Privacy News: November 22

Privacy after Roe, ADPPA and KOSA in Congress, FTC comments, a big new lawsuit by Foxglove against Meta ... and that's only the tip of the iceberg.

FTC Comments

The extended deadline for comments on the FTC potential rulemaking on Commercial Surveillance and Data Security was 8:59 pm Pacific time on Monday (11:59 pm Eastern) and I got mine in with well over an hour to spare.  

Several other Washington privacy organizers submitted comments as well as me, and so did a lot of individuals, non-profits, and businessess.  Twitter is the best place to find short summaries and links to comments; for example, here's Willmary Escoto with Access Now's comments.  EPIC has a good overview page with information about the process, a link to their own 232-page (!) comments, and a roundup of several other organizations' comments  including Parent Coalition on Student Privacy, Upturn, the Irish Council for Civil Liberties, Open Markets Institute, and Trans Atlantic Consumer Dialogue, Fight for the Future and more.  

One of the most entertaining comments, submitted by former FTC Chief Technologist Neil Chilson, was text generated by the GPT-3 language model from various prompts. If you replace "AI" with "commericial surveillance", they're remarkably pithy summaries of many of the corporate submissions.

My full comments, available here, framed things somewhat differently.  The summary:

1. Consent is a vital complement to data minimization and completely prohibiting some commercial surveillance activities.  Opt-out is not meaningful affirmative consent, and an opt-in approach to regulation will enhance innovation. (Questions 26, 73-81)
2. Algorithmic error and discrimination is pervasive across multiple sectors – and the harms fail disproportionately on the most vulnerable people. (Questions 53, 57, 65, 66, 67)
3. The FTC should build on the recommendations of Algorithmic Justice League’s Who Audits the Auditors, the White House OSTP’s Blueprint for an AI Bill of Rights, and the California Privacy Protection Agency’s AI equity work. (Questions 41-46, 56, 67)
4. The FTC should develop its regulations working with the people most likely to be harmed by commercial surveillance – and prioritize their needs. (Questions 29, 39, 43)

ALSO

• The FTC must act against unfair and deceitful commercial surveillance Transatlantic Consumer Dialogue (tacd.org)
• ICCL, Open Markets, and TACD (75 NGOs) urge the U.S. FTC to crack down on surveillance advertising, Johnny Ryan on Irish Council for Civil Liberties (iccl.ie)
• The FTC can finally regulate online privacy protections, Emily Peterson-Cassin on The Dallas Morning News (dallasnews.com)

Privacy after Roe

National Women's Law Center's FTC comments focused on the harms that people who seek, provide, or facilitate abortion care can face due to commercial surveillance – the elephant that American Data Privacy Protection Act (ADPPA) supporters don't want to talk about. NWLC's analysis is much more detailed than anything I've seen in ADPPA discussions.  One section looks at privacy issues relating to "crisis preganancy centers", fake clinics run by anti-abortion groups, and details how Harmony International provides a CMS to its 2,000 affiliates in the US.  How well does ADPPA address this threat? None of the testimony supporting the bill that I've seen discusses this.  Neither do any of the op-eds.  And none of the news pieces comment on this absence which you have to admit is kind of weird in a year where the Supreme Court took away pregnant people's right to an abortion and Democrats just did better than expected in midterms due to how much people care about this issue.

An Update on the Federal and State E-Roe-sion or P-Roe-tection of Abortion Rights

Amy J. Dilcher on The National Law Review (natlawreview.com)

A roundup of noteworthy developments that occurred over the past month, including several significant events at both federal and state levels as well as recent activity by registered voters during the midterms to protect access to reproductive care.

Federal privacy legislation

Will Congress kill the push for data privacy?

Marc Rotenberg on The Hill (thehill.com)

Rotenberg cuts to the heart of the thorny debate about preemption in the ADPPA:

"There is a simple solution to the objection from California: Remove the language that preempts stronger state laws. If the federal bill is indeed stronger, as the backers contend, then compliance with the California law should be easy."

