App Developers Summit – Gallery


Joseph Jerome

Joseph Jerome is a policy counsel at Future of Privacy Forum. At FPF, Joseph’s issue portfolio focuses on big data and the Internet of Things, where he works on de-identification standards and educational privacy questions. He is interested in questions around transparency and accountability mechanisms in data use. Prior to joining FPF, Joseph served as a national law fellow at the American Constitution Society, where he edited legal scholarship and organized programming addressing civil liberties and national security questions. He is a graduate of New York University School of Law, where he was an International Law and Human Rights Student Fellow in 2010.

 

Mobile Payments: Why so Scary, America?

Mobile payment systems are a relatively new technology that has sparked the interest of lawmakers, federal agencies, academics, and privacy advocates. The question they are all asking is why Americans are not taking advantage of a system that promises to significantly increase economic efficiency and convenience.

When it comes to mobile payment systems, the United States is lagging far behind in usage compared to Europe, Japan, and South Korea. A recent study conducted by the Federal Reserve revealed “perceptions of limited usefulness and concerns about security are holding back the adoption of mobile financial services,” with only 12 percent of mobile phone owners reporting that they made a mobile payment in the last year.

Electronic wallets serve multiple purposes on a single device and can fully emulate physical wallets, retaining cash, transaction information, and identification and authentication information. They can capture and transmit data on a device that can replace the need for loyalty cards, transit cards, movie tickets, parking tickets, keys, and ID cards. It is clear that consumers and merchants alike stand to benefit significantly from the new mobile system. And yet, the Federal Reserve reported that more than a third of consumers who don’t use mobile payments either don’t see any benefit from using mobile payments or find it easier to pay with another, more traditional method.

Security

According to statistics published by the Federal Reserve, security concerns were the primary reason given for not using mobile payments (42 percent) and the second most common reason for not using mobile banking (48 percent). At the FTC’s Mobile Payment workshop on April 26, 2012, panelists convened to discuss the security and privacy implications if such a system were to be adopted on a larger scale. Bradley Greene, Senior Business Leader in the Mobile Products division at Visa, stated that mobile payment systems have the potential to add levels of security for consumers through distinct features, including locked payment credentials with only the bank having access; dynamic authentication and data; and configuring the use of a passcode for transactions within the device.

As security practices have yet to be standardized, “mobile payments as related to security are the wild wild west,” said Paul Rasori, Senior Vice President of Marketing at VeriFone Systems. Ben Milne, CEO and Co-Founder at Dwolla, noted that security is a network architecture issue regarding mobile payments, raising the concern that personal information can be stolen from any number of service providers without the user’s knowledge. Yet when implemented correctly and with proper security measures in place, a mobile device should be more secure than a physical credit card, said Milne. As an additional security measure, companies should start from the assumption that “bad” data will be passing through systems. To that end, he suggested building procedures to dispose of such data as well as data no longer needed for its intended purpose.

Privacy

The success of mobile payments hinges on establishing user trust through transparency, said Pat Walshe, Director of Privacy at the GSM Association. “Privacy by design is really the key for mobile payments,” said Harley Geiger, Policy Counsel at the Center for Democracy and Technology. According to Geiger, users should be provided with controls over the collection of information for the purpose of marketing, and not every purchase should be the equivalent of joining a loyalty program. Update: Geiger also wrote a detailed blog post explaining the privacy issues with mobile payments.

These principles are in line with the findings from a survey conducted by the Berkeley Center for Law and Technology, revealing that a majority of Americans objected to having their personal information shared at the point of sale. In particular, 65% stated that they would definitely not allow sharing their telephone number with a store where they purchase goods. Moreover, despite the fact that mobile payment systems can enable unique consumer information to be passed to the retailer, the authors suggest that retailers should be prohibited from obtaining this information automatically without the consumer’s consent. “An opt-in standard on a per-transaction basis could empower consumers to share where they find it appropriate but block this information collection and sharing by default.”

Others on the panel argued that the government should be careful not to anticipate unimagined advances in order to avoid speculative harms, particularly as this technology is just beginning to emerge. “A dozen years ago, the prospect that a company would know your reading habits and use that was something that seemed suspect. Today, personalized book recommendations on the Internet are an offering most couldn’t have envisioned and few would want to give up. With comfort the public often embraces change; the uncertain future becomes the popular now,” said Mallory Duncan, Senior Vice President and General Counsel at the National Retail Federation.

