California Broadband Internet Privacy Act, AB 375, Introduced

Advertising, Legislation, Online privacy, Regulation

In response to the congressional repeal of the FCC's broadband privacy rules in April 2017, California Assemblymember Ed Chau (D-Monterey Park) has introduced the California Broadband Internet Privacy Act, AB 375. The bill is modeled on the FCC regulations and includes an "Ask Me First" principle: Internet Service Providers (ISPs) may use, sell, or share identifiable customer data only if the customer opts in. Such data includes browsing history, downloaded applications, and time spent on each site. AB 375 would also prohibit ISPs from charging customers more for their privacy or penalizing those who do not consent to sharing their data. Eighteen other states, including Oregon, have introduced similar bills since the repeal. At least 25 consumer, privacy, and labor advocacy groups endorse the bill, including the ACLU of California, EFF, and the Privacy Rights Clearinghouse.

Sources: The Recorder, Consumer Federation of California

Targeted Voter Profiling in Kenya

Advertising, Online privacy, Politics, Surveillance

Privacy International is condemning Kenyan President Uhuru Kenyatta's party for hiring the Western data firm Cambridge Analytica to support his re-election bid. The firm is also tied to Donald Trump's election campaign and to the Brexit campaign. Cambridge Analytica occupies an entire floor of a building owned by Kenyatta's coalition, and it links data such as income, health status, political opinions, websites visited, and hobbies to individual voter registration records. It also builds psychometric profiles, essentially a quantification of personality (how neurotic or extroverted someone is), which are used to target political advertising at individuals, opening the door to psychological manipulation and misinformation campaigns. Privacy International argues that such individual profiling is especially dangerous in Kenya, where ethnicity remains highly political. Kenya also has no data protection law and no rules governing how data are collected, stored, and accessed, leaving this voter database, and the people in it, exposed. Privacy International has asked Cambridge Analytica to disclose its risk assessment of mass data profiling in Kenya and to explain how it will protect the privacy of the data it holds.

Sources: Privacy International, Snopes

UK Grocery Chain Fined £10,500 ($13,373) for Spamming Opted-Out Customers

Advertising, Regulation

Morrisons, a UK grocery chain, has been fined £10,500 ($13,373) by Britain's Information Commissioner's Office (ICO) for sending marketing emails to customers who had opted out of receiving email advertising from the store. The chain sent 130,671 emails to opted-out customers at the end of 2016. The emails asked recipients to change their marketing preferences so they could receive coupons and newsletters; under the Privacy and Electronic Communications Regulations (PECR), an email inviting someone to opt back in is itself a marketing message, so sending it to people who have opted out is a violation. PECR contains specific rules on marketing communications, cookies, communications security, itemized billing, and customer location data. The ICO stated that enforcing PECR through fines also helps prepare companies for the EU's General Data Protection Regulation (GDPR).

Sources: ICO, ITPro

100 Years Under the Espionage Act

Exposure, Legislation

Yesterday marked 100 years since the Espionage Act was passed on June 15, 1917. The law was created amid the widespread xenophobic and anti-immigrant sentiment of World War I, and its purpose was to tackle draft evasion and anti-state activity seen as subversive to American democracy. It was upheld in 1919 in Schenck v. United States, which held that mailing anti-draft leaflets is not protected by the First Amendment. It was upheld again the same year in Debs v. United States, which affirmed the conviction of Socialist Party leader Eugene V. Debs for a speech protesting American involvement in WWI. The Espionage Act resurfaced in the 1940s and 1950s during the Red Scare, when it was used to suppress communist and left-wing influence. Most recently it has been applied to leaks of classified government information and used to charge whistleblowers including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. The Justice Department is now considering prosecuting under the act not only individuals who leak classified information but also entities that disseminate the leaked documents, such as WikiLeaks or journalistic organizations. Supporting this development, CIA Director Mike Pompeo recently described WikiLeaks as a "non-state hostile intelligence service" that is not protected by the First Amendment.

Source: EFF

Enforcement of the EU General Data Protection Regulation (GDPR) < 1 Year Away: Are Marketers Prepared?

Advertising, Online privacy, Regulation

Short answer: No

The GDPR requires that companies have a lawful basis for processing the personal data of EU residents; for marketing, that generally means explicit, informed consent obtained before the data are collected. Personal data under the GDPR includes online identifiers such as IP addresses and cookies. The regulation is already in force, but it does not become enforceable until May 25, 2018. A survey of 250 businesses conducted by the Data & Marketing Association finds that half of companies will still not be compliant by next year's deadline.

Among the adjustments companies have to make are deleting or updating non-compliant databases of personal information, ending the use of "clickwrap" forms (lengthy terms of service that people click through quickly) as a basis for consent, and removing pre-checked consent boxes. Any business that collects information from EU residents, even one based outside the EU, must comply. The penalties are hefty: fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Source: DigiDay

MIT Study Finds Students Will Give Away Friends’ Emails for Pizza

Exposure, Online privacy, Surveys

If you were asked to provide the email addresses of your closest friends in exchange for a free pizza to share with them, would you do it?