Yeah really.  But of course in reality there are a lot of ways in which California's law is stronger, and the even bigger opportunity for data brokers and big tech is that ADPPA also preempts other current and future state and local laws.   And as Rotenberg notes, preemption is only the start. He also discusses

• the weak private enforcement scheme (aka "private right of action")
• the two-year delay before even the weak scheme kicks in
• the way the bill's exclusion of European citizens is almost certain to sink the latest attempt to establish a legal framework that will permit the continued flow of personal data of European consumers to United States internet companies, which is critical to the digital economy.
• the problem with putting so much of the enforcement authority with the FTC (a coalition of ten Attorneys General including Washington, New York, Maine, and Illinois have warned that ADPPA would unnecessarily interfere with their investigative and enforcement abilities)

Of course these could all be addressed if there's the political will, and Rotenberg offers some straightforward solutions.  Then again these aren't the only issues with ADPPA – Rotenberg doesn't discuss the elephant or the ways that ADPPA's algorithmic impact assessments are too weak to protect civil rights – so there's a lot of improvement needed.

Still, now's as good a time as any.  As Roternberg says:

The public attitude toward the tech industry has clearly shifted since work on a federal privacy bill began. Tech lobbyists no longer hold the pen on legislation. Twitter is teetering on the edge. Layoffs have diminished Facebook, Google, and others. Compromises with powerful tech companies — such as federal preemption — that might have looked good a year ago now seem unnecessary. This is not a time for a retribution, but it is a time for Congress to enact effective baseline legislation that provides real protection for consumers and leaves the door open for future innovation in the states.

KOSA Would Let the Government Control What Young People See Online

Jason Kelley and Aaron Mackey on Electronic Frontier Foundation (eff.org)

The latest version of the Kids Online Safety Act (KOSA) is focused on removing online information that people need to see—people of all ages. Letting governments—state or federal—decide what information anyone needs to see is a dangerous endeavor.

Grieving parents push for kids’ online safety bills during lame duck

Rebecca Klar on The Hill (thehill.com)

Congress has a busy itinerary in the lame duck session, but some grieving parents believe lawmakers should have a clear legislative priority: protecting minors from the harms they say led to their kids death.

And ...

Meta’s surveillance biz model targeted in UK ‘right to object’ GDPR lawsuit

Natasha Lomas on TechCrunch (techcrunch.com)

Meta’s surveillance business model is facing an interesting legal challenge in the UK from Foxglove Senior fellow Tanya O'Carroll over its continued processing of her data for ad targeting despite her objection. If this suit succeeds, it could create a precedent where if any one of us objects to Facebook creepily tracking us across the internet and tells them to stop, Facebook has to stop.  

• Foxglove Senior Fellow Tanya O’Carroll sues Facebook for collecting personal data to sell adverts, Foxglove's statement (foxglove.org)
• Tanya O’Carroll v Meta; Landmark case to stop Facebook spying on us, the  Tanya O’Carroll relating to her case against Meta (awo.agency)
• Facebook sued for collecting personal data to sell adverts, Mark Sellman, Technology Correspondent on The Times (thetimes.co.uk)

US Supreme Court ruling due on spy cams around homes

Thomas Claburn on The Register (theregister.com)

The American Civil Liberties Union on Friday asked the US Supreme Court to consider whether surveillance cameras placed on utility poles by police without a warrant should be allowed to watch people in their homes.

Twitter is making DMs encrypted and adding video, voice chat, per Elon Musk

Alex Heath / @alexeheath on The Verge (theverge.com)

Encrypted DMs are a good thing, and Twitter should have added them years ago. They didn't, and now Elmo and his investors like Larry Ellison (owner of a data broker) and Saudi Prince Alawaeed have special data rights to every DM that's ever been sent – including from tech whistleblowers and activists in the Middle East. Maybe Twitter really will encrypt DMs but even if they do it's locking the barn after the data has been stolen.  Also wasn't Tesla  going to ship fully automated driving in 2015 or something?  So take it with a grain of salt.

Also:

• Is Elon Musk Bringing Encrypted Messages To The $8 Twitter Blue Party?, Davey Winder on Forbes (forbes.com)

Can anyone avoid CCTV surveillance? We ask an expert

Coco Khan on The Guardian (theguardian.com)

Hailed as a tech solution to crime, security cameras throw up questions of accountability and privacy

Google employees are concerned about data privacy, court documents reveal

Daniel Konstantinovic on Insider Intelligence (insiderintelligence.com)

How much information is Google collecting on users? It seems even company employees don’t know, according to court documents unveiled via a class-action privacy suit.

