Privacy Archives - Page 2 of 7 - Disruptive Competition Project

Is Drone Policy Ready to Take Flight?

by Kacee Taylor on July 22, 2016

Leaders of innovation constantly challenge the federal government to maintain pace with the rapidly developing demands of emerging technologies. A nascent area of development that has recently garnered policy and regulatory interest surrounds machines that defy gravity — drones. As previously discussed on DisCo, drone use policies have been nebulous, with the Federal Aviation Administration’s (FAA) ban on commercial use and the hovering possibility that production and sale would move overseas due to outdated and tenuous laws. Recently, regulatory agencies have shifted their views towards recreational and commercial drone use, enabling innovation to flourish under the nation’s airspace.

Last month the National Telecommunications and Information Administration (NTIA) released voluntary Best Practices for unmanned aircraft systems (UAS), focusing on privacy, transparency, and accountability. These guidelines stem from a presidential memorandum last year requesting a policy-by-design approach to address issues related to the private and commercial use of UAS. Shortly thereafter, the FAA announced Rule 107, which regulates the operation of routine commercial drones.

NTIA’s best practices are “intended to encourage positive conduct that complements legal compliance” in an effort to support active growth within industries. The main points, containing similar language to two legislative bills introduced in 2013, include provisions that encourage UAS operators to “inform affected persons of UAS use and the collection of data; take care in the collection and storage of information that identifies a particular person; limit the use and sharing of such data; secure data; and monitor and comply with the law as it evolves.” The major exception stated in the best practices is for news reporters and newsgathering organizations. The public benefit of reporters’ First Amendment rights is seen as too valuable to restrict the capture, storage, retention, and use of data or images in public spaces via UAS.

These voluntary best practices and new FAA regulations are small steps towards shaping the legal landscape for new technology, and generally speaking, show that regulators are receptive to the exploration of drone technology in the private sector. This responsiveness encourages further conversations on the policy questions that remain in the jetstream that relate to data and privacy.

Europe drifts further into data isolation…

by Christian Borggreen on June 8, 2016

Europeans could be in for an unfortunate surprise as their data transfers to the world begin to look like a thing of the past.

Globalisation and digitisation have made Europe a leading global exporter of digitally delivered services. European firms, ranging from energy companies to truck manufacturers, rely on global information exchanges to monitor machine performance, enhance security, manage global value chains, and more.

Europe’s legal framework for data transfers, however, was written in the early 1990s, before the Internet revolution and the rise of data global flows. In consequence, the EU has since the 1990s had restrictions in place for the transfer of personal data, which is only allowed under a few legal exceptions.

One of the legal tools for data transfers was the EU-U.S. Safe Harbour framework. This mechanism enabled thousands of European and U.S. companies to transfer commercial data, such as payroll data, from the EU to the U.S. The EU and U.S. negotiators were on track to finalise an updated and strengthened framework when the Court of Justice of the EU (CJEU) struck down the old Safe Harbour in October 2015.^[1]

Since then, EU and U.S. negotiators have significantly revised the text (re-named “Privacy Shield”) and are working to finalize a far more robust set of obligations on companies that sign up to the framework. In a few weeks a group of EU Member States (the “Article 31 Committee”) is slated to vote on Privacy Shield, which will clear the way for it to be officially adopted.

Back when the CJEU invalidated Safe Harbour, I warned that other EU legal tools could be questioned and also invalidated by the EU’s highest court. This dangerous game of dominoes is now materialising.

The Supreme Court clarifies digital privacy harms in Spokeo v. Robins

by Bijan Madhani on June 6, 2016

The Internet is all about sharing. We share memes with our friends on Facebook, messages with our coworkers on Slack, and 140 characters of witty repartee with the public on Twitter. These platforms are fueled by data, which allows providers to better tailor their services to our desires and develop new, innovative ways for us to create, interact, and transact both online and in the physical world.

Other entities use data in different ways. Spokeo, a data broker, is one such entity. Spokeo collects, collates, and cross-references publicly available data from a variety of databases, and presents that information in profiles about individuals, basic details of which it then makes freely available, with greater detail available to interested parties for a fee. Spokeo’s services, though very different from the consumer-facing platforms we enjoy every day, can help illustrate a key distinction in the ever-shifting balance between consumer privacy and innovation online.

Last month, the Supreme Court ruled in Spokeo, Inc. v. Robins that Robins, whose Spokeo-generated online profile contained inaccurate information, failed to meet minimum constitutional requirements to show harm in order to have standing to bring a case when alleging that Spokeo willfully failed to comply with the compliance requirements of the Fair Credit Reporting Act (FCRA) in making an inaccurate profile available to its users.

