24 Organizations Release Principles for Protecting Student Data Privacy and Equity in the Pandemic

The Future of Privacy Forum (FPF) and 23 other education, healthcare, disability rights, data protection, and civil liberties organizations today released Education During a Pandemic: Principles for Student Data Privacy and Equity (available here). The Principles offer 10 guiding recommendations for schools as they rely on new technologies and data to facilitate remote, in-person, or hybrid learning models during the COVID-19 pandemic. 

Signatories, including National PTA, National Education Association, Southern Poverty Law Center, the National Association of School Psychologists, and the National Center for Learning Disabilities, initially sought to address challenges posed by school closures in the spring, from how to fairly assess student attendance to closing the digital divide and protecting virtual classrooms from unwelcome interruptions. However, when it became clear the pandemic would also dramatically reshape the 2020-21 school year, the group developed its 10 recommendations to help guide schools as they navigate an unprecedented and evolving situation.

“The pandemic is not over, and the challenges facing K-12 schools aren’t, either. We have a long way to go, and the success of data and technology-driven efforts to educate students during this time depends on trust and ensuring adequate privacy and equity safeguards are in place to protect students and their families,” said Amelia Vance, FPF’s Director of Youth and Education Privacy. “These 10 principles provide an excellent roadmap for schools to build and maintain trust with students and families, and ultimately create a supportive, safe, and inclusive learning environment for all students during this unprecedented time.”

While many schools spent the summer preparing for the return of students in person, a surge of cases in late July and early August forced many schools to alter their plans, sometimes just days before school started, leading to what The New York Times called a “lost summer” of opportunity to fix online learning. School districts are using data to inform their decisions to reopen campuses, and some schools, facing the prospect of a winter surge in cases, are making plans to revert to online learning if needed.  

The principles also raise key considerations for schools to ensure that all students are appropriately provided for during the pandemic. “This is an extraordinarily challenging time and it is more important than ever to ensure that schools guard against unfounded assumptions about students with disabilities that lead to segregation and unequal education,” said Jennifer Mathis, signatory Bazelon Center for Mental Health Law’s Deputy Legal Director and Director of Policy & Legal Advocacy. 

Highlights of The Principles for Student Data Privacy and Equity (available here) include:

See the full list of 10 principles and signatories here.

The release of the Principles for Student Data Privacy and Equity furthers FPF’s commitment to providing new and timely resources for educators navigating the unprecedented student privacy challenges posed by the COVID-19 pandemic.  Over the summer, FPF launched its “Privacy and Pandemics” professional development series for educators, also accessible through YouTube.  FPF also partnered with the National Center For Learning Disabilities (NCLD) to develop Student Privacy and Special Education: An Educator’s Guide During and After COVID-19 and is maintaining a comprehensive list of student privacy and COVID-19 resources on its student privacy-focused website, Student Privacy Compass.

To learn more about the Future of Privacy Forum, visit www.fpf.org

# # #

Contact: [email protected]

About FPF

The Future of Privacy Forum (FPF) is a nonprofit organization focused on how emerging technologies affect consumer privacy. FPF’s Youth & Education Privacy program seeks to protect child and student privacy while allowing for data and technology use that can help young people learn, grow, develop, and succeed. FPF works with stakeholders from practitioners to policymakers, providing technical assistance, resources, trend analysis, and training. The Youth & Education Privacy team runs Student Privacy Compass, the one-stop-shop resource site on all things related to student privacy. For more information, visit www.fpf.org

FPF Submits Feedback and Comments on UNICEF’s Draft Policy Guidance on AI for Children

Last week, FPF submitted feedback and comments to the United Nations Children’s Fund (UNICEF) on the Draft Policy Guidance on Artificial Intelligence (AI) for Children, which seeks “to promote children’s rights in government and private sector AI policies and practices, and to raise awareness of how AI systems can uphold or undermine children’s rights.” 

The draft policy guidance outlines nine requirements for child-centered AI, including to:

  1. Support children’s development and well-being;
  2. Ensure inclusion of and for children;
  3. Prioritize fairness and non-discrimination for children;
  4. Protect children’s data and privacy;
  5. Ensure safety for children;
  6. Provide transparency, explainability, and accountability for children;
  7. Empower governments and businesses with knowledge of AI and children’s rights;
  8. Prepare children for present and future developments in AI; and
  9. Create an enabling environment.

In the feedback and comments, FPF encouraged UNICEF to adopt an approach that accounts for the diversity of childhood experiences across countries and contexts. The feedback highlighted the need to address the specific and unique challenges children from marginalized groups face, particularly as AI may create or exacerbate prejudice, inequities, and harm for children from these communities. FPF also identified opportunities for the guidance to include strategies, tools, and resources to instruct stakeholders on ways to operationalize the requirements. Finally, the comments recommended a greater emphasis on acknowledging children as active participants in developing AI systems and their uses, and the importance of empowering children with digital literacy and citizenship skills.

Earlier in October, FPF also submitted comments to the United Nations Office of the High Commissioner for Human Rights Special Rapporteur on the right to privacy to inform the Special Rapporteur’s upcoming report on the privacy rights of children. FPF will continue to provide expertise and insight on child and student privacy, AI, and ethics to agencies, governments, and corporations to promote the best interests of children. 

Learn more about FPF’s US and international work on youth privacy here.

A Look Back at the Role of Law and the Right To Privacy in LGBTQ+ History

By Katelyn Ringrose, Christopher Wolf Diversity Law Fellow at the Future of Privacy Forum, and Christopher Wood, Executive Director of LGBT Tech, with thanks to Connor Colson, FPF Policy Intern. 

LGBTQ+ rights are, and have always been, linked with privacy. Over the years, privacy-invasive laws, practices, and norms have been used to oppress LGBTQ+ individuals by criminalizing and stigmatizing individuals on the basis of their sexual behavior, sexuality, and gender expression.  

In honor of October as LGBTQ+ History Month, FPF and LGBT Tech explore three of the most significant privacy invasions impacting the LGBTQ+ community in modern U.S. history: anti-sodomy laws; the “Lavender Scare” beginning in the 1950s; and privacy invasions during the HIV/AIDS epidemic. These examples, along with many more, will be analyzed in FPF and LGBT Tech’s upcoming white paper on the sensitivity of data concerning a person’s gender identity, sexual orientation, and sex life. 

1. Anti-Sodomy Laws and Sexual Privacy // 

U.S. anti-sodomy laws have been systematically used to oppress individuals through incarceration, denial of employment, and public shaming. In all American colonies the punishment for sodomy was death, a punishment that remained on the books in some states into the 19th century. In the early 20th century, sodomy was a felony in every state.

Anti-sodomy laws allowed law enforcement and communities to violate individual privacy by reporting suspected sexual activity. This practice of community and law enforcement invading the privacy of civilians continued well into this century, when the Supreme Court ruled the remaining state anti-sodomy laws unconstitutional in Lawrence v. Texas. In that 2003 case, Justice Anthony Kennedy refuted arguments that anti-sodomy laws protect against unwanted sexual activity:

The case does involve two adults who, with full and mutual consent from each other, engaged in sexual practices common to a homosexual lifestyle. The petitioners are entitled to respect for their private lives. The State cannot demean their existence or control their destiny by making their private sexual conduct a crime. Their right to liberty under the Due Process Clause gives them the full right to engage in their conduct without intervention of the government.

— Justice Kennedy, delivering the majority opinion in Lawrence v. Texas

More recently, scholars have begun to consider anti-sodomy laws in the larger context of “sexual privacy,” a distinct privacy interest that serves as a cornerstone for sexual autonomy, consent, human dignity and intimacy. 

Although Lawrence invalidated state anti-sodomy laws, those laws still remain on the books in many states. For example, as recently as 2011 to 2014, 12 men in East Baton Rouge Parish, Louisiana were arrested for “crimes against nature.” Similarly, the government continues to regularly reveal, or “out,” information concerning people’s sexuality, gender identity, and HIV status through legal regimes, including, for example, state laws requiring people to frequent bathrooms in accord with their sex assigned at birth, denial of healthcare services to transgender individuals, and through mandatory disclosure laws to obtain government services, including government-issued identification.

In addition to issues of government intrusion, corporate or commercial collection of data can lead to many of the same harms mentioned above, including the perpetuation of existing bias and the encoding of discrimination within systems of power. Moving forward, it is important to understand the practices of the past in order to better understand potential harms posed by the collection, use, and sharing of commercial data.

2. The Lavender Scare and the Role of Employment Protection //

Beginning in the 1950s, the U.S. federal government began surveilling and systematically purging LGBTQ+ employees from the civil workforce in what became known as the “Lavender Scare.” In 1953, President Eisenhower declared in an Executive Order that federal employees, as a matter of national security, should be investigated for “sexual perversion” and “mental illness.”

Over the next four decades, resulting investigations led to more than ten thousand civil servants losing their jobs due to their sexual orientation. This movement made it largely impossible for federal employees to publicly identify as LGBTQ+. In fact, the stigma was so strong that federal employees were fired simply for “guilt of association” because they had known someone who was accused of being LGBTQ+. 

The Lavender Scare was also the beginning of an intense fifty year period of government surveillance of LGBTQ+ individuals spearheaded by the FBI. The majority of the FBI’s documents from the Sex Deviant Program have been destroyed, but those that remain show the extent of government spying. The FBI recruited informants within early LGBTQ+ rights organizations, photographed and tracked protestors to get them removed from their federal jobs, and regularly outed them. Former Secretary of State John Kerry, in a formal apology issued in 2015, acknowledged the practice:

In the past — as far back as the 1940s, but continuing for decades — the Department of State was among many public and private employers that discriminated against employees and job applicants on the basis of perceived sexual orientation, forcing some employees to resign or refusing to hire certain applicants in the first place. These actions were wrong then, just as they would be wrong today.

On behalf of the Department, I apologize to those who were impacted by the practices of the past and reaffirm the Department’s steadfast commitment to diversity and inclusion for all our employees, including members of the LGBTI community.

— Former Secretary of State John Kerry, on behalf of the Department of State

While the Lavender Scare and the associated practices within the federal government did not fully end until the 1990s, issues associated with government surveillance and over-policing still plague LGBTQ+ communities today. And it wasn’t until 2020 that the Supreme Court clarified, in Bostock v. Clayton County, that Title VII of the Civil Rights Act bans employment discrimination on the basis of sexual orientation and gender identity.

3. The HIV/AIDS Epidemic and the Importance of Medical Privacy //

Public health infrastructure has historically excluded acknowledgement of LGBTQ+ individuals, even going as far as perpetuating harms in the form of underinvestment in healthcare. When the Human Immunodeficiency Virus (HIV) and the associated Acquired Immunodeficiency Syndrome (AIDS) came into the American consciousness in the early 1980s, most hospitals saw homosexuality as an illness, and care was laced with stigma.

HIV/AIDS, initially called GRID or Gay Related Immuno-Deficiency Syndrome, was accompanied by a range of required HIV/AIDS disclosures. As a result of these disclosures, gay and bisexual men were fired from their jobs, kicked out of housing and even refused treatment due to their potential or actual HIV status. In addition, they were often denied health insurance and in order to pay for health coverage, were exploited by viatical insurance companies to sell life insurance policies for pennies on the dollar. 

The high rate of stigmatization led individuals to avoid testing or treatment, with individuals avoiding testing out of fear that their employer would find out about their LGBTQ+ status when visits or medication were billed to their employer’s insurance. Healthcare providers themselves perpetuated this stigma by refusing to treat HIV positive patients. This stigma has led a significant portion of men who had sex with men to withhold their sexual orientation from their doctors, resulting in a lack of tailored care. These issues were only compounded by existing racism and inequities—with HIV prevention programs reaching Black communities at a slower pace than programs aimed at white gay and bisexual men, despite HIV/AIDS impacting a higher proportion of the Black population than other races and ethnicities. 

A lack of medical privacy and inadequate anti-discrimination protections continue to impact the LGBTQ+ community. A recently issued rule from the Department of Health and Human Services (“HHS”) would eliminate federal protections for LGBTQ+ individuals in accessing health insurance, particularly transgender individuals who are already mistreated and neglected through the denial of equal coverage and care. 

At the same time, governments, physicians and researchers use personal data to provide HIV/AIDS services, monitor healthcare efforts, and to advance research that benefits LGBTQ+ communities. In these circumstances, the balance between public health and individual privacy is difficult to strike — at least partially due to the deep distrust that developed during the height of the HIV/AIDS epidemic. 

Looking Forward //

Lessons learned from the past about privacy and LGBTQ+ history can, and should, continue to shape conversations today. For example, during the COVID era, we can apply lessons learned from the HIV/AIDS epidemic to examine issues around required medical disclosures for COVID-19. As we contemplate issues from the implementation of digital contact tracing to mandatory medical disclosures for individuals who have tested positive for COVID-19, we must understand that the collection of medical data, at least for the LGBTQ+ community, is an issue deeply rooted in history, laced with stigma, and marked by a lack of legal protection.

Today, connected devices and services are empowering members of the LGBTQ+ community to participate more fully online. Data regarding an individual’s sexual orientation, gender identity, or details about their sex life can be important to the provision of social and healthcare services, public health, and medical research. However, data pertaining to an individual’s gender identity, sexual orientation, and sex life can be incredibly sensitive—and the collection, use, and sharing of this data can raise unique privacy risks and challenges. Conversations around LGBTQ+ data privacy must take into account the harms of the past.

FPF and LGBT Tech continue to research LGBTQ+ Privacy. Please contact either Katelyn Ringrose at [email protected] or Chris Wood at [email protected] with any questions, comments, or to get involved. 

Dr. Lauren Gardner, Creator of Johns Hopkins University’s COVID-19 Dashboard, and UC Berkeley Data Analytics Researcher Dr. Katherine Yelick to Keynote FPF Conference on Privacy & Pandemics

Workshop Explores the Value and Limits of Data and Technology in the Context of the COVID-19 Pandemic

Today, the Future of Privacy Forum announced that a pair of distinguished professors and researchers will be the keynote speakers for a two-day virtual workshop exploring the value and limits of data and technology in the context of a global crisis. The workshop, “Privacy & Pandemics: Responsible Uses of Technology and Health Data During Times of Crisis – An International Tech and Data Conference,” convened by FPF with the Duke Sanford School of Public Policy, Dublin City University, and Intel Corporation, will take place virtually from 10:00AM to 2:00PM EST on October 27th and 28th.

Dr. Lauren Gardner, whose team at the Johns Hopkins University Center for Systems Science and Engineering (CSSE) is responsible for aggregating the most comprehensive publicly available data set on the coronavirus pandemic, will deliver the day one keynote.

“We’re living through a moment when the stakes for the technology and data protection community are high because lives depend on the responsible use of public health data,” said FPF CEO Jules Polonetsky. “Dr. Gardner has been making high-stakes decisions to balance privacy and access to data throughout the pandemic. Privacy practitioners and public health officials can learn a lot from her experience with the COVID-19 Dashboard.”

The keynote speaker on day two of the workshop will be Dr. Katherine Yelick, the Robert S. Pepper Distinguished Professor of Electrical Engineering and Computer Sciences and the Associate Dean for Research in the Division of Computing, Data Science and Society at UC Berkeley. She is also the Senior Advisor on Computing at Lawrence Berkeley National Laboratory and leads the ExaBiome project on scalable tools for analyzing microbial data. Dr. Yelick will address the challenges of COVID data analytics, specifically the many different types of data involved, the numerous barriers to access of that data, the variable quality of COVID data, and the challenges to fast and accurate analysis.

“The COVID-19 pandemic has elevated issues of data access and responsible data use, including respect for privacy, as it relates to epidemiology and public health surveillance,” said Dr. Sara Jordan, FPF Policy Counsel, Artificial Intelligence and Ethics. “Dr. Yelick offers a thoughtful analysis of the unique challenges of the COVID-19 response related to data access, sharing, protection, and use.”

Participants in the workshop include international leaders from academia and industry. The workshop begins with a session focused on the challenges associated with the urgent efforts to assemble, collect, manage, and transfer volumes of data from a variety of disparate sources to track the spread of COVID-19. The second session will assess the proliferation of technologies to facilitate contact tracing, exposure notification, thermal scanning, and isolation following an infection, attempting to balance the epidemiological benefits of these technologies against the privacy concerns they raise.

On day two of the workshop, the third session will feature experts discussing what we can learn from this pandemic for the future of law, regulatory authority, and social norms. The workshop will conclude with a session that considers the future direction of privacy law, technology, and research when interfacing with the scientific community. Following the workshop, a report will be prepared and used by the National Science Foundation to help set the direction for its Convergence Accelerator 2021 Workshops, speeding the transition of convergence research into practice to address grand challenges of national importance.

The event will take place on October 27th and 28th and is hosted in collaboration with the National Science Foundation, Duke Sanford School of Public Policy, SFI ADAPT Research Centre, Dublin City University, Intel Corporation, OneTrust, and the Israel Tech Policy Institute. To register and learn more about the event, go to the FPF website.

The Federal Trade Commission’s Updates to the COPPA FAQs

In July, the Federal Trade Commission (FTC) announced changes to update and streamline its Children’s Online Privacy Protection Act (COPPA) Frequently Asked Questions (FAQs). The COPPA FAQs supplement the COPPA Rule by providing plain-language guidance and examples of COPPA compliance. Although the Commission stated that the revisions “don’t raise new policy issues,” companies collecting or managing data from children under 13 should be aware of several significant changes and clarifications to the FAQs. The revised FAQs:

The changes to the FAQs, discussed in detail below, do not impact the Commission’s ongoing review of the COPPA Rule, for which The Future of Privacy Forum (FPF) provided comments in 2019. 

COPPA and Schools

The Commission made two significant changes to the “COPPA and Schools” portion of the FAQs: one regarding consent under COPPA and the other relating to other federal education laws. 

Consent in the School Environment

The requirements for collecting verifiable parental consent (VPC) have long been a challenge for companies that partner with schools or provide educational services intended for classroom use. The Commission’s updates to the FAQs clarify that companies contracting with schools must not state in their “Terms of Service or anywhere else” that schools are responsible for complying with COPPA because it is “the responsibility of the Operator [to comply] with the Rule.” The FAQs further clarify that companies must provide schools with “the same type of direct notice regarding its practices as to the collection, use, or disclosure of personal information from children as it would otherwise provide to the parent.” This change indicates that while the actual notice provided to schools can differ from that given to parents, it must be direct and must convey the same information as notice provided to parents.

Federal Student Privacy Laws

The updated FAQs provide more detailed descriptions of operators’ and schools’ obligations under applicable laws, including the Family Educational Rights and Privacy Act (FERPA), the Individuals with Disabilities Education Act (IDEA), and the Protection of Pupil Rights Amendment (PPRA). The previous FAQs did not mention IDEA and included only PPRA and FERPA as additional legal considerations. 

The Commission also updated language throughout the section on COPPA in schools to refer to operators’ and schools’ obligations under federal education laws. One notable addition is the following: “The school’s agreement with a third party operator must also be reviewed under the school official exception or other applicable exception under FERPA.” This language indicates that COPPA alone does not provide a basis for collecting student data; operators may obtain COPPA-required consent from schools and teachers only in the context of agreements subject to FERPA.

Response to the 2019 YouTube Settlement

The FAQs now include the Commission’s interpretations of COPPA that were dispositive in the landmark settlement with YouTube. The YouTube complaint alleged that YouTube maintained numerous child-directed channels and used persistent identifiers to serve targeted advertising on these channels. The settlement findings noted that the collection and use of persistent identifiers for targeted advertising from viewers of such channels violated COPPA because YouTube had actual knowledge that many of its channels were clearly child-directed, but did not obtain parental consent to collect, use, and disclose children’s personal information. In light of this, the updated FAQs include guidance for determining whether sites are directed to children, as well as guidance for mixed audience websites.

Directed to Children

The updated FAQs 1) address when COPPA deems content creators to be operators subject to the law; and 2) include four specific factors to help operators determine whether videos posted on their websites are directed to children. These four new factors specific to video build on the 10 factors listed by the Commission for determining whether sites are directed to children. This update largely incorporates a standalone blog that the Commission published to help content creators analyze whether their content is directed to children. The FAQs urge content creators to consider whether their content is directed to children because, in light of the YouTube Settlement, content creators may be considered operators (and thus subject to COPPA) if their sites collect personal information such as persistent identifiers from children. 

Mixed Audience

The FAQs provide deeper insight into how operators may determine whether their websites or services are directed to children, a mixed audience, or a general audience. The FAQs distinguish these three categories by clarifying that “the ‘mixed audience’ category is a subset of the ‘directed to children’ category, and a general audience site does not become ‘mixed audience’ just because some children use the site or service.” The Commission clarified that when operators’ sites or services target children under 13 but they are not the primary audience, operators can take advantage of the mixed audience exception.

If operators serve a mixed audience, they can establish age screens to ensure that they do not collect personal information from users under age 13 or to ensure they collect verifiable parental consent for those users. The FAQs also add details about how operators may appropriately establish age screens in the context of a mixed audience site or app. The Commission clarified that knowledge-based questions alone, such as a difficult math problem, are insufficient to screen children but that knowledge-based problems can be used “in addition to asking the age of the user.” The Commission also restated its longstanding position that companies must establish methods to prevent children from back-buttoning to enter a new age at an age gate, using technical means such as cookies.
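The age-screen mechanics described above (a neutral age question, and a persistent marker so a user who answers “under 13” cannot simply go back and try a different age) can be illustrated in code. The following is an added example written for this page, not code from the FTC or from the FAQs. The cookie name, the HMAC signing of the cookie value, and the use of a date of birth as the age question are design assumptions of this example; the FAQs mention only “technical means such as cookies.” Signing the cookie is the practitioner’s caveat: an unsigned cookie can be rewritten to “13plus” as easily as it can be cleared, so the server should at least be able to tell a forged value from one it issued.

```python
"""Age screen for a COPPA 'mixed audience' site.

Added illustration, not FTC or FPF code. The cookie name, the HMAC-signed
cookie format and the date-of-birth question are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from datetime import date

COOKIE_NAME = "age_screen"   # hypothetical cookie name

# Server-side secret so a visitor cannot rewrite the cookie to '13plus'.
# Generated per process here; a real deployment loads it from configuration.
SECRET = secrets.token_bytes(32)

UNDER_13 = "under13"
THIRTEEN_PLUS = "13plus"


def _sign(state: str) -> str:
    return hmac.new(SECRET, state.encode(), hashlib.sha256).hexdigest()


def make_cookie(state: str) -> str:
    """Tamper-evident cookie value of the form '<state>.<hex hmac>'."""
    return f"{state}.{_sign(state)}"


def read_cookie(value):
    """Return the recorded state, or None if absent, malformed or tampered."""
    if not value or "." not in value:
        return None
    state, sig = value.rsplit(".", 1)
    if state in (UNDER_13, THIRTEEN_PLUS) and hmac.compare_digest(sig, _sign(state)):
        return state
    return None


def age_on(birth_iso: str, today_iso: str) -> int:
    """Whole years between two ISO dates, counting a birthday as reached on the day."""
    birth = date.fromisoformat(birth_iso)
    today = date.fromisoformat(today_iso)
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def screen(cookies: dict, birth_iso: str = None, today_iso: str = None):
    """Run the age gate for one request.

    Returns (decision, cookies_to_set). Decisions:
      'ask'   - no usable cookie and no answer yet: show the neutral age
                question (a date of birth, with no hint about the cutoff)
      'child' - under 13: collect no personal information until verifiable
                parental consent is obtained
      'allow' - 13 or older: general-audience handling applies
    A prior result stored in the signed cookie wins over any new answer,
    which is what defeats the back-button-and-retry trick.
    """
    today_iso = today_iso or date.today().isoformat()
    prior = read_cookie(cookies.get(COOKIE_NAME))
    if prior == UNDER_13:
        return "child", {}
    if prior == THIRTEEN_PLUS:
        return "allow", {}
    if birth_iso is None:
        return "ask", {}
    if age_on(birth_iso, today_iso) < 13:
        return "child", {COOKIE_NAME: make_cookie(UNDER_13)}
    return "allow", {COOKIE_NAME: make_cookie(THIRTEEN_PLUS)}


if __name__ == "__main__":
    # Constructed walk-through: first visit, an under-13 answer, then a retry.
    jar = {}
    decision, to_set = screen(jar, today_iso="2020-10-01")
    print("first visit:", decision)                       # ask
    decision, to_set = screen(jar, "2010-05-04", "2020-10-01")
    print("answered 2010-05-04:", decision)               # child
    jar.update(to_set)
    decision, to_set = screen(jar, "1990-01-01", "2020-10-01")
    print("back button, answered 1990-01-01:", decision)  # child (cookie wins)
```

The cookie only has to survive a back-button retry within the same browser; a determined visitor can still clear it, which is why the FAQs frame this as a reasonable technical measure rather than a guarantee. Whatever the site stores before the screen completes (session identifiers, analytics beacons) must itself stay within COPPA’s “internal operations” allowance, since the gate cannot retroactively un-collect data.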

IoT Devices and the Non-Enforcement Policy Regarding Voice Recordings

The updated FAQs include Internet of Things (IoT) devices—specifically, connected toys, smart speakers, and voice assistants—as commercial services subject to COPPA. The new FAQ F.6 incorporates the Commission’s 2017 Enforcement Policy Statement Regarding the Applicability of the COPPA Rule to the Collection and Use of Voice Recordings, which aligns with FPF’s 2016 recommendations regarding connected toys and voice recordings. The FAQs now state that the FTC will not enforce the prior parental consent requirement when operators 1) collect an audio file of a child’s voice for the purpose of fulfilling a request or conducting an internet search; and 2) maintain that file only “for the brief time necessary for that purpose.” 

This policy applies as long as operators provide clear notice of their data collection, use, and deletion policies; do not request personal information via voice; use the audio file solely to fulfill the user’s request; and delete the file upon request fulfillment. In addition to this new section, the FAQs clarify that COPPA applies to connected toys, IoT devices, smart speakers, and voice recordings of children. 

Additional Changes

The Commission made several other notable changes to the FAQs, including adding new methods for obtaining verifiable parental consent; clarifying that wireless network information is subject to COPPA; adding examples of “internal operations;” and removing guidance regarding the transition from the old COPPA rule. 

New methods for obtaining parental consent 

The FAQs highlight two new methods of obtaining parental consent. Operators may require “a parent to answer a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer.” Or, operators may compare and verify a parent’s photo identification with a photo submitted by the parent through facial recognition technology, as long as the FTC pre-approves the mechanism deployed for either option.

Wireless network information is subject to COPPA

The FAQs add the Commission’s finding that wireless network identifiers used to infer the precise location of a child constitute personal information covered by COPPA and therefore require notice and parental consent prior to collection, per the 2016 InMobi settlement.

Further examples of internal operations 

The FAQs update the Commission’s definition of activities that support internal operations to include “activities necessary for the site or service to maintain or analyze its functioning,” specifically listing “intellectual property protection, payment and delivery functions, spam protection, optimization, statistical reporting, and debugging,” as such activities. The FAQs further remind operators that behavioral advertising and amassing profiles are not internal operations, consistent with settlements dating back to 2015.

Removing guidance relating to the transition from the old COPPA Rule

Throughout the FAQs, the Commission has removed language that distinguished the “old” and “new” COPPA rules. The Commission said that because the current regulations have been in place for seven years, it removed language regarding the transition between the two rules.

This blog was authored by Anisha Reddy, Casey Waughn, and Tyler Park.

FPF, Highmark Health, and CMU Host Wired for Health: 2020 — Examining Biometric Technologies in the Age of COVID-19

On Thursday, October 8th, Highmark Health, Carnegie Mellon University’s CyLab Security and Privacy Institute, and Future of Privacy Forum hosted a virtual symposium—taking an in-depth look at the role of biometrics and privacy in the COVID-19 era. 

During this virtual symposium, expert discussants and presenters examined the impact of biometrics and privacy in the ongoing fight against the novel coronavirus. The world has changed. Today, keeping COVID-19 at bay is a top priority across our communities, throughout our country, and around the world. 

The full recording of the virtual symposium is available here: 

https://www.youtube.com/watch?v=rrJsjBERsUE

Presentations focused on emerging technology, covering advanced facial recognition systems, temperature scanning, and respiratory disease detection. Presenters included Dr. Anil Singh of the Allegheny Health Network and Satya Venneti, CTO and Co-founder of Telling.ai; Dr. Marios Savvides of the CyLab Biometrics Center at Carnegie Mellon University; and Dr. Yang Cai of the Visual Intelligence Studio at Carnegie Mellon University. 

The expert panel analyzed the privacy impacts of certain technologies, including the deployment of voice recognition and temperature sensing to identify disease symptoms associated with COVID-19. Panelists noted the inherent tensions within certain biometrics technologies, including the ethical and social dilemmas raised by public and private use. 

Panel discussants included: Dr. Lorrie Faith Cranor, Director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute at Carnegie Mellon University; Dr. Lisa Martinelli, Chief Privacy and Data Ethics Officer, Highmark Health; Dr. Rachele Hendricks-Sturrup, Health Policy Counsel, Future of Privacy Forum; Kirk Nahra, Partner, WilmerHale; and Jules Polonetsky, CEO, Future of Privacy Forum.

We look forward to continuing this important conversation, with an in-person conference — Wired for Health 2021 — later next year.

FPF Submits Comments to United Nations Ahead of 2021 Special Report on Child Privacy

Last week, the Future of Privacy Forum (FPF) submitted comments to the United Nations Office of the High Commissioner for Human Rights Special Rapporteur on the right to privacy to inform the Special Rapporteur’s upcoming report on the privacy rights of children. 

The Special Rapporteur’s report, expected in March 2021, will focus on how privacy affects the evolving capacity of the child and the growth of autonomy, and what factors enhance or constrain this development.

FPF’s comments focus on encouraging the Special Rapporteur to consider two key points in the development of their report, including: 

  1. How child privacy legislation can and should react to actual harms, and not unsubstantiated fears, in order to avoid unintended consequences that may impact the rights of children to benefit from and participate in the online ecosystem; and 
  2. How child privacy policies must consider and balance competing and evolving interests between children and other authority figures such as parents or teachers, and recognize the need to foster resilience and autonomy in children by helping them develop digital skills.

Additionally, FPF’s comments suggest that the Special Rapporteur’s report include a discussion on the need for schools, districts, and their third-party vendors to be transparent about data and technology use, storage, analysis, and purpose with children, parents, and other relevant stakeholders. 

Transparency around data and technology use has become particularly urgent in recent months as millions of children around the world shifted to some form of online or distance education when the COVID-19 pandemic closed many school buildings in early 2020. Since that time, FPF has developed and compiled student privacy and COVID-19-related resources for school leaders, policymakers, teachers, and students and their families on its student privacy-focused website, StudentPrivacyCompass.org.

By sharing our expertise and insight on the US student privacy landscape and its long history of unintended consequences, the importance of balancing the interests of children with authority figures, and the critical need for fostering an environment of transparency and trust, FPF hopes to help inform a thorough and thoughtful report on the privacy rights of children by the Special Rapporteur next spring. We look forward to discussing these recommendations and others with child privacy stakeholders in the U.S. and around the world in the coming months. 


Chelsey Colbert Discusses Trends in Mobility & Location Data

Chelsey Colbert, Policy Counsel, leads FPF’s mobility and location data portfolio. Prior to joining FPF, Chelsey was a lawyer at an international business law firm in Canada and was seconded as in-house privacy and data governance counsel to Sidewalk Labs, an Alphabet company that designs and builds urban innovations. Chelsey holds a J.D. with a major in technology law and policy from the University of Ottawa.

Can you tell us about your career and what led you to FPF?

While I was in law school, one of my professors, the late Ian Kerr, sparked my interest in AI and robotics and he has influenced my career path towards AI and robotics. After law school, I worked as in-house counsel for Sidewalk Labs while on secondment from a law firm. I’m really passionate about cutting edge technologies that blend the digital and physical worlds and there’s no better or more exciting space than mobility and smart cities for me to exercise that interest. I’m really optimistic about the potential for robots and automated vehicles to positively shape our future, particularly in terms of saving lives, increasing efficiencies, and providing humans with conveniences. At the same time, I recognize that there can be ethical and privacy harms to individuals and society through the irresponsible use of technologies. I believe there are ways to mitigate risks and reduce or eliminate harms to get as many benefits from technologies like automated vehicles and digital micromobility services, like bike- or scooter-sharing.

FPF has been a really great fit for me because I get to be deeply involved in some of the most exciting privacy and data-related challenges of our time. I enjoy getting to work with a variety of stakeholders, including government, industry, and academia. My work at FPF presents me with a unique opportunity to help shape our mobility future to be more equitable, accessible, safe, and affordable. I believe that the multitude of mobility options – from connected and autonomous vehicles (CAVs) to e-scooters to delivery robots – present many benefits and implications for society. My portfolio at FPF covers the entire range of privacy and data topics in the mobility space, and it’s rare to have a day go by where there isn’t something newsworthy coming out.

What attracted you to working on aspects of law related to AI, privacy, and mobility?

AI and privacy as a field is both niche and extremely broad. Some of the reasons why I’ve become interested in AI and privacy with respect to mobility specifically are that the technical and regulatory challenges of autonomous vehicles are fascinating and raise a lot of questions related to privacy and data protection. I’ve also found that mobility data is quite varied in nature and, because of that, raises really complex and contextual privacy challenges. The mobility ecosystem requires collaboration and input from the various levels of government, communities, companies, and international partners. Working with such a wide variety of stakeholders has been a highlight of my time at FPF.

What are the hot-button issues that you’re working on related to mobility?

Currently, I’m working with FPF stakeholders on a report that will outline privacy-by-design goalposts for connected and autonomous vehicles. The report will take a deep dive into connected and autonomous vehicle technologies that are essential for the safe development of these cars, including optical sensors, computer vision, and geolocation and HD mapping. I believe that just as safety and security should be built into the design of cars, so should privacy.

Mobility data sharing is another fascinating and dynamic area. One example is the sharing of micromobility data between companies and cities through the Mobility Data Specification (MDS). MDS is a set of open-source APIs that allows the data from a vehicle to be shared – almost in real-time – with city governments, typically the DOT. A big part of my work in this space is understanding the privacy implications of types of mobility data, which often includes personal data and location data. There are interesting questions about the temporal nature of mobility data, whether mobility data can be used to identify individuals, and the sharing of data between the private sector and the public sector, where each sector often has different obligations and responsibilities. Another fascinating development is the Right to Repair movement, which illustrates the potential conflicts of access to and control over vehicle data.

What mobility trends will we all be talking about in the next couple of years?

We’re seeing increased interest in the space from regulators across the globe, particularly in the larger markets. Regulators are concerned about safety regulations and standards. In the United States, for example, the National Highway Traffic Safety Administration recently announced an online, centralized platform for cities and companies to voluntarily post updates about their automated vehicle testing. After stalling in 2017, the SELF DRIVE Act was recently reintroduced, which would create a federal framework for the regulation of autonomous vehicles (AVs) and includes a section on privacy policies. We may see this or a new AV bill become law in 2021 and this will have implications for privacy and data protection.

There is also a lot of policy and legislative action in state and local governments in terms of mobility data sharing, access to mobility data, and general privacy laws that impact CAVs. Also, in Europe, the European Data Protection Board is expected to intensify its work in this area and recently released draft guidelines on connected cars. We’re also seeing advanced driver-assisted technologies and driver monitoring systems become required in car safety regulations and standards, which has implications for privacy and data protection. Regulations and standards are important from a technical perspective, because safety standards often drive the development of new technology. When manufacturers develop the technology to reach those standards, it’s important that companies (and governments) implement privacy by design in the technologies and in their organizational practices.

The volume of data coming from connected cars and other forms of mobility will increase, as will its value. There will be more opportunities to monetize this data, but it’s a really complex ecosystem with many players, all of which need to be strategic and thoughtful about privacy. We’re seeing the industry continue to move away from siloed operations, toward more collaboration, consolidation, and partnership in the mobility space as stakeholders – including car manufacturers, mapping companies, driverless technology companies and others – recognize the importance of collaboration to unlock the full potential of mobility data. This all makes for a really complex ecosystem, which means there is a lot for businesses, consumers, and policymakers to navigate. Some of the data is relatively benign from a privacy perspective, while other data is very sensitive, and some data could become personal and sensitive depending on the context, such as location data. Companies and governments collecting mobility data must ensure that their staff have a deep understanding of the privacy implications of new technologies and data types. Privacy-by-design and a cross-functional approach are some of the best ways to address these complex, multifaceted privacy issues.

I’m also expecting to see more public-private partnerships in this space. The private sector and all levels of government must have a relationship with each other to ensure that there is a constructive dialogue on privacy, safety, and technical standards. Municipal governments are an important part of the ecosystem, in addition to state and federal governments. Mobility data provides many social and monetary benefits and can also be used or misused in ways that have unintended harmful consequences for individuals and society. Companies and governments using and benefitting from mobility data should both be held to higher standards of privacy and data protection. The public should also have a voice in the policymaking and innovation process. Better transparency about how technology is being developed and the mitigation efforts to reduce harms could help improve consumer trust and the adoption of newer technologies such as delivery robots and automated driving features.

I expect the next several years in mobility law and policy to be very interesting and challenging. I consider myself to be very lucky to work in such a dynamic area of technology law and policy and am hopeful for a future with more (human friendly) robots in it.

FPF & Dataskydd.net Webinar – Privacy in High Density Crowd Contexts

Authors: Hunter Dorwart and Rob van Eijk

On 30 September 2020, Future of Privacy Forum (FPF) and Dataskydd.net jointly organized the webinar ‘Privacy in High Density Crowd Contexts’. A key aspect of the webinar was the role of industry-driven privacy standards in the development and deployment of privacy-friendly technologies for crowd management, mobile connectivity, and smart city services.

Keywords: IEEE P802E Recommendations, Privacy by Design, Certification, Standardization

Speakers (in alphabetical order)

The recording is available here.

Privacy-Preserving Technologies and Standards Development

Many industry-driven standards development organizations (SDOs) have been working to improve the general privacy qualities of both network infrastructures and web infrastructures. Generally speaking, these bodies focus on how industry standards can remedy design flaws in technologies in order to facilitate transparency, foreseeability, and the ability of consumers to both opt out and make decisions about the way they can interact with technical infrastructures.

Some of these standards have been quite successful and continue to show a lot of promise to address emerging privacy issues in technology. For instance, the Internet Engineering Task Force (IETF), which is responsible for the bulk of what consumers see in a web browser or in an email, considers privacy issues when developing Internet standards through, among other things, the RFC6973 Privacy Considerations for Internet Protocols. In addition, many technical bodies are attempting to introduce encryption and minimization standards to ensure that network protocols do not generate identifiers beyond what is necessary for the network to function.

As the world becomes more digitized, SDOs will continue to develop privacy-preserving standards. However, challenges are beginning to emerge regarding the widespread adoption of these standards and how industry standards-setting bodies such as the Internet Engineering Task Force (IETF), the Institute of Electrical and Electronics Engineers (IEEE), the 3rd Generation Partnership Project (3GPP), and the World Wide Web Consortium (W3C) interface with EU-level policymaking. As it is, there is a real risk that the underlying policy goals of governments may conflict with future standards setting, and that a lack of coordination across SDOs and between governments may hinder consistency and interoperability.

Striking a balance between protocols that need some type of identifier to function and the level of privacy exposure that might result has created difficulties for embedding privacy within standards. In order to enable seamless communication between routers and devices, protocols that govern access points within the routers must trace identifiers unique to a product device. Because devices are often linked to an individual user, the network protocols that facilitate communication invariably expose data about these users. The IEEE navigates this trade-off by providing technical solutions to help developers make this seamless flow of communication and data-sharing more aligned with public policy goals.

IEEE Recommended Practices for Privacy Considerations for IEEE 802 Technologies

To this end, the IEEE P802E working group has been drafting Recommended Practices for Privacy Considerations for IEEE 802 Technologies (P802E). P802E contains recommendations and checklists for developers of IEEE 802 technologies (Figure 1). The approach builds on the Section 7 questionnaire of RFC6973 Privacy Considerations for Internet Protocols, adapted to the IEEE 802 environment, and considers harms and risks to privacy when developing network protocols.

Figure 1 – Overview of P802E applications (slide from the presentation by Jerome Henry)

The purpose of the P802E recommendation is ‘to promote a consistent approach by IEEE 802 protocol developers to mitigate privacy threats identified in the specified privacy threat model and provide a privacy guideline.’ In order to strike the right balance between functionality and privacy, the IEEE focuses on the context of device use. For instance, personal devices make it easier to identify the user through network traffic routing while shared devices generally do not. The rubric for developing standards therefore changes depending on how users will interface with the device.

IEEE 802 LAN standards specify the operation of media access control (MAC) methods and protocols that support frame-based network communication. MAC procedures and various protocol frame formats and fields can be used to identify personal devices, their attributes, and their use to support specific networking applications and activities. An adversary can use this information to obtain (location) information about an individual. Other possible threats in IEEE 802 LAN standards are, e.g., flow identifiers, optional fields in the standard, network discovery flows and patterns, ranging exchanges, authentication flows, directed queries, frame timing, and frame structure. Figure 2 illustrates the threat of location services systematically tracking (mobile) access points.

Figure 2 – Example of the threat of location services systematically tracking (mobile) access points (slide from the presentation by Marit Hansen).

Speed to Market 

As standards evolve, policymakers and industry must work together to reduce the time to market. This includes facilitating the adoption of privacy by design and establishing appropriate benchmarks for matching regulatory compliance with technological design. As it is, one major challenge facing public-private partnerships is how fast the technological landscape changes. Putting in place the infrastructure to adapt standards to novel privacy challenges becomes difficult as more IoT devices proliferate throughout the economy and make tracking scenarios much larger than before.

Standardization and Certification

From the perspective of industry, many stakeholders in the broadband industry see the importance of implementing privacy policies throughout their services and recognize the demand from policymakers. Like standards bodies, network operators must also strike a balance between functionality and privacy-preserving practices. But this doesn’t have to be a zero-sum tradeoff. Organizations can push for policies that establish a compliance baseline that industry must meet. In turn, this enables standards bodies to have a better sense of how to build trust chains for authenticated communications in particular environments.

To this end, technical standardization is an important and valid tool for building compliance and achieving common knowledge and common understanding around emerging technologies. Furthermore, in the EU, codes of conduct and certification (article 40-43 GDPR) complement the toolkit. However, even though policymakers can establish benchmarks through regulations, it is still necessary to engage with industry and technical bodies in order to clarify ambiguities in the law. While standards can serve as benchmarks for DPAs and relevant authorities, there needs to be a relevant mechanism to ensure transparency in the auditing process and validate that market players are really respecting the standard.

Lessons Learned from Smart Cities and Transportation

Current discussions around automotive and transportation use-cases illustrate some of these lessons. When designing automotive technology to connect cars to smart devices, engineers have had to adjust to changing regulatory and market environments. Back in the mid-2000s, car designers relied on device identifiers to connect mobile phones to cars. But now that the environment has changed, engineers have come up with new ways to ensure connectivity without having to rely on identifying a particular user to a device.

As standards around identifiers continue to change, so too will the technology in automobiles. Widespread adoption in the market of new technologies is not just a technical challenge but also an industry challenge. Industry must be ready to embrace the new technical features, which means the question becomes one of measuring the demand needed to change industry behavior.

Policymakers can contribute to this through implementing regulatory initiatives and engaging with industry and technical bodies. For instance, in the EU, any processing of data around wifi and device identifiers needs to comply with the GDPR. In part, this baseline establishes a legal basis for smart cities to process mobility data and can serve as a target for standards development bodies in their activities.

For instance, Dutch Railways faced issues around data processing for crowd management purposes. While facilitating public transportation qualifies as a legitimate interest to process data under the GDPR, railway operators must check whether the way they process crowd data is really the best option and valid under the circumstance. Indeed, Dutch Railways faced many issues around crowd management and had options to enable both wifi and bluetooth tracking to process data, but chose to take a method that was less privacy intrusive than alternatives. They utilize(d) wifi tracking only in locations where absolutely necessary and trace travel patterns of commuters with an alternative method that masks the identities of the passengers.

Dutch Railways does this by hashing the Wi-Fi MAC address of the traveler’s phone twice through sensors in the railway station and sending the data to a central server. During the length of the commute, subsequent sensors send hashed information to the same server, which allows the company to match the data and generate a mobility pattern without revealing the identity of the commuter. The data is available for only one day before it is deleted, which minimizes the risk of aggregating large data sets over time.
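As an added illustration of the two-stage hashing approach described above (example code written for this recap, not Dutch Railways’ or the webinar’s own implementation): it assumes each stage is a keyed hash (HMAC) under a secret that rotates daily and that the day’s data and keys are destroyed together, because an unkeyed hash of a MAC address offers little protection: the 48-bit MAC space (smaller still once known vendor prefixes are considered) can simply be enumerated. The sensor names and sightings are constructed.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sightings: (sensor_id, Wi-Fi MAC address, unix timestamp in UTC).
# Two phones, each passing two sensors on 2020-09-30; the first phone returns on 2020-10-01.
SAMPLE_SIGHTINGS = [
    ("platform-1", "a4:5e:60:11:22:33", 1601452800),
    ("concourse",  "f0:18:98:aa:bb:cc", 1601452900),
    ("platform-3", "A4-5E-60-11-22-33", 1601453100),  # same phone, different notation
    ("platform-1", "f0:18:98:aa:bb:cc", 1601453200),
    ("platform-1", "a4:5e:60:11:22:33", 1601550000),  # next day
]


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff' form so notation differences do not split one device."""
    hexdigits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def day_of(ts: int) -> str:
    """Retention bucket: the UTC calendar day of a sighting."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()


class DailyPseudonymizer:
    """Hypothetical two-stage, per-day keyed pseudonymization of MAC addresses.

    Stage 1 runs on the sensor with a key shared by all sensors for that day;
    stage 2 runs on the central server with a key the sensors never hold, so a
    compromised sensor cannot reproduce the pseudonyms stored centrally.
    Keys are fresh per day, so pseudonyms cannot be linked across days.
    """

    def __init__(self):
        self._keys = {}                      # day -> (sensor_key, server_key)
        self._sightings = defaultdict(list)  # day -> [(sensor_id, pseudonym, ts)]

    def _keys_for(self, day):
        if day not in self._keys:
            self._keys[day] = (secrets.token_bytes(32), secrets.token_bytes(32))
        return self._keys[day]

    def sensor_stage(self, mac, day):
        """First hash: HMAC-SHA256 over the MAC with the day's shared sensor key."""
        sensor_key, _ = self._keys_for(day)
        return hmac.new(sensor_key, normalize_mac(mac).encode(), hashlib.sha256).digest()

    def server_stage(self, stage1, day):
        """Second hash: HMAC-SHA256 over the stage-1 digest with the server-only key."""
        _, server_key = self._keys_for(day)
        return hmac.new(server_key, stage1, hashlib.sha256).hexdigest()[:16]

    def ingest(self, sensor_id, mac, ts):
        """What the server stores: sensor, pseudonym, time; never the MAC itself."""
        day = day_of(ts)
        pseudonym = self.server_stage(self.sensor_stage(mac, day), day)
        self._sightings[day].append((sensor_id, pseudonym, ts))
        return pseudonym

    def travel_patterns(self, day):
        """pseudonym -> sensors in the order they were passed on that day."""
        by_pseudonym = defaultdict(list)
        for sensor_id, pseudonym, ts in sorted(self._sightings[day], key=lambda s: s[2]):
            by_pseudonym[pseudonym].append(sensor_id)
        return dict(by_pseudonym)

    def days(self):
        return sorted(self._sightings)

    def purge_except(self, keep_day):
        """One-day retention: drop every other day's sightings and destroy its keys."""
        for day in list(self._sightings):
            if day != keep_day:
                del self._sightings[day]
                self._keys.pop(day, None)
        return self.days()


def run_sample():
    """Ingest the constructed sightings; returns the pseudonymizer and pseudonyms in order."""
    p = DailyPseudonymizer()
    return p, [p.ingest(*s) for s in SAMPLE_SIGHTINGS]
```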

In addition, in the context of smart cities, it’s also important for policymakers and city coordinators to communicate effectively with the public. For instance, while there isn’t a clear legal standard for processing mobility data in the United States, public backlash about wifi tracking throughout cities serves as an incentive not only for policymakers to adopt more privacy-preserving traffic solutions but also for industry to enable those solutions through product design. Organizations therefore need to engage with the public in a meaningful way to effectuate problem solving.

Figure 3 – Recommendations aimed at the use of MAC addresses in the context of Wi-Fi tracking (slide from the presentation by Marit Hansen).

Takeaways from the Panel Discussion

P802E defines a framework, a recommended practice for privacy considerations when designing or evaluating an IEEE 802 Standard. P802E does not provide a standard-specific set of rules or recommendations. The goal of the framework is to encourage designing for privacy, limiting (unauthorized) personal information exposure as much as possible. P802E can be used beyond 802 technologies, to inform how privacy may be affected by networking communications in the Data Link Layer (also known as L2-layer). The L2-layer is the second level in the seven-layer OSI reference model for network protocol design.

Different contexts (e.g., hospital, public Wi-Fi tracking, airport, smart city transportation platform) imply different privacy requirements, which means that stakeholders need to communicate the privacy policy expectations for each vertical transparently. Mobile users expect a harmonized experience across contexts, which creates challenges for public sector actors, private industry, certification bodies, and technical standards bodies to strike the right balance between functionality and privacy.

When developing standards, SDOs should explore how such standards fit in regulatory regimes and the specific rules and definitions of personal data. Policymakers in turn must search for synergies to promote compliance with various legislative and regulatory rules and engage with standards bodies to ensure that stakeholders are on the same page. Such engagement should reflect a broad, interconnected way of thinking and routinely employ use cases to find the appropriate technical solution. To this end, it is also important that organizations involved in these workstreams know and appreciate the same terminology and frameworks.

Following such a path could help shorten the time to market and ensure that technical standards and certification schemes are flexible and adaptive to the vast changes in technology that confront us.


To learn more about FPF in Europe, please visit fpf.org/eu. For information about Dataskydd.net click here.

Event Recap: Using Corporate Data for Research – Lessons from an Award-Winning Project

Last week, FPF hosted a virtual event honoring the winners of the first-ever FPF Award for Research Data Stewardship: University of California, Irvine Professor of Cognitive Sciences Mark Steyvers and Lumos Labs, represented by General Manager Bob Schafer. In addition to the awardees, the event featured Daniel L. Goroff, Vice President and Program Director at the Alfred P. Sloan Foundation, which funded the award, as well as FPF CEO Jules Polonetsky and FPF Policy Counsel Dr. Sara Jordan.

During the event, the participants outlined the importance of promoting privacy-protective data sharing collaborations between companies and academic researchers, described the specifics of the award-winning project and the results of the collaboration, steps taken to protect privacy throughout the process, advice for academics interested in working with company data, and advice for companies interested in working with academic researchers.

To learn more about the award-winning collaboration, please see the announcement and project fact sheet.

If you missed the broadcast, a recording is available on YouTube.

About the FPF Award for Research Data Stewardship

The first-of-its-kind award recognizes a research partnership in which a company has shared data with an academic institution in a privacy-protective manner, thereby driving the use of privately held data for academic research. When privately held data is responsibly shared with academic researchers, it can support significant progress in medicine, public health, education, social science, and other fields, but that data is often unavailable due to a range of concerns, including the need to protect individual privacy.

To learn more about the award, application process, and reviewers, check out this past year’s Call for Nominations. Keep an eye out for next year’s Award for Research Data Stewardship Call for Nominations, coming this fall. You will be able to find information about nominations, and other FPF projects to promote responsible sharing of corporate data for research at FPF.org/data.