Common Sense Media Student Privacy Summit All About Self-Regulation

The biggest takeaway from Common Sense Media’s School Privacy Zone Summit was, in the words of U.S. Secretary of Education Arne Duncan, that “privacy needs to be a higher priority” in our schools.  According to Duncan, “privacy rules may be the seatbelts of this generation,” but getting these rules right in sensitive school environments will prove challenging.  As the Family Educational Rights and Privacy Act (FERPA), one of the nation’s oldest privacy laws, turns forty this year, what seems to be apparent is that are schools lack both the resources and training necessary to even understand today’s digital privacy challenges surrounding student data.

Dr. Terry Grier, Superintendent of the Houston Independent School District, explains that his district of 225,000 students is getting training from a 5,000 student district in North Carolina.  The myriad of different school districts, varying sharply in wealth and size, has made it impossible for educators to define rules and expectations when it comes to how student data can be collected and used.

Moreover, while privacy advocates charge that schools have effectively relinquished control over their students’ information, several panelists noted that we haven’t yet decided who the ultimate custodian of student data even is.  One initial impulse might be to analogize education records to HIPAA health records, which belong to a patient, but Cameron Evans, CTO of education at Microsoft, suggested that it might be counterproductive to think of personalized education data as strictly comparable to individual health records.  On top of this dilemma, questions about how to communicate and inform parents have proven difficult to answer as educational technology shifts rapidly, resulting in a landscape that one state educational technology director described as the “wild wild west.”

There was wide recognition by both industry participants at the summit and policymakers that educational technology vendors need to establish best practices – and soon.  Secretary Duncan noted there was a lot of energy to address these issues, and that it was “in the best interest of commercial players to be self-policing.”  The implication was clear: begin establishing guidelines and helping schools now or face government regulation soon.

The Cost of Counterterrorism Review

My synopsis of Laura Donohue’s The Cost of Counterterrorism: Power, Politics, and Liberty is now up on the JustSecurity blog.  A couple of quick thoughts on the book:

First, it was impossible not to read in various Snowden revelations throughout the book.  It read very much like a prelude to all of the different programs and oversight problems we have learned about over the past year, which suggests that Snowden’s leaks really just confirmed what security critics were already surmising.  Further, considering the book was release right at the start of the smartphone explosion and the rise of “Big Data,” it’s fascinating to see how Professor Donohue talked about the capabilities of these technologies.

Second, my major criticism of the book is that it reads like a bunch of law review articles duct-taped together.  This may speak volumes for how legal scholarship is produced, or how many non-fiction books are collections that build upon a certain idea or original essay. Regardless, it was impossible not to notice how jarring portions of the book were.  Professor Donohue’s overall framework is to compare the national security regimes of the United States with the United Kingdom, and this leads to chapters that bounce from the Irish Troubles to American military policy in Iraq.  The comparison doesn’t always hold, and it some spots feels unwarranted.

Average Folks and Retailer Tracking

Yesterday evening, I found myself at the Mansion on O Street, whose eccentric interior filled with hidden doors, secret passages, and bizarrely themed rooms, seemed as good as any place to hold a privacy-related reception. The event marked the beta launch of my organization’s mobile location tracking opt-out.  Mobile location tracking, which is being implemented across the country by major retailers, fast food companies, malls, and the odd airport, first came to the public’s attention last year when Nordstrom informed its customers that it was tracking their phones in order to learn more about their shopping habits.

Today, the Federal Trade Commission hosted a morning workshop to discuss the issue, featuring representatives from analytics companies, consumer education firms, and privacy advocates. The workshop presented some of the same predictable arguments about lack of consumer awareness and ever-present worries about stifling innovation, but I think a contemporaneous conversation I had with a friend better highlights some of the privacy challenges mobile analytics presents.  Names removed to predict privacy, of course!

