Privacy News: December 19

A big FTC settlement, student privacy, state and federal privacy legislation, security and privacy issues on Mastodon … and more!  

Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges

the Premerger Notification Office Staff on Federal Trade Commission (ftc.gov)

Epic will pay a $275 million penalty for violating children’s privacy law, change default privacy settings, and pay $245 million in refunds for tricking users into making unwanted charges.  Of course it’s still just a “cost of doing business”, but $500 million. here, $500 million there, and pretty soon you’re talking some real money!

ALSO:

  • Top FTC official warns companies on data, Ashley Gold on axios.com, with more general perspectives from  Samuel Levine, director of the FTC’s bureau of consumer protection.  Levine tells Axios the agency won’t hesitate to sue companies that abuse customers’ data — and warns companies (like Twitter) that have signed FTC consent decrees that “there’s no pause button” on such agreements.

David A. Zetoony on The National Law Review (natlawreview.com)

In the latest in a series based on Greenberg Traurig LLP’s review of the publicly available privacy notices and practices of 555 companies, Zetoony looks at the dreaded cookie banners.  From a privacy perspective, the best option is “opt in”: you don’t get cookies unless you explicitly request them.  By contrast, an “opt out” approach (cookies unless you say know) means that companies can exploit your data unless you say otherwise.  Even worse is what Zetoony describes as “deemed consent” and “notice only”: a  notice telling you that they’re using cookies and there’s nothing you can do about it; or no banner at all, so you don’t even know what they’re using cookies for.  

This analysis shows that 28.5% of the sites they looked at are opt in … kudos to them for doing the right thing, and brickbats to everybody else.  And kudos to Zetoony and Greenberg Traurig LLP, this kind of data

Student Privacy

Most apps used in US classrooms share students’ personal data with advertisers, researchers find

Tonya Riley on CyberScoop (cyberscoop.com)

96% of the apps used in U.S. K-12 schools share children’s personal information with third parties —  including advertisers — often without the knowledge or consent of users or schools, according to a study by Internet Safety Labs published Tuesday.

Researchers looked at 13 schools in every state, leading to a total of 663 schools representing nearly half a million students. They found that most schools had more than 150 approved technologies for classrooms, a dizzying number for parents and school administrators to monitor. One school had as many as 1,411.

The report follows previous research from the group, formerly known as the Me2B Alliance, finding hundreds of advertisers collected valuable student data from a website specializing in school sports data.

KCKPS leaders consider cameras in classrooms for virtual learning; some concerned about privacy, trust

By: JuYeon Kim on KSHB 41 Kansas City News (kshb.com)

Kansas City, Kansas, Public Schools is considering cameras in classrooms, but some community members are concerned.

Federal privacy legislation

Dangerous “Kids Online Safety Act” Does Not Belong in Must-Pass Legislation

Jason Kelley and Aaron Mackey on Electronic Frontier Foundation (eff.org)

Everybody agrees that doing something about the abuses of kids’ privacy is critical … but even though the controversial and unconstitutional  Kids Online Safety Act (KOSA) has some privacy-related provisions, it’s still a bad bill.  The sponsors have made some changes in response to the letter that more than 90 human rights and LGBTQ Groups sent opposing KOSA last mongth, but as Kelley and Mackey discuss they don’t address the underlying problems.

Last week Emily Brinbaum of Bloomberg reported that the White House is making calls to legislators pressuring them to attach this anti-LGBTQ bill to the must-pass “omnibus” spending bill, but House Democrat leadership is pushing back.  As I was writing this newsletter, Ashley Gold of Axios reported that she’s heard that KOSA isn’t in the omnibus.  If so that’s good news.  Keep your fingers crossed!

ADPPA and Twitter: eight questions and an elephant

Jon Pincus, the Nexus of Privacy (thenexusofprivacy.net)

The American Data Privacy and Protection Act (ADPPA) consumer privacy bill also seems unlikely to be attached to the omnibus at this point (although it ain’t over til its over) but with its bipartisan sponsorship it’s likely to be back on the table next year.  Recent events at Twitter provide some clear examples of what’s at stake with real-world privacy-abuses to test how effective ADPPA is going to be in practice.

