Privacy News: January 12

President Biden weighs in, facial recognition in Iran, ISO adopts Privacy by Design, details on the big EU decisions against Facebook and Instagram, Medium on Mastodon ... and more!

Opinion | Republicans and Democrats, Unite Against Big Tech Abuses

Joe Biden on The Wall Street Journal (wsj.com)

President Biden calls on Congress to "find common ground on the protection of privacy, competition and American children."  I certainly agree with his framing that "the risks Big Tech poses for ordinary Americans are clear," and at in principle I even agree with his three recommendations.  Congress should pass "serious federal protections for Americans’ privacy," algorithmic regulation, and laws to rein in anti-competitive behavior.  And the draft AI Bill of Rights and the FTC's proposed rulemaking on Commercial Surveillance is developing new privacy rules for commercial data are both important developments.

However, Biden also says we must "fundamentally reform Section 230 of the Communications Decency Act," and in December Biden backed the well-intentioned but harmful Kids Online Safety Act (KOSA) instead of pushing for antitrust legislation that would have reined in big business.  And while I'd be overjoyed if he starts pushing to strengthen the proposed American Data Privacy Protection Act (ADPPA), right now despite its bipartisan sponsorship it's a giveaway to the big tech companies he claims to want to do something about.  So, we shall see.

Iran Says Face Recognition Will ID Women Breaking Hijab Laws

Khari Johsnson on WIRED (wired.com)

Iranian women are baring their heads to protest government controls. A top official said algorithms can identify anyone flouting dress codes.  Johnson's reporting is always solid; he quotes Mahsa Alimardani on the digital surveillance systems Iran’s government (like China's and the US's) has spent years building, Freedom House research analyst Cathryn Grothe, and former US State Department surveillance expert Steven Feldstein (author of The Age of Digital Repression)

Privacy by Design to become an ISO standard next month

Howard Solomon on IT World Canada (itworldcanada.com)

Fourteen years after being introduced by Canadian privacy commissioner Anne Cavoukian, Privacy by Design (PbD) is about to become an international privacy standard for the protection of consumer products and services.

Adoption by the ISO “gives life to operationalizing the concept of Privacy by Design,” said Cavoukian, “helping organizations figure out how to do it. The standard is designed to be utilized by a whole range of companies — startups, multinational enterprises, organizations of all sizes. With any product, you can make this standard work because it’s easy to adopt. We’re hoping privacy will be pro-actively embedded in the design of [an organization’s] operations and it will complement data protection laws.”

EU's Facebook and Instagram decisions

Major EU privacy decisions against Meta’s legal basis for ads raise fresh complaints

Natasha Lomas on TechCrunch (techcrunch.com)

If you want to dig into the details of the major decisions requiring Facebook and Instagram to get opt-in consent to personal data for behavioral advertising requires, you're in luck!  Privacy rights group noyb, published the 188-page Facebook decision here and the 196-page Instagram decision here.  

Facebook and Instagram decisions: “Important impact on use of personal data for behavioural advertising”

European Data Protection Board (edpb.europa.eu)

The European Data Protection Board, which overruled the Irish Data Protection Commission's much-friendlier-to-Meta draft ruling, has a press release out as well as their Binding Decisions.

Also ...

• VIDEO: Unpacking DPC Ireland's Meta decisions: AdTech and beyond, hosted by IAPP  on LinkedIn
• What the DPC-Meta decision tells us about the EU GDPR dispute resolution mechanism, Isabelle Roccia on International Association of Privacy Professionals (iapp.org)

Mastodon

Medium embraces Mastodon

Tony Stubblebine, Medium (medium.com)

Medium has raised well over $100 million in venture funding since Twitter founders Ev Williams started it a decade ago, trying and abandoning many different business models.  Now, they're setting up a Mastodon instance at me.dm. In his opinion post, CEO Stubblebine writes:

Mastodon is an emerging force for good in social media and we are excited to join this community.

The 19th CTO Ben Werdmuller sees this as a really great thing:

1. It's an endorsement of the platform. In particular, the statements from Twitter co-founders are great.
2. Medium will put resources behind maintaining a well-run community.
3. It's not trying to own Mastodon - it's participating like everyone else.
4. Other startups, newsrooms, etc, will take note and join in.
5. It'll bring people in too.
5. Should it close in the future, Mastodon already has the concept of portable identities.

However, the sentiment is far from universal.  In a poll by happyborg, a quarter of the respondents to date support defederating commercially-owned instsances such as me.dm.  

In Flocking to Mastodon?, I noted that Mastodon has historically been anti-ad, anti-surveillance, anti-influencer, and anti-large corporations and that we should expect culture clashes.  It wouldn't surprise me if the "fediverse" (the decentralized network-of-networks that Mastodon and compatible software are part of) will split into a "corporate fediverse" and an "indie fediverse."  We shall see!