Technology Policy Institute Tackles Big Data

A recent paper by the Technology Policy Institute takes a pro-business look at the Big Data phenomenon, finding “no evidence” that Big Data is creating any sort of privacy harms.  As I hope to lay out, I didn’t agree with several of the report’s findings, but I found the paper especially interesting as it critiques my essay from September’s “Big Data and Privacy” conference.  According to TPI, my “inflammatory” suggestion that ubiquitous data collection may harm the poor was presented “without evidence.” Let me first say that I’m deeply honored to have my writing critiqued; for better or worse, I am happy to have my thoughts somehow contribute to a policy conversation.  That said, while some free market voices applauded the report as a thoughtful first step at doing a a Big Data cost-benefit analysis, I found the report to be one-sided to its detriment.

As ever in the world of technology and law, definitions matter, and neither myself nor TPI can adequately define what “Big Data” even is.  Instead, TPI suggests that Big Data phenomenon describes the fact that data is “now available in real time, at larger scale, with less structure, and on different types of variables than previously.”  If I wanted to be inflammatory, I would suggest this means that personal data is being collected and iterated upon pervasively and continuously.  The paper then does a good job of exploring some of the unexpected benefits of this situation.  It points to the commonly-lauded Google Flu Trends as the posterchild for Big Data’s benefits, but neglects to mention the infamous example where Target was able to uncover a teenage customer was pregnant before her family.

At that point, the paper looks at several common privacy concerns surrounding Big Data and attempts to debunk them. Read More…

Recapping EPIC’s Failing the Grade Educational Privacy Event

The arrival of new technologies in the field of education, from connected devices, student longitudinal data systems, and massive open online courses (MOOCs) present both opportunities and potential privacy risks for students and educators.  As part of my work at the Future of Privacy Forum, I have started surveying the issue of privacy in education, and early, anecdotal conversations suggest a pressing need for more education and awareness among all stakeholders.  With that in mind, I was pleased to see the Electronic Privacy Information Center (EPIC) host an informative discussion on education records and student privacy.

The focus of the discussion was on the growing “datafication” of student’s personal information.  Sen. Edward Markey (D-Mass), who has been active in the field of children’s privacy, opened the event with an introduction to the topic area.  In addition to discussing his Do Not Track Kids legislation, which would extend COPPA-type protections to 13, 14, and 15 year-olds, the Senator highlighted his new student privacy legislation.  The goals of the legislation were explained as follows:

  1. Student data should never be available for commercial purposes (focus on advertising);
  2. Parents should have access and rectification rights to data held by private companies, similar to what is afforded for records held by schools;
  3. Safeguards should be put in place to ensure that there are real protections for student records held by third parties; and
  4. Private companies must delete information that they no longer need. Student records should not be held permanently by companies, only by parents.

The panel itself featured Marc Rotenberg and Khaliah Barnes of EPIC; Kathleen Styles, Chief Privacy Officer at the Department of Education (DOE); Joel Reidenberg of Fordham Law School; Deborah Peel of Patient Privacy Rights; and Pablo Molina, Chief Information Officer at Southern Connecticut State University.

Read More…

National Security Journalism: From Watchdog to Lapdog

In 2011, as I was wrapping up law school, I wrote a lengthy, ranting paper about the problems watchdog journalism faced in effectively reporting about national security and foreign affairs.  Fueled by a combination of a course on media law, a recent set of disclosures by WikiLeaks, and an unhealthy amount of Sunday morning talk show viewing, I blamed the “systemic professionalization” of our major media for weakening the press’ watchdog function vis-a-vis government.  Specifically, I argued that objectivity in journalism had the unintended consequence of making major media extremely susceptible to having its coverage of foreign affairs and national security issues in general manipulated by outside actors, especially the government.

A combination of cost-cutting and the twenty-four hour news cycle has forced the media to rely on information provided directly from government officials, and this sort of access has become arguably as valuable as rigorous documentation, critical analysis, or investigations. This leads to an outcome where government becomes the arbiter of what news the public gets to learn.  Over time, my thinking was that reliance on government for the story indirectly reduces the press’s credibility. Since government briefings have become notoriously managed and “spun,” the perverse result is that government information is often considered more reliable or more truthful if it given anonymously and off-the-record, which produces the deluge of anonymous sourcing we see in the media today.

