Police using health data for surveillance, TikTok spying on journalists, state privacy legislation, and more!
Garance Burke, Josef Federman, Huizhong Wu, Krutika Pathi, and Rod McGuirk
Remember in the early days of the pandemic when techies scoffed at privacy concerns about contact tracing apps? Three years later, AP looks at how the technologies and data are being used in China, Israel, India, and Australia to halt travel for activists and ordinary people, harass marginalized communities and link people’s health information to other surveillance and law enforcement tools. In some cases, data was shared with spy agencies. For example:
Majd Ramlawi was serving coffee in Jerusalem’s Old City when a chilling text message appeared on his phone. “You have been spotted as having participated in acts of violence in the Al-Aqsa Mosque,” it read in Arabic....
Ramlawi, then 19, was among hundreds of people who civil rights attorneys estimate got the text last year, at the height of one of the most turbulent recent periods in the Holy Land. Many, including Ramlawi, say they only lived or worked in the neighborhood, and had nothing to do with the unrest. What he didn’t know was that the feared internal security agency, the Shin Bet, was using mass surveillance technology mobilized for coronavirus contact tracing, against Israeli residents and citizens for purposes entirely unrelated to COVID-19.
Emily Baker-White on Forbes (forbes.com)
Back in August, Baker-White reported (on BuzzFeed News) that China-based ByteDance employees had repeatedly accessed U.S. user data, based on more than 80 hours of audio recordings of internal TikTok meetings. In response, ByteDance (TikTok's parent company) started spying on Baker-White and other journalists. Forbes had earlier reported on this in October, but ByteDance denied it. Turns out they lied: they were in fact using TikTok to monitor journalists’ physical location using their IP addresses.
According to materials reviewed by Forbes, ByteDance tracked multiple Forbes journalists as part of this covert surveillance campaign, which was designed to unearth the source of leaks inside the company following a drumbeat of stories exposing the company’s ongoing links to China. As a result of the investigation into the surveillance tactics, ByteDance fired Chris Lepitak, its chief internal auditor who led the team responsible for them. The China-based executive Song Ye, who Lepitak reported to and who reports directly to ByteDance CEO Rubo Liang, resigned.
- ByteDance Inquiry Finds Employees Obtained User Data of 2 Journalists, Cecilia Kang on the New York Times (nytimes.com)
Alex LaCasse, Jennifer Bryant, and Joseph Duball on International Association of Privacy Professionals (iapp.org)
Data privacy made more news than ever in 2022. What developments does IAPP think were most noteworthy for the privacy profession? It's an interesting roundup, starting with Ukraine, including a focus on international and US privacy regulation, and ending with the Supreme Court decision overturning Roe and opening the door for states criminalizing abortions.
State privacy legislation
California Privacy Protection Act Ends 2022 Without CPRA Regulations, But CPPA Targets Risk Assessments and AI for Additional Rulemaking
Mary Costigan on JD Supra (jdsupra.com)
The California Privacy Rights Act (CPRA), which amends California's privacy law, takes effect starting on January 1. The California Privacy Protection Agency (CPPA) still hasn't finalized its rulemaking. Final proposed rules are anticipated to be released at the end of January and, after going through the various administrative requirements, will take effect in April. In the meantime, regulations previously promulgated by the California Attorney General’s Office will remain in effect.
David P. Saunders on The National Law Review (natlawreview.com)
On December 21, 2022, the Colorado Attorney General released its newest set of draft regulations to the Colorado Privacy Act (CPA), which will take effect in July 2023. Comments are open until January 18, and there's a rulemaking hearing on February 1.
Adam Schwartz and Corynne McSherry on Electronic Frontier Foundation (eff.org)
The U.S. Supreme Court has been chipping away at private enforcement by rewriting a legal doctrine called “standing,” which determines who has been harmed enough to deserve their day in court. California’s standing rules are different, and far more protective. But a recent state appeals court decision may change those rules, closing the courthouse doors to victims of corporate violations of data privacy laws.
EFF and Electronic Privacy Information Center (EPIC) have filed an amicus letter with the California Supreme Court, urging it to review that decision and keep those doors open (with assistance from Hunter Pyle Law and Feinberg, Jackson, Worthman & Wasow).
- Biometrics privacy push coming to states in 2023, Austin Jenkins on Pluribus News (pluribusnews.com)
- How the California Privacy Rights Act reshapes U.S. privacy compliance in 2023, Tim Peterson on Digiday (digiday.com)
- Where privacy regulation stands ahead of 2023, Ryan Barwick on Morning Brew (marketingbrew.com)
- State Privacy Law Applicability Considerations for Midsize and Small Businesses
Mastodon and the Fediverse
Corynne McSherry on Electronic Frontier Foundation (eff.org)
People hosting their own Mastodon instances face some legal risk. Fortunately, there are some relatively easy ways to mitigate that risk – if you plan ahead. To help people do that, this guide offers an introduction to some common legal issues, along with a few practical considerations.
Brandon Vigliarolo on The Register (theregister.com)
No Girl Scout cookies for you
on Engadget (engadget.com)
Google has announced that two of its latest privacy-enhancing technologies (PETs), including one that blurs objects in a video, will be provided to anyone for free via open source.
