Privacy News: September 17 mega-update

With even more links than normal!

From EFF Award winner Digital Defense Fund's Guide to Abortion Privacy

It's been ten days since our last privacy news update, so we've got even more links than normal.

Electronic Frontier Foundation to Present Annual Awards to Alaa Abd El-Fattah, Digital Defense Fund, and Kyle Wiens

Electronic Frontier Foundation (eff.org)

This year's EFF awards for helping to ensure that technology supports freedom, justice, and innovation for all people:

  • blogger, software developer, activist, and political prisoner Alaa Abd El-Fattah

    TAKE ACTION: Sign the petition to Free Alaa!  As Alaa's sister Mona Seif writes, "if enough people demand it, the UK can bring Alaa home. He is an Amnesty International Prisoner of Conscience, an Honorary Member of English PEN and dozens of UK MPs have called for his release. We just need the UK government to be firm in their negotiations."
  • abortion rights technology organization Digital Defense Fund.

    TAKE ACTION: If you're a software developer, website builder, UI designer, digital security trainer, IT technician, or a technologist of any kind, volunteer with Digital Defense Fund!
  • iFixit CEO and co-founder Kyle Wiens (who's been very active in the Right to Repair Movement)

Congratulations to all of the above!  We talked about Digital Defense Fund's excellent  Guide to Abortion Privacy a couple months ago in Privacy in a post-Roe America, and that's only one small piece of the digital security work they do for the abortion rights movement.

Customs officials have copied Americans’ phone data at massive scale

Drew Harwell on The Washington Post (washingtonpost.com)

U.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database they’ve compiled from travelers’ devices.

The rapid expansion of the database and the ability of 2,700 CBP officers to access it without a warrant — two details not previously known about the database — have raised alarms in Congress about what use the government has made of the information, much of which is captured from people not suspected of any crime. CBP officials told congressional staff the data is maintained for 15 years.

Details of the database were revealed Thursday in a letter to CBP Commissioner Chris Magnus from Sen. Ron Wyden (D-Ore.), who criticized the agency for “allowing indiscriminate rifling through Americans’ private records” and called for stronger privacy protections.

Student and youth privacy

With ‘Don’t Say Gay’ Laws & Abortion Bans, Student Surveillance Raises New Risks

Mark Keierleber, The 74 (the74million.org)

With states adopting anti-LGBTQ laws and criminalizing abortion, privacy and civil rights advocates warn that school-issued devices could end up exposing students to legal peril.

For years, schools across the U.S. have used digital surveillance tools that collect a trove of information about youth sexuality — intimate details that are gleaned from students’ conversations with friends, diary entries and search histories. Meanwhile, student information collected by student surveillance companies is regularly shared with police, according to a recent survey conducted by the nonprofit Center for Democracy and Technology. These two realities are concerning to Elizabeth Laird, the center’s director of equity in civic technology. Following the Supreme Court’s repeal of Roe v. Wade in June, she said information about youth sexuality could be weaponized.

“Right now — without doing anything — schools may be getting alerts about students who are searching the internet for resources related to reproductive health,” Laird said. “If you are in a state that has a law that criminalizes abortion, right now this tool could be used to enforce those laws.”

Federal privacy legislation

An Alphabet Soup of Privacy Legislation

Maya Morales and Jon Pincus (that's me!), hosted by Electronic Frontiers Georgia

Maya and I discussed the Fourth Amendment is Not For Sale Act, My Body My Data, HLDPA, ADPPA, CTOPPA, and KOSA.  We planned on an hour but had so many great questions that we went for 90 minutes – many thanks to the attendees!  I'll have a fuller report soon; for now, the video's available on EF Georgia's Facebook and Twitch pages.

TAKE ACTION:
Tell Congress: The Fourth Amendment is Not For Sale using EFF's handy web form

Reviewing the House Committee changes to the proposed ADPPA

International Association of Privacy Professionals (iapp.org)

IAPP Westin Research Fellow Amy Olivero breaks down the changes to the draft American Data Privacy and Protection Act (ADPPA).  Note that both the description of the changes and the chart at the bottom make ADPPA look stronger than it really is.  For example,

  • the list of changes is at a very high level.  While this improves readability, it also creates a very false impression by omitting many important changes that significantly weakened the bill.
  • the chart helpfully provides information on how long covered entities of different sizes have to respond to access, correction, and deletion requests – but it leaves out the fact that they also get an automatic 45-day exemption.
  • the chart accurately notes that service providers and businesses with less than $250,000,000 annual revenue are subject to ADPPA's civil rights protections (Section 207(a)) – but omits the fact that they're exempt from the requirement to do algorithmic impact assessments.

Editorial: Congress must fix data privacy bill so it doesn’t hurt Californians

The Times Editorial Board on Los Angeles Times (latimes.com)

The LA Times argues that California should get a waiver exempting their privacy law from ADPPA.  I discuss this, along with Jennifer Haberkorn's excellent September 6 LA Times news story Congress mulls data privacy bill that would void California’s tougher protections, in the footnotes of Who could have predicted? A potential “new compromise” for ADPPA!