Sharing isn’t caring: Online Security, Responsibility and You

by Frances Robinson on January 19, 2016

Imagine if a friend casually dropped into conversation that they left their shiny new car unlocked, because it made getting into it easier. Or a company decided to stop locking its offices because it was too much of a faff to make sure they had enough keys for all their employees. Your jaw would hit the floor. But take the same approach to online security and you’re lovably flaky, or perhaps inventing a new lifestyle trend.

In a piece in The Guardian to promote her new book, Sarah Knight explains how she went from feeling “overextended and overburdened by life” to happiness by learning not to care what others think. While that’s a brilliant idea when it comes to dutiful, resentful attendance at social occasions she also added this gem to her list of things not to care about.

“Passwords. I used to feel so much anxiety about personal security, but then I read a number of articles by experts that suggest we’re all one pimply Slavic teenager away from getting hacked anyway, so I thought, maybe I could just use the same password for everything. Would it really matter?”

Yes, Sarah, yes it would. I too have read a number of articles by experts and they all suggest — without indulging in any lazy stereotyping about what hackers look like — that having different passwords, or using a password manager, is actually super important.

This ‘oh but it’s so complicated to remember my passwords’ attitude is particularly prevalent amongst journalists, writers and creative people in general, which is ironic, because if you’re that creative, surely you could create some catchy new passwords?

What a safer Safe Harbour could look like

by Christian Borggreen on January 12, 2016

EU and U.S. negotiators are working against the clock to agree on a new and strengthened framework for transatlantic data flows by the end of January. This is the deadline provided by European data protection authorities after which they could start procedures against companies still relying on the old framework invalidated by the Court of Justice of the European Union (CJEU).^[1]

A halt to commercial data transfers between the EU and the U.S. could severely damage our economies, worsen the transatlantic partnership and fragment the global Internet.^[2] Negotiators are therefore scrambling to agree on a new framework that addresses the CJEU’s points of criticism.

So what should a new and improved Safe Harbour framework look like? Here are some ideas:

A streamlined and transparent framework

The main advantage of the original Safe Harbour was that it was a streamlined and cost-effective framework. Other types of transfer mechanisms exists, but they are costly, bureaucratic, limited in use, or take time to put in place. The main feature of Safe Harbour is the concept of companies’ self certification. These are binding legal commitments which are fully transparent to the public. Small- and medium-sized enterprises (SMEs), which constituted 60% of Safe Harbour companies, particularly benefitted from the framework.^[3]

Is Europe drifting into data isolation?

by Christian Borggreen on December 1, 2015

In October the European Court of Justice invalidated the 15 year old “Safe Harbour framework” which enabled commercial data to flow between Europe and the United States. This ruling was groundbreaking as it sets in motion a domino effect which, unless addressed, may entail serious, uncomfortable consequences for Europe. Let me guide you through this domino effect towards data isolationism and finally point out some possible solutions.

That Viral Facebook Notice Is Still Meaningless – Why That’s Good for Users

by Matt Schruers on September 30, 2015

By now you’ve probably seen an article or five taking down the viral Facebook “notice” appearing in people’s feeds, which purports to revoke rights from Facebook regarding one’s Facebook feed content and data (e.g., Jeff John Roberts here, or Caitlin Dewey here). This hoax reappears on Facebook with the regularity of some astronomical phenomenon, and is regularly debunked. But like a horror movie villain, it keeps coming back.

It is one thing to understand that this notice is ineffective. However, it is worth having a clear explanation why such unilateral proclamations aren’t enforceable for when this thing comes back again in six months dressed up with even more preposterous legal incantations citing the Rule Against Perpetuities.

More to the point, the fact that such a declaration is irrelevant actually turns out to be a pretty good thing for Internet users.

One version of the viral message is reproduced here.

Blast from the Past: Learning Lessons From Previous Panics Over Ubiquitous Strong Encryption

by Bijan Madhani on September 10, 2015

Over the past several months, the tech industry has been experiencing a terrible bout of déjà vu. In a campaign led by FBI Director James Comey, law enforcement and intelligence community voices have argued against the proliferation of ubiquitous strong encryption in consumer devices and communication platforms. By ubiquitous strong encryption, I mean both the expanded availability of device encryption for smartphones, and end-to-end encryption of communications protocols with only the sender and recipient (but no third parties) holding keys.

This sort of strong encryption has proliferated for a variety of reasons. Hacks and data breaches are larger, more consequential, and more prevalent than ever. The last two years have also been marked by controversy over widespread government surveillance in the U.S. and elsewhere. These circumstances have caused consumers to demand, and technology companies to develop, the tools to protect sensitive personal and financial information from those who consumers would prefer not have access.

