Category: Privacy

I
0

4 Points About the Target Breach and Data Security

There seems to be a surge in data security attacks lately. First came news of the Target attack. Then Neiman Marcus. Then the U.S Courts. Then Michael’s. Here are four points to consider about data security:

1. Beware of fraudsters engaging in post-breach fraud.

After the Target breach, fraudsters sent out fake emails purporting to be from Target about the breach and trying to trick people into providing personal data. It can be hard to distinguish the real email from an organization having a data breach from a fake one by fraudsters. People are more likely to fall prey to a phishing scheme because they are anxious and want to take steps to protect themselves. Post-breach trickery is now a growing technique of fraudsters, and people must be educated about it and be on guard.

2. Credit card fraud and identity theft are not the same.

The news media often conflates credit card fraud with identity theft. Although there is one point of overlap, for the most part they are very different. Credit card fraud involving the improper use of credit card data can be stopped when the card is cancelled and replaced. An identity theft differs because it involves the use of personal information such as Social Security number, birth date, and other data that cannot readily be changed. It is thus much harder to stop identity theft. The point of overlap is when an identity thief uses a person’s data to obtain a credit card. But when a credit card is lost or stolen, or when credit card data is leaked or improperly accessed, this is credit card fraud, and not identity theft.

3. Data breaches cause harm.

What’s the harm when data is leaked? This question has confounded courts, which often don’t recognize a harm. If your credit card is just cancelled and replaced, and you don’t pay anything, are you harmed? If your data is leaked, but you don’t suffer from identity theft, are you harmed? I believe that there is a harm. The harm of credit card fraud is that it can take a long time to replace all the credit card information in various accounts. People have card data on file with countless businesses and organizations for automatic charges and other transactions. Replacing all this data can be a major chore. People’s time has a price. That price will vary, but it rarely is zero.

Read More

1

Atrocious Privacy Invasion: Non-Consensual Videotaping of Sex Indicted in NY

Criminalizing privacy invasions has a long history. In their ground-break article The Right to Privacy published in 1890, Samuel Warren and Louis Brandeis argued that “[i]t would doubtless be desirable that the privacy of the individual should receive the added protection of the criminal law.” Since that time, lawmakers have banned the non-consensual recording of individuals in a state of undress in contexts where they have reasonable expectation of privacy. New York’s unlawful surveillance law, for instance, prohibits use of an imaging device to secretly record or to broadcast another person undressing or having sex for the purpose of degrading that person in cases where the person had a reasonable expectation of privacy.

In November 2013, a New York former private wealth adviser was indicted for nineteen counts of unlawful surveillance and attempted unlawful surveillance for secretly taping himself having sex with different women without their consent. The illegal tapings allegedly occurred over a year’s time and apparently were many.

The New York Post talked to one of the victim’s attorney, Daniel Parker, who explained that the man posted the illegal videos on Internet sites. According to Parker, the man “used an elaborate system of surveillance using multiple devices in both his bedroom and their homes.” In other words, the man not only had various cameras in his own bedroom to tape himself having sex with women who had no idea and never consented but he also secretly taped himself having sex with the women in their homes. Parker explained that the man “left a trail and it was on YouTube and Vimeo.” What were those hidden devices? The man apparently used a hidden camera, a web cam and a stealth phone app to film the women engaged in various sexual acts. According to Parker, the man installed a hidden camera in the bookshelf of his East 69th Street apartment.

The victims delivered the video footage to the Manhattan District Attorney’s Office prompting the investigation. Kudos to prosecutor Siobahn Carty for bringing the case, though my sense is that it took the victims considerable energy and time to convince law enforcement to take their case seriously and to understand the technology used to perpetrated the egregious privacy violations. Technical ignorance is common amongst law enforcement, well, and common for may people. Troubling cultural attitudes and “I don’t get the tech” response are notorious responses to different forms of harassment, including non-consensual taping of individuals in their most intimate moments. I will report more on the case as I get a hold of the indictment.


 

CoreHarms

What President Obama’s Surveillance Speech Should Have Addressed

In his recent speech on surveillance, President Obama treated the misuse of intelligence gathering as a relic of American history. It was something done in the bad old days of J. Edgar Hoover, and never countenanced by recent administrations. But the accumulation of menacing stories—from fusion centers to “joint terrorism task forces” to a New York “demographics unit” targeting Muslims—is impossible to ignore. The American Civil Liberties Union has now collected instances of police surveillance and obstruction of First Amendment‐protected activity in over half the states. From Alaska (where military intelligence spied on an anti-war group) to Florida (where Quakers and anti-globalization activists were put on watchlists), protesters have been considered threats, rather than citizens exercising core constitutional rights. Political dissent is a routine target for surveillance by the FBI.

