Georgetown Hosts Lawful Access to the Cloud Seminar
On Tuesday, Georgetown’s Law School hosted a Seminar titled “Lawful Access to the Cloud.” The seminar’s panelists grappled with how to find the right balance between civil liberties and legitimate law enforcement needs to access data in the cloud;.
The morning’s first panel focused on lawful access to data in the U.S., and the second panel focused on law enforcement access to data in the E.U. Bruce Schwartz, Deputy Assistant Attorney General at the U.S. Justice Department began the day by pushing back at the widespread perception that the U.S. has less protection than the E.U. for data stored in the cloud. In fact, he said, the U.S. has higher greater protections for electronically stored data than the E.U. The Center for Democracy and Technology’s President and CEO, Leslie Harris, responded that the most important criterion for laws and practices regarding lawful access to data in the cloud is conforming to citizen’s expectations. Harris submitted that most users would be very surprised at the permissiveness of the current legislative structure in the U.S. regarding lawful access to data in the cloud.
Next, Mark Rasch, the Director of Cybersecurity and Privacy Consulting at CSC, examined several of the ways that the cloud is different from previous technologies and explained how much of the legal structure regarding lawful access to electronic communication is hopelessly out of date. The final panelist, Fred Cate, Professor of Law and Director of the Center for Applied Cybersecurity Research at Indiana University, talked about how U.S. lawful access statutes need to change more quickly. He also argued that the U.S. government needs to do a much better job being transparent and accountable about lawful access to electronically stored information.
Peter Swire, Senior Fellow at FPF and the C. William O’Neill Professor of Law at the Ohio State University, began the second panel by explaining that the widespread use of encryption has led law enforcement to increasingly rely on accessing data stored in the cloud. Widespread encryption makes it very difficult for law enforcement officials to access encrypted electronic communications as they are being sent, so law enforcement places greater emphasis on accessing the unencrypted, stored communications in the cloud. Swire then gave an overview of UK data protection laws and pointed out that the laws in the UK in many respects are more permissive than U.S. law.
Following Swire, Google’s Richard Salgado talked about the practices his company follows regarding lawful access. Salgado explained that Google’s policies are based on the reasonable privacy expectations of users. Google, he said, works hard to be transparent and, when legal, provides notices to consumers when their data is accessed by law enforcement. Emilio de Capitani, former Head of Unit at the Committee on Citizens’ Freedoms and Rights in the European Parliament, rounded out the day. He gave an overview of E.U. laws governing lawful access and discussed some of the challenges facing E.U. member states as they try to increasingly standardize their policies for lawful access to data.
Throughout the day, several themes emerged time and again. The seminar made it clear that there is a significant amount of uncertainty about the laws and practices of lawful access in both the U.S. and the E.U. Secondly, U.S. laws regarding lawful access are very outdated and need to be updated to take into account the technological changes that have emerged during the last several decades. Finally, many foreign companies and countries believe that U.S. laws regarding lawful access, especially the PATRIOT Act, allow the U.S. government very significant access to electronically stored data. Regardless of the validity, this fear is having an adverse effect on the ability of U.S. cloud providers to sell their services overseas.
-Peter Swire and Steven Beale
App Developer Privacy Summit – April 25th
FPF Responds to WH Announcement on Green Button Initiative
WASHINGTON – Today, the White House announced that 9 new utilities have committed to adopting the industry-led Green Button Initiative, joining 6 previously announced commitments, for a total of 27 million homes committed.
The statement below can be attributed to Jules Polonetsky, Director and Co-Chair of the Future of Privacy Forum.
“Offering consumers access to their data provides the kind of transparency that enhances privacy. By showing consumers the details of energy usage data, utilities are taking an important step to ensure that smart meters are a key benefit intended to help consumers be smarter about energy use.
With appropriate privacy programs in place, access to data will increasingly empower consumers to use their data to manage smart home devices that will advance innovation and consumer control.”
For any questions, or to schedule a phone call with Jules Polonetsky, please email [email protected].
The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.
