Privacy News: December 26

Police using health data for surveillance, TikTok spying on journalists, state privacy legislation, and more!

The word "privacy" written on a small chalkboard. To the side, glasses, a book, and a pen.

Police seize on COVID-19 tech to expand global surveillance

Garance Burke, Josef Federman, Huizhong Wu, Krutika Pathi, and Rod McGuirk

Remember in the early days of the pandemic when techies scoffed at privacy concerns about contact tracing apps?  Three years later, AP looks at how the technologies and data are being used in China, Israel, India, and Australia to halt travel for activists and ordinary people, harass marginalized communities and link people’s health information to other surveillance and law enforcement tools. In some cases, data was shared with spy agencies. For example:

Majd Ramlawi was serving coffee in Jerusalem’s Old City when a chilling text message appeared on his phone. “You have been spotted as having participated in acts of violence in the Al-Aqsa Mosque,” it read in Arabic....

Ramlawi, then 19, was among hundreds of people who civil rights attorneys estimate got the text last year, at the height of one of the most turbulent recent periods in the Holy Land. Many, including Ramlawi, say they only lived or worked in the neighborhood, and had nothing to do with the unrest. What he didn’t know was that the feared internal security agency, the Shin Bet, was using mass surveillance technology mobilized for coronavirus contact tracing, against Israeli residents and citizens for purposes entirely unrelated to COVID-19.

EXCLUSIVE: TikTok Spied On Forbes Journalists

Emily Baker-White on Forbes

Back in August, Baker-White reported (on BuzzFeed News) that China-based ByteDance employees had repeatedly accessed U.S. user data, based on more than 80 hours of audio recordings of internal TikTok meetings. In response, ByteDance (TikTok's parent company) started spying on Baker-White and other journalists. Forbes had earlier reported on this in October, but ByteDance denied it. Turns out they lied: they were in fact using TikTok to monitor journalists’ physical location using their IP addresses.

According to materials reviewed by Forbes, ByteDance tracked multiple Forbes journalists as part of this covert surveillance campaign, which was designed to unearth the source of leaks inside the company following a drumbeat of stories exposing the company’s ongoing links to China. As a result of the investigation into the surveillance tactics, ByteDance fired Chris Lepitak, its chief internal auditor who led the team responsible for them. The China-based executive Song Ye, who Lepitak reported to and who reports directly to ByteDance CEO Rubo Liang, resigned.


A look back at privacy and data protection in 2022

Alex LaCasse, Jennifer Bryant, and Joseph Duball on International Association of Privacy Professionals

Data privacy made more news than ever in 2022. What developments does IAPP think were most noteworthy for the privacy profession?  It's an interesting roundup, starting with Ukraine, including a focus on international and US privacy regulation, and ending with the Supreme Court decision overturning Roe and opening the door for states criminalizing abortions.

State privacy legislation

California Privacy Protection Act Ends 2022 Without CPRA Regulations, But CPPA Targets Risk Assessments and AI for Additional Rulemaking

Mary Costigan on JD Supra

The California Privacy Rights Act (CPRA), which amends California's privacy law, takes effect starting on January 1.  The California Privacy Protection Agency (CPPA) still hasn't finalized its rulemaking.  Final proposed rules are anticipated to be released at the end of January and after going through the various administrative requirements will take effect in April. In the meantime, regulations previously promulgated by the California Attorney General’s Office will remain in effect.

’Tis the Season: Colorado Attorney General Releases New Draft CPA Regulations

David P. Saunders on The National Law Review

On December 21, 2022, the Colorado Attorney General released its newest set of draft regulations to the Colorado Privacy Act (CPA), which will take effect in July 2023. Comments are open until January 18, and there's a rulemaking hearing on February 1.

In soliciting additional comments to the revised CPA regulations, the Colorado AG is seeking specific input on: (1) clarifications to definitions; (2) use of IP addresses to verify consumer requests; (3) a universal opt-out mechanism; (4) streamlining the privacy policy requirements while maintaining their comprehensiveness; and (5) bona fide loyalty programs. The latest draft regulations include detailed questions from the AG to stakeholders on each of these topics.

