The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Is Letter to Larry Page the First Step Towards Legislating Google Glass?


Last week, eight members of the Congressional Bi-Partisan Privacy Caucus sent a letter to Google’s CEO, Larry Page, asking him to answer several questions about Google’s Project Glass by June 14. The eight representatives are seeking to find out if and how Google Glass could infringe on people’s privacy.

Google announced its Google Glass project in April 2012. It was first introduced as a cool gadget allowing young men to woo their girlfriends playing the ukulele and parents to take pictures of their children while holding them by both hands. It immediately caught a lot of media attention and was even named one of the best inventions for 2012 by Time.

It not only allows users to take pictures on the go, without having to hold a camera, but also to receive and send emails, to talk to friends and colleagues while seeing them on video, to share their geolocation by checking in, to access the internet, and to update their social media status.

Multitasking, yes, but some of these features may pose a threat to the privacy of people around a Google Glass user. In their letter, the congressmen noted that it is not yet known whether Google plans to incorporate privacy protection in its new product.

8 Questions to Google

Here are the 8 questions put to Larry Page in the letter:

  1. Does Google have plans to prevent Google Glass from unintentionally collecting data from persons around the device, just as Google Street View did in 2010?
  2. Are privacy frameworks, such as Privacy By Design, incorporated in the device?
  3. Will Google Glass use Facial Recognition Technology?
  4. When would Google reject requests which would be intrusive to others’ privacy?
  5. Will there be changes made to Google’s privacy policy?
  6. Will Google Glass collect device-specific information, such as mobile network information, and collect personal data of its users?
  7. How will privacy be protected in Google Glass apps, such as the one recently released by the New York Times?
  8. Does Google Glass have the capacity to store data?

 

Regulating by Etiquette, or Regulating by Law?

These questions are not hypothetical, as Google Glass is already selling, for about $1,500, to a few chosen customers. Maybe you have already spotted someone wearing them?

The letter to Larry Page notes that a bar in Seattle has already banned the device. A tongue-in-cheek video about how obnoxious a Google Glass user could be is circulating on the Internet.

Facial recognition is probably the most potentially invasive feature of Google Glass. Motorola Mobility, owned by Google, acquired Viewdle, a facial recognition company, last fall, just as Facebook had acquired Faces.com a few months earlier. Facebook reintroduced its photo tag suggestion feature on January 30, 2013.

However, Google’s Chairman Eric Schmidt stated in 2011 that his company would not build a facial recognition database. He was quoted then saying that “[h]opefully the French or any other country won’t pass laws that are so foolish they force Google to not be able to operate in those countries.”

Would it be “foolish” for legislators to regulate Google Glass? And should the new challenges to privacy that Google Glass may cause be regulated by law or by… etiquette? Indeed, Google Glass offers many opportunities to break social etiquette, including surreptitious filming. In April, Eric Schmidt declared that people will have to develop a new etiquette for Google Glass and similar products.

But etiquette may not be the best path to regulate the privacy intrusion risks caused by Google Glass, and Little Miss Manners should not be solely in charge of regulating privacy. We’ll soon see whether the letter sent last week is the legislators’ first step toward legislation.

Image courtesy of Flickr user tedeytan under a CC BY-SA 2.0 license.



FTC Retains Effective Date for the Amended COPPA Rule

On May 6, the Federal Trade Commission (“FTC”) voted unanimously to retain the July 1, 2013 date for implementation of the updated Children’s Online Privacy Protection Rule (“COPPA”).  The FTC vote took place approximately two weeks after online industry and business organizations, including the Direct Marketing Association (“DMA”) and the U.S. Chamber of Commerce, sent a letter to the FTC seeking an extension of the effective date for the COPPA Rule amendments, from July 1, 2013 to January 1, 2014. 

In voting to retain the original date for implementation of the updated Rule, the Commission noted that the July 1 implementation date, along with the rule changes, was announced in December 2012, which provided affected companies with more than six months to prepare for the updated Rule. The FTC also noted various meetings and consultations it has held during the past several months with organizations and individual businesses to discuss how companies can ensure compliance with the amended Rule. In addition, the FTC noted the recent release of its updated COPPA Rule Frequently Asked Questions (“FAQs”) document that includes a number of questions (and answers) that directly address how the amended Rule differs from the original Rule, including the following:

• What should I do about information I collected from children prior to the effective date that was not considered personal under the original Rule but now is considered personal information under the amended Rule?