It is my belief that one of the key values of a free press is to serve as a check on government action, but when this sort of government access is combined with a slavish devotion to objectivity, it has the unintended consequence of making our watchdog press more a neutral arbiter than an antagonistic body that oversees government behaviors. Cloaked in secrecy, national security issues provide government officials with an opportunity to shape reality as they wish it — as we have seen repeatedly over the last year.  I.F. Stone one famously stated that “every government is run by liars and nothing they say should be believed,” but how often do our most esteemed journalists dare call a politician’s lie a lie?

In 1947, the Commission on Freedom of the Press suggested that market forces and citizen efforts could be used to improve the media’s watchdog capability.  When I wrote this paper in 2011, I concluded that this casual observation may be more feasible now than six decades ago due the rise of so-called new media. Collaborative journalism is on the rise:

Reporting is becoming more participatory and collaborative. The ranks of news gatherers now include not only newsroom staffers, but freelancers, university faculty members, students, and citizens. Financial support for reporting now comes not only from advertisers and subscribers, but also from foundations, individual philanthropists, academic and government budgets, special interests, and voluntary contributions from readers and viewers. There is increased competition among the different kinds of news gatherers, but there also is more cooperation, a willingness to share resources and reporting with former competitors.

Maybe now the solution is the professionalize the blogosphere?

In any event, doesn’t this entire enterprise of collaborative journalism sound like exactly how this past year’s reporting on NSA surveillance has been carried out?  Glenn Greenwald is, in the best sense of the word, a blogger by tradition, and numerous organizations, from establishment media to ProPublica and independent researchers like Ashkan Soltani, have brought information to the public.  In the coming year, Greenwald has teamed with billionaire Pierre Omidyar to launch First Look Media.

I had largely forgotten about the paper, but considering its the new year, I thought it worth something to share publicly.  Please feel free to read and criticize — that’s what being a watchdog is all about!

The Supreme Court’s Say on Surveillance?

Big national security news yesterday: a federal court judge has ruled that the NSA’s Section 215 metadata collection program is an unconstitutional violation of the Fourth Amendment.  TechDirt has a great wrap-up of Judge Leon’s opinion, but more than the excellent legal analysis on display, the case is one of the first big demonstrations of how the federal judiciary is being brought into the surveillance discussion post-Snowden.  The secretive structure of FISA Court, and the difficulty – if impossibility – of getting those cases into the Supreme Court or out into the sunshine made it very easy for the the courts to avoid judging the constitutionality of broad government surveillance.

Just last year in Clapper v. Amnesty International, the Supreme Court was able to side-step today’s question by holding that a group of international lawyers and journalists had no standing to challenge the FISA Amendments Act of 2008 because they could prove no harm.  The narrow majority deferred to the FISA Court’s ability to enforce the Fourth Amendment’s privacy guarantees, an assertion that has proven to be ridiculous. Snowden’s revelations have changed Clapper‘s standing equation, and this may force the Supreme Court’s hand.

After today, it appears all three branches of government may have a say in the future of the Fourth Amendment, and it seems likely they won’t be in agreement.  Involving the Third Branch in an active dialog about surveillance is essential not only because it can clarify the scope of Fourth Amendment but also because it may be in a position to break a separation of powers stalemate between Congress and the President.  In the end, the steady stream of lawsuits challenging the NSA’s activities may end up having a bigger legal impact than any congressional theatrics.

Read More…

Future of Privacy Forum Releases US-EU Safe Harbor Report

Today, some four months after we first announced it, my organization put out our Safe Harbor Report on the effectiveness of the U.S.-EU Safe Harbor in protecting EU citizen privacy and promoting trans-Atlantic data transfers.  That’s something of a mouthful, but I’m proud of my contributions to the report, which include the paper’s discussions on enforcement, government access to information (e.g., NSA activity), and some of the recommendations and case studies.  I now know entirely too much about trans-Atlantic data transfers under the program, so here’s hope the European Union doesn’t and suspend the Safe Harbor now!