Swire Presents at FBI/DOD Sponsored Facial Recognition Forum
On Wednesday, March 14 FPF Senior Fellow Peter Swire gave a talk on “Facial Recognition by the Government: Privacy and Civil Liberties Issues.” The talk took place at the third installment in the U.S. Government Facial Recognition Legal Series. Wednesday’s forum was titled “Striking the Balance – A Government Approach to Facial Recognition Privacy and Civil Liberties.” The forum participants and speakers explored use cases for facial recognition across federal law enforcement and national security agencies, sought to deepen their understanding of the existing law and policy that governs facial recognition in these contexts, and identified gaps in legal/policy authority that may result in privacy and civil liberties vulnerabilities if left unaddressed The forums have been geared towards federal law enforcement and intelligence personnel.
Swire, a law professor at the Ohio State University, focused his presentation on the legal landscape surrounding privacy and facial recognition technology. To frame the discussion, he began by outlining two differing perspectives on facial recognition technology: 1) it has always been legal to observe people in public, and facial recognition technology is simply making this easier and 2) facial recognition technology allows an unprecedented ability to surveil and track people, and this information could be stored indefinitely and correlated with other personal information.
Next, he examined some of the constitutional issues surrounding facial recognition. Of particular importance in the facial recognition space is the fourth amendment. The fourth amendment requires warrants and probable cause for searches and prohibits unreasonable searches and seizures. Observing a person in public has traditionally not required a warrant. However, Professor Swire pointed out, the Supreme Court’s recent decision in U.S. vs. Jones may dramatically impact privacy by requiring law enforcement agents to obtain a warrant to conduct surveillance on suspects in public, something law enforcement has never had to do. However, the fourth amendment contains a consent exception; if an individual consents to a search, a warrant is not required. Professor Swire pointed out that some might argue that individuals consent to going outside or to other public places (i.e. a bank or mall) where security cameras are present.
Professor Swire also examined how several other laws might impact facial recognition technology. Some, including Justice Sotomayor, are worried that constant surveillance by the government could chill free speech and free association. Constant surveillance could also potentially lead to discrimination—while most Americans are familiar with the phrase “driving while black,” constant surveillance could lead to “walking while black.”
To finish his talk, Professor Swire advised the government attendees that not everything that is legal should be done. He recommended that law enforcement and intelligence agencies practice data minimization and conduct the New York Times test to determine whether or not a surveillance program is a good idea: if the program was detailed on the front page of the New York Times, would the public reaction be negative or positive?
Following Professor Swire’s talk, officials from government agencies including the FBI, OMB, DoD, and DHS presented on a range of topics including the impact of public perception on law and policy, biometrics privacy policies in different agencies, and gaps in facial recognition law and policy. The presenters and participants all agreed that they need to work hard to earn and maintain the public’s trust in their use of biometrics technology, including facial recognition services.
The presenters and government attendees showed a high degree of sensitivity to the privacy issues surrounding facial recognition technology. Additionally, they were aware that they are all in the same boat; as one government official put it, a big facial recognition privacy mishap by one government agency would tarnish legitimate facial recognition programs in every other agency. Conversely, any well-thought-out and run facial recognition program can help every agency build trust around facial recognition technology.
Chris Wolf Column in Slate Explores Tension Between EU Privacy Interests and Other Legitimate Interests
FPF co-chair Chris Wolf has written a column for SLATE that illustrates the tension in the EU between privacy law and other interests, as highlighted in a recent German episode. The piece links the recent episode to the current consideration of the proposed EU Regulation. For further context and a link, see here.
Meeting with the FTC in a Simulated Informal Investigation
On Thursday, March 8, 2012 at the IAPP Global Privacy Summit, FPF’s Christopher Wolf sat down with Christopher N. Olsen, Assistant Director in the Division of Privacy and Identity Protection at the FTC. Together, they hashed out the do’s and don’ts of when companies might be subject to FTC enforcement. The clear answer is to comply with the FTC’s requests as much as feasibly possible. But what does that really mean for a company or its representing counsel? When and how should counsel go about negotiating with the Commission? Chris Wolf asked Olsen these practical questions and more regarding best courses of action, yielding important and valuable information for companies and their representing counsels facing potential FTC investigation or enforcement.
It is better to reach out than to wait to be contacted. If your company might be subject to FTC enforcement due to a breach or other privacy problem, it is better to be proactive and contact FTC staff to discuss the situation. Companies should be open to fielding the FTC’s questions, even if they don’t have all the answers yet.