• Other than the changes to the definition of personal information, in what ways is the new Rule different?

• Will the amended COPPA Rule prevent children from lying about their age to register for general audience sites or online services whose terms of service prohibit their participation?

Notably, the online industry had cited the lack of an updated FAQs document as a key reason for its request to extend the implementation date to January 2014.



FTC Announces Internet of Things Workshop

The FTC recently announced a public workshop to examine the privacy and data security implications of the Internet of Things (IoT). The workshop, which will take place on November 21 this year, indicates a growing interest – both here and in Europe – in the policy issues raised by this rapidly emerging business model. The FTC announcement follows a signal from new FTC Chairwoman Edith Ramirez that she intends to include IoT in her privacy agenda.

The Internet of Things describes a world in which machines can communicate with one another via the Internet without human intervention. The Swedish mobile device vendor Ericsson estimates that around 50 billion devices worldwide will be IoT enabled by 2020.

The business model has many positive applications. Included here are energy efficient smart grids, which have the proven potential to promote energy efficiency. Another interesting IoT application concerns auto insurance. If the key variables used to calculate insurance premiums are distance driven, location, time of day, and driving style, and these variables can be measured with precision using IoT technologies, then drivers and insurance providers may be positioned to better calculate bespoke insurance rates.

These and other IoT applications look set to become increasingly ubiquitous as the technologies underpinning them – data storage, mobile data transfer, and cloud computing – come down the cost curve in the coming years. However, as with Internet-enabled technologies generally, IoT raises potential privacy and data security concerns. The FTC is therefore requesting public comments on the following issues prior to the November workshop:

• What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
• How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

FTC staff welcomes submissions to its IoT email account before June 1, 2013.

Meanwhile, on the other side of the Atlantic, both the EU and the OECD are tracking IoT from a policy standpoint in general, and from a privacy and security standpoint in particular. The EC Commission launched a public consultation similar in nature to the FTC’s in April last year, and recently published its findings. According to the Commission, these findings will be relied on in “future policy initiatives.”



U.S. Supreme Court Holds that Government’s Use of Trained Police Dogs to Investigate Front Porch is a “Search” within the Meaning of the Fourth Amendment

On March 26, 2013, the U.S. Supreme Court affirmed the decision by the Florida Supreme Court that suppressed evidence obtained following a trained police dog’s positive alert for narcotics from the defendant’s front porch. See Florida v. Jardines, 569 U.S. ____ (2013).   Writing for the majority in a 5-4 opinion, Justice Scalia focused on the government’s physical intrusion into the constitutionally protected area immediately surrounding the home and declined to consider whether the search violated the defendant’s reasonable expectation of privacy. 

Law enforcement had received an unverified tip that marijuana was being grown in the home of respondent/defendant Joelis Jardines. Agents arrived at Jardines’ home with a drug-sniffing police dog and stood on the porch while the dog was given 6 feet of slack to sniff for narcotics. The dog signaled an airborne odor that was emanating from the base of the front door. Based on the alert, the officers obtained a search warrant, found marijuana plants inside the home, and charged Jardines with trafficking in cannabis. The trial court suppressed the evidence as the product of an unreasonable search under the Fourth Amendment, a ruling that ultimately was upheld by the Florida Supreme Court.

The majority (Justice Scalia, joined by Justices Thomas, Ginsburg, Sotomayor, and Kagan) affirmed, holding that law enforcement’s use of trained police dogs to investigate the home and its immediate surroundings constituted a “search” within the meaning of the Fourth Amendment.  The constitutional violation was based on what the Court characterized as “the traditional property-based understanding of the Fourth Amendment.”  Otherwise put, the act of “march[ing] a bloodhound” to “trawl for evidence” was a physical intrusion on constitutionally protected areas that defied the Fourth Amendment’s “very core” of “the right of a man to retreat into his home and there be free from unreasonable governmental intrusion.” 

A concurring opinion from Justice Kagan (with Justices Ginsburg and Sotomayor) went one step further, calling the police action both a constitutional trespass and an invasion of privacy, as defined in Kyllo v. United States, 533 U.S. 27 (2001) (finding a constitutional privacy violation for the government’s use of a thermal imaging device that was “not in general public use”). Justice Kagan classified drug-detection dogs as specialized law enforcement tools for discovering objects not in plain view and likened their use to “super-high-powered” binoculars.

