On January 11, 2017, FPF and Honorary Co-Hosts Senator Edward J. Markey, and Co-Chairs of the Congressional Bi-Partisan Privacy Caucus, Congressman Joe Barton, and Congresswoman Diana DeGette, held the 7th Annual Privacy Papers for Policymakers at the Dirksen Senate Office Building. The videos are below.
Yesterday, Congress introduced the Email Privacy Act (H.R. 387), which would update protections in the Electronic Communications Act (ECPA) to take account of citizens’ evolving use of technology and better align the law with consumers’ reasonable expectations of privacy in the contents of their email communications. Offered by Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO), this bi-partisan bill simplifies the law and codifies practices currently employed by law enforcement agencies and companies; in most circumstances, the bill requires the government to obtain a warrant government in order to access to email content. The bill would reduce confusion for police, companies, and users, while bringing statutory protections for electronic communications into the modern era.
ECPA, originally passed in 1986, created standards for government access to the content of communications sent over telecommunications systems – it is the primary federal law governing law enforcement access to Internet traffic. Although ECPA was forward-thinking for its time, the developments of technology and communications in the 30 years since have greatly surpassed its scope and the effectiveness of its policy direction.
The Email Privacy Act makes several important updates. Under ECPA, the content of communications (including email) could be obtained without a warrant after 180 days. This provision may had been reasonable when online storage was expensive, email use was limited, and few American engaged in sensitive communications online. However, in light of the current use and storage of email communications as a typical and standard means of individual and organizational correspondence, there is no reason to reduce protections for those communications after six months. This update recognizes the central role of email messages in modern society, and ensures that individuals and organizations can maintain their communications in reasonable confidence – requiring law enforcement to obtain a warrant based on probable cause for access. The “probable cause” standard for requesting or accessing the content of such communications is consistent with other protections from arbitrary search; eliminating this “180-day rule” is an excellent and necessary improvement to existing law.
Likewise, previous Department of Justice interpretation of ECPA established a standard that “opening” an email removed it from warrant protection, even within the 180-day period. This is interpretation does not align with users’ current expectations given the common use of email for communication by and between individuals and organizations. The contents of email, like the contents of traditional hard-copy official correspondence, should always enjoy 4th Amendment protections. The Email Privacy Act appropriately reflects that standard, requiring the government to demonstrate probable cause before accessing emails – even when those messages have been opened by the recipient.
While the bill doesn’t include every improvement or reform that many advocates would like to see, it includes key and important requirements that make big steps forward in the protections the contents of electronic communications. Nothing in the bill affects existing requirements under the Wiretap Act, FISA, or any other current law. FPF joins numerous other privacy and advocacy organizations to urge immediate passage of the bill as introduced.
The Privacy Policy Snapshot Challenge calls upon developers, designers, health data privacy experts, and creative, out-of-the-box thinkers to use the US Department of Health and Human Services ONC’s Model Privacy Notice template to create an online tool that can generate a user-friendly “snapshot” of a product’s privacy practices. ONC will award a total of $35,000 in prizes through this challenge. Enter your submissions now! The deadline for submission is April 10, 2017 with winners expected to be announced in mid-2017. For more information, view the Federal Register Notice.
ONC is also hosting an informational webinar on Thursday, January 12, 2017 from 2:00-3:00pm ET. Register for the webinar.
As the ONC team explains, ” More and more individuals are obtaining access to their electronic health information and using consumer health technology to manage this information. As retail products that collect digital health data directly from consumers are used, such as exercise trackers, it is increasingly important for consumers to be aware of companies’ privacy and security policies and information sharing practices. Health technology developers can use the Mobile Privacy Notice to easily enter their information practices and produce a notice to allow consumers to quickly learn and understand privacy policies, compare company policies, and make informed decisions”.
As FPF showed in our recent FPF Mobile Apps Study , the number of apps that provide privacy policies continues its upward trend from our previous surveys in 2011 and 2012. But health and fitness apps – which may access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device – do worse than average at providing privacy policies. Only 70% of top health and fitness apps had a privacy policy (6% lower than overall top apps), and only 61% linked to it from the app platform listing page (10% lower than overall top apps).
The App Study also looked specifically at period tracking and sleep aid apps. Only 63% of period tracking apps provided a link to the privacy policy from the app platform listing page. More disappointingly, only 54% of sleep aid apps provided a link to the privacy policy from the app platform listing page.
FPF also released a best practices that responsible companies can follow to ensure they provide practical privacy protections for consumer-generated health and wellness data. The document was produced with support from the Robert Wood Johnson Foundation and incorporates input from a wide range of stakeholders including companies, advocates, and regulators.
Fitness and wellness data from apps and wearables provide significant benefits for users, but it is essential that companies incorporate Fair Information Practice Principles to safeguard this data.
Yesterday, Lauren Smith, FPF Policy Counsel testified at the NYC Taxi and Limousine Commission’s (TLC) hearing about its proposed rules that add new trip reporting requirements for for-hire vehicle (FHV) bases.
