Privacy News: November 29
Killer robots, privacy after Roe, state and federal privacy legislation, and more!
It's been a week since our last news roundup, so we've got a lot of links! But first, since it's Giving Tuesday, if you're considering donating, please keep these options in mind:
- Maya Morales of WA People's Privacy is raising funds to support her local, state, and national grassroots organizing efforts. WA People's Privacy doesn't have official 501c status yet, but this people-focused grassroots organizing is a powerful complement to the work larger non-profits. Organizing & Mobilizing: What we’ve been up to in 2022! gives an overview of what WA People's Privacy has done in its first year of existence. Donate here.
- Media Justice fights for freedom from oppression and the freedom to communicate, takes on big tech's sales of data to large organizations, expose racialized disinformation and its role in the criminalization and marginalization of Black, brown and poor communities and activists, battle oppressive technologies like e-carceration, a false solution to mass incarceration ... and so much more. Donate here.
And now, on to the links!
SFPD authorized to kill suspects using robots in draft policy
Will Larsen, Mission Local (missionlocal.org)
A policy proposal heading for Board of Supervisors approval next week would explicitly authorize the San Francisco Police Department (SFPD) to kill suspects using robots. What could possibly go wrong?
“We are living in a dystopian future, where we debate whether the police may use robots to execute citizens without a trial, jury, or judge,” said Tifanei Moyer, senior staff attorney at the Lawyers’ Committee for Civil Rights of the San Francisco Bay Area. Moyer leads the organization’s work on police misconduct and militarization.
- Red Alert: The SFPD want the power to kill with robots, Matthew Guariglia on Electronic Frontier Foundation (eff.org)
- San Francisco considers allowing law enforcement robots to use lethal force, Ari Shapiro and Brianna Scott, NPR's All Things Considered
- We Can Put A Man On The Moon, But We Can’t Make Killer Robot Police?, The Onion (1997). Well, now we can ... progress, I guess.
Meta Fined $275 Million for Breaking E.U. Data Privacy Law
Adam Satariano on the New York Times (nytimes.com)
The Irish Data Protection Commissioner imposed a €265 million fine on Meta-owned Facebook and Instagram over their data scraping practices and ordered a set of remedial actions. This brings European fines against Facebook’s parent company to more than $900 million since last year. It's still just a "cost of doing business" for Facebook so far, but a billion here and a billion there, pretty soon you're talking real money!
- Meta hit with ~$275M GDPR penalty for Facebook data-scraping breach, Natasha Lomas on TechCrunch (techcrunch.com)
- Meta fined €265m by Irish watchdog for data breach, Brian O’Donovan on RTÉ (rte.ie)
- Meta sanctioned with €265m over data scraping practices, Luca Bertuzzi on EURACTIV (euractiv.com)
- Irish regulator fines Meta $275 million for violations of Europe’s data privacy law, Brian Fung on CNN (cnn.com)
- Meta Fined $277 Million for Leak of Half a Billion Users, on Slashdot (yro.slashdot.org)
- Irish Data Protection Commission's press release
Privacy after Roe
Sneaky ways cops could access data to widely prosecute abortions in the US
Ashley Belanger on Ars Technica (arstechnica.com)
Third-party data brokers give police warrantless access to 250 million devices.
‘Gap’ in App Store Rules Endanger Reproductive Data, Top Law Enforcement Chiefs Say
Dell Cameron on Gizmodo (gizmodo.com)
Nine attorneys general (including Washington's AG Ferguson) have written to Apple CEO Tim Cook urging Apple to up its privacy game in the wake of Roe's demise.
The officials are asking Cook to implement new rules on app developers requiring the deletion of non-essential data, including the location and search histories of users “seeking, accessing, or helping to provide reproductive health care.”
Additionally, the officials urged Apple to demand app makers certify they’d only disclose reproductive health data in response to a “valid subpoena, search warrant, or court order.” App makers should be required, the officials said, to provide “clear and conspicuous notices” to consumers whenever there’s a potential for such health data to be disclosed to third parties.
