Roundtable Discussion: Smart Cities and Open Data (2017 MetroLab Network Annual Summit)

You are invited to join the Future of Privacy Forum at the 2017 MetroLab Network Annual Summit for a roundtable discussion about smart cities and open data.

MetroLab Network is a group of more than 35 city-university partnerships focused on bringing data, analytics, and innovation to city government. Its members include 38 cities, 4 counties, and 51 universities.

Who

Future of Privacy Forum

What

Privacy and Open Data

The Smart Cities and Open Data movements promise to use data to spark civic innovation and engagement, promote inclusivity, and transform modern communities. At the same time, advances in sensor technology, re-identification science, and Big Data analytics have challenged cities and their partners to construct effective safeguards for the collection, use, sharing, and disposal of personal information. In this breakout session, we will discuss privacy risks in open data programs and how cities like Seattle are promoting transparency while protecting individual rights.

Moderator

• Kelsey Finch, Policy Counsel, FPF

Panelists

• Michael Mattmiller, Chief Technology Officer,  City of Seattle
• Jesse Woo, Lawyer and Research Faculty, Georgia Tech

Privacy and Urban Instrumentation

As cities harness more data than ever, how can we assess the risks and opportunities of new technologies and data flows while preserving public trust and individual privacy? In this breakout session, come hear from Cities, CIOs, academic leaders, and industry experts as we examine the opportunities and challenges of new urban instrumentation and how we can come together to address privacy challenges in smart cities.

Moderator

• Annie Antón, Professor, College of Computing, Georgia Tech

Panelists:

• Nigel Jacob, City of Boston, Co-Founder, Mayor’s Office of New Urban Mechanics
• Scott R. Shipman, General Counsel & Chief Privacy Officer, Verizon

Where

2017 MetroLab Network Annual Summit

Georgia Tech

Atlanta, Georgia

When

December 14, 2017

2:30 PM & 4:00 PM

REGISTER HERE(Link Expired)

Learn more about the Summit by visiting metrolabnetwork.org/annual-summit.

The Top 10: Student Privacy News (October-November 2017)

The Future of Privacy Forum tracks student privacy news very closely, and shares relevant news stories with our newsletter subscribers.* Approximately every month, we post “The Top 10,” a blog with our top student privacy stories. This blog is cross-posted at studentprivacycompass.org. 

Over the past month and a half, student privacy issues have proliferated in the news. Among other big events coming up, the comments on the FTC/USED workshop on COPPA in schools are due this Friday (the workshop is December 1^st), and FPF is holding a free student privacy bootcamp for ed tech companies (register here) in DC on December 8^th.

