPF’s whitepaper explores why IoT is not well-suited to a one-size-fits-all approach to consumer privacy.  The myriad types of connected devices and the varied contexts in which those devices will operate will require the implementation of flexible frameworks designed to address evolving privacy issues and consumer preferences.  The imposition of rigid or universal standards to promote privacy within IoT may harm innovation and, moreover, be ill-suited to the privacy risks and consumer preferences that ultimately emerge.

Our comments note that data security may have been the most frequently raised concern at the FTC’s workshop.  Inadequate security presents the biggest risk of actual consumer harm within IoT.  Where security is inadequate, bad actors will have access to all manner of connected devices, and will be able to pry into intimate spaces or perpetrate fraud or identity theft.  Companies must devote adequate resources to security before and after their products reach the market.  Fortunately, companies large and small are aware of this concern and are taking steps to address it.

Another concern posed by the IoT is the ubiquitous data collection of “deeply personal” information.  Still, it must be recognized that not all connected devices will facilitate the large-scale collection of personally identifiable information.  And this issue is neither new nor unique to IoT.

FPF’s comments urge the FTC to continue its advocacy of the high-level principles of privacy by design, simplified consumer choice, and transparency while being mindful of the need for flexibility described above. High-level principles are particularly well-suited for the Internet of Things as they allow policies and procedures to be tailored to the nature of connected devices, the environments in which they are used, the purposes for which the information is used, and the evolution of consumer preferences.  Simplified consumer choice and increased transparency by industry should also be encouraged.  Industry must ensure that consumers understand how they will benefit from IoT and see that measures are in place to promote consumer privacy and security.

Again, our complete set of comments is available to read here.  Our whitepaper, An Updated Privacy Paradigm for the “Internet of Things”, is also available, as is our initial set of comments regarding the Internet of Things from May 2013.

Jules Polonetsky to Discuss the State of the World on Data Privacy

Tomorrow at 2 PM ET, Jules Polonetsky will be joining Christina Peters, IBM’s Chief Privacy Officer, for a live videochat to discuss data privacy.  Specifically, the two will address challenges managing cross-border data issues as different countries pursue different approaches and regulations for emerging technologies, mobile, and the Internet of Things.

The conversation will be streaming for IBM’s Big Data and Analytics Hub, and you can follow the conversation on Twitter at #BigDataBytes.

GAO Looks at Privacy Practices for Connected Car Location Data

Yesterday, the Government Accountability Office released its study on in-car location-based services, and its survey generally concludes that players in the connected car space are thinking seriously about driver privacy.  Companies reported that they neither share nor sell personal location data to marketing companies or data brokers, and the GAO found that all parties are taking steps to address privacy challenges.

The report, requested by Sen. Al Franken, evaluated (1) how selected companies use in-car location data and (2) whether these companies’ policies align with industry-recommended privacy practices.  For its survey, the GAO interviewed six automobile manufacturers, which together constitute 75% of new car sales in the United States, along with several makers of portable navigation devices and developers of mapping and navigation apps.  Though the report generally reflects the positive steps taken by companies to address the privacy risks posed by increased access to information about drivers’ locations, the GAO cautions that current privacy practices are in some cases “unclear” and “could make it difficult for consumers to understand the privacy risks that may exist.”

The GAO looked at how company practices comported with the Fair Information Practice Principles generally and then compared them to industry-developed privacy practices that the GAO believed were applicable to location data.  Specifically, the GAO evaluated company practices with regards to (1) disclosures, (2) consumer consent and control, (3) data safeguards and retention policies, and (4) company accountability.

 

The Future of Privacy Forum was one of a handful of privacy organizations that met with the GAO in advance of this report.  FPF supports the development of flexible notice and choice mechanisms in connected cars, and has launched a Connected Cars Project to promote best practices in privacy and data security for connected cars. This report by the GAO should be taken as an opportunity to advance a dialogue among players in the connected car space that works to protect consumer privacy and promote the beneficial uses of in-car location data.

Privacy Ins and Outs for 2014

Happy New Year!

Happy New Year from the Future of Privacy Forum!  Here is our 2014 List of Ins and Outs for your enjoyment. On behalf of the entire team at FPF we wish you a fulfilling New Year.

