Privacy News: December 19
A big FTC settlement, student privacy, state and federal privacy legislation, security and privacy issues on Mastodon ... and more!
A big FTC settlement, student privacy, state and federal privacy legislation, security and privacy issues on Mastodon ... and more!
Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges
the Premerger Notification Office Staff on Federal Trade Commission (ftc.gov)
Epic will pay a $275 million penalty for violating children’s privacy law, change default privacy settings, and pay $245 million in refunds for tricking users into making unwanted charges. Of course it's still just a "cost of doing business", but $500 million. here, $500 million there, and pretty soon you're talking some real money!
- Top FTC official warns companies on data, Ashley Gold on axios.com, with more general perspectives from Samuel Levine, director of the FTC's bureau of consumer protection. Levine tells Axios the agency won't hesitate to sue companies that abuse customers' data -- and warns companies (like Twitter) that have signed FTC consent decrees that "there's no pause button" on such agreements.
What’s more common: opt-in, opt-out, or notice cookie banners?
David A. Zetoony on The National Law Review (natlawreview.com)
In the latest in a series based on Greenberg Traurig LLP's review of the publicly available privacy notices and practices of 555 companies, Zetoony looks at the dreaded cookie banners. From a privacy perspective, the best option is "opt in": you don't get cookies unless you explicitly request them. By contrast, an "opt out" approach (cookies unless you say know) means that companies can exploit your data unless you say otherwise. Even worse is what Zetoony describes as "deemed consent" and "notice only": a notice telling you that they're using cookies and there's nothing you can do about it; or no banner at all, so you don't even know what they're using cookies for.
This analysis shows that 28.5% of the sites they looked at are opt in ... kudos to them for doing the right thing, and brickbats to everybody else. And kudos to Zetoony and Greenberg Traurig LLP, this kind of data
Most apps used in US classrooms share students’ personal data with advertisers, researchers find
Tonya Riley on CyberScoop (cyberscoop.com)
96% of the apps used in U.S. K-12 schools share children’s personal information with third parties — including advertisers — often without the knowledge or consent of users or schools, according to a study by Internet Safety Labs published Tuesday.
Researchers looked at 13 schools in every state, leading to a total of 663 schools representing nearly half a million students. They found that most schools had more than 150 approved technologies for classrooms, a dizzying number for parents and school administrators to monitor. One school had as many as 1,411.
The report follows previous research from the group, formerly known as the Me2B Alliance, finding hundreds of advertisers collected valuable student data from a website specializing in school sports data.
KCKPS leaders consider cameras in classrooms for virtual learning; some concerned about privacy, trust
By: JuYeon Kim on KSHB 41 Kansas City News (kshb.com)
Kansas City, Kansas, Public Schools is considering cameras in classrooms, but some community members are concerned.
Federal privacy legislation
Dangerous “Kids Online Safety Act” Does Not Belong in Must-Pass Legislation
Jason Kelley and Aaron Mackey on Electronic Frontier Foundation (eff.org)
Everybody agrees that doing something about the abuses of kids' privacy is critical ... but even though the controversial and unconstitutional Kids Online Safety Act (KOSA) has some privacy-related provisions, it's still a bad bill. The sponsors have made some changes in response to the letter that more than 90 human rights and LGBTQ Groups sent opposing KOSA last mongth, but as Kelley and Mackey discuss they don't address the underlying problems.
Last week Emily Brinbaum of Bloomberg reported that the White House is making calls to legislators pressuring them to attach this anti-LGBTQ bill to the must-pass "omnibus" spending bill, but House Democrat leadership is pushing back. As I was writing this newsletter, Ashley Gold of Axios reported that she's heard that KOSA isn't in the omnibus. If so that's good news. Keep your fingers crossed!
ADPPA and Twitter: eight questions and an elephant
Jon Pincus, the Nexus of Privacy (thenexusofprivacy.net)
The American Data Privacy and Protection Act (ADPPA) consumer privacy bill also seems unlikely to be attached to the omnibus at this point (although it ain't over til its over) but with its bipartisan sponsorship it's likely to be back on the table next year. Recent events at Twitter provide some clear examples of what’s at stake with real-world privacy-abuses to test how effective ADPPA is going to be in practice.