Lauren explained that the proposed rules would create significant privacy risks by mandating that FHV bases transmit passenger drop-off time and location data. This can be highly sensitive information. These additional data points pose particular risks in light of the TLC’s existing data collection, given that FHV bases must already report the date, time, and location of passenger pick-ups. With the addition of drop-off data as proposed by the rule, the TLC’s data set would provide the TLC and the public with a comprehensive view of the movements of individual New Yorkers.
Lauren asserted that at minimum, the TLC should explore ways to: 1) tailor the data collection more narrowly to the stated purpose by focusing on trip duration rather than the location of passengers’ trips; 2) collect less precise, more general geographic information; and 3) enact policies and procedures that detail the privacy and security protections for such sensitive data.
Read the full testimony.
Today, FPF is pleased to make available the Conference Proceedings from our Beyond IRBs: Designing Ethical Review Processes for Big Data Research workshop. The workshop, co-hosted by the Washington & Lee School of Law and supported by the National Science Foundation and the Alfred P. Sloan Foundation, aimed to identify processes and commonly accepted ethical principles for data research in academia, government and industry.
The workshop brought together over 60 researchers, including lawyers, computer scientists, ethicists and philosophers, as well as policymakers from government, industry and civil society, to discuss a blueprint for infusing ethical considerations into organizational processes in a data rich environment. To learn more about the event, its participants, and its organizers, please visit bigdata.fpf.org.
As part of the Beyond IRBs workshop, FPF and the Washington & Lee School of Law issued a call for papers addressing ethical, legal, and technical guidance for organizations conducting research on personal information. The papers were published in Spring 2016 in the Washington & Lee Online Law Review.
Building on the discussions at Beyond IRBs, FPF also co-hosted a Roundtable on Ethics, Privacy, and Research in June 2016 with the Ohio State University’s Program on Data and Governance. This timely event, which followed the White House’s call to develop strong data ethics frameworks, convened corporate and academic leaders to discuss how to integrate ethical and privacy considerations into innovative data projects and research. To learn more about the event, see our post here.
FPF was also recently awarded additional grants by the National Science Foundation and the Alfred P. Sloan Foundation in our pursuit of thought-provoking discussions around ethical, legal, and technical guidance for organizations conducting research on personal information.
Read the Conference Proceedings.
On Monday, the Future of Privacy Forum joined with the Center for Democracy & Technology, the Electronic Frontier Foundation, The Constitution Project, and Tech Freedom to write the NYC Taxi and Limousine Commission (TLC) about its proposed rules that add new trip reporting requirements for for-hire vehicle (FHV) bases.
The proposed rule would create significant privacy risks by mandating that FHV bases collect and transmit passenger drop-off time and location data, which can be highly sensitive information. The proposed rule poses particular risks in light of the TLC’s current data collection—FHV bases must already report the date, time, and location of passenger pick-ups—and the history of similar passenger data held by TLC becoming publicly available in response to Freedom of Information requests. With the addition of drop-off data, the TLC’s data set would provide the TLC and the public with a comprehensive view of the movements of individual New Yorkers.
We understand that the Commission has proposed this rule change in order to reduce the risks associated with fatigued driving. However, it is unclear how the collection of precise location information—information that includes details of the day-to-day activities, lifestyles, and habits of millions of individuals—will achieve this end. Driver fatigue results from long periods of time on the road, which is information the TLC could ascertain from collecting trip duration rather than pick-up and drop-off location information of individual passengers. At minimum, the TLC should explore ways to: 1) tailor the data collection more narrowly to the stated purpose by focusing on trip duration rather than the location of passengers’ trips; 2) collect less precise, more general geographic information; and 3) enact policies and procedures that detail the privacy and security protections for such sensitive data.
Read the letter.
A new report released was today by the Center for Digital Democracy and the School of Communications at American University focuses on privacy and wearables. As a recent HHS report made clear, the data collected by most wearables is not regulated to the same degree as information you provide to your doctor. But several mechanisms have ensured that many health and fitness apps respect users’ data – the leading app platforms impose strong privacy requirements, barring sale of sensitive data and requiring enhanced notice. Companies can also look to the guidelines established by FPF in our Best Practices for Consumer Wearables and Wellness Apps and Devices. And of course, the Federal Trade Commission has the authority to investigate and fine companies that do not keep their promises or act unfairly.
“Some data collected by wearables may be trivial, but other information can be highly sensitive,” said Kelsey Finch, FPF Policy Counsel. “Companies must take affirmative steps to build consumer trust – especially when they are using intimate, identifiable data.”
Today, Senator Nelson’s office released a report outlining several privacy and security implications of “connected toys” that the office identified based on conversations with six major toy manufacturers. The report emphasizes the unique sensitivity of children’s personal information; urges toymakers to build privacy and security into their toys from the inception; and suggests that the FTC has authority to monitor and bring enforcement actions under Section 5 and the Children’s Online Privacy Protection Act (COPPA).
“Connected toys can help entertain and educate kids,” said Stacey Gray, Policy Counsel at the Future of Privacy Forum. “But, as Senator Nelson makes clear, companies cannot play around with children’s data. If toymakers run afoul of the strong requirements of COPPA, the monetary penalties can be financially devastating. Leading companies are building trust by providing enhanced disclosures and implementing strong security standards – others should follow suit. I commend Senator Nelson for pressing this important issue.”