The Top 10

1. As reported in my last newsletter, four districts (and possibly two universities) were targeted in September and October by hackers who threatened to harm students and disclose their sensitive information. After the S. Department of Education warned districts about the potential security threat, the story hit CNN, Wall Street Journal, NPR, Mother Jones, NBC News, CNBC, and the Washington Post, among many other outlets. It is worth rereading EdWeek’s report on ransomware in schools from earlier this year and this blog from PogoWasRight on the possible consequences of this breach. Policymakers at the state and federal level are planning to act – and hopefully they will provide the money and resources necessary to help districts build up their security and train educators on how to avoid cyber threats and protect privacy. However, it is noteworthy that many of the hackers’ actions are already against the law. My worry? Copycat hackers.
2. GDPR kicks in on May 25^th, 2018, and S. schools have begun to focus on how it applies to them. Every higher ed institution – and some K-12 institutions – as well as most ed tech companies with users in the EU will be impacted. (see my Storify of live-tweets from the panel). Novatia has some recent potentially useful articles on GDPR and schools as well.
3. Personalized Learning – and the data that drives it – continues to inspire articles that discuss its effectiveness and potential impacts on privacy. The latest is Ben Herold’s article on “The Case(s) Against Personalized Learning,” part of an EdWeek special report on “Personalized Learning: Vision vs. Reality.” This month, we also saw the Rand Corporation’s newest research study on personalized learning and Ben Williamson noted that “It is important for education research to engage with how some of its central concerns—learning, training, experience, behaviour, curriculum selection, teaching, instruction and pedagogy—are being reworked and applied within the tech sector.”
4. A progressive political group “filed FOIA requests seeking the publicly available student directories to get student cell phone numbers [available through FERPA’s directory information exception] at every one of Virginia’s 39 public colleges. Of those, 18 schools, including Tech and Radford, complied.” This will lead to legislation banning directory information disclosures for this purpose next spring. In related news, a great blog on how “Cell Phone Numbers are the New SSNs.”
5. Over 800 “School websites [were] hacked to show pro-Islamic State message” (more info in this Fox News article) due to a vulnerability in the company that maintains the websites. In response, Rep. Donald Payne Jr said he is “working on federal legislation to address cybersecurity threats to schools.” In related news, student security expert Doug Levin is halfway through a blog series about state education agency and district websites. So far, he’s covered whether they have secure browsing and ad tracking.
6. EdWeek reported on the education implications behind a New York City Council bill that would require that “all city agencies publish the source code behind algorithms they use to target services to city residents.” ProPublica also released a report after “A federal judge this week unsealed the source code for a software program developed by New York City’s crime lab, exposing to public scrutiny a disputed technique for analyzing complex DNA evidence,” which could have implications for schools.
7. Policymakers, pundits, and the public continue to express more skepticism about tech companies than ever before, and ed tech companies are not exception. The New York Times continued its series about how ed tech is changing education with “How Silicon Valley Plans to Conquer the Classroom,” which has already resulted in a Maryland “Legislator Target[ing] Tech Perks in Baltimore County District” and a Baltimore Sun investigation finding that “Baltimore County school leaders…were paid by tech industry group” without disclosing the payments. Mother Jones also published “Inside Silicon Valley’s Big-Money Push to Remake American Education;” “Silicon Valley Tried to Reinvent Schools. Now It’s Rebooting,” via BloombergTechnology; and EdSurge reported on AltSchool’s shutting down two of their campuses, asking “Where Does Silicon Valley’s Philanthropy End and Profits Begin?”
8. Student Privacy went viral this month! Read about the saga of Taiwan Jones in Buzzfeed. Even though this was all probably fake, it raised questions for educators as to whether grading in public violates FERPA. The answer: it depends. It would likely be a FERPA violation if the person sitting next to the teacher can see the name and grade of the student (someone suggests this is another reason to use ID numbers instead of names on homework assignments), but FERPA could also be read to mean that it doesn’t violate FERPA because the grade hasn’t been entered into the gradebook.
9. The House Committee on Government Oversight and Reform passed H.R. 4174, which implements recommendations from the Evidence-Based Policymaking Commission (see their report that was backed by EPIC and my write-up of its impact on education here). Some groups are opposing the bill on privacy grounds.
10. The annual Global Privacy Enforcement Network Privacy Sweep found that some educational apps “fall short on privacy,” via Business Insider. Part of the problem? “[W]ebsite privacy notices are too vague and generally inadequate.”

Image: “image_106” by Brad Flickinger  is licensed under CC BY 2.0.

John Verdi Talks Connected Devices with Fox 2 St. Louis

On November 13, 2017, FPF’s Vice President of Policy, John Verdi, discussed the privacy implications of connected devices with Mike Colombo of Fox 2 St. Louis. John explained:

“What data is being transmitted and what data is being used really depends on the device,” Verdi said. “They can offload that information from the device to servers on the internet that are either controlled by the companies or third parties and there’s some processing that can happen there.”

“I think it’s really time for folks at the federal level to be thinking about comprehensive, baseline, common sense privacy law,” he said.

You can watch the full interview below.

Understanding Corporate Data Sharing Decisions: Practices, Challenges, and Opportunities for Sharing Corporate Data with Researchers

Data has become the currency of the modern economy. A recent study projects the global volume of data to grow from about 0.8 zettabytes (ZB) in 2009 to more than 35 ZB in 2020, most of it generated within the last two years and held by the corporate sector.

As the cost of data collection and storage becomes cheaper and computing power increases, so does the value of data to the corporate bottom line. Powerful data science techniques, including machine learning and deep learning, make it possible to search, extract and analyze enormous sets of data from many sources in order to uncover novel insights and engage in predictive analysis. Breakthrough computational techniques allow complex analysis of encrypted data, making it possible for researchers to protect individual privacy, while extracting valuable insights.