Top Prosecutors in CA, NY and DC Are Speaking Up For End-to-End Encryption
Joe Mullin on Electronic Frontier Foundation (eff.org)
Several states are already enforcing abortion bans, and the Brennan Center for Justice has noted more than 100 state bills that were introduced in 2022 to further limit abortion access. At the same time, many states, including California and New York, have moved to protect or expand the right to abortion access, including for out-of-state persons. In this month’s elections, voters in California, Michigan, and Vermont enshrined the right to abortion in their state constitutions.
In recent months, we’ve been pleased to see statements from attorneys general in New York, California, and Washington D.C., all advising citizens to use end-to-end encrypted services when seeking abortion services.
Federal privacy legislation
Rights groups: Kids’ online safety bill could put vulnerable teens at risk
Tonya Riley on CyberScoop (cyberscoop.com)
The groups say KOSA has laudable goals but could come with unintended consequences for vulnerable children. I discussed the letter this in yesterday's Will anything pass this session? Federal privacy legislation update , but Riley has some good perspectives – including this:
“The LGBTQ+ community is actively under attack, and it’s unthinkable that Democrats are considering advancing a bill that will further harm us and disproportionately target queer and trans young people,” Evan Greer, director of Fight for the Future, said in a statement. “Congress needs to pass real laws that rein in the abuses of Big Tech and protect everyone’s privacy and human rights rather than using kids as pawns to advance poorly drafted legislation in order to score political points.”
The letter follows reports that members of the Senate are angling to fold KOSA into either the must-pass year-end spending or defense bill. Senate Commerce Committee Chair Sen. Maria Cantwell, D-Wash., as well as bill co-sponsors Sens. Marsha Blackburn, R-Tenn., and Richard Blumenthal, D-Conn., met earlier this month with parents whose children had died in incidents tied to social media, such as cyberbullying and the purchase of fentanyl-laced drugs, in a push to pass the bill.
EARN IT Act Will Make The Internet Worse For Everyone By Undermining Privacy And Security
Tim Cushing on Techdirt (techdirt.com)
To save the children, we must destroy everything. That’s the reality of the EARN IT Act.
[G]iven the name, it seems like this would be Congress putting funding towards supporting moderation efforts that target abusive content.
But it’s nothing like that. It’s all about punishing tech companies for the acts of their users. Like FOSTA before it, the bill has zero interest in actually targeting the creators and distributors of illegal content, like child sexual abuse material (CSAM). Instead, it’s only interested in allowing prosecutors to go after the easiest entities to locate: sites that rely on or facilitate the distribution of third-party content.
- Two Things the US Should Do to Protect the Internet and the Security of Billions of People Online, Natalie Campbell and John Morris on Internet Society (internetsociety.org)
What a Republican-controlled House could mean for Silicon Valley
Brian Fung on CNN (cnn.com)
With Republicans projected to take control of the House as a result of the midterm elections, tech giants such as Amazon, Google and Meta, who’ve been in the crosshairs of Democrats in recent years, are soon set to face a very different — but no less hostile — political climate in Washington.
State privacy legislation
The Future of State Privacy Legislation After the 2022 Election
David Stauss on Byte Back (bytebacklaw.com)
Stauss looks at the impact of the midterms on some key states. Unfortunately he doesn't discuss Washington, where AG Ferguson, Rep. Slatter, Sen. Dhingra are proposing legislation to protect Washingtonians’ health data. Still, there's lots of good stuff in here. For example:
The changes in Michigan and Minnesota created Democrat trifectas with Democrat governors in control in both states. In fact, both of those states have Democrat quadfectas with Democrats retaining the state Attorney General positions in both states (see here and here). Attorney General support for a privacy bill can either significantly boost a bill’s chance of passage – as happened in Colorado and Connecticut – or create another roadblock – as has happened in Washington state.