And ...

Engage and Evade

Asad L. Asad on Princeton University Press (press.princeton.edu)

How everyday forms of surveillance threaten undocumented immigrants—but also offer them hope for societal inclusion

Privacy and/or Trade

Anupam Chander on The University of Chicago Law Review (lawreview.uchicago.edu)

A Police App Exposed Secret Details About Raids and Suspects

on WIRED (wired.com)

SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible.

Roomba testers feel misled after intimate images ended up on Facebook

Eileen Guo on MIT Technology Review (technologyreview.com)

An MIT Technology Review investigation recently revealed how images of a minor and a tester on the toilet ended up on social media. iRobot said it had consent to collect this kind of data from inside homes—but participants say otherwise.

EU Tells TikTok Chief To Respect Data Privacy Laws

EduardKovacs on SecurityWeek.Com (securityweek.com)

The European Union warns online giant TikTok to respect EU law and ensure the safety of European users’ data, as the video-sharing app’s CEO met with top officials in Brussels.

EU data protection supervisor warns on migrant privacy rights

Alessandro Mascellino on BiometricUpdate.com (biometricupdate.com)

Wiewiórowski says that people reaching EU borders seeking international protection are required to provide personal data in order to gain access.

Age verification law for adult websites comes with privacy, technical concerns

Piper Hutchinson on Louisiana Illuminator (lailluminator.com)

Users of adult websites voiced concerns on social media about a new law requiring age verification for pornography websites

Boffins break VoLTE privacy in LTE and 5G networks

Thomas Claburn on The Register (theregister.com)

Call metadata can be ferreted out

Apple Faces Second Class-Action Suit Over Privacy After Gizmodo Story

The A.V. Club on Gizmodo (gizmodo.com)

Tests showed Apple collects data even when its own settings promise not to. Two lawsuits and several months later, the company hasn’t answered any questions.

The foundation: Inside the LAPD’s secretive, multimillion-dollar private funding arm

Kevin Rector on Los Angeles Times (latimes.com)

A Times investigation reveals how LAPD officials work with the Los Angeles Police Foundation to solicit private funding for the public agency.

Breaking down enforcement of Meta’s legal basis for personalized ads

on International Association of Privacy Professionals (iapp.org)

The Irish DPC’s decision on Meta’s personalized advertising model highlights disagreements between regulators and raises uncertainty around GDPR compliance.

Are Quantum Computers about to Break Online Privacy?

Davide Castelvecchi,Nature magazine on Scientific American (scientificamerican.com)

A new algorithm is probably not efficient enough to crack current encryption keys—but that’s no reason for complacency, researchers say

Louisiana's new porn law carries user privacy risks

Andrew Limbong and Jason Kelley on Northern Public Radio (northernpublicradio.org)

Louisiana's new Act 440 requires people visiting porn sites to hand over information from your driver's license or other government ID to a third-party website to make sure they're of legal age.  What could possibly go wrong?  EFF's Kelley highlights some of the privacy issues this brings up.

South Carolina Weighs In; Privacy Rights in the Wake of Dobbs

Mark Ashton on JD Supra (jdsupra.com)

Yesterday, the Supreme Court of South Carolina offered its response to the decision last June by the U.S. Supreme Court in Dobbs v. Jackson Women’s...

Colorado AG Updates Draft Rules for Colorado Privacy Act

Linn Freedman on JD Supra (jdsupra.com)

Colorado Attorney General Phil Weiser’s office recently published an updated version of the draft rules governing the Colorado Privacy Act, which goes...

In Consumer Tech, Privacy Is A Distant Concern

AdExchange (adexchanger.com)

Consumer tech startups at CES last week seemed blissfully unaware of privacy concerns.

Walmart Slammed for Delivery Service That Critics Say Violates Privacy

Zachary Mack on Yahoo Life (yahoo.com)

Drone delivery, what could possibly go wrong?

Australian Government Serious About Data Privacy: Substantial Increases in Fines and Enhanced Regulatory Powers

Daniel Moloney on JD Supra (jdsupra.com)

Following a number of high-profile cyber incidents resulting in significant data breaches, the Australian Government has doubled down on its efforts to strengthen privacy laws and cybersecurity resilience, passing the most significant reforms to the Privacy Act 1988 (Cth) ("Privacy Act") since the introduction of the notifiable data breach scheme in 2017, as well as announcing that it will soon begin consulting on a revised Cybersecurity Strategy for 2023–2030.

Demystifying the cookieless future: looking ahead to a new era of privacy

Federico D’Uva on The Drum (thedrum.com)

Rawnet’s Federico D’Uva argues that marketers are missing the point of phasing out cookies, suggesting that now’s the time to reassess how (and why) we exchange data.

Image Credit: Privacy by Nick Youngson CC BY-SA3.0 Alpha Stock Images via picserver.org.