Expect the FTC to Refrain from “Fishing.” The FTC has a right to investigate matters that can be reasonably tied to a breach or privacy issue. “If you can demonstrate that a request is so remote from any potential data security vulnerability that was at play, that’s an area where we may show some flexibility,” said Olsen.
Stay in touch with the FTC during an investigation. Following up with FTC staff monthly may be a good idea to get a sense of whether your company is likely to be a target of enforcement.
When dealing with the FTC, always attempt to first resolve issues with FTC line staff. Do not automatically go up the chain of command. Even if you know senior FTC staff, follow proper protocol and attempt to resolve issues with FTC staff first. Going over heads is distinctly frowned upon.
Also at IAPP, Tanya Forsheit, Founding Partner at InfoLawGroup LLP, presented on a panel titled, “The Ethos of Lawyers in a Networked World: Privacy, Privilege and Evolving Parameters.” Forsheit brought to light the implications of comments added in the ABA Commission on Ethics 20/20, providing that lawyers should keep abreast of changes, including risks associated with technology. Lawyers should be responsible when storing or transmitting confidential information through cloud computing, said Forsheit.
-Lia Sheena
Mar. 9, 2012 – Off-Line, National Journal
Privacy Update from Barcelona
I have just arrived in Barcelona for the Mobile World Congress. More than 60,000 people focused on mobile technologies have converged at this annual event to hear and see the latest from carriers, device makers, platforms, app developers and more. It is clear from the smart phones and tablets displayed on the show floor that the next generation of smart devices will be faster, more powerful and more integrated with consumers’ lives. More than batteries or chips, our personal information is what truly powers these devices. Our address books, location, network of friends, emails and text messages, when used wisely by these small computers, empower us to be smarter and to do more. As additional sensors are added to capture new kinds of data and as the use of phones to make purchases spreads more widely, these machines will have more intimate data about us than any government or corporation ever did.
Who is the real custodian of these new rich data streams? The ecosystem for the mobile consumer is quite complicated. Mobile platforms, app developers, device makers, carriers, analytics companies, ad networks, social networks, chip companies and others are all part of the equation. The battle between consumer tech titans like Google, Apple, Microsoft, Amazon and Facebook is being played out as each company seeks to link consumer identity and data across smartphones, desktops, search engines, email, social networks, ad networks, payment systems and more. Google’s privacy policy consolidation slated to become effective in a few days has captured the lion’s share of attention, but it is Apple that has been the most effective at linking consumer data across every aspect of its services. European regulators have proposed a privacy law that seeks to put the data genie back in his bottle, but consumers have voted by expressing delight in Steve Jobs vision by making Apple the most valuable company in the world. Yet at the same time, consumers continue to express alarm at the misbehavior of apps that grab too much information and many regularly clear cookies in the hope of protecting their privacy.
How can it be that consumers deeply love the brands that privacy critics single out for criticism? Although Google now trails Apple in some measures of brand value, it too continues to be one of the handful of globally respected consumer brands. Do the regulators and privacy advocates know something that consumers don’t? Or do consumers value the benefits of these technologies and willingly make the privacy trade-off? I am looking forward to discussing this and more at my panel tomorrow.
— Jules Polonetsky
White House Announces New Privacy Framework Including Consumer Privacy Bill of Rights
The Internet Policy Task Force utilized a multi-stakeholder approach to create the policy paper, consulting with “stakeholders in industry, civil society, academia, and government” during the drafting process, as well as considering the numerous written responses it received pursuant to the publication of the Privacy and Innovation Notice of Inquiry. The drafters stated that the majority of the written responses they received indicated that there is a “compelling need to ensure transparency and informed consent, to provide additional guidance to businesses, to establish a baseline commercial data privacy framework to afford protection for consumers, and to clarify the U.S. approach to commercial data privacy—all without compromising the current framework’s ability to accommodate customer service, innovation, and appropriate uses of new technologies.” The earlier version of the paper included policy recommendations under four broad categories:
Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles.
Encourage the Development of Voluntary, Enforceable Privacy Codes of Conduct in Specific Industries Through the Collaborative Efforts of Multi-stakeholder Groups, the Federal Trade Commission (FTC), and a Privacy Policy Office Within the Department of Commerce.