The Minnesota and Michigan quadfectas are notable because Democrat lawmakers in those states previously proposed privacy bills. In Minnesota, Representative Steve Elkins has long been a proponent of state privacy legislation although he did not run a bill last year. In Michigan, as first reported by Future of Privacy Forum’s Keir Lamont, Democrat Senator Rosemary Bates introduced SB 1182 – the Michigan Personal Data Privacy Act – in September 2022. Democrat House members previously introduced HB 5989 in April 2022.
Massachusetts also now has a quadfecta with Maura Healey flipping the governorship to Democrat and Democrat Andrea Campbell replacing Healey as Attorney General. Last year, the Massachusetts Joint Advanced Information Technology, the Internet and Cybersecurity Committee voted a privacy bill out of committee although the bill never advanced beyond that point.
The Utah Consumer Privacy Act (UCPA) is Here
K Royal, JD, PhD on TrustArc Privacy Blog (trustarc.com)
Utah became the 4th State to pass a consumer data privacy law on March 24, 2022. What effects will the Utah Consumer Privacy Act (UCPA) have on organizations?
Mastodon’s Privacy: Who actually holds your data in Mastodon
Prashant MahajanNovember 28, 2022 on Privado (privado.ai)
Good info, but given recent vulnerabilities – including one that exposed all of the DMs on the server hosting Privado's Mastodon account – take their recommendation that "we believe that the Mastodon application is safe to use" with a grain of salt.
What Twitter Users Need To Know About Mastodon Privacy
Davey Winder on Forbes (forbes.com)
If privacy is a primary concern, what do you need to know before signing up with Mastodon? For one thing:
"I've said it before, and I'll keep on saying it until people start listening; if you want or need direct message privacy, then use a service that exists to provide it."
The case for collective action against the harms of data-driven technologies
Jef Ausloos on Ada Lovelace Institute (adalovelaceinstitute.org)
To what extent are the GDPR’s data rights an effective tool for enabling collective action?
Tax filing websites have been sending users’ financial information to Facebook
Colin Lecher, Angie Waller, and Simon Fondrie-Teitler on The Verge (theverge.com)
The Markup found that tax preparation services including TaxAct, TaxSlayer, and H&R Block have sent users’ personal financial information to Facebook through the Meta Pixel.
Content governance declaration in times of crisis
Marwa Fatafta on Access Now (accessnow.org)
This new content governance declaration lays out principles for social media platforms to help ensure human rights in crises.
Enigma 2023 Conference Program
on USENIX (usenix.org)
Enigma 2023 will take place January 24–26, 2023, at the Hyatt Regency Santa Clara in Santa Clara, CA, USA. Enigma centers on a single track of engaging talks covering a wide range of topics in security and privacy. to clearly explain emerging threats and defenses in the growing intersect…
Facial recognition technology ‘inappropriate for policing,’ say privacy rights advocates
Simon Carswell on The Irish Times (irishtimes.com)
Irish Council for Civil Liberties and academics raise concerns about plans for law to enable technology that is banned for policing in other countries
The Exploited Labor Behind Artificial Intelligence
Adrienne Williams on NOEMA (noemamag.com)
Supporting transnational worker organizing should be at the center of the fight for “ethical AI.”
Privacy Act reforms
Salinger Privacy on salingerprivacy.com.au
The Privacy Act is under review, with significant proposals for reform being considered by the Australian Government. The first tranches of reforms are imminent, while others are likely to land in 2023. Salinger Privacy know-how will guide you through.
FCC bans import, sale of certain Chinese tech over ‘unacceptable risk to national security’
Adam Barnes on The Hill (thehill.com)
The Federal Communications Commission (FCC) has banned the import and sale of certain Chinese technology equipment that it determined poses “an unacceptable risk to national security.” FCC Co…
Microsoft 365 faces darkening GDPR compliance clouds after German report
Natasha Lomas on TechCrunch (techcrunch.com)
Legal trouble may be brewing for Microsoft in the European Union where an assessment by a working group of German data protection regulators that’s spent around two years looking into a swathe of privacy concerns attached to its cloud-based 365 productivity products — including by engaging directly…
A Leak Details Apple’s Secret Dirt on a Trusted Security Startup
Lorenzo Franceschi-Bicchierai on WIRED (wired.com)
A 500-page document reviewed by WIRED shows that Corellium engaged with several controversial companies, including spyware maker NSO Group.