California Courts Must Protect Data Privacy

Adam Schwartz and Corynne McSherry on Electronic Frontier Foundation

The U.S. Supreme Court has been chipping away at private enforcement by rewriting a legal doctrine called “standing,” which determines who has been harmed enough to deserve their day in court.  California’s standing rules are different, and far more protective. But a recent state appeals court decision may change those rules, closing the courthouse doors to victims of corporate violations of data privacy laws.

EFF and Electronic Privacy Information Center (EPIC) have filed an amicus letter with the California Supreme Court, urging it to review that decision and keep those doors open (with assistance from Hunter Pyle Law and Feinberg, Jackson, Worthman & Wasow).

Also ...

Mastodon and the Fediverse

Corynne McSherry on Electronic Frontier Foundation

People hosting their own Mastodon instances face some legal risk. Fortunately, there are some relatively easy ways to mitigate that risk – if you plan ahead. To help people do that, this guide offers an introduction to some common legal issues, along with a few practical considerations.

And ...

Lawyer mom barred from Rockettes by facial recognition tech

Brandon Vigliarolo on The Register

No Girl Scout cookies for you

Google is making its internal video-blurring privacy tool open source

on Engadget

Google has announced that two of its latest privacy-enhancing technologies (PETs), including one that blurs objects in a video, will be provided to anyone for free via open source.

Are your gadgets watching you? How to give the gift of privacy

Johana Bhuiyan on The Guardian

Our guide to the data collected by popular smart devices, from sleep and fitness trackers to DNA kits

FCC Deadlock Shields Wireless Companies From Privacy Penalties

Drew FitzGerald on The Wall Street Journal

Cellphone carriers facing roughly $200 million in fines are for now shielded from paying by a partisan deadlock at the FCC, according to people familiar with the matter.

Shadowy US Spy Firm Promises To Surveil Crypto Users For the Highest Bidder

Kit Klarenberg on MintPress News

Leaked documents reveal the secret operations of Anomaly 6, a shadowy private spying firm tracking crypto users on behalf of the US government.

Data brokers raise privacy concerns — but get millions from the federal government

Alfred Ng on POLITICO

How an old privacy law and new security demands force Washington to rely on an industry in the crosshairs.


on CNIL.FR

Following a complaint about the conditions for depositing cookies on “”, the CNIL carried out several investigations on the website in September 2020 and May 2021. It found that when users visited this site, cookies were deposited on their terminal without their consent.

Despite enforcement delays, attorneys urge preparation for AI, privacy laws

Ginger Christ on Legal Dive

New legislation extends to employers with applicants or workers who are residents of New York City or California — and may be a harbinger of what’s to come elsewhere.

GitHub Cooperates with Tencent’s WeChat to Secure User Privacy

Pandaily on Pandaily

GitHub, an Internet hosting service for software development and version control using Git, announced on December 19 that it has partnered with Tencent’s social app WeChat to scan for their tokens and help secure their mutual users on all public and private repositories with GitHub Advanced Security…

EU-US Data Privacy Framework in Activist’s Crosshairs

Akshaya Asokan on

Europe took a key step in formalizing a framework to underpin the trans-Atlantic flow of commercial data but privacy activists say the EU-U.S. agreement won’t stand

Eufy responds to privacy allegations, admits it must do better

Ben Patterson on TechHive

Anker’s Eufy has promised to be “more clear” about when its security cameras store data in the cloud.

Apple brings new privacy security features to AirTags

DH Web Desk on DH News Service

Apple AirTags are a wonderful accessory to tag vehicle keys, house keys, and other daily-use objects at home. Thanks to the expansive Apple devices’ network, it is very easy to locate misplaced items. However, privacy advocates had raised concerns over user privacy, as some people with bad intentions us…

Dolan’s Radio City facial software a gross ‘privacy invasion,’ could bring suit: booted lawyer’s attorney

Jeanette Settembre on New York Post

An attorney representing the lawyer who was flagged by facial recognition and kicked out of Radio City said the ordeal was an outrageous “privacy invasion.”

