The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



White House Announces Privacy Policy Framework

The Executive Office of the President today released a 52-page framework document setting out the Obama Administration’s policies "for protecting privacy and promoting innovation in the global digital economy."  The policy framework includes four principal elements: A Consumer Privacy Bill of Rights, a multistakeholder process to agree how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of international partners. 

The Administration acknowledges that existing United States privacy law and policy "effectively address some privacy issues" but adds that "additional protections are necessary to preserve consumer trust" in the online environment.  The framework therefore calls for consumer data privacy legislation, under which the FTC and State Attorneys General would have authority to enforce the Consumer Privacy Bill of Rights.

The baseline protections – described as "privacy principles recognized throughout the world" – established in the Consumer Privacy Bill of Rights are:

Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how it is used.

Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which they provide the data.

Security: Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure that they adhere to the Consumer Privacy Bill of Rights.

Going forward, the Administration encourages privacy stakeholders, including the private sector, to implement the Consumer Privacy Bill of Rights through the auspices of the Commerce Department; it also commits to work with Congress to "write these flexible, general principles into law."



The FTC Publishes a Staff Report on Mobile Apps for Children and Privacy

The Federal Trade Commission (FTC) just released a Staff Report (the Report) titled "Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing."


Mobile applications (apps) are increasingly popular among children and teenagers, even very young ones. Indeed, the Report found that 11% of the apps sold by Apple have toddlers as their intended audience (Report p. 6). Apps geared to children are often either free or inexpensive, which makes them easy to purchase, even on a pocket-money budget (Report p. 7-8).

As such, according to the Report, these apps seem to be intended for children's use, and some may even be "directed to children" within the meaning of the Children's Online Privacy Protection Act (COPPA) and the FTC's implementing Rule (the Rule). The Rule defines what is a "[w]ebsite or online service directed to children" at 16 C.F.R. § 312.2. Under COPPA and the Rule, operators of online services directed to children under 13 years of age must provide notice and obtain parental consent before collecting children's personal information. This includes apps. Yet, the FTC staff was unable, in most instances, to find out whether an app collected any data, or, if it did, the type of data collected, the purpose for collecting it, and who collected or obtained access to such data (Report p. 10).


"The mobile app market place is growing at a tremendous speed, and many consumer protections, including privacy and privacy disclosures, have not kept pace with this development" (Report p. 3).


Downloading an app on a smart phone may have an impact on children's privacy, as apps are able to gather personal information such as the geolocation of the user, her phone number or a list of contacts, and this without her parents' knowledge. Indeed, while app stores and operating systems provide rating systems and controls which allow parents to restrict access to mobile content and features, and even to limit data collection, they do not provide information about which data is collected and whether it is shared (Report p. 15).


The Report concludes by recommending that app stores, app developers, and third parties providing services within apps increase their efforts to provide parents with "clear, concise and timely information" about apps downloaded by children. Parents would then be able to know, before downloading an app, what data will be collected, how it will be used, and who will obtain access to this data (Report p. 17). This should be done by using "simple and short disclosures or icons that are easy to find and understand on the small screen of a mobile device" (Report p. 3).


Recall that United States of America v. W3 Innovations, LLC, in August 2011, was the first FTC case involving mobile applications.




Employers, Employees, and Social Media Passwords

An Illinois bill, H.B. 3782, would amend the Illinois "Right to Privacy in the Workplace Act" by providing that:

"it shall be unlawful for any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."

A similar bill, S.B. 971, which was proposed last year in Maryland, would have prohibited employers from requiring a prospective employee, or an employee, to disclose user names or passwords for Internet sites. The Maryland bill did not become law.

