Multi-Stakeholder Group Finalizes Agreement on Best Practices for Drone Use
FOR IMMEDIATE RELEASE
May 18, 2016
Contact: Melanie Bates, Director of Communications, [email protected]
MULTI-STAKEHOLDER GROUP FINALIZES AGREEMENT ON
BEST PRACTICES FOR DRONE USE
Washington, DC – Today, a wide range of privacy groups and industry stakeholders participating in the National Telecommunications & Information Administration (NTIA) Multi-Stakeholder process concerning privacy, transparency, and accountability issues regarding commercial and private use of unmanned aircraft systems (drones) agreed on a set of best practices.
The best practices are intended to encourage operators to use this technology in a responsible, ethical, and respectful way. They provide enough flexibility to support innovative uses of this emerging technology, but at the same time provide firm privacy standards. The best practices acknowledge that the principles are qualified by the understanding that they are to be implemented as “reasonable” and “practical” – in order to allow flexibility for smaller operators, hobbyists or circumstances where compliance would be impractical. The full best practices document is available here. The Future of Privacy Forum (FPF) has created an easy to read summary of the best practices to help educate drone operators that can be found here.
“Drones are already being used for search and rescue and to assist farmers, home contractors, photographers, newsgatherers, and may soon be used for wireless internet and delivery. These standards will help ensure these technologies are deployed with privacy in mind,” said Jules Polonetsky, CEO, FPF. “This agreement is also a great boost for self-regulation and multi-stakeholder efforts and demonstrates that with good leadership industry and advocates can come together to advance responsible practices.”
The list of groups supporting the best practices includes, Amazon, AUVSI, Center for Democracy and Technology, Consumer Technology Association, CTIA, FPF, Intel, X (formerly Google X), New America’s Open Technology Institute, PrecisionHawk, SIIA, Small UAV Coalition, and a wide range of news media organizations.
###
The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. Learn more about FPF’s work by visiting www.fpf.org.
FPF Advisory Board Member Awarded Tenure and Named to Endowed Chair
We are pleased to share that the Samford University Board of Trustees recently voted to award tenure to FPF Advisory Board Member and Cumberland School of Law Associate Professor Woodrow “Woody” Hartzog, and to name him the W. Stancil Starnes Professor of Law.
According to Cumberland School of Law Dean Henry C. Strickland, III, Professor Hartzog follows in many traditions of the best Cumberland professors. He is a prolific scholar, having already established himself as a global leader in his field with over 25 major articles and book chapters in the last four years (including such leading journals as the California Law Review, the Columbia Law Review, and the Michigan Law Review), and that does not include countless articles for blogs and popular media. He is also a sought-after speaker, having given lectures by invitation to such institutions as Cambridge University, New York University, Stanford Law School, and Yale Law School. He has also given talks to the Federal Trade Commission, Facebook, Google and testified before Congress.
Privacy plays major role in new federal government guidance on transgender student rights
Recently, the Department of Justice and the state of North Carolina have filed counter-suits regarding the state’s so called “bathroom bill.” The North Carolina “Public Facilities Privacy & Security Act” requires students to use public restrooms that correspond with their sex assigned at birth and not with the gender with which they identify. On Friday, the Department of Education and the Department of Justice co-authored a Dear Colleague letter directed at public school districts across the country to provide guidance on transgender access. In this guidance, privacy considerations play a significant role in protecting student rights.
The primary law dealing with student privacy in public schools is the Family Educational Rights Privacy Act (FERPA), which limits access to student records to parents and to members of the school community who have a clear need for the data for educational purposes. FERPA limits further disclosures to specified situations, and primarily to the extent that the specific student data is necessary for the educational purpose being performed. The Departments’ guidance spells out that any nonconsensual disclosure of personally identifiable information (PII), such as the student’s sex or name at birth is an unwarranted disclosure that has the potential to harm a student.
One broad exception under FERPA allows disclosure of “Directory Information,” under which a school may choose to release previously-specified information such as name, birthdate, home address, email, and school grade and activities. However, the Departments’ letter makes it clear that FERPA prevents schools from designating a student’s transgender status as directory information, and that this is due to concerns about student privacy.
FERPA is also not the only law at issue. As the letter points out, “Protecting transgender students’ privacy is critical to ensuring they are treated consistent with their gender identity. The Departments may find a Title IX violation when a school limits students’ educational rights or opportunities by failing to take reasonable steps to protect students’ privacy related to their transgender status, including their birth name or sex assigned at birth.”
Consistent with FERPA, the current guidance does not require schools to amend educational records to reflect a student’s gender identity or name change upon request, however it does emphasize a student’s right to request a change or include comments about information in the educational record they deem to be inaccurate.