State privacy legislation

Tech industry group sues to block California law designed to protect kids online over free speech concerns

Lauren Feiner on CNBC (cnbc.com)

The group that sued Texas and Florida over social media laws that seek to restrict the tech industry’s liability shield for content is going after California.

Looking Forward and Back at the California State Legislature

Hayley Tsukayama on Electronic Frontier Foundation (eff.org)

As California’s new two-year session kicks off, EFF looks back at the past session which featured several victories for EFF and its allies advocating for digital rights victories. California is often seen as a leader in recognizing the importance of privacy, innovation, and free expression.  Similar bills are being considered this y year in Washington, and no doubht other states, so hopefully we’ll be able to build on California’s leadership.

U.S. State Privacy Laws in 2023: California, Colorado, Connecticut, Utah and Virginia

Theodore Augustinos on JD Supra (jdsupra.com)

A look at new consumer privacy laws coming into effect in California, Colorado, Connecticut, Utah, and Virginia.  We’ve included similar analyses in past issues of the newsletter, but it’s interesting to see the different perspectives.  This one for example has a useful chart comparing the different laws, which highlights both similarites and some important differences.

Mastodon

Fleeing Twitter users face uncertain privacy, security features on alternative platforms

Tonya Riley, Cyberscoop (cyberscoop.com)

An excellent high-level look at the security and privacy risks of Mastodon and other Twitter alternatives.  A lot of the articles I’ve seen stop with the basics: Mastodon, like Twitter and Facebook, doesn’t encrypt private messages, so admins can read them.  But that’s just the tip of the iceberg.  For example:

As the number of Mastodon grow, so too will data requests from law enforcement. In recent years, law enforcement has increasingly leaned on tech companies for data that can be used to prosecute crimes — including criminalized abortion. In just the first six months of 2022, Twitter received nearly 50,000 legal demands, including a 103% increase in legal demands from governments targeting journalists.

Privacy and security experts are concerned that platforms such as Mastodon are poorly positioned to properly deal with data requests like these. Addressing them would likely fall on independent Mastodon server administrators or their hosting companies, not Mastodon. While Mastodon is based in Germany, its administrators and their hosting companies span the globe.

Yeah really.  Riley quotes several Mastodon instance admins who basically say, well, if it happens they’ll get a lawyer.  As privacy and security expert Violet Blue pointed out in her Cybersecurity Roundup on December 13, there are some big red flags here.  Not to sound like a broken record, but assume that nothing on Mastodon is private, and do not use it for confidential information!

Riley also briefly discusses Hive Social, another Twitter alternative.  Hive had a very high-profile security problem, and shut down for a few weeks to address the underlying issues (although it’s now back up).  As Violet Blue points out, Hive did the right thing here by prioritizing user safety.  

And …

How to spot AI-generated text

Melissa Heikkilä on MIT Technology Review (technologyreview.com)

The internet is increasingly awash with text written by AI software. We need new tools to detect it.

Under Surveillance: (Mis)use of Technologies in Emergency Responses

23-12-2021 on ECNL (ecnl.org)

ECNL, INCLO and Privacy International joint report focuses on global lessons from the COVID-19 pandemic.

Dayton-area police departments expanding license plate reader use as privacy concerns remain

Nick Blizzard on Dayton Daily News (daytondailynews.com)

Dayton, Miamisburg have added automated license plate readers in past several months; Beavercreek and Kettering among police departments that say they help solve crimes while Ohio ACLU, others raise questions.

EU takes step towards US data-sharing agreement

Lindsay Clark on The Register (theregister.com)

Campaigners say it’s unlikely to pass a test in the courts, though

Sen. Elizabeth Warren Questions Tax Filing Companies, Meta, and Google About Sharing of Financial Data

Colin Lecher on The Markup (themarkup.org)

Letters to the companies, signed by Warren and others, cite a recent Markup investigation

Violation of Right to Privacy: Karti Chidambaram on ‘Orwellian’ usage of facial recognition by Chennai police

Aihik Sur on Moneycontrol (moneycontrol.com)

This comes a few days after the Greater Chennai Police admitted to using the technology in response to a tweet by a Chennai resident.