In a scathing dissent, Justice Alito (joined by Chief Justice Roberts and Justices Kennedy and Breyer) wrote that the conduct of the police officer neither constituted a trespass nor violated Jardines’ reasonable expectation of privacy. The officer did not exceed the scope of the implied license under Fourth Amendment jurisprudence to approach the front door, the license being limited to the amount of time it would customarily take to approach the door, pause long enough to see if someone is home and (if not expressly invited to stay longer), leave. On the contrary, the officer adhered to the customary path, did not approach in the middle of the night, and remained at the front door for less than a minute. Justice Alito likened this action to the standard “knock and talk” that has been deemed permissible police activity under the Fourth Amendment, and stated that residents do not have a reasonable expectation of privacy in odors that emanate from the dwelling and reach spots where members of the public may lawfully stand. Finding no difference between odors that can be smelled by humans and those that are detectable only by dogs, Justice Alito rejected the analogy of the use of a drug-sniffing dog to the use of a thermal imaging device or other forms of technology, as advanced in Justice Kagan’s concurrence.

This sharply divided opinion presages more complicated constitutional privacy cases to come.  Had the canine detected the smell from a public sidewalk and not the curtilage of private property, the case would have been outside the scope of the majority’s property-focused holding.  And if law enforcement’s use of a police dog does not qualify as a “specialized law enforcement tool” to violate reasonable expectations of privacy, as suggested by Justice Alito, the question remains how “specialized” or “high-tech” a police device must be to constitute an unreasonable search under the Fourth Amendment.  



Google in the Crosshairs of the European Data Protection Authorities

The following post is the first of a series of guest posts written by students from the US and from all over the world. If you are interested in writing a post on a privacy or data security issue, please contact Bridget Calhoun or Marie-Andrée Weiss. The PRIS Committee extends a special invitation to foreign students for whom English is a second language. The following post is written by Clara Steimlé, a law student in France.

On April 2nd, 6 of the 27 European data protection authorities (DPAs) started legal actions against Google. Despite several warnings, Google did not take any measures to avoid this step.

The story began in March 2012 when Google set up a new Privacy Policy, which merged the privacy policies of its sixty or so services into a single policy, thus allowing Google to gather Google users’ personal data and to create very precise profiles.

A few months later, in October 2012, the European DPAs, united in the Article 29 Working Party (G29), which is an independent advisory body on data protection and privacy, asked Google for more complete and clearer information, after consulting an evaluation made by the French DPA, the Commission Nationale de l’Informatique et des Libertés (CNIL). The G29 thought that Google’s Privacy Policy did not meet the requirements of Directive 95/46/EC, the Data Protection Directive. The G29 then gave Google 4 months to bring itself into compliance.

Pursuant to the Data Protection Directive, data controllers must clearly and precisely inform data subjects about the purpose of the data processing and also must respect the principle of data minimization. In particular, the G29 faulted Google on three main points.

First, Google does not supply its users with enough information about how it processes data. Users are not informed about Google’s data collection practices and Google does not distinguish between personal data and special categories of data.

Secondly, Google does not give its users the power to control when their personal data is combined among its numerous different services. However, the DPAs did not criticize the principle of combining all privacy policies into one. Lastly, Google does not specify the retention period for the data it collects.

During the audit of October 2012, the G29 had made recommendations to Google which, however, were not followed. The CNIL considered that Google should give users control over their data and simplify their right to opt out.

In spite of these recommendations, Google did not comply.

On March 19th, 2013, a working group met with representatives of Google but no change was implemented. The French, German, Spanish, Italian, Dutch and British DPAs thus decided to each start legal actions against Google in their respective countries.

Google is moreover known to engage in a bit of arm wrestling and to give in only when it no longer has any excuses not to do so. At the moment, it considers it did not violate European laws. The penalties that Google could incur would be different in each of the European Union countries which chose to start legal actions against Google, but could amount to up to 2% of its total global sales.

Nevertheless, the process is not irreversible, as no legal action has yet been started; that could happen by the end of summer, with penalties pronounced by the end of 2013. However, Google may give in before then, not under the threat of financial penalties, but for fear of damaging its reputation.