Echoing the language in the law, the letter reminds schools that “If the school does not amend the record, it must inform the requestor of its decision and of the right to a hearing. If, after the hearing, the school does not amend the record, it must inform the requestor of the requestor of the right to insert a statement in the record with the requestor’s comments on the contested information… That statement must be disclosed whenever the record to which the statement relates is disclosed.”
Title IX will apply to the procedures for change requests as well since “under Title IX, a school must respond to a request to amend information related to a student’s transgender status consistent with its general practices for amending other students’ records.” That is – if a student or parent requests a change to the record, the school must respond consistent with its usual process for such requests. If the parent complains about the school’s handling of such a request, the school must “promptly and equitably” resolve it under the Title IX grievance procedure the school has in place.
The responsible collection, use, and protection of student data is critical to each child’s success in school. Those who need access to data to provide educational services must have it, but further disclosure, whether within or outside the school community must be carefully controlled, and permitted only in the context of further FERPA exceptions. Particularly in the context of sensitive data like a student’s gender or gender identity, schools must be mindful that disclosing information without consent could do irreparable harm to a student and, as is made clear in the letter, would be a breach of a student’s right to privacy. Any deviation from these standards would constitute a clear disregard for one of our most vulnerable student populations.
The CNIL released its inspection program for 2016 revealing sectors of focus
In 2016, the CNIL plans to conduct between 400 and 450 inspections.
The total number of inspections will be divided in the following way:
25% of inspections will be related to the three themes set out in the CNIL’s 2016 annual program (detailed below)
20% will be based on complaints received by the CNIL
35% will be undertaken after formal notices or sanctions, at the CNIL’s initiative or related to news topics
The remaining 20% will aim to check video surveillance systems.
The themes for the 2016 annual program cover both public and private sectors and pertain to people’s daily lives in the international context.
The three themes of focus are:
Data brokers: defined as intermediaries between entities that collect personal data and entities that use such data for their economic activity. The CNIL highlights that profiling based on this data is increasingly accurate and relevant, and represents the major concern with respect to protecting privacy in the 21st In this context, the CNIL will check that data brokers comply with EU privacy law, in particular, data accuracy, information given to people, consent, people right of access and right to object, as well as security principles.
SNIIRAM (Social Security Inter-regimes National Information System). This database comprises dozens of millions of files containing data such as age, gender, diagnosis, death date, city and county of residence, and treatments that were reimbursed. This data is “pseudonymized”. Inspections will aim to check the conformity of this data processing with French privacy law (Act n°78-17 of 6 January 1978 on information technology, data files and civil liberties) and the truthfulness of pseudonymization.
The API-PNR system (Advance Passenger Information-Passenger Name Record System): used notably to fight terrorism.
Additionally, the CNIL will keep on collaborating with its fellow European Data Protection Authorities regarding connected devices upon the fourth Internet Sweep Day.
Study: Mobile ad block use up, but fewer users turning limit ad tracking on
According to Jules Polonetsky, CEO of the Future of Privacy Forum, the limit ad tracking feature hasn’t been heavily surveyed. So while Koestier’s comment might be comforting for marketers, this means it’s possible that most mobile users are simply unaware the feature exists.
As it gets more media coverage, it’s likely that mobile users will begin turning on the limit ad tracking feature in greater numbers. That scenario seems to be playing out with ad block tech adoption with its rising trend that has been following increased attention in both the ad industry and the general media.
Yesterday, I attended the 5th annual Higher Education Privacy Conference at George Washington University with experts and data advocates from across the country to discuss student privacy and information management in higher education. The event was hosted by Daniel Solove, a research professor at George Washington University School of Law, and Tracy Mitrano a principal of Mitrano & Associates LLC. The day featured a lively panel discussion and smaller breakout sessions that fostered interactivity and engagement.
The morning plenary session was led by FPF’s own Jules Polonetsky along with Ellen Wagner the Vice President of Research at Hobsons, Andrea Nixon the Director of Educational Research at Carleton College, Jo Ann Oravec a Professor at the University of Wisconsin and Steven McDonald the General Counsel for the Rhode Island School of Design. The discussion focused mainly on the benefits and risks associated with implementing data analytics at colleges and universities and the question of how heavily should schools rely on data to inform their decisions. Attendees were treated to a healthy debate on how data analytics can help students succeed as panelists pursued ethical questions of what we “can, may and should” do with student data. One panelist shared an example of how data analytics can be beneficial when they discussed how a state university took action once it learned that students who did not begin their freshman year taking the necessary 15 credits per semester were less likely to finish in four years. The university now provides a customized set of courses for new students that ensures they take at least the “bare minimum” of credits their first semester. This is a great example of how data analytics can benefit students in a profound way when used properly.
