Privacy News: December 2

Travel privacy, Spotify Wrapped, a lawsuit against a spyware maker ... and more!

A chalkboard with the word "privacy" on it

A lot of links for your weekend reading pleasure!

The airport of the future is the airport of today — and that’s not good

Ed Hasbrouck on Papers Please

Hasbrouck looks at the integrated and largely-invisible surveillance infrastructure in airports today and the convergence of interests between government agencies, airlines, and airports.  

During the pandemic, largely unnoticed, the dystopian surveillance-by-design airport of the future that we’ve been worried and warning about for many years has become, in many places, the airport of today....

A characteristic feature of almost all new or newly-renovated major airports in the U.S. and around the world is that they are designed and built on the assumption that all passengers’ movements within the airport will be tracked at all times, and that all phases of “passenger processing” will be carried out automatically using facial recognition, as shown in this video from a technology vendor, Airport of the Future.


TSA now wants to scan your face at security. Here are your rights.

Geoffrey A. Fowler on The Washington Post

Speaking of which, sixteen major domestic airports are testing facial-recognition tech to verify IDs – and the TSA hopes to expand the pilot to airports all across the country next year. What could possibly go wrong?

The TSA says facial recognition, which has been banned by cities such as San Francisco, helps improve security and possibly also efficiency. But it’s also bringing an unproven tech, with civil rights ramifications we still just don’t understand, to one of the most stressful parts of travel....

the TSA hasn’t actually released hard data about how often its system falsely identifies people, through incorrect positive or negative matches. Some of that might come to light next year when the TSA has to make its case to the Department of Homeland Security to convert airports all over the United States into facial recognition systems.

“I am worried that the TSA will give a green light to technology that is more likely to falsely accuse black and brown and nonbinary travelers and other groups that have historically faced more facial recognition errors,” said [Alfred Fox] Cahn of STOP.

As Fowler notes, you don't have to participate: you can tell the officer that you do not want your photo taken, and they'll turn off the camera. There are supposed to be signs around informing you of your rights, although we'll see how prominent they are. As Hasbrouck says in The airport of the future is the airport of today:

“Opting out” is, in these new airports and terminals, a largely theoretical option available only to those travelers who already know their rights (without being given notice of them), who figure out how to assert them (again without notice),  and who are willing to put up with additional questioning, search, and/or delay.

The Big Problem With Spotify Wrapped

Amanda Hoover on WIRED

According to Spotify, "Spotify Wrapped is all about celebrating the endless ways that millions of creators and fans connect through audio each and every day." It does that based on all the data it tracks about its users and what they're listening to.

“This is a particularly shining example of the fact that Spotify’s business model is based on surveillance,” says Evan Greer, director of the digital rights advocacy group Fight for the Future. “Spotify has done an amazing job of marketing surveillance as fun and getting people to not only participate in their own surveillance, but celebrate it and share it and brag about it to the world.”

Unfortunately, the Wired article leaves out another big problem. Spotify Wrapped was originally developed by Jewel Ham as an intern there, and she's never gotten credit for it. Yes, data privacy is a huge issue ... but it's not the only issue! Whizy Kim's The Intern Who Created Spotify Wrapped’s Story Format Never Got Her Due on Refinery 29 and Keyaira Boone's A Black Howard Alumna Claims She Was Influential In Creating Key Spotify Wrapped Features Without Credit on Essence have more.

And ...

How China’s Police Used Phones and Faces to Track Protesters

Paul Mozur, Claire Fu and Amy Chang Chien in the New York Times

After a weekend of protests, the authorities in China are using the country’s all-seeing surveillance apparatus to find those bold enough to defy them.

A Hacked Newsroom Brings a Spyware Maker to U.S. Court

Ronan Farrow on The New Yorker

When Roman Gressier, an American reporter working in El Salvador, found out that he and his colleagues were being surveilled, he feared persecution due to his sexual identity and worried for his sources’ safety.  In a lawsuit filed today in federal court in San Jose, Gressier will become the first U.S. citizen whose phone was infected by Pegasus to sue NSO Group for damages, according to lawyers representing him at the Knight First Amendment Institute at Columbia University.

ALSO: Why We’re Suing NSO Group, Jameel Jaffer on Knight First Amendment Institute

The Irish Times view on the use of facial recognition technologies

The Irish Times

The Government needs to think again about plans to introduce this new technology in policing, given its patchy record and privacy fears

Companies use design to take our time, money and personal data

Øyvind Kaldestad on Forbrukerrådet

Many companies use deceptive design to hold on to customers, increase sales, or acquire personal data. In many cases, this is illegal, the Norwegian Consumer Council says.