Chris and Jules

2014 Ins and Outs

1.  Privacy Notices for Websites                              1.  Privacy Notices for Sensors
2.  Smith v. Maryland                                         2.  Fourth Amendment
3.  “The face is familiar, but I can’t pull in the name…”     3.  Facial Recognition
4.  One-stop shop for EU DPAs                                 4.  One-stop shop derails EU Privacy Law
5.  “Big Data”                                                5.  “Internet of Things”
6.  Letters from Congressman Markey                           6.  Letters from Senator Markey
7.  “What They Know” Stories                                  7.  What the NSA Knows Stories
8.  Connected Teens                                           8.  Connected Cars
9.  Edward Snowden                                            9.  Edward Snowden
10. Twitter “Twits”                                           10. Google “Glassholes”
11. Minority Report                                           11. The Circle
12. Viviane Reding                                            12. ?

 

The LIBE Committee Wants To “Suspend” The Safe Harbor… Along With Thousands of EU Employee Salaries

The Committee on Civil Liberties, Justice and Home Affairs (LIBE) released a draft report yesterday calling for the European Commission to suspend the US-EU Safe Harbor.  FPF has written an in-depth report analyzing the effectiveness of the current Safe Harbor regime and cautioning the European Commission not to revoke the agreement, which has been largely successful in safeguarding user privacy while promoting international data transfers.  We’ve yet to see the Committee’s actual draft, but we are nonetheless concerned that the Commission is so willing to suspend the framework, especially when it will mean that thousands of EU employees risk experiencing delays in getting their paychecks.

The Safe Harbor is a well-established mechanism for the transfer of data between the US and EU and is designed to streamline compliance requirements for US small businesses.  One of the most common types of data transferred from the EU to the US is human resources data – this is because many EU data subjects work for US companies in Europe.  In fact, FPF has searched through the Safe Harbor List and found that over 1,695 companies listed as “current” members use the Safe Harbor to process their human resources data.  That’s over 50% of all companies currently in the program.

If the Safe Harbor framework were suspended, EU citizens whose HR data is stored or handled in the US would be heavily burdened.  US companies who hire EU citizens would need to revert to model contracts, which are strict and expensive to implement (particularly for small businesses).  Inhibiting the flow of HR data between the US and EU could mean delays for EU citizens receiving their paychecks, or a decline in global hiring by US companies.

FPF urges the LIBE committee to consider our recommendations to improve the Safe Harbor framework rather than create additional burdens and expense for companies that employ EU residents.  These recommendations, which include Chris Connolly’s suggestion of appointing a “Safe Harbor Master,” adequately address EU concerns about user privacy while allowing US and EU businesses to continue growing.

Study Suggests Broad-Based Consumer Concerns about Privacy

An October study published by McGraw Hill Financial Global Institute cautions that consumers believe they are losing control of their online privacy.  The report from authors at J.D. Power suggests that a majority of consumers feel they have lost control over how their personal information is collected and used, suggesting a lack of consumer trust will be a critical issue for companies to manage.

The study also provides further evidence debunking the old canard that young people do not care about their privacy.  On the contrary, if young people’s concerns about privacy are lessened, this may be because, as the evidence suggests, younger consumers are taking direct actions to reduce their privacy risk.  According to the report, younger generational groups more frequently take advantage of social media settings and set their social networking to private than older consumers.  Additionally, nearly 30% of younger consumers “openly admit to providing false information on websites and apps.”

Worries about privacy and personal data management exist worldwide.  While over 80% of consumers in the U.S. say they have lost control over how personal information is collected and used, the study found that similarly high numbers of people in emerging economies like China and India are concerned about their privacy.

The entire report, entitled “Consumer Concerns about Data Privacy Rising: What Can Businesses Do?,” is available to read.

 

 

Tracking Do Not Track: New Ad Network Data Shows That 8 Percent Of Users Have DNT On

Getting Ready For Tracking Transparency Law to Kick In

Starting in 2014, California’s new law AB 370 requires all websites that collect personally identifying information to disclose in their privacy policies how they respond to browser Do Not Track signals.  FPF has launched AllAboutDNT as a resource for companies preparing to make a statement about DNT, providing a location to point consumers for more information.  The site includes instructions for activating the DNT header on a variety of devices as well as a list of companies with public commitments honoring DNT.