Internet service providers drop challenge of privacy law

Patrick Whittle, on Associated Press (apnews.com)

A group of telecommunication providers has dropped its bid  to overturn Maine's opt-in privacy law, which Whittle accurately describes as "one of the strictest internet privacy laws in the United States." Looks like they're pinning their hopes on ADPPA, which would preempt Maine's law (as well as other current and future state and local consumer privacy laws).

Advocacy Groups Urge Senators to Advance Bills Protecting Children’s Data

Lynn F. Freedman, National Law Review (natlawreview.com)

Provider groups and privacy advocates have joined together to put pressure on Congress to pass two bipartisan bills designed to bolster children and teens’ privacy.  The Kids Online Safety Act (S. 3663) and the Children and Teens’ Online Privacy Protection Act (S. 1628) were both passed out of the Senate subcommittee with bipartisan support.

Note, however, that EFF opposes the Kids Online Safety Act.  Jason Kelley's The Kids Online Safety Act Is a Heavy-Handed Plan to Force Platforms to Spy on Young People, from March, discusses why.

Post-Roe privacy

Rumored Apple Watch fertility tracking is a potential post-Roe nightmare

Cecily Mauran on Mashable (mashable.com)

The possible Apple Watch feature is ill-timed

FTC

FTC Report Shows Rise in Sophisticated Dark Patterns Designed to Trick and Trap Consumers

Federal Trade Commission (ftc.gov)

The Federal Trade Commission released a report today showing how companies are increasingly using sophisticated design practices known as “dark patterns” that can trick or manipulate consumers into buying products or services or giving up their privacy. IAPP's Cobun Zweifel-Keegan's  What color are your patterns? has a short summary.

The FTC Is Closing in on Runaway AI

Khari Johnson, WIRED (wired.com)

The US regulator is eager to end unfair use of artificial intelligence and commercial surveillance, but experts remain skeptical.

Even with the FTC mulling a rewrite of data privacy rules, don’t expect change to come soon

Chris Morris on Fast Company (fastcompany.com)

The FTC could borrow from the European Union’s legal framework for what personal data can be collected by companies. But the agency often moves at a glacial pace.

Congresswoman Urges FTC to Investigate Newly Revealed Police Software Surveilling Americans’ Movements

The A.V. Club on Gizmodo (gizmodo.com)

Rep. Anna Eshoo says the tool, Fog Reveal, “presents a new threat” in the post-Roe landscape.

And ...

Cops wanted to keep mass surveillance app secret; privacy advocates refused

Ashley Belanger on Ars Technica (arstechnica.com)

Fog Reveal is “almost invisible” when attempting to search for it online.

Walmart is facing a class action suit for allegedly violating an Illinois privacy law by using surveillance cameras and Clearview AI’s facial recognition data

Caroline Haskins on Insider (businessinsider.com)

Walmart is facing a class action lawsuit over its alleged use of surveillance cameras and Clearview AI’s facial recognition database.

What It Really Means to “Hold Big Tech Accountable”

Brian Fishman on Lawfare (lawfareblog.com)

Four principles for U.S. lawmakers to keep in mind as they open the messy and unsatisfying Pandora’s box of tech regulation.

The MTA’s switch to OMNY machines is a privacy nightmare

Max Ufberg on Fast Company (fastcompany.com)

The fare payment system’s connections with the public and private sectors make it a dangerous upgrade for subway riders.

A view from DC: What color are your patterns?

International Association of Privacy Professionals (iapp.org)

IAPP Managing Director, Washington D.C.,  offers his thoughts on the privacy happenings in and around D.C.

TikTok won’t commit to stopping US data flows to China

Brian Fung on CNN (cnn.com)

TikTok repeatedly declined to commit to US lawmakers on Wednesday that the short-form video app will cut off flows of US user data to China, instead promising that the outcome of its negotiations with the US government “will satisfy all national security concerns.”

Open Call for Tor Board Candidates

Kendra on The Tor Project (blog.torproject.org)

The Tor Project is happy to announce an open call for candidates to join the Tor Project Board of Directors.

S.Korea fines Google, Meta billions of won for privacy violations

Soo-Hyang Choi on Reuters (reuters.com)

South Korea levied millions of dollars in fines on Alphabet’s Google and Meta Platforms for privacy law violations, authorities said on Wednesday, as Meta considers fighting the decision in court.

Tech tool offers police ‘mass surveillance on a budget’

Garance Burke and Jason Dearen on Associated Press (apnews.com)

Local law enforcement agencies from suburban Southern California to rural North Carolina have been using an obscure cellphone tracking tool, at times without search warrants, that gives them the power to follow people’s movements months back in time, according to public records and internal emails o…

NYPD Camera Project

S.T.O.P. - The Surveillance Technology Oversight Project (stopspying.org)

If you can see an NYPD camera from your window at home, please get in touch with us. We are hoping to sue NYPD to force them to take these cameras down, or at the very least physically block them from viewing New Yorkers’ homes. You may also be entitled to some monetary compensation for violation

TikTok claims it’s not collecting U.S. users’ biometric data, despite what privacy policy says

Sarah Perez on TechCrunch (techcrunch.com)

Last year, TikTok quietly updated its privacy policy to allow the app to collect biometric data on U.S. users, including “faceprints and voiceprints” — a concerning change that the company declined to detail at the time, or during a subsequent Senate hearing held last October. Today, the tech compan…

Indonesia Set to Pass New Data Privacy Law After Spate of Leaks

Bloomberg News on ITPro Today (itprotoday.com)

The passing of the bill would make Indonesia the fifth Southeast Asian country to have a specific law on personal data protection after Singapore, Malaysia, Thailand and the Philippines.

