
Location Privacy Legislation is Move in Wrong Direction: Part 2 – Stalking and Domestic Violence

In my first post on the Location Privacy Protect Act of 2012 I addressed the claims that the legislation is necessary because some companies may share a user’s location data without that user’s knowledge and some companies may share location data about children without their parent’s knowledge. In this post, I will address Sen. Franken’s argument that this legislation is needed to prevent domestic violence abusers from using “stalking apps” to track their victims.

The attempt to link honest uses of location data with domestic violence is a bit disheartening. Let’s face it—nobody is against preventing domestic violence, so this unnecessarily turns a rather technical debate into one about a deeply emotional issue. But because this claim has gotten a lot of attention, I want to dig into it a bit and address it on its merits.

First, for all the talk about this problem, the evidence for the use of stalking apps by stalkers and harassers is somewhat thin. There are some notable cases of victims being stalked, but it is not clear how prevalent this is in practice. However, given the increased use of smartphones, I would suspect that … Read the rest


California AG’s Mobile Ecosystem Report Not the Worst

Today the California Attorney General’s office released a report “Privacy on the Go: Recommendations for the Mobile Ecosystem” that lays out a set of recommended practices for app developers, app platform providers, ad networks and others that it thinks will enhance privacy for consumers. This comes on the heels of an earlier agreement last year with Amazon, Apple, Google, HP, Microsoft and RIM to ensure that all mobile apps that collect personally identifiable information have a privacy policy. Readers of this blog will know that I am a frequent critic of proposals to impose additional privacy rules and regulations when industry-led self-regulatory efforts would be more efficient and effective. So in this case I am rather pleased to see that the California AG has steered away from additional lawsuits (at least for now) and instead has offered voluntary best practices for consumer privacy in mobile apps. Many of these recommended practices are relatively simple and commonsense ideas, such as “use encryption in the transit and storage of personally identifiable data” and “post or link the [privacy] policy on the app platform page.”

In many ways this is a … Read the rest


Location Privacy Legislation is Move in Wrong Direction: Part 1 – User Notice and Choice

Over a decade ago, President Clinton ordered the Department of Defense to discontinue “Selective Availability”, the intentional degrading of the civilian Global Positioning System signal, in an effort to allow all businesses and residents in America to have access to the numerous benefits of location-based technology. This has been an enormously successful policy decision that has unleashed a wide range of innovations for consumers and businesses that use geo-location data in sectors as diverse as transportation, agriculture and public safety. Today location can be determined on mobile devices, with various degrees of precision, from a variety of data including GPS, cell towers, Wi-Fi signals, and IP addresses. Unfortunately, Congressional legislation that would prohibit companies from collecting or using location information from electronic devices without first obtaining consent from the user might stall many of these benefits.

The bill in question is the Location Privacy Protect Act of 2012, which passed the Senate Judiciary Committee in late December. This legislation would require any company that discloses geo-location information collected from an electronic device to another entity, including its affiliates, to identify these entities and obtain user consent. This is particularly … Read the rest


The Myth of Anonymity

The Federal Trade Commission (FTC) released its staff report yesterday on facial recognition technologies where it warned of potentially “significant privacy concerns” and called on companies to respect the privacy interests of consumers by implementing FTC-recommended “best practices.”

First, as I have written before, policymakers should not create technology-specific rules for facial recognition. Facial recognition technology belongs to a larger class of biometric technology that should be treated the same. In addition, facial recognition has many benefits, from improving security to automating tasks to personalizing transactions.

That said, there is nothing wrong with the federal government working with industry and advocacy groups to develop voluntary best practices that protect privacy and spur innovation. But these best practices should be based on sound knowledge, such as a clear understanding of technology and an accurate representation of the world. What I’d like to address here is the myth, repeated in the FTC report, that facial recognition technology “may end the ability of individuals to remain anonymous in public places.” The FTC identifies this particular privacy risk as one of the major privacy concerns of the technology. However, contrary to the FTC’s … Read the rest


New Survey Shows Some Privacy Scholars Lack Objectivity

A survey funded by Nokia and conducted at the Berkeley Center for Law and Technology shows what has become increasingly apparent to those who follow this line of research: some of the most prominent academic researchers have ceased to retain even a veneer of objectivity in their research on privacy. The authors, Chris Hoofnagle, Jennifer Urban and Su Li, state that their survey shows that “Americans have a low level of knowledge about [Do Not Track], but prefer that it mean that websites do not collect tracking data.”

I won’t mince words here: this is shoddy research.