At the same time, these newfound data sources hold significant promise for advancing scholarship and shaping more impactful social policies, supporting evidence-based policymaking and more robust government statistics, and shaping more impactful social interventions. But because most of this data is held by the private sector, it is rarely available for these purposes, posing what many have argued is a serious impediment to scientific progress.

A variety of reasons have been posited for the reluctance of the corporate sector to share data for academic research. Some have suggested that the private sector doesn’t realize the value of their data for broader social and scientific advancement. Others suggest that companies have no “chief mission” or public obligation to share. But most observers describe the challenge as complex and multifaceted. Companies face a variety of commercial, legal, ethical, and reputational risks that serve as disincentives to sharing data for academic research, with privacy – particularly the risk of reidentification – an intractable concern. For companies, striking the right balance between the commercial and societal value of their data, the privacy interests of their customers, and the interests of academics presents a formidable dilemma.

To be sure, there is evidence that some companies are beginning to share for academic research. For example, a number of pharmaceutical companies are now sharing clinical trial data with researchers, and a number of individual companies have taken steps to make data available as well. What is more, companies are also increasingly providing open or shared data for other important “public good” activities, including international development, humanitarian assistance and better public decision-making. Some are contributing to data collaboratives that pool data from different sources to address societal concerns. Yet, it is still not clear whether and to what extent this “new era of data openness” will accelerate data sharing for academic research.

Today, the Future of Privacy Forum released a new study, Understanding Corporate Data Sharing Decisions: Practices, Challenges, and Opportunities for Sharing Corporate Data with Researchers. In this report, we aim to contribute to the literature by seeking the “ground truth” from the corporate sector about the challenges they encounter when they consider making data available for academic research. We hope that the impressions and insights gained from this first look at the issue will help formulate further research questions, inform the dialogue between key stakeholders, and identify constructive next steps and areas for further action and investment.

READ REPORT

FPF gratefully acknowledges the support of the Alfred P. Sloan Foundation for this project.

New Study: Companies are Increasingly Making Data Accessible to Academic Researchers, but Opportunities Exist for Greater Collaboration

FOR IMMEDIATE RELEASE

November 14, 2017

Contact: Melanie Bates, Director of Communications, [email protected] 

New Study: Companies are Increasingly Making Data Accessible to Academic Researchers, but Opportunities Exist for Greater Collaboration

Washington, DC – Today, the Future of Privacy Forum released a new study, Understanding Corporate Data Sharing Decisions: Practices, Challenges, and Opportunities for Sharing Corporate Data with Researchers. In this report, FPF reveals findings from research and interviews with experts in the academic and industry communities. Three main areas are discussed: 1) The extent to which leading companies make data available to support published research that contributes to public knowledge; 2) Why and how companies share data for academic research; and 3) The risks companies perceive to be associated with such sharing, as well as their strategies for mitigating those risks.

“More widespread access to corporate data sets would support new scholarship and allow researchers to consider questions that cannot fully be answered from publicly available data alone,” said Leslie Harris, FPF Senior Fellow and Understanding Data Sharing Decisions’ Principal Researcher. “In this exploratory study, we aim to contribute to the literature by seeking the ‘ground truth’ from the corporate sector about the challenges they encounter when they consider making data available for academic research.”

Of the companies interviewed, 70% report making at least some data available to academic researchers. Half of the sharing companies began making data available to external researchers within the last five years. Close to half of the interviewed companies said that the main reason for sharing data for research was to obtain insights that would help the company “better execute” or “better understand” their mission. A number of companies also said that sharing data for research helped to build their brands, strengthen relationships with academics, and attract talent to the company. The study also found that companies are concerned about privacy, particularly the risk of re-identification. Companies are equally concerned that sharing data for research might diminish or destroy the intellectual property value of their data.

FPF identified several opportunities to promote data-driven research: 1) to enhance the positive public profile of company/academic data sharing; 2) to help mitigate perceived risks, particularly privacy and re-identification risks; 3) to develop and share tools for public outreach and community engagement; 4) to encourage peer-to-peer knowledge sharing; and 5) to create a clearinghouse identifying data types desired by academics.