State privacy legislation
Tech industry group sues to block California law designed to protect kids online over free speech concerns
Lauren Feiner on CNBC (cnbc.com)
The group that sued Texas and Florida over social media laws that seek to restrict the tech industry’s liability shield for content is going after California.
Looking Forward and Back at the California State Legislature
Hayley Tsukayama on Electronic Frontier Foundation (eff.org)
As California’s new two-year session kicks off, EFF looks back at the past session which featured several victories for EFF and its allies advocating for digital rights victories. California is often seen as a leader in recognizing the importance of privacy, innovation, and free expression. Similar bills are being considered this y year in Washington, and no doubht other states, so hopefully we'll be able to build on California's leadership.
U.S. State Privacy Laws in 2023: California, Colorado, Connecticut, Utah and Virginia
Theodore Augustinos on JD Supra (jdsupra.com)
A look at new consumer privacy laws coming into effect in California, Colorado, Connecticut, Utah, and Virginia. We've included similar analyses in past issues of the newsletter, but it's interesting to see the different perspectives. This one for example has a useful chart comparing the different laws, which highlights both similarites and some important differences.
Fleeing Twitter users face uncertain privacy, security features on alternative platforms
Tonya Riley, Cyberscoop (cyberscoop.com)
An excellent high-level look at the security and privacy risks of Mastodon and other Twitter alternatives. A lot of the articles I've seen stop with the basics: Mastodon, like Twitter and Facebook, doesn't encrypt private messages, so admins can read them. But that's just the tip of the iceberg. For example:
As the number of Mastodon grow, so too will data requests from law enforcement. In recent years, law enforcement has increasingly leaned on tech companies for data that can be used to prosecute crimes — including criminalized abortion. In just the first six months of 2022, Twitter received nearly 50,000 legal demands, including a 103% increase in legal demands from governments targeting journalists.
Privacy and security experts are concerned that platforms such as Mastodon are poorly positioned to properly deal with data requests like these. Addressing them would likely fall on independent Mastodon server administrators or their hosting companies, not Mastodon. While Mastodon is based in Germany, its administrators and their hosting companies span the globe.
Yeah really. Riley quotes several Mastodon instance admins who basically say, well, if it happens they'll get a lawyer. As privacy and security expert Violet Blue pointed out in her Cybersecurity Roundup on December 13, there are some big red flags here. Not to sound like a broken record, but assume that nothing on Mastodon is private, and do not use it for confidential information!
Riley also briefly discusses Hive Social, another Twitter alternative. Hive had a very high-profile security problem, and shut down for a few weeks to address the underlying issues (although it's now back up). As Violet Blue points out, Hive did the right thing here by prioritizing user safety.
How to spot AI-generated text
Melissa Heikkilä on MIT Technology Review (technologyreview.com)
The internet is increasingly awash with text written by AI software. We need new tools to detect it.
Under Surveillance: (Mis)use of Technologies in Emergency Responses
23-12-2021 on ECNL (ecnl.org)
ECNL, INCLO and Privacy International joint report focuses on global lessons from the COVID-19 pandemic.
Dayton-area police departments expanding license plate reader use as privacy concerns remain
Nick Blizzard on Dayton Daily News (daytondailynews.com)
Dayton, Miamisburg have added automated license plate readers in past several months; Beavercreek and Kettering among police departments that say they help solve crimes while Ohio ACLU, others raise questions.
EU takes step towards US data-sharing agreement
Lindsay Clark on The Register (theregister.com)
Campaigners say it’s unlikely to pass a test in the courts, though
Sen. Elizabeth Warren Questions Tax Filing Companies, Meta, and Google About Sharing of Financial Data
Colin Lecher on The Markup (themarkup.org)
Letters to the companies, signed by Warren and others, cite a recent Markup investigation
Violation of Right to Privacy: Karti Chidambaram on ‘Orwellian’ usage of facial recognition by Chennai police
Aihik Sur on Moneycontrol (moneycontrol.com)
This comes a few days after the Greater Chennai Police admitted to using the technology in response to a tweet by a Chennai resident.