3 ways the data privacy wars could pan out – and how marketers can navigate each scenario
Andrew Frank on The Drum (thedrum.com)
Gartner’s Andrew Frank spells out three potential outcomes of the rising tensions between the data brokering economy and demands for consumer privacy – and how the marketing and advertising industry can navigate each possibility.
Consumer privacy predictions—how marketers will be affected in 2023
Abhay Singhal on Ad Age (adage.com)
Will Apple’s privacy moves help it join the triopoly?
The secret bias hidden in mortgage-approval algorithms
EMMANUEL MARTINEZ and LAUREN KIRCHNER/The Markup on Associated Press (apnews.com)
The new four-bedroom house in Charlotte, North Carolina, was Crystal Marie and Eskias McDaniels’ personal American dream, the reason they had moved to this Southern town from pricey Los Angeles a few years ago.
Watchdog: NHS data platform could damage patients’ trust
Lindsay Clark on The Register (theregister.com)
‘This store of confidential data is a national treasure that must never be compromised or treated carelessly’
UK Online Safety bill could compromise encryption, privacy experts warn
Charlotte Trueman on CSO Online (csoonline.com)
As the controversial legislation makes its way back to Parliament next month, privacy and cybersecurity experts warn that the bill will make UK businesses more susceptible to cyberattacks and intellectual property theft.
Privacy & Cybersecurity for Your Life During the Holidays
on The VoiceAmerica Talk (voiceamerica.com)
Are you armed with the privacy and security knowledge and awareness necessary to identify all the holiday scams and cybercrooks that emerge and try not only new scams and crimes, but also all the same scams and crimes that have proven to be effective year after year for decades? Are you prepared to…
Common Sense Media Says School VR Tools Violate Privacy Laws
Alyson Klein, Education Week, Bethesda, Md. on GovTech (govtech.com)
According to a recent analysis by the research and advocacy organization Common Sense Media, the seven most popular VR devices in schools collect so much user data that they present serious privacy concerns.
The Chinese government’s problematic quest to judge online comments
Zeyi Yang on MIT Technology Review (technologyreview.com)
The Chinese social credit system doesn’t have an all-knowing algorithm—but it still has significant implications, particularly on free speech.
MetaMask will start collecting user IP addresses
Zhiyuan Sun on Cointelegraph (cointelegraph.com)
Many Web 3.0 firms have began collecting users’ IPs due to tougher regulations.
Surveillance powers in UK’s Online Safety Bill are risk to E2EE, warns legal expert
Natasha Lomas on TechCrunch (techcrunch.com)
Independent legal analysis of a controversial UK government proposal to regulate online speech under a safety-focused framework warns the bill poses a risk to the integrity of end-to-end encryption.
Ofcom ‘will get more power than spies’ to monitor apps
Mark Sellman, Technology Correspondent on The Times (thetimes.co.uk)
The media regulator will have greater surveillance powers than spy agencies under laws being considered by parliament, a legal analysis has claimed.Ofcom is be
RCMP use of spyware warrants update to Canada’s privacy laws, MPs say
Maura Forrest on POLITICO (politico.com)
The federal ethics committee says Ottawa should make a list of banned spyware vendors and set export controls.
Documents Show DOJ’s Multi-Pronged Effort to Undermine Section 230
Aaron Mackey on Electronic Frontier Foundation (eff.org)
In the summer of 2020, the Department of Justice was closely monitoring the public and congressional debate about a key law protecting internet users’ speech at the same time that it pushed to undermine the law, documents show. DOJ was tracking multiple efforts to repeal or frustrate 47 U.S.C. §...
Be like Gmail? Proton Mail will soon offer email categorization, message scheduling, and more
Paul Sawers on TechCrunch (techcrunch.com)
Proton has teased a fairly substantial roadmap of features for its flagship Proton Mail and calendar services.