Amazon’s Creep Into Health Care Has Some Experts Spooked

Grace Browne on WIRED

Using the tech giant’s new telehealth service will mean trusting it with your private data.

Anker’s Eufy lied to us about the security of its security cameras

Sean Hollister on The Verge

The cameras have a flaw that Eufy insisted would be impossible

Hungary: Data Misused for Political Campaigns

Human Rights Watch

The Hungarian government’s misuse of personal data during the 2022 national elections campaign undermined privacy and further tilted an already uneven playing field in favor of the ruling party, Fidesz.

ALSO: Orbán used Hungarians’ COVID data to boost election campaign, report says, Louis Westendarp on POLITICO

Online Safety Bill’s ‘spy clause’ will pave way for ‘mass state surveillance’ of WhatsApp

Richard Vaughan on

The Government has tabled amendments to strengthen powers to ‘scan and intercept’ end-to-end encrypted messages

Musk at Twitter has ‘huge work’ ahead to comply with EU rules, warns bloc

Natasha Lomas on TechCrunch

European Union regulators have fired another warning shot at Elon Musk over his erratic piloting of Twitter since his takeover last month.

Microsoft 365 faces more GDPR headwinds in Germany

Jude Karabus on The Register

Redmond disputes report that ‘it is not possible to use without transferring personal data to the USA’

Making Government Data Publicly Available: Guidance for Agencies on Releasing Data Responsibly

Hugh Grant-Chapman, Hannah Quay-de la Vallee on Center for Democracy and Technology

Government agencies rely on a wide range of data to effectively deliver services to the populations with which they engage. Civic-minded advocates frequently argue that the public benefits of this data can be better harnessed by making it available for public access. Recent years, however, have also…

Irish DPC greenlights Facebook’s “GDPR bypass”.

noyb

Schrems: “Decision undermines key element of GDPR.”

The Best Privacy-Focused Browsers You’ve Never Heard Of

Pranay Parab on Lifehacker

Reduce tracking and improve your privacy with these lesser-known browsers.

France’s CNIL Fines Discord €800,000 for GDPR Violations

Scott Ikeda on CPO Magazine

Though the fine is not one of the largest issued by CNIL (or for general GDPR violations across the bloc), the case is noteworthy in that Discord is mostly being taken to task for not providing default or built-in security options rather than the fallout of a specific data breach.

Contending with data privacy concerns in 5 charts

Sara Lebow on Insider Intelligence

Apple’s AppTrackingTransparency, Google’s cookie deprecation, and the impending threat of regulation are challenging data collection. Trust in social platforms is declining. As consumers shy from sharing information, marketers need to meet customers where they’re comfortable. That means finding crea…

Invasion of Privacy Lawsuits Will Be On The Rise In California Where Employers Use Monitoring/Tracking Technology

Dan Forman on JD Supra

Employee monitoring and tracking technologies implemented to ensure remote employee productivity for remote work during the COVID-19 pandemic need to...

Privacy Isn’t Just an Edge Case for Crypto

Leah Callon-Butler on CoinDesk

Financial privacy is useful for dissidents in extreme situations. But nobody should have to justify keeping their personal lives private, says our columnist.

Usercentrics Study: 90% of All Apps Do Not Comply With the GDPR

Business Wire on Yahoo

Nine out of ten apps collect personal data from users without their consent, a clear violation of the European Union’s General Data Protection Regulation (GDPR) and the ePrivacy Directive. This is the result of an analysis of 250 apps in the EU apps market, conducted by privacy tech company Usercentrics.

Census Bureau chief defends ‘differential privacy’ tool

Mike Schneider, The Associated Press on Federal Times

Differential privacy algorithms add intentional errors to data to obscure the identity of any given participant.

A Look Ahead: Lisa Sotto’s Privacy, Security Outlook in 2023

Michael Novinson on

A multitude of state privacy laws taking effect in 2023 has forced organizations to revamp their compliance programs to incorporate the disparate requirements, says

The GDPR and the AI Act Interplay: Highlights from FPF and Ada Lovelace Institute’s Joint Event

on Future of Privacy Forum

On November 9, 2022, FPF, along with the Ada Lovelace Institute (Ada), organized a closed roundtable in Brussels where experts met to discuss the lessons that can be drawn from General Data Protection Regulation (GDPR) enforcement precedents when deciding on the scope and obligations of the European…

is getting new anti-fraud tools, but privacy advocate raises concerns

Natalie Alms on FCW

GSA is taking comments on a Federal Register notice detailing new fraud prevention and identity verification efforts through Dec. 21.

New details on commercial spyware vendor Variston

Clement Lecigne on Google

The Threat Analysis Group shares new information on the commercial spyware vendor Variston.