Johana Bhuiyan on The Guardian (theguardian.com)
Our guide to the data collected by popular smart devices, from sleep and fitness trackers to DNA kits
Drew FitzGerald on The Wall Street Journal (wsj.com)
Cellphone carriers facing roughly $200 million in fines are for now shielded from paying by a partisan deadlock at the FCC, according to people familiar with the matter.
Kit Klarenberg on MintPress News (mintpressnews.com)
Leaked documents reveal the secret operations of Anomaly 6, a shadowy private spying firm tracking crypto users on behalf of the US government.
Alfred Ng on POLITICO (politico.com)
How an old privacy law and new security demands force Washington to rely on an industry in the crosshairs.
on CNIL.FR (cnil.fr)
Following a complaint about the conditions for depositing cookies on “bing.com”, the CNIL carried out several investigations on the website in September 2020 and May 2021. It found that when users visited this site, cookies were deposited on their terminal without their consent.
Ginger Christ on Legal Dive (legaldive.com)
New legislation extends to employers with applicants or workers who are residents of New York City or California — and may be a harbinger of what’s to come elsewhere.
Pandaily on Pandaily (pandaily.com)
GitHub, an Internet hosting service for software development and version control using Git, announced on December 19 that it has partnered with Tencent’s social app WeChat to scan for their tokens and help secure their mutual users on all public and private repositories with GitHub Advanced Security…
Akshaya Asokan on bankinfosecurity.com
Europe took a key step in formalizing a framework to underpin the trans-Atlantic flow of commercial data but privacy activists say the EU-U.S. agreement won’t stand
Ben Patterson on TechHive (techhive.com)
Anker’s Eufy has promised to be “more clear” about when its security cameras store data in the cloud.
DH Web Desk on DH News Service (deccanherald.com)
Apple AirTags are a wonderful accessory to tag vehicle keys, house keys, and other daily-use objects at home. Thanks to the expansive Apple devices’ network, it is very easy to locate misplaced items. However, privacy advocates had raised concerns over user privacy, as some people with bad intentions us…
Dolan’s Radio City facial software a gross ‘privacy invasion,’ could bring suit: booted lawyer’s attorney
Jeanette Settembre on New York Post (nypost.com)
An attorney representing the lawyer who was flagged by facial recognition and kicked out of Radio City said the ordeal was an outrageous “privacy invasion.”
The A.V. Club on Gizmodo (gizmodo.com)
A wave of new Google popups is spreading across the web, but a new feature from DuckDuckGo blocks them automatically.
Craig Hale on TechRadar pro (techradar.com)
Google, Microsoft, and Mozilla all ditch TrustCor
Bob Violino on CNBC (cnbc.com)
Businesses in highly regulated sectors and those that operate in multiple countries are faced with a growing number of data privacy regulations.
Sergiu Gatlan on BleepingComputer (bleepingcomputer.com)
The Irish Data Protection Commission (DPC) has launched an inquiry following last month’s news reports of a massive Twitter data leak.
Nicolas Camut on POLITICO (politico.eu)
Leaked court document reveals the social media giant has agreed to settle a long-standing lawsuit filed in the US.
Kyle Barr on Gizmodo (gizmodo.com)
Despite Apple’s claims of being proactive against AirTag stalking, the issue has not gone away even after multiple updates.
Katharine Miller, Stanford Institute for Human-Centered AI on VentureBeat (venturebeat.com)
Using a “Pile of Law” dataset, Stanford researchers explore filtering private or toxic content from training data for foundation models.
Scripps National on KSBY News (ksby.com)
Holiday travelers may notice that the TSA has been expanding the use of facial recognition technology. It’s now at more than a dozen airports across the country.
Bloomberg on South China Morning Post (scmp.com)
The multi-billionaire’s acquisition led to an exodus of many of the social media company’s legal, privacy and compliance executives, prompting the wider investigation.
Roomba says leaked pictures including one of a woman on the toilet were taken by test vacuums, not purchased ones
Aaron Mok on Insider (businessinsider.com)
The leaked images from test Roomba vacuums reportedly came from data-labeling contractors who posted them in private Facebook and Discord groups.
Nicol Turner Lee and Jack Malamud on Brookings (brookings.edu)
Nicol Turner Lee and Jack Malamud argue that the principles laid out in the Blueprint for an AI Bill of Rights are crucial, but without congressional action, strategies to effectuate change may lack the credible enforcement regime that only legislation can create.
Annelies Goger, Allyson Parco, Rohan Carter-Rau, Jessa Henderson, Kazumi Homma, Ani Meliksetyan, and Natalie Milman on Brookings (brookings.edu)
New research draws from three case studies on implementing and governing new digital education assets to help create more equitable learning and employment pathways.
Edy Zoo on NewsBreak Original (original.newsbreak.com)
EAST PROVIDENCE, R.I. - The city of East Providence, Rhode Island, has announced plans to install 10 new red light cameras and one additional school zone camera in the coming year, following the collection of nearly $3 million in fines in 2022.
Jason C. Gavejian on The National Law Review (natlawreview.com)
As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular posts of 2022: 1. California Consume
Praneeth Palli on Mashable India (in.mashable.com)
The Cupertino-based business recently released the back-to-back firmware upgrades.