Europe Misdirects Rage on the US Safe Harbor

This morning, the European Commission released its report on the state of the US-EU Safe Harbor, a mechanism that provides for international data transfers, proposing a series of recommendations designed “to restore trust in data flows between the EU and the U.S.”  Europeans have long been critical of the Safe Harbor — and America’s free-wheeling attitude toward privacy in general — but the Summer of Snowden provided a perfect pretext to “reconsider” the efficacy of the Safe Harbor.

America’s hodgepodge or “sectoral” approach to privacy has increasingly placed U.S. officials on the defensive, and there’s no question the Safe Harbor can be improved.  However, conflating Safe Harbor reform with justified anger about expansive NSA snooping is counterproductive.  First and foremost, while public and private data sharing is increasingly intermingled, government access to data is not the same as commercial data use.  The Safe Harbor was explicitly designed to protect the commercial privacy interests of EU citizens.

It was not created to address national security issues, and the Safe Harbor specifically provides an exception from its requirements “to the extent necessary to meet national security, public interest, or law enforcement requirements.”  As FTC Commissioner Julie Brill has noted, national security exceptions to legal regimes are not unusual.  For example, the HIPAA Privacy Rule permits the disclosure of private health information in the interest of national security, and even the EU’s stringent Data Protection Directive includes an exception for state security or defense.

Read More…

From Collected Criticism to “Slamming” an Attorney General

Last Friday, I helped draft a few thoughts on behalf of the Future of Privacy Forum regarding the New York Attorney General’s efforts to subpoena information from 15,000 Airbnb users in New York City.  We wondered about the breadth of the AG’s request, and suggested only that “wide grabs of consumer data by well-meaning regulators can have a serious impact on consumer privacy.”

Later that day, Kaja Whitehouse of the New York Post declared that FPF had “slammed” the AG, proceeding to pull some line from our “open letter” to suggest FPF was far more critical of AG than it intended–or certainly I intended.  Another victory for overstrong rhetoric against even-keeled moderation!

Ephemeral Communication and the Frankly App Podcast

My former coworker was utterly enamored with Snapchat, on the grounds that she liked being able to express herself in ways that were not permanent.  In terms of our interpersonal relationships, it used to be that only diamonds were forever — now most of our text messages are, too.

Should a simple text last forever?  Last week, I reached out to Frankly, a new text-messaging app that provides for self-destructing texts, to talk about the development of the app and the future of ephemeral communication.

Click on the media player above to listen, or download the complete podcast MP3 here.

Sen. Markey’s Drone Aircraft Privacy and Transparency Act Summarized

On Monday, Sen. Markey introduced legislation designed to expand legal safeguards to protect individual privacy from invasion by commercial and government use of drones. The bill amends the FAA Modernization and Reform Act of 2012, which directed the FAA to integrate unmanned aircraft systems (UAS) into U.S. airspace by October 2015. The law, however, was silent as to the transparency and privacy implications of domestic drone use. Under pressure from advocacy groups and Congress, the FAA solicited public comment about potential privacy and civil liberties issues during its UAS test site selection process, ultimately suggesting only that UAS privacy policies “should be informed by the Fair Information Practice Principles.”

This section-by-section summary looks at how Sen. Markey’s bill would amend current law to establish national guidelines for domestic drone use.

Sec. 1 – Short Title

Drone Aircraft Privacy and Transparency Act of 2013

Sec. 2 –  Findings

The bill notes that the FAA projects that 30,000 drones could be in sky above the United States by 2020, and further, that current law provides for no explicit privacy protections or public transparency measures with regards to drone use by public or private entities.

Sec. 3 –  Guidance and Limitations for UAS

The major substance of this section details new requirements for data collection statements by commercial drone operators and data minimization statements by law enforcement. The bill’s provisions with regards to law enforcement appear to bolster significantly Fourth Amendment privacy protections. Agencies would be subject to a warrant requirement for any generalized drone surveillance absent exigent circumstances, such as (1) imminent danger of death or serious injury or (2) DHS has determined credible intelligence points to a high risk of terrorist attack. Moreover, any information collected that was unrelated to a potential exigency is required to be destroyed.