“We hope that the impressions and insights gained from this first look at the issue will help formulate further research questions, inform the dialogue between key stakeholders, and identify constructive next steps and areas for further action and investment,” said Jules Polonetsky, FPF’s CEO.

FPF released Understanding Data Sharing Decisions today at the ADRF Network Inaugural Conference during the session on Expanding Private Sector Administrative Data Access. The focus of the discussion centered around why and how companies share data for academic research, strategies for mitigating risks and building trust, and recommendations for encouraging company-academic data sharing.

FPF would like to thank Leslie Harris (FPF Senior Fellow), the Principal Researcher of this report, and Chinmayi Sharma (University of Virginia School of Law), Research Assistant.  FPF gratefully acknowledges the support of the Alfred P. Sloan Foundation for this project.

###

The Future of Privacy Forum (FPF) is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.

FPF Advisory Board Member Amie Stepanovich Discusses 'Why Inclusion Matters'

Pictured Above: Amie Stepanovich (Access Now)

Yesterday, Future of Privacy Forum Advisory Board Member, Amie Stepanovich, U.S. Policy Manager at Access Now, published an article explaining the importance of ensuring marginalized communities have greater influence on how emerging technologies are developed. Amie says:

“Ultimately, we won’t be able to change things in any significant way so long as we create and facilitate an environment that is hostile toward diversity. Instead of digging our heads into the sand when scandals erupt, those of us working in tech should embrace change and invest in identifying and promoting smart, diverse voices. That means developing institutional and operational systems and processes that respect the range of backgrounds and experiences that diversity brings; creating public policies that are not developed or dictated by a single point of view; and providing platforms for discussion such as panels or events that highlight the voices and perspectives of under-represented people and organizations that are breaking through societal roadblocks and developing valuable expertise, often at great personal cost.”

READ ARTICLE

FPF Comments on the FTC Informational Injury Workshop

On Friday, October 27, 2017, the Future of Privacy Forum filed comments with the Federal Trade Commission in advance of the December 12, 2017 Informational Injury Workshop. The purpose of the workshop is to examine consumer injury in the context of privacy and data security. FPF’s comments focus on describing the harms that can arise from automated decision-making as well as highlighting existing risk-based privacy analyses.

Analysis of personal data can be used to improve services, promote inclusion, and combat discrimination. However, such analysis can also create valid concerns about differential treatment of individuals or disparate impacts on vulnerable communities. In FPF’s preliminary review of the relevant literature and public policy regarding automated decision-making, we found that the concerns identified by leaders in this space fall into four broad categories of potential harms: (1) loss of opportunity; (2) economic loss; (3) social stigmatization; and (4) loss of liberty. Depending on the context and circumstances, we determined that each of these categories of harms can accrue to individuals, groups, or society as a whole. Notably, not all harms described in existing literature will necessarily be legally cognizable – although they may be widely considered unfair – while some may already be illegal under existing laws.

Regarding potential solutions, we explain strategies that generally fall in one of four categories: (1) algorithmic design solutions; (2) business process solutions; (3) legal and policy solutions; or (4) data methods solutions. As with harms, these potential solutions describe the universe of proposals rather than specific recommended solutions. It is also important to recognize that proposed solutions may sometimes impact other important values, such as freedom of speech or economic competition. Their use may need to be considered on a case-by-case basis and by a balancing of the benefits and risks of intervention.

The challenges of conceptualizing informational injury are increasingly relevant as risk-based privacy analyses become more common in law, policy, and internal business practices. One long-standing legal basis for processing data in the European Union is the “legitimate interests” framework, which has similarities to the FTC’s unfairness analysis under Section 5 of the FTC Act. Under this basis for lawful processing, companies may engage in lawful data processing if their legitimate interests are not “overridden by the interests or fundamental rights and freedoms of the data subject.” In addition, under the General Data Protection Regulation (GDPR) that will come into effect in May 2018, companies are required to carry out a data protection impact assessment if data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” In each of these benefit-risk analyses, the underlying risk relies on an accurate assessment of the nature of informational injuries.