The White Paper released today by the Administration addressed many of the issues brought to light by and built on many of the recommendations set forth in the earlier version, the Green Paper, and the more than one hundred comments received in response to the publication of the Green Paper. The Administration addressed those issues and recommendations by setting forth a new privacy framework that consists of four key elements: (1) a Consumer Privacy Bill of Rights; (2) a multi-stakeholder process to determine how these rights will apply in specific business contexts; (3) an effective enforcement model; and (4) greater interoperability between the privacy frameworks of the United States and its international partners.
Consumer Privacy Bill of Rights
The cornerstone of the Administration’s privacy framework is the Consumer Privacy Bill of Rights, which adapts the decades-old Fair Information Practice Principles (FIPPs) to the interconnected and interactive world that we live in today. The Privacy Bill of Rights applies to commercial uses of personal data and seeks to provide greater privacy protection for consumers and greater certainty for businesses. There are seven core rights that comprise the Privacy Bill of Rights:
Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
Transparency: Consumers have a right to easily understandable information about privacy and security practices.
Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
Security: Consumers have a right to secure and responsible handling of personal data.
Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.
In a media teleconference about the White Paper, FPF’s Jules Polonetsky stated that a key point of framework is that the Administration calls on “consumer-facing companies [to] act as the stewards, as the ones responsible” for consumers’ privacy. He noted that although this seems like a logical arrangement, it is not the way the online ecosystem has worked in the past. By calling on consumer-facing companies to take responsibility for consumers’ privacy, the framework seeks to align business practices with consumers’ expectations about who will safeguard their privacy.
Multi-stakeholder Process
The Administration’s framework contemplates a multi-stakeholder approach that will produce enforceable codes of conduct that implement the Privacy Bill of Rights. The multi-stakeholder approach is championed by the Administration due to the “flexibility, speed, and decentralization necessary to address Internet policy challenges.” FPF’s other co-chair Chris Wolf, praised the Administration for eschewing a one-size-fits-all approach and instead opting for flexible codes of conduct, stating that “the call for enforceable codes of conduct is a sensible way to address privacy.” In addition to flexibility, the speed with which the multi-stakeholder process can produce solutions—as compared to the regulatory or law making process—is also appealing due to the constantly-evolving nature of privacy issues. Jules noted that “many [privacy] issues are moving so quickly that if you don’t achieve success in the short term, [they] can outrun you.” The Administration has tasked the Commerce Department’s National Telecommunications and Information Administration (NTIA) with spearheading the multi-stakeholder process, and Polonetsky commented that he expects NTIA to start the process by releasing a Notice of Inquiry sooner rather than later, so that quick wins can be achieved.
Strengthening FTC Enforcement
In the White Paper, the Administration highlighted the importance of the FTC in maintaining a level playing field by ensuring that businesses adhere to their privacy commitments and punishing those that do not. The Administration stated that a business’s commitment to adhere to a voluntary code of conduct will become enforceable under Section 5 of the FTC Act, analogizing the situation to the FTC’s power to enforce the promises and representations businesses make in their privacy policies. However, the Administration also noted that one of the benefits of adhering to a code of conduct is that in “any enforcement action based on conduct covered by a code, the FTC will consider a company’s adherence to a code favorably.”
Promoting International Interoperability
Referring to the differences in national privacy laws that create challenges for businesses that wish to transfer data across national borders, the Administration stated that it is “critical to the continued growth of the digital economy that they strive to create interoperability between privacy regimes.” The Administration expressed its desire to promote international interoperability by pursing mutual recognition of commercial privacy frameworks, international codes of conduct based on the multi-stakeholder process, and bilateral or multilateral enforcement cooperation.
Calls for Privacy Legislation
At the conclusion of the White Paper, the Administration called on Congress to adopt the Consumer Privacy Bill of Rights and provide the FTC and State Attorneys General with the power to enforce those rights. However, Polonetsky pointed out that it is unlikely that Capitol Hill will act on this suggestion in the short term.
In addition, the Administration expressed support for creating a national standard for security breach notification, which would replace the state breach notification laws that are currently enacted in 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands. The Administration noted that the “patchwork of State laws creates significant burdens for companies without much countervailing benefit for consumers.”
Feb. 23, 2012 – "Do Not Track" Web Button Part of Online Privacy Bill of Rights. Marketing Vox
