Privacy News: August 15

Loyalty programs sharing pregnancy information, student privacy abuse here in Washington state, and much much more

Privacy News: August 15

Today's top story is from right here in King County – home to Seattle, Microsoft, Amazon, and The Nexus of Privacy!

How King County’s efforts to help at-risk students created a record that could jeopardize their privacy

Daniel Gilbert on Seattle Times (seattletimes.com)

King County's Check Yourself questionnaire collecting students’ age, grade, race, language, gender identity, sexual orientation, school, and other details they include in open-ended responses — as Gilbert says, "an unusually intimate record for a survey that isn’t anonymous. "  Then

This data is transmitted without student names to a for-profit software firm, which grants access to Seattle Children’s Research Institute — both contracted by King County. Schools, which can link student names to their answers, follow up with them to offer support.

What could possibly go wrong?

The goal is a good one – screening middle- and high-school students for mental health and other risks.  And experts in screening youth who the Seattle Times talk ed to mostly praised the approach.  From a privacy perspective, though, it's a nightmare.  To start with, it's not clear whether the information should be considered part of students' educational record ... but the implications are bad either way.

With such sensitive information in hand, schools must determine whether kids’ screening results are part of their education record. If so, parents would have a right under federal law to see things that their children might not want them to know. If not, the information isn’t protected by a federal privacy law — raising the prospect that it could be released publicly and compromise student privacy, experts say.

The whole article is worth reading.  A key point from the "deeper look" at the end: it absolutely is possible to do this kind of screening while still providing stronger student privacy protections. Massachusetts, for example, prohibits creating any record that includes information that could identify a student – a legal mandate that doesn’t exist in Washington state yet.

Privacy after Roe

Does your rewards card know if you’re pregnant? Privacy experts sound the alarm

Manuela López Restrepo on NPR (npr.org)

A Twitter thread from a person who bought a pregnancy test at Walgreen's using their reward card and then got a package in the mail from baby forumla company Enfamil (with formula, a pacifier, and a box with the phrase, "Here's our first gift for the most important person in the world") highlights the potential privacy risks of loyalty cards.  Walgreen's claims they didn't provide customer data to Enfamil; Enfamil says they don't have access to Walgreen's customer data; so clearly it's just coincidence, right?  Wrong. It turns out that if customers opt in to receive marketing information (such as special deals – and who wouldn't opt in for that?) the data is shared with a third party,who then gives Enfamil and others access to it.

ADPPA PERSPECTIVES: the American Data Privacy Protection Act (ADPPA) currently working its way through Congress has a loophole in it specially crafted to allow this kind of data sharing.  Section 104(b), the "pay for privacy" section, allows companies to give customers cheaper prices or better services for agreeing to share their information as part of a "bona fide loyalty program" – just like this one.  

For more on ADPPA's "pay for privacy" issues, see EFF's Americans Deserve More Than The Current American Data Privacy Protection Act, ACLU's July 18 letter on ADPPA, and Californians for Consumer Privacy Announce Opposition to ADPPA

Also ...

How California Reproductive Health Workers Can Protect Information They Submit to the Government, Dave Maass on Electronic Frontier Foundation (eff.org)

The Demise of Roe Threatens the Privacy of a Woman’s Entire Reproductive Health Record, Jeffrey E. Harris on JURIST (jurist.org)

Facebook, abortion, and the future of data privacy, Mathew Ingram on Columbia Journalism Review (cjr.org)

And ...

‘Ring Nation’ Is Amazon’s Reality Show for Our Surveillance Dystopia, Edward Ongweso on vice.com

At this point, it is hard to defend ownership of a Ring camera. Using fear-mongering about package theft and suburban crime, a surveillance company has convinced countless homes to affix a surveillance network node that police departments and one of the world’s largest monopolies will use to their benefit. And now they want us to laugh about it all in our (ideally) Ring-surveilled homes.

Police Used a Baby’s DNA to Investigate Its Father for a Crime, Emily Mullen on WIRED (wired.com)

Jennifer Sellitti, an attorney with the Office of the New Jersey Public Defender, which is representing the father, says combining newborn screening samples with genetic genealogy opens the door for virtually anyone’s DNA to be used in a criminal investigation. “This is like a dystopian onion. Every time we peel back another layer, we find some new violation of privacy,” she says.

Does Your Car Need to Know Your Race and Heart Rate? ,Julia Angwin on The Markup (themarkup.org), a followup to Jon Keegan and Alfred Ng's Who Is Collecting Data from Your Car?,

Another Amazon acquisition brings us closer to the death of privacy, Tiffany C. Li on MSNBC (msnbc.com)

Amazon’s Creepy Palm Reading Payment System Is Taking Over Whole Foods, Mack DeGeurin on Gizmodo (gizmodo.com)

Introduction to the Conformity Assessment under the draft EU AI Act, and how it compares to DPIAs, Katerina Demetzou, Future of Privacy Forum (fpf.org)

Biometrics reach more health cards, airports and retailers amid data privacy conflicts | Biometric Update, Chris Burt on BiometricUpdate.com (biometricupdate.com)

Here’s What to Know About Google Search Rival DuckDuckGo, Adam Benjamin on CNET (cnet.com)

Telehealth and Digital Health Privacy Regulations, Scott Lashway on JD Supra (jdsupra.com)

Connecticut Will Add More Privacy Requirements, Jason C. Gavejian and Joseph J. Lazzarotti © Jackson Lewis on SHRM (shrm.org)

Meta is ever so slowly expanding its testing of end-to-end encryption, Dan Goodin on Ars Technica (arstechnica.com)

Google to pay $60m fine for misleading Australians about collecting location data, Australian Associated Press on The Guardian (theguardian.com)

85% of Android users are concerned about privacy, Esther Shein on TechRepublic (techrepublic.com)

In-app browsers like those in Facebook and Instagram are a big privacy risk, developer shows, Ben Lovejoy on 9to5Mac (9to5mac.com)

Google fined $40M+ or misleading location tracking settings in Australia, Natasha Lomas on TechCrunch (techcrunch.com)

Hospital and Drugmaker Move to Build Vast Database of New Yorkers’ DNA, Joseph Goldstein on NYTimes (nytimes.com)

GitHub’s new privacy policy sparks backlash over tracking cookies, Ax Sharma on BleepingComputer (bleepingcomputer.com)


Image credit: Daquella manera on Flickr via Wikipedia Commons.  licensed under the Creative Commons Attribution 2.0 license.