We are also releasing interesting data we recently received from Chitika, an online advertising network that honors browser DNT requests.  Chitika reports that its ad network delivers over four billion targeted ads each month to a network of over 300,000 sites.  A sample of Chitika’s data shows that currently over 8 percent of users across all browsers are transmitting a DNT signal indicating a preference not to be tracked.

Browser        Share of sample    DNT:1 signal ON
Chrome         22%                2.06%
Safari         13%                5.86%
Firefox        12%                7.35%
IE 6           6%                 0.00%
IE 8           13%                0.27%
IE 9           5%                 8.82%
IE 10          8%                 69.14%
Android        8%                 0.00%
other          12%                1.97%
Grand Total    100%               8.39%

This data is likely consistent with what an average ad network would see daily with respect to user implementation of DNT.  However, this data does not reflect what percentage of users have actually chosen to turn DNT on or off; determining that number is more complicated because the above statistics encompass browsers and versions for which DNT is unavailable, as well as browsers that have DNT on by default.  For instance, these numbers include users of IE 10, for which “Express” installations set the DNT setting on by default.  (Although 69% of IE 10 users have the DNT setting on, IE 10 users only make up 8% of the sample size.)  It’s also interesting that almost 31% of IE 10 users do not have DNT:1 on, which suggests that a surprising number have expressly adjusted the setting to allow tracking.  Additionally, the actual Firefox adoption rate of DNT is likely higher than 7.35%, because 10% of the Firefox data set uses Firefox 3, which does not have a built-in DNT feature.

For detailed statistics broken down by browser version, please download this Excel file.

Testimony on Privacy Policies before the California State Assembly

This morning, Jules Polonetsky, FPF’s Executive Director, will be speaking before the California State Assembly Joint Committee Hearing on Digital Privacy on the question of whether privacy policies adequately protect consumer privacy.  Jules’ testimony will note that “[p]rivacy policies are not useful for many consumers, but are essential accountability mechanisms. Consumers need to be able to rely on the design and user interface of a service to quickly grasp how data is being used.”

Jules will discuss a variety of different mechanisms that organizations can implement both to protect consumers and offer them value for their data.  FPF has proposed several ideas for places to start, such as (1) more transparency of algorithms, (2) treating data use like a feature, (3) advances in de-identification, (4) serious self-regulation and (5) effective privacy professionals.  Policymakers need to encourage creative approaches to addressing privacy challenges.

Read Jules’ full testimony here.

The US-EU Safe Harbor: An Analysis of the Framework's Effectiveness in Protecting Personal Privacy

This morning, the Future of Privacy Forum (FPF) released our report on the effectiveness of the U.S.-EU Safe Harbor program.  Our analysis, which we first announced in August, responds to recent recommendations by the European Commission and suggests a number of areas where the framework can be further strengthened.

An overview of the key findings and recommendations in the report is given below:

Findings

    1. Suspending the Safe Harbor’s protections would weaken personal privacy protections for EU citizens.  Under the Safe Harbor, the FTC has the capacity to enforce against US companies on behalf of EU citizens, simplifying complex jurisdictional issues.  The Safe Harbor program also results in stronger investigatory and monitoring powers for the FTC.
    2. Alternatives to the Safe Harbor program as a mechanism of compliance with the EU Data Directive may not be feasible for all companies.  These alternative mechanisms, including express consent, model contracts, and binding corporate rules, are either too inflexible or too difficult to implement at scale for the wide variety of companies that rely on the Safe Harbor and provide less transparency for regulators about data flows.
    3. Eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.  The global economy, and particularly the transatlantic economy, will continue to rely on international data transfers, and when US-based companies are presented with a valid legal order from the US government for information, companies will be compelled to provide access to that data regardless of their membership in the Safe Harbor.
    4. Restricting the ease of data flows between the EU and US could have an extremely harmful effect on the trans-Atlantic economy.

Recommendations

 

With these reforms, as well as continued vigilance by regulators and compliance bodies, the Safe Harbor will become even more effective in safeguarding citizens’ commercial privacy rights.  FPF hopes this report will help advance constructive dialog about the Safe Harbor framework moving forward.

The full report is available to read here.