We see a promising set of solutions arising in literature and regulatory conversations on the topic of automated decision-making and risk-based analyses, and we look forward to a robust conversation on these issues at the upcoming FTC workshop.

READ COMMENTS

2nd Annual McGowan Forum on Ethics: The Challenge of Big Data

On October 26, 2017, John Verdi, FPF’s Vice President of Policy, served as a panelist for the National Archives Foundation’s 2nd Annual McGowan Forum on Ethics: The Challenge of Big Data. The panel discussed the ethical responsibility of those who compile and track citizens’ personal data.  The conversation focused around what responsibility corporations and governments have to protect their customers and be transparent in regard to possible data hacks. 

The session was moderated by Kim Hart, the Technology Editor at Axios. Other panelists included Neil Chilson, Acting Chief Technologist, Federal Trade Commission; Marc DaCosta, Co-founder and Chairman, Enigma; and Michelle De Mooy, Director of the Privacy & Data Project at the Center for Democracy & Technology.

Thank you for hosting, National Archives Foundation! You can watch full event below.

Video

TEDx Wilmington: What's Driving the Connected Car? Data, It Turns Out.

On Tuesday, October 17, 2017, Lauren Smith, FPF Policy Counsel, presented at the TEDx Wilmington Salon, Who’s in the Driver’s Seat? The Transformation of Transportation. The TEDx included an exciting line up of the leading voices in the connected car space, including FTC Commissioner Maureen Ohlhausen. Lauren’s talk was titled, What’s Driving the Connected Car? Data, It Turns Out, and emphasized the importance of responsible data management in autonomous vehicles. FPF staff and friends gathered at our offices in Washington, DC to watch Lauren’s presentation. She explained:

“I am going to argue that in a world where 94% of car crashes are caused by human error, the case is so much stronger for opting in and sharing data with your car than even your phone—something we have all already chosen to do. As with smartphones your car will need to collect information, and sometimes send it, in order to enable these features. And as with smartphones, the companies involved will need to safeguard your privacy in order for you to use and trust the technology. The truth is that yes, your car will be learning more about you, but what it learns may save your life.”

Videos

Press

• Speakers, topics announced for TEDx transportation salon (Delaware Business Now)
• Topics announced for TEDxWilmington Salon on future of transportation (Technically Delaware)
• TEDxWilimingtonSalon tackles privacy, tech and safety in transportation (Delaware Business Times)

Blogs

• Meet the Speakers: Lauren Smith
• The TEDx Process: Lauren Smith for TEDxWilmington

General Information

• Event Page
• Livestream
• Photographs

DQC Report: Effective Data Use and Research Partnerships between SEAs and Education Researchers

Today, the Data Quality Campaign (DQC) released a new infographic and resource on education research, Roadmap for Effective Data Use and Research Partnerships between State Education Agencies and Education Researchers. DQC brought together education researchers and policy experts, including FPF’s Education Policy Counsel Amelia Vance, to create these new resources.

The new infographic explains how education research “is about answering questions,” “support[ing] individual students,” “inform[ing] better decisions,” “build[ing] knowledge for the future,” and helping “students and schools succeed.” The new “roadmap” resource discusses how “safeguarding student information is paramount to successful [state education agency and] research partnerships,” and provides practical tips on improving privacy and security (page 13) and engaging and being transparent with the public about state research efforts (page 11).

DQC’s new resources are especially important as policymakers consider how to improve evidence-based policymaking. In the past few years, several states have passed laws limiting or eliminating sharing data with researchers due to privacy concerns even though, as the DQC roadmap highlights, education research and effective educational policies go hand-in-hand.

FPF looks forward to continuing to work with DQC on education research and student privacy issues.

DQC’s roadmap is part of a larger conversation about how best to protect student privacy while promoting data-driven research that can improve education outcomes.  It is crucial for researchers to embrace privacy safeguards and review mechanisms beyond traditional institutional research boards (IRBs) in some circumstances. It is also important for researchers to articulate the value of data and communicate with stakeholders regarding privacy-protective practices.  Stakeholder support can make or break data driven education initiatives.  Two of the best ways to to earn stakeholder trust are to implement meaningful privacy protections and communicate effectively with the community.