It remains to be seen if the same fate will befall H.B. 3782, but one can regret that the Illinois legislator only refers to a "prospective employee," especially considering a recent Illinois case. In Maremont v. Susan Fredman Design Group, Ltd., et al. (N.D. Ill.; Dec. 7, 2011), Plaintiff, the employee of a design company, had stored the passwords to her personal Twitter and Facebook accounts on her employer's server, using a computer owned by the employer, but had not given this information to anyone. Defendant, the employer, allegedly accessed these two personal social media accounts while Plaintiff was on medical leave, in order to post information promoting the design company. Plaintiff argued that this violated the Stored Communications Act (SCA), which forbids unauthorized access to a wire or electronic communication while in electronic storage, 18 U.S.C. § 2701(a). The Court held that Plaintiff had not yet proven actual damages, a prerequisite to recovering statutory damages under the SCA, as discovery was not yet completed, and that it was thus premature for the Court to address the issue. It will be interesting to follow further developments in this case.

Hat tip to Venkat Balasubramani for posting the Maremont case online.



EPIC is Suing the FTC to Compel Enforcement of Google Buzz Consent Order

The Electronic Privacy Information Center (EPIC) is suing the Federal Trade Commission (FTC) in order to compel the federal agency to enforce the October 2011 Google Buzz consent order, In the Matter of Google, Inc., FTC File No. 102 3136, which was issued following a complaint filed by EPIC with the FTC in February 2010.


Pursuant to this consent order, Google may not misrepresent the extent to which it maintains and protects the privacy and confidentiality of the information it collects, including the purposes for which the information is collected, and the extent to which consumers may exercise control over the collection, use, or disclosure of this information. Also, Google must obtain the express affirmative consent of Google users before making any new or additional sharing of information to third parties, which must be identified, and the purpose(s) for sharing the information must be disclosed to Google users. The consent order also requires Google to establish and implement a comprehensive privacy program.


Last January, Google announced changes to its privacy policy, which will be effective March 1, 2012. Google will then start collecting user data across all the different Google sites, such as Gmail or YouTube, provided that the user is logged into her Google account. Ms. Alma Whitten, Google's Director of Privacy, Product and Engineering, stated that Google can thus provide "a simpler, more intuitive Google experience." A Google user will have one single Google profile. There is, however, no opt-out available. The new privacy policy states that:


"We may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services. If other users already have your email, or other information that identifies you, we may show them your publicly visible Google Profile information, such as your name and photo."


According to EPIC's complaint, these changes are "in clear violation of [Google's] prior commitments to the Federal Trade Commission." EPIC is arguing that Google violated the Consent Order "by misrepresenting the extent to which it maintains and protects the privacy and confidentiality of [users'] information, by misrepresenting the extent to which it complies with the U.S.-EU Safe Harbor Framework… [and] by failing to obtain affirmative consent from users prior to sharing their information with third parties."


The European Union (EU) is also concerned by these changes. The Article 29 Working Party sent a letter to Google on February 2, informing the California company that it will "check the possible consequences for the protection of the personal data of [E.U. Member States'] citizens of these changes." Google answered the Commission Nationale de l'Informatique et des Libertés (CNIL), France's Data Protection Authority, which is in charge of coordinating the enquiry into Google's privacy changes, that the changes were made in order to ensure that Google's privacy policy is "simpler and more understandable" and also "to create a better user experience."


Meanwhile, EPIC is arguing that the FTC has a non-discretionary obligation to enforce a final order, yet has not taken any action with respect to the upcoming changes in Google's privacy policy.



Congress: Slowly, Inexorably Moving to Cyber Security Legislation

Congress, the bastion of gridlock and acrimony that shut down the FAA, hasn't passed a budget since the middle of the Bush Administration, and almost caused a default on the debt, looks increasingly poised to consider legislation to dramatically overhaul and systematize how the United States responds to a cyber attack, with lasting repercussions on private and public sector operations.

Both the House and Senate are working on bipartisan legislative vehicles which are poised to see significant floor time in the next few weeks. The bicameral consideration could even be followed by a substance-based conference committee and enactment by the President before Election Day. For the School House Rocks fans (www.schoolhouserock.tv/Bill.html), a major piece of legislation moving through the regular order, just as Saturday morning infomercials told you about, would be a major accomplishment in present day Washington.

So what are the bills? Where do they stand? And what’s in them?