Leaked EU Anti-Money Laundering Regulations Indicate Bloc Plans to Ban Privacy Coins
Scott Ikeda on CPO Magazine (cpomagazine.com)
New EU anti-money laundering regulations currently under discussion would include a ban on privacy coins such as Dash, Monero and Zcash that add further layers of anonymity to the standard blockchain transaction.
BYU, U. researchers say medical health privacy forms can lead to more lies, misdiagnoses
Emily Ashcraft, KSL.com on ksl.com (ksl.com)
A recent study done by researchers at Brigham Young University and the University of Utah shows when patients are given a HIPAA form before filling out the health survey, they tend to lie more on the survey — causing a higher likelihood of misdiagnoses.
Microsoft erfüllt und übertrifft europäische Datenschutzgesetze
on News Center Microsoft Deutschland (news.microsoft.com)
Heute haben die unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder (DSK) Bedenken zu der Vereinbarkeit von Microsoft 365 (M365) mit den Datenschutzgesetzen in Deutschland und der EU geäußert.
Apple Tracks You More Than You Think
Matt Burgess on WIRED (wired.com)
UK bans Chinese cameras from government buildings
Shannon Van Sant on POLITICO (politico.eu)
Remove and replace without waiting for upgrades, British government advises.
Tax prep software sent back personal consumer data to Meta and Google, report says
Lauren Feiner on CNBC (cnbc.com)
Sending such information violates Meta’s policies and a spokesperson said its system is designed to filter out potentially sensitive data.
EU gets serious on privacy, but too many companies ignore the risk
Seth Batey, Fivetran on VentureBeat (venturebeat.com)
To reduce impacts of breaches and fines, orgs must focus on privacy as well as security, and ensure employees know the difference.
Deep Dive: The United Kingdom’s Online Safety Bill
Wikimedia Policy on Wikimedia Policy (medium.com)
Without Further Revision, Bill Will Harm Wikipedia and Other Open Knowledge Projects
The AI Bill of Rights makes uneven progress on algorithmic protections
Alex Engler on Brookings (brookings.edu)
AI regulation is perpetually going to be a key issue into the future, and the White House should give it the same attention and dedication it has directed toward AI research and AI commerce, argues Alex Engler.
Govt, NIRA under fire over ‘data breaches’
Arthur Arnold Wadero on Monitor (monitor.co.ug)
Experts warn that the absence of either a recovery or backup centre for the country’s data on National ID cards, could cost the country dear
Privacy Isn’t Just an Edge Case for Crypto
Leah Callon-Butler on CoinDesk (coindesk.com)
Financial privacy is useful for dissidents in extreme situations. But nobody should have to justify keeping their personal lives private, says our columnist.
Usercentrics Study: 90% of All Apps Do Not Comply With the GDPR
Business Wire on Yahoo (yahoo.com)
MUNICH, November 15, 2022--Nine out of ten apps collect personal data from users without their consent, a clear violation of the European Union’s General Data Protection Regulation (GDPR) and the ePrivacy Directive. This is the result of an analysis of 250 apps in the EU apps market, conducted by pr…
The Best Privacy-Focused Browsers You’ve Never Heard Of
The A.V. Club on Lifehacker (lifehacker.com)
Reduce tracking and improve your privacy with these lesser-known browsers.
Census Bureau chief defends ‘differential privacy’ tool
Mike Schneider, The Associated Press on Federal Times (federaltimes.com)
Differential privacy algorithms add intentional errors to data to obscure the identity of any given participant.
A Look Ahead: Lisa Sotto’s Privacy, Security Outlook in 2023
Michael Novinson on bankinfosecurity.com
A multitude of state privacy laws taking effect in 2023 has forced organizations to revamp their compliance programs to incorporate the disparate requirements
Trucking groups cite privacy concerns over electronic ID proposal
Mark Schremmer on Land Line (landline.media)
Privacy concerns were common among the more than 2,000 comments about a proposal to require electronic IDs on commercial motor vehicles.
Image Credit: Privacy by Nick Youngson licensed under CC BY-SA 3.0 from Alpha Stock Images via Picpedia.