Privacy Breaches to Cost More in Australia as Maximum Penalty Increases to AUD 50 Million

Scott Ikeda on CPO Magazine (cpomagazine.com)

Organizations found to be responsible for a privacy breach now face a maximum penalty of AUD 50 million, 30% of adjusted annual domestic turnover, or three times the value of any benefit obtained through the misuse of the leaked information.

Microsoft to roll out ‘data boundary’ for EU customers from Jan. 1

Martin Coulter on Reuters (reuters.com)

Microsoft Corp said on Thursday its European Union cloud customers will be able to process and store parts of their data in the region from Jan. 1.

Federal Agencies Keep Rejecting FOIA Requests for Their Procedures for Handling FOIA Requests

Beryl Lipton on Electronic Frontier Foundation (eff.org)

The majority of federal agencies — including law enforcement agencies like Customs and Border Protection — are refusing to release some of the most basic guidance materials used by their Freedom of Information Act (FOIA) offices: procedures for how they do their jobs.Government Attic, a website…

The post-Merge Ethereum ecosystem needs privacy more than ever

Warren Paul Anderson, Discreet Labs on VentureBeat (venturebeat.com)

Privacy in Ethereum must not be a bolt-on feature; it should should become a built-in foundation that enhances user experience.

Hulu customer claims an employee violated her privacy by using personal information to contact her after a virtual service chat

Jordan Hart on Insider (businessinsider.com)

“How many other women has he done this to, and how else is he using my information?” Strauss asked in a TikTok post that went viral earlier this week.

Is privacy is possible on the Internet? An interview with Neeva founder and former Google exec Sridhar Ramaswamy

Jim Love on IT World Canada (itworldcanada.com)

On Dec 13th, a new search engine, described by some as the “anti-google” called Neeva will be available to use in Canada. Here’s an interview with Neeva’s CEO.

EFF Agrees With the NLRB: Workers Need Protection Against Bossware

José EFA and Hayley Tsukayama on Electronic Frontier Foundation (eff.org)

The general counsel of the National Labor Relations Board (NLRB) issued an important memo that calls for regulators to protect workers against what she described as “unlawful electronic surveillance and automated management practices.”

Is Your Secret Santa App on the Privacy Naughty List?

Mia Armstrong-López on Slate (slate.com)

Plus, stories from the recent past of Future Tense.

Secrecy v. Privacy in Donor Conception Families

Wendy Kramer is Co-Founder and Director of the Donor Sibling Registry (DSR). on Psychology Today (psychologytoday.com)

Walking the fine line between privacy and secrecy is inherent in donor families.

Leo Varadkar nightclub footage triggers privacy debate in Ireland

Rory Carroll on The Guardian (theguardian.com)

Leaked clip of deputy leader also fuels moves to tighten social media regulation

Hongkonger jailed for 8 months in first doxxing sentence under revised privacy law

Brian Wong on South China Morning Post (scmp.com)

Ho Muk-wah received 8 months’ jail for seven counts of disclosing personal data without consent, including creating fake online accounts under ex-partner’s name.

Standing to Sue: Is Theft of Drivers’ License Numbers Sufficient to Allege Imminent Threat of Future Harm?

Ryan P. Blaney on The National Law Review (natlawreview.com)

Judge Jeffrey White of the Northern District of California recently dismissed a putative class action lawsuit in which plaintiffs claimed they faced an imminent threat of future of harm in the form of identity theft and fraud because their personal information, specifically their driver’s license numbers, may have been compromised in a data breach.  In doing so, the court determined that driver’s license numbers “are not as sensitive as social security numbers,” and that they don’t rise to the level of sensitive personal information “needed to establish a credible and imminent threat of future harm” for Article III standing.

Exhibit At University Of Oxford Shows Differences Between Algorithmic And Human Curation

iednewsdesk on India Education (indiaeducationdiary.in)

Researchers at the Oxford Internet Institute are launching ‘The Algorithmic Pedestal,’ a public exhibition taking place at J/M Gallery in London from 11-17 January 2023, which will highlight differences between human and algorithmic ways of seeing. Artist Fabienne Hess is bringing her human perspective, while the Instagram algorithm adds the machine perspective.