Clara Steimlé is an LL.M. student at the University of Strasbourg in France. She graduated in 2012 from the University of La Sorbonne in Paris, where she studied international business law. She expects to graduate with an LL.M. in e-commerce economic law in September 2013. Her studies focus on data protection law, e-commerce law, and Intellectual Property. After graduation, she plans to take the French bar exam and practice IP/IT law, with a focus on international law.



Less Than Satisfied with Self-Regulation? FTC Chair Renews Push for Do Not Track

FTC Chair Edith Ramirez created some waves in her first speech to the advertising industry this week. Ramirez renewed the call for a universal Do Not Track mechanism—and impliedly ignored the progress of AdChoices, the Digital Advertising Alliance’s opt-out program. The FTC’s critical stance, along with a renewed initiative in the Senate, signals that the government is unsatisfied with the industry’s progress toward enhanced consumer controls over privacy and may seek a public, rather than private, solution.

“Consumers await a functioning Do Not Track system, which is long overdue,” Ramirez said. “We advocated for a persistent Do Not Track mechanism that allows consumers to stop control of data across all sites, and not just for targeting ads.”

The comments, spoken before the American Advertising Federation at their annual advertising day on Capitol Hill, illustrated a rift between advertisers and regulators over the progress of self-regulatory programs and consumers’ perceptions of online behavioral advertising. Two years ago, the FTC called on advertisers to develop a program that would give consumers a choice to opt out of behaviorally targeted ads. Speaking to AdWeek, Stu Inglis, a partner at Venable who acts as the DAA’s attorney, said of Ramirez’s remarks:  “We have solved it. The DAA’s program covers 100 percent of the advertising ecosystem. We made our agreements.”

The DAA also recently released the results of a poll it commissioned, in which nearly 70 per cent of consumers responded that they would like at least some ads tailored directly to their interests, and 75 per cent said that they preferred an ad-supported internet model. (The poll comes with some caveats, described by an AdWeek piece today.)

However, in her speech Ramirez spoke of consumers’ “unease” with online tracking: “An online advertising system that breeds consumer discomfort is not a foundation for sustained growth. More likely, it is an invitation to Congress and other policymakers in the U.S. and abroad to intervene with legislation or regulation and for technical measures by browsers or others to limit tracking,” she said.

Ramirez also urged the advertising community to keep working within the multiparty process led by the W3C  (World Wide Web Consortium) to develop a browser-based Do Not Track program. However, there has been little concrete progress in the talks so far.

The online advertising industry may be running out of time. Senator Jay Rockefeller (D-W.Va.), chair of the Senate Commerce Committee, announced that he would hold a hearing next week to discuss legislation that would mandate a Do Not Track standard. The chairman, along with Sen. Richard Blumenthal (D-CT), introduced the Do Not Track Online Act in February. The bill would direct the FTC to write regulations governing when internet firms must honor a consumer’s request that their information not be collected, and deputize the FTC and state attorneys general to enforce the rules.

“Industry made a public commitment to honor Do-Not-Track requests from consumers but has not yet followed through,” Rockefeller said of the hearing. “I plan to use this hearing to find out what is holding up the development of voluntary Do-Not-Track standards that should have been adopted at the end of last year.”

If Congress and the FTC agree that the advertising industry hasn’t honored its commitments, the chances for self-regulation without a government mandate may dwindle further.

Sources:

AdWeek:  FTC Chair Stuns Advertisers

The Hill: Sen. Rockefeller to Push for Do Not Track at Hearing



California’s Proposed Right to Know Act

California State Assemblymember Bonnie Lowenthal has introduced a bill entitled the “Right to Know Act 2013.” Were it to be enacted, Assembly Bill No. 1291 would significantly expand the consumer’s right to know which of his information a business has retained, and how the business is using it.

Altering current California law, which provides a right to know in cases where a customer has a “business relationship” with the business and the customer’s information has been shared for “direct marketing purposes,” the bill as currently proposed reads:

“This bill would instead require any business that retains a customer’s personal information, as defined, or discloses that information to a 3rd party, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer.”

The right to know provided by the California bill is similar in many respects to the right to access information held by a business that is afforded under the EU’s Data Protection Directive to EU citizens.

The bill has received positive reviews from organizations such as the Electronic Frontier Foundation. We’ll need to wait to see how Silicon Valley responds.

Because California often advances the conversation in the area of consumer protection and data privacy, it will be important to monitor how, and if, this proposal develops.