Privacy Breaches to Cost More in Australia as Maximum Penalty Increases to AUD 50 Million
Scott Ikeda on CPO Magazine (cpomagazine.com)
Organizations found to be responsible for a privacy breach now face a maximum penalty of AUD 50 million, 30% of adjusted annual domestic turnover, or three times the value of any benefit obtained through the misuse of the leaked information.
Microsoft to roll out ‘data boundary’ for EU customers from Jan. 1
Martin Coulter on Reuters (reuters.com)
Microsoft Corp said on Thursday its European Union cloud customers will be able to process and store parts of their data in the region from Jan. 1.
Federal Agencies Keep Rejecting FOIA Requests for Their Procedures for Handling FOIA Requests
Beryl Lipton on Electronic Frontier Foundation (eff.org)
The majority of federal agencies — including law enforcement agencies like Customs and Border Protection — are refusing to release some of the most basic guidance materials used by their Freedom of Information Act (FOIA) offices: procedures for how they do their jobs.Government Attic, a website...
The post-Merge Ethereum ecosystem needs privacy more than ever
Warren Paul Anderson, Discreet Labs on VentureBeat (venturebeat.com)
Privacy in Ethereum must not be a bolt-on feature; it should should become a built-in foundation that enhances user experience.
Hulu customer claims an employee violated her privacy by using personal information to contact her after a virtual service chat
Jordan Hart on Insider (businessinsider.com)
“How many other women has he done this to, and how else is he using my information?” Strauss asked in a TikTok post that went viral earlier this week.
Is privacy is possible on the Internet? An interview with Neeva founder and former Google exec Sridhar Ramaswamy
Jim Love on IT World Canada (itworldcanada.com)
On Dec 13th, a new search engine, described by some as the “anti-google” called Neeva will be available to use in Canada. Here's an interview with Neeva's CEO.
EFF Agrees With the NLRB: Workers Need Protection Against Bossware
José EFA and Hayley Tsukayama on Electronic Frontier Foundation (eff.org)
The general counsel of the National Labor Relations Board (NLRB) issued an important memo that calls for regulators to protect workers against what she described as “unlawful electronic surveillance and automated management practices.”
Is Your Secret Santa App on the Privacy Naughty List?
Mia Armstrong-López on Slate (slate.com)
Plus, stories from the recent past of Future Tense.
Secrecy v. Privacy in Donor Conception Families
Wendy Kramer is Co-Founder and Director of the Donor Sibling Registry (DSR). on Psychology Today (psychologytoday.com)
Walking the fine line between privacy and secrecy is inherent in donor families.
Leo Varadkar nightclub footage triggers privacy debate in Ireland
Rory Carroll on The Guardian (theguardian.com)
Leaked clip of deputy leader also fuels moves to tighten social media regulation
Hongkonger jailed for 8 months in first doxxing sentence under revised privacy law
Brian Wong on South China Morning Post (scmp.com)
Ho Muk-wah received 8 months’ jail for seven counts of disclosing personal data without consent, including creating fake online accounts under ex-partner’s name.
Standing to Sue: Is Theft of Drivers’ License Numbers Sufficient to Allege Imminent Threat of Future Harm?
Ryan P. Blaney on The National Law Review (natlawreview.com)
Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach. In doing so, the court determined that driver’s license numbers “are not as sensitive as social security numbers,” and that they don’t rise to the level of sensitive personal information “needed to establish a credible and imminent threat of future harm” for Article III standing.
Exhibit At University Of Oxford Shows Differences Between Algorithmic And Human Curation
iednewsdesk on India Education (indiaeducationdiary.in)
Researchers at the Oxford Internet Institute are launching ‘The Algorithmic Pedestal,’ a public exhibition taking place at J/M Gallery in London from 11-17 January 2023, which will highlight differences between human and algorithmic ways of seeing. Artist Fabienne Hess is bringing her human perspective, while the Instagram algorithm adds the machine perspective.