Looking to the Future

An effective mobile payment system must have the proper infrastructure in place with all the players working together, due to the intricate, interdependent nature of this ecosystem. Currently, the two major competing mobile payment services are Isis, a joint venture formed by AT&T, T-Mobile, and Verizon, and Google Wallet, backed by Visa, American Express, Discover, MasterCard, Nexus, and Sprint. As these providers compete to bring these services to the market, the evidence is clear that privacy and security will play a key role in paving the path to consumer adoption.

 

-Lia Sheena

Blumenthal and Bono Mack Discuss Privacy, Cybersecurity Legislation

Last Thursday morning, Politico Pro presented a briefing focused on cyberprivacy and cybersecurity. Participating in the discussion were Sen. Richard Blumenthal (D-CT), Rep. Mary Bono Mack (R-CA), Dr. Thomas M. Lenard (President and Senior Fellow at the Technology Policy Institute), and Tim Sparapani (Principal at SPQR Strategies, PLLC).

The briefing began with a discussion of the pending Cyber Intelligence Sharing and Protection Act (CISPA). This legislation would increase the ability of the government and private sector to share cyber threat information. While both Sen. Blumenthal and Rep. Bono Mack agreed that the cyber threat is significant and real, they disagreed about provisions of CISPA. While Bono Mack supports the bill in its current form, Blumenthal believes that the bill needs greater privacy protections and should include a private right of action. Blumenthal also broached the idea of creating a new cybersecurity agency to protect the country against cyber attacks. Bono Mack responded that creating a new agency would not be a panacea, and that the best solution is to empower the private sector to find solutions.

Blumenthal and Bono Mack also expressed differing opinions about privacy legislation. Blumenthal voiced his support for baseline privacy legislation. He said that people understand privacy, and they should have knowledge of data practices and the option to give consent to data collection. Bono Mack, on the other hand, said people frequently choose convenience over privacy, and there should be more Congressional hearings on privacy. Her first choice, she said, was for industry self-regulation; only if this failed should Congress pass privacy legislation. Tim Sparapani meanwhile voiced optimism that app developers are taking privacy seriously. He also noted the importance of data minimization and warned against legislation that would inhibit the ability of the private sector to develop new, innovative products and solutions.

One area where Blumenthal and Bono Mack did agree was on data breach legislation. They both voiced their support for data breach legislation, and such legislation has strong bipartisan support.

Overall, the participants were in broad agreement about what needs to be done; all agreed that privacy is very important, and the U.S. urgently needs to increase cybersecurity.  However, as with so many events on cybersecurity and cyberprivacy legislation, the participants held divergent opinions about the best way to accomplish these goals. The discussion, while informative, did not seem to indicate an immediate compromise solution.

 

-Steven Beale

Apr. 23, 2012 – Facebook Apps Scored For Privacy, RedOrbit

PCLOB Nomination Hearing

Last Wednesday the Senate Judiciary Committee held a confirmation hearing for nominees to the Privacy and Civil Liberties Oversight Board (PCLOB). The Board, created in response to the 9/11 Commission, is charged with making sure privacy and civil rights are protected for executive branch activities and measures. It consists of five members appointed by the President, and all five of these nominees were present at Wednesday’s hearing. The nominee for Chairman of the PCLOB is David Medine, and the other nominees are James Xavier Dempsey, Elisebeth Collins Cook, Rachel L. Brand, and Patricia M. Wald. The nominees are bipartisan, and all are recognized thought leaders on privacy and civil rights.

The hearing showcased significant common ground between the senators present and the nominees. All agreed that civil rights are fundamental; as Senator Leahy put it, safeguarding liberties is not a partisan issue, it is an American issue. At the same time, everyone agreed that privacy controls should not impede security. Rather, there was consensus that privacy and security are not mutually exclusive, and that it is possible to simultaneously have both strong security and privacy.

One topic that surfaced multiple times was cybersecurity and information sharing. Senators Leahy, Whitehouse, and Franken all asked the nominees questions about pending cybersecurity legislation. In particular, the senators were interested in how to encourage the sharing of cybersecurity threat information while also protecting the privacy of U.S. citizens. The nominees agreed that this is an important issue, and Mr. Dempsey expressed the opinion that increased information sharing would be beneficial and could be done in a privacy-friendly manner.