While these provide practical, procedural limitations on surveillance, the bill also forces law enforcement to consider how they plan to use drones prior to their implementation. Law enforcement offices will be required to file an explanation about any policies adopted to minimize the collection of data unrelated to a warrant-requirement, how excess data will be destroyed, and detailing any audit or oversight mechanisms. By making licenses contingent on these statements, the bill may encourage careful consideration of privacy challenges before law enforcement begins broad use of drones.

For commercial operators, the bill would prohibit the FAA from issuing licences without a statement that provides information about who will operate the drone, where the drone will be flown, what data will be collected and how that data will be used, including information about whether any information will be sold to third parties, the period for which information will be retained, and contact information to receive complaints. Depending upon how onerous these statement requirements become, this section may present some First Amendment challenges, particularly public efforts to advance newsgathering and the free flow of information.

The FAA would be charged with creating a publicly searchable website that would list all approved drone licenses, including copies of data collection or minimization statements, any data security breaches, and details about the time and location of all drone flights.

This section also calls for the Departments of Homeland Security, Commerce, and Transportation and the FTC to conduct a study to identify any potential challenges presented by drones to the OECD privacy guidelines. It would also require the current UAS rulemaking underway to take those privacy guidelines into consideration.

Sec. 4 – Enforcement

The section provides for concurrent enforcement by state authorities and the Federal Trade Commission under its Section 5 authority. It also allows for a private right of action for violations of either an entity’s data collection or data minimization statement. Remedies include equitable relief, and the greater of actual monetary damages or statutory damages of up to $1,000 for each violation.

Sec. 5 – Model Aircraft Provision

Finally, the bill provides for an exception for model aircraft.

***

Sen. Markey introduced a largely identical version of the Drone Aircraft Privacy and Transparency Act of 2013 earlier this year as a member of the House of Representative, and last year, as well.

Idealism Lost: From The West Wing to Scandal

Televised depictions of the cities in which I’ve lived have always captured my imagination — Law & Order gave me a taste of New York City long before I’d ever set foot in that city and David E. Kelley made Boston seem like it was full of diabolical whackos —  but the way Washington, D.C., is drawn on the small screen goes a long way toward justifying why I find this city so compelling.

Read More…

A Few Thoughts on Two Different Privacy “Call to Arms”

On Tuesday, author Evgeny Morozov published a provocative essay in the MIT Technology Review, arguing that today’s privacy problem is really a democracy problem.  He argues that the imagination of privacy advocates has become constrained, fixating on giving individuals more “control” over their data without considering the negative effect of information automation in general.  In a timely coincidence, FTC Commissioner Julie Brill gave a speech where she declared a “call to arms” on new thinking about how to protect privacy . . . in the realm of engineers and technologists.

Both privacy “call to arms” have me rethinking what I want from protecting my privacy.  // More on the Future of Privacy Forum Blog.

Government Shutdown and Collapse: A Constitutional Crisis Caused by Rural America

As this government shutdown has come to absorb not merely the day-to-day functioning of government but also our national health care policy and the looming debt ceiling, it becomes harder and harder not to see this episode as the beginnings of a legitimate constitutional crisis.

By all accounts, this shutdown was formally instigated by 80 Republicans House members who wanted the Speaker to more aggressively work to “defund” Obamacare.  Whatever one thinks of Obamacare, of Big Government, these Republicans are hardly representative of the public as a whole:

These eighty members represent just eighteen per cent of the House and just a third of the two hundred and thirty-three House Republicans. They were elected with fourteen and a half million of the hundred and eighteen million votes cast in House elections last November, or twelve per cent of the total. In all, they represent fifty-eight million constituents. That may sound like a lot, but it’s just eighteen per cent of the population.

I actually thought one of the big takeways from November’s election was that the United States and our public policies increasingly faces a vast landed majority that is very much a numerical minority.

Read More…

1 2 3 4 5 6  Scroll to top