Two weeks ago, FPF released a white paper, Kids & the Connected Home: Privacy in the Age of Connected Dolls, Talking Dinosaurs, and Battling Robots, detailing the privacy and security implications of the diverse range of “smart toys” and “connected toys” available today. The paper provides a thorough legal analysis of how COPPA applies to connected toys. Further, FPF urges companies to provide enhanced disclosures regarding their toys. For example, although not required by COPPA, companies can provide notices on toy packaging that make it easy for parents to understand at the point of sale whether they will be asked to consent to the toy’s collection of their child’s information. Finally, the paper details a number of important security steps that leading toy manufacturers are taking; Senator Nelson’s report mentions several of these steps, for example, implementing strong security standards (HTTPS / SSL) to prevent toys from communicating with unauthorized devices or servers.
The future for connected toys is promising. Toymakers that follow leading privacy and security best practices, including those described in Kids & the Connected Home and Senator Nelson’s report, will mitigate financial risks under COPPA and support a thriving connected toy marketplace.
During this joint meeting of the FPF Capital Area Academic Network and Consumer Business Dialogue, Lorrie Faith Cranor will discuss her role as FTC Chief Technologist, and her academic research and policy development priorities.
Lorrie Faith Cranor joined the US Federal Trade Commission as Chief Technologist in January 2016. She is on leave from Carnegie Mellon University where she is a Professor of Computer Science and of Engineering and Public Policy, Director of the CyLab Usable Privacy and Security Laboratory (CUPS), and Co-director of the MSIT-Privacy Engineering masters program. She also co-founded Wombat Security Technologies, an information security awareness training company. Cranor has authored over 150 research papers on online privacy and usable security, and has played a central role in establishing the usable privacy and security research community, including her founding of the Symposium on Usable Privacy and Security. She was previously a researcher at AT&T Labs-Research. Cranor holds a doctorate in Engineering and Policy from Washington University in St. Louis. She is a Fellow of the ACM and IEEE.
* * * *
Lunch will be served
* * * *
If you are unable to join us in person, you may join via dial-in. Please just select “RSVP-Dial-in” under the registration link.
FOR IMMEDIATE RELEASE
December 8, 2016
Contact: Melanie Bates, Director of Communications, [email protected]
New Survey Finds Parents Support School Tech and Data, But Want Privacy Assurances
Washington, DC – Today, the Future of Privacy Forum (FPF) released a new survey, Beyond One Classroom: Parental Support for Technology and Data Use in Schools. The survey asked parents to comprehensively outline their goals and concerns about the use of technology and student data. Their answers, and the conclusions that can be drawn from them, should inform the debate regarding local, state, and national policies concerning K-12 education and data use.
Beyond One Classroom follows FPF’s 2015 survey, which showed that parents were generally aware of and understood the technology used in their children’s schools, but lacked knowledge of many of the specific laws and practices that provide guidelines and important protections for children’s information.
“Parents are the strongest advocates for their children’s educational success, and all other stakeholders in the educational system should embrace the opportunity to communicate and work with parents as partners in addressing these issues,” said Amelia Vance, FPF Policy Counsel.
The survey found the rates of technology use in schools – both by students and parents – went up by 20% since 2015 (see below graph). Not only are students using more technology provided by schools, but more parents are using school-related technology to supervise their child’s education process, and to communicate with the school.
The key findings of Beyond One Classroom indicate that the closer the use of data is to individual classrooms and to the parent’s child, the more strongly parents support, and desire, the benefits of student data collection and use. According to most parents, the most convincing reasons to use individual student information are to:
The results point out that as data use becomes less directly tied to students, parents still want to comprehend the benefit to the classroom. Moreover, parents support research that can be used in a school or classroom to directly benefit students.
“Communicating and demonstrating these additional benefits to parents is key to establishing and maintaining trust in an ongoing relationship between parents, their communities, and the schools and vendors that serve them,” Vance said.
The findings also illustrated that parents may be seeing the value school districts gain from the use of traditionally “sensitive” information. Support for the collection and use of parents’ marital status, family income, and social security numbers all increased significantly:
Over half of parents of school age children now agree that race and ethnicity are data that is appropriate for collection and use by schools.
“The use of this type of data, appropriately controlled and protected, is critical for research that identifies potentially discriminatory policies and practices, and it is heartening to see that parents appreciate the value that this data can provide when it is used responsibly,” Vance said.
“Overall, 2016 showed the increasing prevalence of technology use by both parents and students, increasing levels of support by parents of the appropriate collection and use of data by schools, and continued strong belief in the possibilities of technology to improve their child’s educational opportunities,” said Brenda Leong, FPF’s Senior Counsel and Director of Operations. “The goals for educators, advocates, and policymakers remain to communicate policies clearly; establish transparent practices; and work with parents as key partners in the educational system to achieve the best learning outcomes for our children.”
Beyond One Classroom was produced with funding provided from the Bill & Melinda Gates Foundation.
###
The Future of Privacy Forum (FPF) is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.