Would you give their real emails?

A study of 3,108 MIT students (Athey, Catalini, and Tucker 2017) found that 98% were willing to give up their friends' email addresses to get the pizza, and 94% were still willing to do so with no incentive at all. Within these high percentages there is some evidence of masking. The collected addresses were checked against an MIT directory to determine whether they were real. In the group that was (at first) offered no pizza incentive, 6% provided fake addresses. To count as deliberate masking, every address a student provided had to fail to match the directory, which rules out inadvertent typos. The researchers found that offering the pizza incentive reduced the probability that a student would provide all fake addresses by 54%. There were no significant differences by gender, technology preferences, year of study, or even stated privacy preferences: students classified as "privacy-sensitive" by their reported concerns responded to the pizza incentive no differently from their peers. This is further solid evidence of the privacy paradox, that our privacy behaviors contradict our privacy attitudes.

Is the Geek Squad Spying for the FBI?

Computers, Police, Surveillance

EFF is suing the FBI under the Freedom of Information Act to obtain records on how the bureau recruits Best Buy Geek Squad employees to report illegal content on devices they take in for repair. The interest stems from a federal case in California in which Best Buy confirmed that members of its Geek Squad in Kentucky were paid for reporting customers whose devices contained child pornography. If the FBI is recruiting private-sector employees to search personal computers on its behalf, EFF argues, the result is an unlawful government search in violation of the Fourth Amendment: relying on private vendors lets the government reach data it would otherwise need a warrant to access, circumventing the traditional protections for privacy. Best Buy has stated that employees who accepted payment acted against company policy. However, when you drop a device off at Geek Squad, you sign a document acknowledging that Best Buy will turn over devices containing child pornography to the FBI. Employees are not permitted to search for such material; they must come across it while performing the service the customer requested. Court documents from the California case show suspiciously close ties between the FBI and the Geek Squad, referring to the employees as "sources." It will be interesting to see what documents EFF's FOIA suit uncovers about this cozy relationship between the FBI and private industry.

Source: SF Chronicle

Former Intelligence Director Clapper Calls for Police Access to Encrypted Data

Police, Regulation, Smartphones, Social Media, Surveillance

Former U.S. Director of National Intelligence (under the Obama administration) James Clapper spoke in Australia last week, calling on Silicon Valley to develop encryption that lets law enforcement access encrypted content when investigating crimes. He claims that technology companies have a "social responsibility" to provide this access to the government, and likened full encryption to giving a "pass" to "criminals, terrorists, rapists, murderers, et cetera." The encryption debate came to widespread public attention after the 2015 San Bernardino shooting, when Apple refused a court order to build software that would bypass the passcode protections on the iPhone 5c used by one of the shooters. The FBI sidestepped Apple by paying a third party to unlock the phone. Clapper also called for filtering out "some of the more egregious material that appears on social media." At the same time, the former intelligence chief has been outspoken in his criticism of Trump, stating last week that the Watergate scandal "pales" in comparison with Trump's pro-Russia stance in the face of evidence of Russian interference in the 2016 election.

Sources: TechCrunch, Reuters

Coats Backtracks on Promise to Provide Number of Americans Tracked by NSA

Legislation, Online privacy, Politics, Smartphones, Surveillance

Director of National Intelligence Dan Coats promised at his confirmation hearing to obtain and reveal the number of Americans whose communications are swept up by NSA surveillance. At a hearing this week before the Senate Intelligence Committee, Coats reversed course, claiming that producing such an estimate is infeasible. He argued that the estimate would itself invade privacy, because analysts would have to examine the collected communications to determine which belong to Americans. Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is used to justify "upstream" mass collection of internet communications, including email, from the network backbone, is set to expire at the end of this year, and the Trump administration wants to make the statute permanent. In a strange twist, NSA Director Mike Rogers argued this week that Section 702 surveillance allowed the NSA to generate "insights" into Russian interference in the 2016 election [what are those insights?].

Sources: ZDNet, Washington Examiner

Uber Exec Obtains Rape Victim’s Medical Records Without Consent, Is Fired

Medical Records, Smartphones

Eric Alexander, Uber's president of business in the Asia Pacific region, has been fired after a report surfaced that he obtained the medical records of a woman in India who had been raped by an Uber driver. Alexander may also face criminal charges for obtaining the records without the patient's consent and for sharing her medical information with other employees, including CEO Travis Kalanick. While Indian law on medical privacy is still developing, rules issued by the Medical Council of India require the patient's written consent and an explanation of the intended use as prerequisites for access to such records. Alexander allegedly sought the records as evidence that the victim had not really been raped and that the incident had been engineered by Ola, a ride-share competitor in India. The fallout from the initial reporting of the rape led to Uber being shut out of New Delhi for several months. This story of medical privacy invasion comes amid yesterday's firing of 20 other Uber employees following a sexual harassment investigation.

Source: The Verge