Another theme that surfaced several times was how to ensure privacy in an era of rapid technological change. GPS, facial recognition technology, data aggregation, and other new technologies allow the government to track and gather significant data about citizens. This data can be used to protect our nation’s security, but, if proper rules are not in place, it can also infringe on the privacy and civil liberties of innocent Americans. Ms. Cook noted that, if confirmed, she would work with her colleagues to use new privacy-enhancing technologies. Ms. Wald also noted the important role the PCLOB can play by working to ensure privacy and civil liberties are protected during the policy design phase.

The hearing demonstrated that if and when the nominees are confirmed, they will have to carefully prioritize their important work. The hearing did not feature any harsh questions or significant criticisms of the nominees, so the path may be clear for proceeding to confirmation.

 

-Steven Beale

Apr. 22, 2012 – Facebook apps rated on privacy protection, Tucson Citizen

Swire Cybersecurity Op-Ed in The Hill

FPF Senior Fellow Peter Swire just published an op-ed in The Hill titled “Moving Too Fast on Cybersecurity.” In the piece, Swire cautioned against rushing cybersecurity legislation through Congress. To see the full op-ed, click here.

Tracking Progress on Do Not Track

The Tracking Protection Working Group of the World Wide Web Consortium (W3C) met last week in Washington, D.C. to further its efforts in developing industry standards for Do Not Track (DNT) measures. As deadlines for public release of the specifications near, the pressure is on for the group to come to agreement on critical policy questions around Do Not Track. The group has made a lot of progress on some issues, such as reaching general agreement that DNT is primarily aimed at third parties who collect data at sites. However, substantial debate continues around the definition of a third party and what those third parties can do with data when the DNT header is “on.”

Some stakeholder participants maintain that DNT should give consumers the ability to block most data collection by third parties, and only allow collection and retention for limited specified purposes, such as fraud and security. Other participants maintain that they need to be able to collect more data under DNT in order to perform business functions such as frequency capping, auditing, financial logging, and market research.

FTC Commissioner Julie Brill made a guest appearance to show the FTC’s support for the W3C’s efforts, identifying it as one of three major DNT processes underway; the other accompanying processes are the advertising trade groups’ self-regulatory program and popular browsers that have implemented Do Not Track mechanisms. The FTC set the stage for a future DNT framework in its Final Privacy Report released last month. The report called for a Do Not Track standard to mean more than just “Do Not Target” and to have elements of “Do Not Collect.” Failing the inclusion of this, the FTC indicated it would support DNT legislation. However, Commissioner Brill stated that she, along with FTC Chairman Jon Leibowitz, is confident that there will be an effective DNT framework by the end of the year.

Why is tracking so important for companies, if they have already agreed to allow users to opt-out of behavioral advertising? Tiny banner ads are a poor way to influence users compared to the richness of TV, radio, and magazines. But banner ads and their effectiveness can be precisely measured in ways that the other media cannot be (yet!). Advertisers still spend the bulk of their dollars offline, even though users increasingly spend large chunks of their day on the web. The big value add for many web publishers is their ability to report which ads on which sites were successful in causing users to transact on other sites and later in time.

For some, allowing the logging of data needed for such cross-site tracking creates too many risks. They worry the government might seek the data or they do not trust companies to refrain from using it for profiling or for discriminatory purposes. Others argue that consumers who are promised that they will not be tracked expect not to be tracked at all.

We believe that the potential compromise solution will need to allow for the basics of analytics and ad reporting, while relying on de-identification and retention limits as well as contractual and policy commitments to minimize privacy risks.

We were surprised to see Yahoo called out yesterday by the WSJ as “leading the charge” against DNT. If a DNT compromise is reached, no individual on the industry side will be more deserving of credit than Yahoo’s Shane Wiley. He and his team at Yahoo have spent countless hours on proposals seeking to bridge the differences among companies and other stakeholders. The volume of emails in our inbox and on the W3C listserv is a testament to that.

There is still much work to be done and the next weeks will be critical.

For a detailed analysis of the Do Not Track debate, read Jules Polonetsky and Omer Tene’s paper, “To Track or Do Not Track.”

 

-Lia Sheena

Apr. 19, 2012 – Banjo hits 1 million users, signaling mainstream interest in social location apps, ComputerWorld