DuckDuckGo Will Block Google’s ‘Invasive, Annoying’ Sign-in Popups

The A.V. Club on Gizmodo

A wave of new Google popups is spreading across the web, but a new feature from DuckDuckGo blocks them automatically.

Google Chrome and Android drop TrustCor support following privacy scare

Craig Hale on TechRadar pro

Google, Microsoft, and Mozilla all ditch TrustCor

Data privacy rules are sweeping across the globe, and getting stricter

Bob Violino on CNBC

Businesses in highly regulated sectors and those that operate in multiple countries are faced with a growing number of data privacy regulations.

Massive Twitter data leak investigated by EU privacy watchdog

Sergiu Gatlan on BleepingComputer

The Irish Data Protection Commission (DPC) has launched an inquiry following last month’s news reports of a massive Twitter data leak.

Facebook parent company to settle Cambridge Analytica scandal lawsuit for $725M

Nicolas Camut on POLITICO

Leaked court document reveals the social media giant has agreed to settle a long-standing lawsuit filed in the US.

Apple Quietly Rolls Out New Updates That Could Prevent AirTag Stalking

Kyle Barr on Gizmodo

Despite Apple’s claims of being proactive against AirTag stalking, the issue has not gone away even after multiple updates.

Borrowing from the law to filter training data for foundation models

Katharine Miller, Stanford Institute for Human-Centered AI on VentureBeat

Using a “Pile of Law” dataset, Stanford researchers explore filtering private or toxic content from training data for foundation models.

TSA’s facial recognition technology raises security, privacy concerns

Scripps National on KSBY News

Holiday travelers may notice that the TSA has been expanding the use of facial recognition technology. It’s now at more than a dozen airports across the country.

Musk’s Twitter draws deeper FTC scrutiny over rising privacy, security concerns

Bloomberg on South China Morning Post

The multi-billionaire’s acquisition led to an exodus of many of the social media company’s legal, privacy and compliance executives, prompting the wider investigation.

Roomba says leaked pictures including one of a woman on the toilet were taken by test vacuums, not purchased ones

Aaron Mok on Insider

The leaked images from test Roomba vacuums reportedly came from data-labeling contractors who posted them in private Facebook and Discord groups.

Opportunities and blind spots in the White House’s blueprint for an AI Bill of Rights

Nicol Turner Lee and Jack Malamud on Brookings

Nicol Turner Lee and Jack Malamud argue that the principles laid out in the Blueprint for an AI Bill of Rights are crucial, but without congressional action, strategies to effectuate change may lack the credible enforcement regime that only legislation can create.

Going digital: How learning and employment records shape access to quality education and jobs

Annelies Goger, Allyson Parco, Rohan Carter-Rau, Jessa Henderson, Kazumi Homma, Ani Meliksetyan, and Natalie Milman on Brookings

New research draws from three case studies on implementing and governing new digital education assets to help create more equitable learning and employment pathways.

Controversial camera programs raise concerns over privacy in East Providence

Edy Zoo on NewsBreak Original

EAST PROVIDENCE, R.I. - The city of East Providence, Rhode Island, has announced plans to install 10 new red light cameras and one additional school zone camera in the coming year, following the collection of nearly $3 million in fines in 2022.

Top 10 Blog Posts for the Workplace Privacy, Data Management & Security Report for 2022

Jason C. Gavejian on The National Law Review

As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular posts of 2022: 1. California Consume

You Can Now Detect An Unknown AirTag With This New Privacy Feature

Praneeth Palli on Mashable India

The Cupertino-based business recently released the back-to-back firmware upgrades.

Image credit: Originally by Nick Youngson, licensed from Alpha Stock Images under CC BY-SA 3.0 via Picpedia