‘I don’t have the faintest idea what Google has on me’: Google fell short on privacy promises, employees say.

Shoshana Wodinsky on MarketWatch (marketwatch.com)

Newly unsealed court records reveal executives candidly talking discussing about subverting user consent in their products.

FIFA World Cup apps stoke data privacy concerns

Chase DiBenedetto on Mashable (mashable.com)

The international event has privacy and human rights experts on edge.

Why Meta’s latest large language model only survived three days online

Will Douglas Heaven on MIT Technology Review (technologyreview.com)

Galactica was supposed to help scientists. Instead, it mindlessly spat out biased and incorrect nonsense.

Inside the Business of Digital Privacy: A Profitable Opportunity

Rakesh Soni on Security Boulevard (securityboulevard.com)

Digital privacy is the key that drives business growth as it offers valuable insights to empower businesses to provide personalized experiences to users. This blog explores the aspects of leveraging digital privacy and how businesses can stay ahead of the curve.

Is the Video Privacy Protection Act a New Litigation Weapon for Consumers?

Adam Aguirre on JD Supra (jdsupra.com)

On September 19, 2022, a Massachusetts federal District Court denied Boston Globe Media Partners LLC’s motion to dismiss a consumer class action suit...

Federal Court Dismisses Biometric Privacy Class Action Brought Against University, On Basis It Was a Regulated “Financial Institution”

Kristin L. Bryan on The National Law Review (natlawreview.com)

For almost four years now, attorneys have remained relentless in their quest to extend the outer boundaries of the Illinois Biometric Information Privacy Act (BIPA) as far as courts are willing to all

Video surveillance in 7 Yukon schools collecting too much info on students, says privacy watchdog

CBC News on CBC (cbc.ca)

The Yukon's information and privacy watchdog says the Department of Education need to immediately stop using video surveillance in schools to collect personal information about students, and securely destroy any such information it has already collected.  She also found the department is collecting too much info, in violation of its own video surveillance policy, and cameras were in multipurpose rooms, sports facilities and pointed at bathroom entrances.

Two provincial privacy watchdogs confirm Sobeys experiencing data breach

on The Globe and Mail (theglobeandmail.com)

Sobeys has been dealing with ‘IT system’ issues for much of the past week affecting customers seeking prescriptions at some pharmacies it operates

Santa’s Data: This Holiday’s Tech Gifts Are Creepier Than Ever

The A.V. Club on Gizmodo (gizmodo.com)

Mozilla’s Privacy Not Included Project looked at the year’s hottest gadgets and found they’re rife with privacy issues.

New DuckDuckGo Tool Brings Apple-Style Privacy to Android

Thomas Germain on Gizmodo (gizmodo.com)

The easy to use App Track Protection feature will block third party companies snooping in your apps

The Viral Effect of the CPRA’s Definition of a Business

Steven Millendorf on The National Law Review (natlawreview.com)

California’s Consumer Privacy Rights Act of 2020 (CPRA) purports to shield small and not-for-profit organizations from the scope of the act.  But the CPRA also includes two more, often overlooked, provisions which may ensnare organizations that are not-for-profit or otherwise do not meet one or more of the above thresholds.

Facebook’s $90M Privacy Deal Gets Final Nod Over Objections

Hunton Andrews Kurth’s Privacy and Cybersecurity on The National Law Review (natlawreview.com)

Despite numerous objections that the settlement amount was inadequate, the judge found the final settlement to be “fair, reasonable and adequate.”

Keynote: Privacy in sports (IAPP Europe Data Protection Congress 2022)

on iapp.org

Keynote: Privacy in sports and the FIFA World Cup (IAPP Europe Data Protection Congress 2022).

How much privacy do you deserve?

Guardian Nigeria on The Guardian Nigeria News - Nigeria and World News (guardian.ng)

When The People’s Daily published a story in 2018 stating that the ruling Communist Party had developed and implemented software to detect individual faces using CCTV cameras, many in the West decried the move as another incremental step towards a draconian police state in line with China’s existing…