I spoke to Kathleen Styles, Chief Privacy Officer of the Department of Education during the event about implementing data analytics at institutions of higher education and she said the following:
“Data analytics present us with exciting new opportunities to improve learning, and to address equity issues, by illuminating and ameliorating long-standing disparities in student achievement. Schools need also evaluate, however, the “should” aspect of data use. They need to ask, ‘will this proposed data use truly help students?’ Helping students should always be the ultimate goal.”
I definitely agree with Kathleen that data analytics can help identify students that require additional support to be successful in college. I also agree we need to make sure that the data collected is meant to benefit students. After the failure of InBloom, student privacy has been a hotly debated topic at the K-12 level. Colleges and universities have barely scratched the surface when it comes to using predictive analytics and other analytic tools to inform their decisions and shape the advice they provide to students. Institutions of higher education, education service providers, and data advocates must have more thoughtful conversations like the one we had yesterday.
Responding to a request by the Senate Judiciary Committee, a new GAO report analyzes the role of smartphone tracking apps in facilitating stalking, and the potential responses the federal government may take against their developers. Once installed, the 40 apps examined by the GAO display no icon and provide a user of a separate device the ability to retrieve location data, and in some cases communications data.
The report paints the majority of these apps as wolves in sheep’s clothing, with marketing materials billing them as tools for tracking children, consenting employees, or even elderly Alzheimer’s sufferers. Roughly one third of the apps are openly marketed as spying tools, with cheating spouses a leading target. In these cases, the developers sought to protect themselves with a veneer of legal legitimacy by including disclaimers in their terms of service explicitly contradicting the marketing materials.
Despite such attempts to limit liability, the report identifies four areas of federal law which may be applicable to the developers. Of these options, three are untested in the smartphone tracking context. First, deceptive marketing practices, like those detailed in the report, are the target of Section 5 of the FTC Act. The wrinkle in this scenario is that the purchaser is not the one suffering from the deceptive practices, but some experts interviewed by the GAO felt the protection of third parties would suffice. Second, smartphones qualify as computers for the Computer Fraud and Abuse Act. The CFAA provides criminal and civil remedies for accessing computers without, or in excess of, authority. However, this clear violation of CFAA may be hampered where a shared phone plan is involved. Third, the federal stalking statute contains specific prohibitions on using electronic communications services to stalk. The act itself previously required the stalking activity to cross state lines, but the Violence Against Women Reauthorization Act empowered the pursuit of ‘cyberstalking’ under the stalking statute regardless of location.
Finally, should these untested options prove inapplicable, the federal wiretap act has been successfully applied to developers of apps which intercept and monitor communications data. However, the GAO notes that some federal courts have held that location data does not qualify as “the substance or content of a communication” for purposes of the act, and thus developers of tracking apps which solely relay location data may still escape liability.
Learning from Student Data
Just as adults’ personal lives and data increasingly inhabiting online spaces, so are students. While this shift brings many benefits and the possibility of learning tailored to individual students’ needs, it is also brings new challenges. Students create an electronic trail of information that creates an obvious concern: How can they enjoy the better learning outcomes technology makes possible but still maintain control of their data and be protected?
Nearly two years ago, a debate ignited over student information from multiple states and regions being collectively stored with the data repository InBloom. Critics charged that the not-for-profit service provider could potentially sell, misuse, or otherwise put at risk student data it held for schools. Surprised by the backlash, InBloom was ill prepared to explain its services to parents. Critics didn’t trust a third party whose name they didn’t recognize and who didn’t provide any service they could see, or track to a direct benefit for their child’s educational experience.
Richard Hsu Interviews CEO of the Future of Privacy Forum
Shearman & Sterling, LLP Partner Richard Hsu, a CIPP/US and CIPM Certified Privacy Professional, Global Head of the Intellectual Property and Technology Transactions Group and Co-Head of the Global Technology, Media and Telecommunications (TMT) Industry Group, interviewed Jules Polonetsky, CEO of the Future of Privacy Forum (FPF), on finding the sweet spot between corporate data, personal privacy and innovation.
Should Colleges Report When They Get Government Data Requests?
Last year, the University of California, Berkeley, announced that it was publishing a transparency report detailing government requests for data, similar to what tech companies including Google and Facebook have been doing for years.
Universities also have to worry about how they share data with the public, said Brenda Leong, director of operations for the Future of Privacy Forum.
“By being too transparent, you could impede on students’ individual rights,” she told NBC News.
Sharing information that could be used to identify students would be a bad idea, Leong said, but simply divulging the number of requests received and granted by a university would be a step in the right direction.