Naturally, the renewed focus on product and platform security on behalf of consumers has led to conflict between the tech industry and law enforcement. Governments fear “going dark”—the idea that there will be some set of encrypted communications and content that they will not be able to access even after having obtained the necessary legal process to seek that information, which in the U.S. usually means a search warrant.

If “going dark” sounds somewhat familiar, that’s because these are largely the same fears that led to the first “Crypto Wars” in the United States.

Governments should resolve, rather than create, new conflicts of privacy laws

by Christian Borggreen on September 8, 2015

The cross-border nature of the Internet disrupts the traditional notion of geographically defined national jurisdictions. Increasingly, contradicting privacy laws confuse consumers and force international companies to violate one country’s law in order to comply with another’s.

Three high profile cases have privacy experts, and all the rest of us, really confused:

Case one: The European Parliament vs The U.S. Foreign Intelligence Surveillance Act (FISA)

The European Union is in its final stretch of agreeing a reformed data protection framework. In the frenzy following the Snowden revelations, the European Parliament (EP) looked for ways to force the U.S. Government to reform its surveillance practices. One means for doing so is a well-intended article in the proposed EU general data protection regulation, which is popularly known as the “anti-FISA clause.” This provision, Article 43a, would severely limit the circumstances under which a company is allowed to provide third country authorities with Europeans’ data. Today, companies are often asked to respond to requests for data to be used in a criminal investigation or by a regulatory authority acting in the public interest, e.g., from third countries’ consumer and environmental agencies. As EU negotiators are about to conclude the data protection regulation, it is becoming evident that the EP’s proposal would place companies in legal limbo due to contradictory EU and U.S. laws.

Facial Recognition: Identifying Friends and Foes

by Chelsea Reckell and Bijan Madhani on August 6, 2015

There’s been a lot of buzz lately around facial recognition and what exactly that means to consumers. When the average consumer thinks of facial recognition technology, a Jason Bourne-esque scenario probably comes to mind, with high-tech devices constantly scanning crowds, identifying individuals, accessing vast databases, and using that recognition information to some nefarious end. Present use of facial recognition technology is far more benign and useful to consumers than some would have you think. The emergence of new photo sharing and storage apps like Google Photos and Facebook’s Moments demonstrates that current facial recognition tools are better suited to helping users categorize and share their photos, rather than populating an ominous law enforcement or commercial database. As such innocuous uses of facial recognition become more and more common, consumers’ comfort with and understanding of the technology will grow correspondingly. The next step is ensuring that privacy-focused regulators and legislators are able to develop frameworks that enable this growth and adapt as consumer expectations and facial recognition technology change.

The Google Photos app was recently released as a tool to streamline the photo backup and sharing process. It boasts free and unlimited photo storage and aims not only to keep similar events grouped together, but also to scan, identify, and easily share different photo subjects with others. Part of the identification process involves scanning and recognizing people, places, and things. However, the app doesn’t see faces in the same way humans do. Humans see faces and recognize specific people, whereas a computer scans an image and recognizes colors, patterns, and shapes. This process is called facial detection. Facial recognition is one step above facial detection in that it compares “known faces” or patterns to newly uploaded faces to see if there is a probable match.

Facebook’s Moments utilizes similar technology. Moments is a recent app that was launched to help organize and share photos with frequently photographed friends. When photos are uploaded to the app, Facebook’s technology scans for a face in the photo. If there is a face, then the app compares features and patterns of your profile picture and other tagged pictures to the newly uploaded photo. Like Google Photos, Moments looks for unique characteristics and patterns, such as the shape of your face or distance between facial features, to recognize and connect profiles. In essence, both apps use algorithms to create a system of recognizable models or templates for comparison, rather than referring to an on-file photograph. This pattern of connecting and “recognizing” faces creates tag suggestions of the subjects of the uploaded photo—but only if the photo uploader and picture subjects are friends.

Both apps are a win for consumers. The idea is that quick recognition helps streamline the social sharing process for group events. Whereas people once might have followed a social event like a wedding or reunion with an endless email chain of shared pictures (or exchanged CDs or flash drives), users can instead allow Google Photos or Moments to group and categorize photos into events based on the subjects of the photos and additional metadata. Given that social networking sites and mobile devices are already the chief digital photo curation tools used by consumers, extending their existing functions via facial recognition-based apps seems like the sort of harmless, pro-consumer innovation that ought to be encouraged.

← NEWER ENTRIES

OLDER ENTRIES →