Opinion: The most disturbing aspect of Vanessa Bryant’s case

Danielle Keats Citron, John C.P. Goldberg, Benjamin C. Zipursky on CNN (cnn.com)

Vanessa Bryant’s recent verdict against the Los Angeles County Sheriff’s and Fire Departments represents a federal jury’s response to immoral and grotesquely offensive conduct by some of their employees.

Loyalty Programs in the California AG’s Crosshairs Once Again

Kyle Dull on Consumer Privacy World (consumerprivacyworld.com)

With a nod to Data Privacy Day (January 28), California Attorney General Rob Bonta announced an enforcement sweep of loyalty programs operated by retail,

TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users’ Information

Ravie Lakshmanan on The Hacker News (thehackernews.com)

TikTok has denied reports of a data breach after a hacker group claimed to have gained access to information on two billion of its users.

The shift we need to stop mass surveillance

Albert Cahn on TED Talks (ted.com)

Mass surveillance is worse than you think, but the solutions are simpler than you realize, says lawyer, technologist and TED Fellow Albert Cahn. Breaking down the crude tactics law enforcement uses to sweep up massive amounts of data collected about us by our everyday tech, he lays out how new legal firewalls can protect the public from geofence warrants and other surveillance abuses -- and how we might end the looming dystopia of mass surveillance.

Peter Eckersley Helped Encrypt Internet Traffic to Foil Snoops

James R. Hagerty and Robert McMillan on WSJ (wsj.com)

Australian computer scientist, who has died at age 44, worked at a San Francisco nonprofit on projects designed to protect privacy.

Third circuit shows how to establish standing in data breach cases

International Association of Privacy Professionals (iapp.org)

A recent decision by the federal court of appeals in Philadelphia gives new hope to plaintiffs in class action lawsuits over data breaches.

Scant resources might threaten enforcement on Big Tech, EU data protection bodies warn

Luca Bertuzzi on EURACTIV (euractiv.com)

Facebook Engineers: We Have No Idea Where We Keep All Your Personal Data

Sam Biddle on The Intercept (theintercept.com)

In a discovery hearing, two veteran Facebook engineers told the court that the company doesn’t keep track of all your personal data.

If Caring About Your Digital Privacy Makes Me a Cult Member, Sign Me Up

Jason Kelley on Slate (slate.com)

An Arkansas prosecutor recently said that Americans who care about their digital security belong to a “cult of privacy.”

Data tracking poses a ‘national security risk’ FTC told

Jessica Lyons Hardcastle on The Register (theregister.com)

‘We’re making China’s job easier’

One year later, Apple’s privacy changes helped boost its own ads business, report finds

Sarah Perez on TechCrunch (techcrunch.com)

A new report examining the impact of Apple’s privacy feature, App Tracking Transparency, indicates Apple’s ads business appears to have financially benefitted as a result of the feature’s launch. Now over a year old, App Tracking Transparency, or ATT, reached mass adoption in June 2021, allowing for a…

UK data protection reform: How the UK GDPR may change

Hogan Lovells Engage (engage.hoganlovells.com)

On 18 July 2022, the UK government introduced the Data Protection and Digital Information Bill to Parliament for its first reading. Following the UK leaving the European Union in 2020, the Bill sets o...

Big California Privacy News: Legislative and Enforcement Updates

Colleen Theresa Brown on Data Matters Privacy Blog (datamatters.sidley.com)

Privacy never sleeps in California. In recent days and as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country.  In a surprise to many observers, the California legislature failed to extend the employee- and B2B-exemptions.  The exemptions will now expire at the end of 2022 and require businesses to extend CCPA rights to all California residents whose personal information they collect, without regard to their employment status.


Image description

Image Credit: from Digital Defense Fund's Guide to Abortion Privacy.

Image description: The image is titled “Digital Security for Abortion and Pregnancy Privacy.” A white person with braces and short dark curly hair says, “Worried about someone reading your messages or browser history?” Small images provide advice. A hand holds a phone with a green lock screen displaying the word “Enter” and a dial pad. Text reads: “Use a strong PIN on your devices.” A green circle in a pink background contains an illustration of a purple mustache, black glasses, and a pink hat. Text reads: “Browse in an incognito window.” A white magician with brown hair wearing a white shirt and purple cape uses a purple wand to make a purple hat’s contents disappear. Text reads: “Turn on disappearing messages in secure messaging app like Signal.” A brown broom sweeps dust. Text reads: “Clear browsing history.” The image is signed “The Digital Defense Fund x Hazel Mead.”