There are two main survey questions in their study related to Do Not Track (for more on this proposal and why it is a bad idea, see this or this). The first is a question about whether people have even heard of the Do Not Track proposal. The survey question reads, “Policymakers are considering creating a ‘do not track’ option for the internet. Have you heard of proposals for a ‘do not track’ system, or not?” Thirteen percent of respondents indicated that they had heard of the proposal; eighty-seven percent had not. … Read the rest


Privacy Complaint in the Silly Season

As this is a presidential election year, it’s not surprising that the “silly season” of politics has been extended into the baseball playoffs. A group of political extremists organized by the Competitive Enterprise Institute (CEI) has filed a complaint with the FCC over the privacy disclosures for an old consumer broadband measurement program. This isn’t the program that the Commission conducts every year with Sam Knows that leads to an annual report comparing actual broadband speeds to advertised ones, but a program that was developed by the National Broadband Plan some three years ago to provide the team with a snapshot of performance.

The letter has me wondering whether the advocates: (a) have just come out of a three-year coma; and (b) have any idea at all about how the Internet works. There are also some distortions of law that will slap attorneys in the face. Please read the letter, but sit down first so you don’t hurt yourself rolling on the floor laughing at its circular logic.

Like many government programs that collect information that might be considered personal and sensitive, the FCC’s broadband measurement program … Read the rest


Comparing the Privacy Policies of the Presidential Campaign Websites

Many elected officials are in favor of more online privacy…except when it comes to how they use data to target voters and raise money. While neither presidential candidate has made online privacy issues a part of his campaign, the debate over privacy is certainly a hot topic in Washington. In addition, both the Obama and Romney campaigns have released mobile apps, and transparency of mobile apps has been the focus of the initial multistakeholder processes for privacy initiated by the NTIA. With that in mind, I decided to investigate the privacy practices of the two presidential campaign websites.

There are some clear differences between the privacy policies on the campaign websites. For example, the Obama for America website has much more detailed disclosure of its practices and uses of information. Perhaps this is not surprising since transparency is one of the key principles in the Obama Administration’s proposed Consumer Privacy Bill of Rights. The Obama for America campaign also appears to be using more services that collect and use data on its website.

In contrast, the Romney for President campaign website has fewer cookies and a shorter, less-detailed privacy … Read the rest


Whatever happened to “No harm no foul”?

The Wall Street Journal (WSJ) reports that the Federal Trade Commission (FTC) is close to reaching a record settlement with Google for the charge that it tracked Apple Safari web browser users. Google had earlier signed a 20-year consent decree in which it agreed not to misrepresent its privacy practices to consumers. Tracking Apple Safari users appears to be in violation of that agreement because Google had posted a statement in its online help center stating that these Safari users would not be tracked. The WSJ reports that Google will pay a penalty of $22.5 million, a record fine for the FTC.

When this issue first came out I wrote a post in which I argued:

“As always, the FTC can and should investigate if it discovers legitimate concerns about the business practices of a particular company. But companies should not face punitive sanctions for actions that do not cause consumer harm and are taken in good faith. To do so would discourage the type of fast-paced innovation that has defined the remarkable progress of the Internet era.”

I stand by these comments today. It’s always good to see … Read the rest


Bank Privacy Notices Cost Consumers Over $700M Annually

The Gramm-Leach-Bliley Financial Modernization Act of 1999 requires that financial institutions provide privacy notices to consumers at least once a year (or sooner if the privacy policy changes). Since this provision went into effect in July 2001, people tend to receive these notices in the summer. Yet when was the last time you read the privacy policy of your bank? For most people, the answer is probably “never.” Consumers generally don’t like reading fine print and often find it confusing. (Although to address the complexity issue, the Federal Trade Commission (FTC) created a Model Privacy Form for banks to use to communicate privacy information more effectively to their customers.) Yet regardless of the apparent apathy of most customers towards the privacy policies of their financial institution, banks dutifully send out these notices every year as required by law.

The Gramm-Leach-Bliley privacy notices illustrate how misguided privacy regulations tend to be in the United States. Rather than provide any actual benefit to consumer privacy, they just serve to raise costs. And the costs of all of these privacy notices add up. According to a 2009 report from the FDIC, approximately … Read the rest


The European War on Cookies

On May 26, the new EU-mandated “Cookie Law” will go into effect in the UK. This law requires that websites give users the ability to opt out of all tracking. The UK and Ireland took this a step further and require users to opt in. Website owners in the UK that fail to comply with the law will face fines up to £500,000.

What does this mean for Internet users? In practical terms, it means users will now start seeing pop-ups or splash screens that require them to give consent to receiving cookies before they can access a website that uses cookies (which is the vast majority of websites on the Internet). Not only will this annoy users and slow them down from visiting sites, but after seeing this on every single website they visit, users will likely grow accustomed to these notices and click “Accept” without giving it a second thought. After clicking a few thousand of these, the law will likely have conditioned most users to accept any privacy notice they receive. So much for the strategy of teaching users to be more privacy aware…

Over time, I also … Read the rest