Twitter’s security issues predate Elon Musk – and firing staff isn’t going to help

Chiara Castro on TechRadar pro

Twitter 2.0 is taking shape and privacy experts are worried

As US, UK Embrace ‘Age Verify Everyone!’ French Data Protection Agency Says Age Verification Is Unreliable And Violates Privacy Rights

Mike Masnick on Techdirt

We keep seeing it show up in a variety of places: laws to “protect the children” that, fundamentally begin with age verification to figure out who is a child (and then layering in a ton…

AI regulation in Brazil: Advancements, flows, and need to learn from the data protection experience

Luca Belli, Yasmin Curzi, Walter B. Gaspar on ScienceDirect

Brazil has recently moved forward on two important developments in its regulatory framework for artificial intelligence: the creation of a national AI…

In ruling on disclosure of airplane cockpit voice recordings, SCC considers pilot privacy

Aidan Macnab on Canadian Lawyer

Case centred on whether Transportation Safety Board could give in camera submissions on disclosure

Kristen Dalli on ConsumerAffairs

Many of the biggest gifts this holiday season require a WiFi connection, which calls into question companies’ privacy policies for each gadget or device. P

Manish Singh on TechCrunch

The compliance is a remarkable illustration of the data Telegram stores on its users and can be made to disclose by authorities.

Microsoft 365 banned in German schools over privacy concerns

Sebastian Klovig Skelton on

German schools cannot legally use Microsoft Office 365 over lack of clarity about how data is collected, shared and used, as well as the potential for unlawful transfer of European citizens’ personal data to the US.

Let privacy bring us together in the new Congress

Cybersecurity on The Hill

One issue does bring millions of Americans of all political persuasions together: the need for stronger privacy and security protections for our personal information.

Virginia’s Consumer Data Protection Act Is Not the Commonwealth’s Only Privacy and Data Protection Law — Nor Is It the Nation’s First

Ketan Bhirud on JD Supra

Virginia’s new Consumer Data Protection Act will take effect on January 1, 2023, adding new consumer privacy rights, a broader interpretation of...

Anker’s Eufy security cameras hit with new privacy brouhaha

Ben Patterson on TechHive

Eufy cams have been uploading video thumbnails to the cloud without telling users, according to a security researcher.

Common deidentification methods don’t fully protect data privacy: University of Chicago

CRN Team on CRN - India

University of Chicago recently published a study describing a new kind of attack called “downcoding,” demonstrating the vulnerability of a deidentified data set and sending a warning that these data transformations should not be considered sufficient to protect individuals’ privacy

Data-driven Health Marketing Surveillance in the U.S.

on Center for Digital Democracy

TikTok CEO offers reassurances over data privacy

Sarah E. Needleman, Alexander Saeedy on MarketWatch

TikTok Chief Executive Shou Chew said the video-sharing platform is taking greater steps to keep user data secure and that it needs to invest more in protecting young people from getting exposed to harmful content.

Australian Parliament Passes Privacy Penalty Bill

Alessandro Mascellino on Infosecurity Magazine

The higher penalties and extended powers will become effective after the bill receives royal assent.

ALSO: First patch to the privacy laws in Australia: increased penalties for global companies, Mandi Jacobson on JD Supra

What Do the Multimillion-Dollar Google Settlement, Meta Fine Mean for Data Privacy?

Carrie Pallardy on InformationWeek

Google agreed to pay a significant amount in a settlement for violating consumer privacy laws. Could this settlement and Meta’s latest fine be the beginning of a new future for data privacy?

How the new privacy landscape presents opportunities for marketers

Ad Age Studio 30 on Ad Age

Execs from Uber, Wavemaker and Meta discussed the challenges and opportunities of the new privacy landscape at The Female Quotient during Advertising Week.

Privacy watchdog opens investigation into Medibank breach

Justin Hendry on

Australia’s privacy watchdog has launched an investigation into the Medibank data breach that compromised the personal details of 9.7 million customers, on the same day the would-be hackers posted the full trove of data on the dark web. The Office of the Australian Information Commissioner (OAIC) an…

Got any shopping apps on your phone? Privacy analysts say you may be sharing too much information with those companies.

Gary Guthrie on ConsumerAffairs

Now that we’re at the height of the holiday shopping season, researchers at privacy protection company Incogni thought it would be interesting to analyze t

Driver Telematics Programs Face Privacy Concerns, IRC Study Finds

PR Newswire on Yahoo Finance

More U.S. drivers are open to opting into usage-based insurance (UBI) programs to save on their auto insurance premiums, yet more widespread acceptance of telematics programs and UBI remains elusive due to privacy concerns, according to a new study from the Insurance Research Council (IRC).

Image credit: Originally by Nick Youngson, licensed from Alpha Stock Images under CC BY-SA 3.0 via Picpedia