Admittedly, I am unaware of the NSA itself engaging in politically driven spying on American citizens. Charles Krauthammer says there has not been a “single case” of abuse.* But the NSA is only one part of the larger story of intelligence gathering in the US, which involves over 1,000 agencies and nearly 2,000 private companies. Moreover, we have little idea of exactly how information and requests flow between agencies. Consider the Orwellian practice of “parallel construction.” Reuters has reported that the NSA gave “tips” to the Special Operations Division (SOD) of the Drug Enforcement Administration, which also shared them with the Internal Revenue Service.
Read More

Surveillance Man 02
0

10 Reasons Why Privacy Matters

Why does privacy matter? Often courts and commentators struggle to articulate why privacy is valuable. They see privacy violations as often slight annoyances. But privacy matters a lot more than that. Here are 10 reasons why privacy matters.

1. Limit on Power

Privacy is a limit on government power, as well as the power of private sector companies. The more someone knows about us, the more power they can have over us. Personal data is used to make very important decisions in our lives. Personal data can be used to affect our reputations; and it can be used to influence our decisions and shape our behavior. It can be used as a tool to exercise control over us. And in the wrong hands, personal data can be used to cause us great harm.

2. Respect for Individuals

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. Of course, the desire for privacy can conflict with important values, so privacy may not always win out in the balance. Sometimes people’s desires for privacy are just brushed aside because of a view that the harm in doing so is trivial. Even if this doesn’t cause major injury, it demonstrates a lack of respect for that person. In a sense it is saying: “I care about my interests, but I don’t care about yours.”

3. Reputation Management

Privacy enables people to manage their reputations. How we are judged by others affects our opportunities, friendships, and overall well-being. Although we can’t have complete control over our reputations, we must have some ability to protect our reputations from being unfairly harmed. Protecting reputation depends on protecting against not only falsehoods but also certain truths. Knowing private details about people’s lives doesn’t necessarily lead to more accurate judgment about people. People judge badly, they judge in haste, they judge out of context, they judge without hearing the whole story, and they judge with hypocrisy. Privacy helps people protect themselves from these troublesome judgments.

Read More

6

Online Voter Information and Privacy

Donny-Osmond-007Did you ever want to know Donny Osmond’s birthday, along with his voter registration status? Now you can find out, through a simple website which has posted the entire Utah state voting roll to the internet in easily searchable form. What if you’re looking in Colorado, Connecticut, or a half dozen other states? Their voter rolls are online too, sometimes with additional information like addresses.

Is this troubling? It’s one thing to post Donny Osmond’s birthday to the internet; that information is on Wikipedia anyway. It’s more troubling to post the private information of tens of thousands of everyday people, many of whom may have no idea that this online database exists.

The website pooh-poohs potential privacy concerns and touts the potential value of this information — it could help in genealogical projects, for instance. The site also points out that this information is legally available already as public records which anyone could order. That is troubling itself (it illustrates what kind of information marketing companies and others could be buying right now).

But I’m also not convinced by the “this is available anyway” argument. As scholars like Dan Solove and Danielle Citron have pointed out, sometimes structural barriers and transaction costs create a sort of informal, de-facto privacy protection, which everyday citizens may depend on. When a company acts to strip away those barriers, it threatens everyone’s privacy.

3

We Will All Be Jaime Sommers – 3D printing ears

Thanks to 3D printing and advances in material sciences, questions I had a few years ago about what data is sent, how we are regulated, and of course illusive ownership are hitting home for biomedical, implanted devices. I wrote about some of these issues in a short piece about the implications of a post-human world. I thought about implanted medical devices and the idea that we are becoming appliances with all the contracts and data issues we see online moving to the body.

On the one hand, I love some of the outcomes of this engineering. For example, what if we all could be the Bionic Woman? Michael McAlpine of Princeton may be making it so that anyone could have a bionic ear, and he wants to improve us even more. He is engineering:

a synthetic ear made with a 3-D bioprinter, is a realization of that vision. The complex biomechanical structure was fabricated by depositing live cells and conductive silver in layers. It started as an exploration of material properties, but commercial applications started to appear rapidly. He discovered that cochlear implants, a leading treatment for those with some hearing impairment, are made by hand in a slow and laborious process with costs to match.

His work draws on the way hearing works. The interface sends “the electronic signal right into your medula and brings us one step closer to a world where we can learn kung fu by plugging into a computer.” That idea is fantastic (as in fantasy) but his main point, “It will just be considered normal that you have electronics embedded in your body, … You won’t think its weird that a door will just open up as you walk towards it. We will become cyborgs and it will be seen as just a normal thing” connects to my piece.

So on the other hand, as these changes move forward, we will have to consider what is control over health and other data that may come from within us. Security and hacking will take on new dimensions. I also think that class will play a role. If devices and surgery are expensive but “natural” will only the rich get to have them? Will the poor be stuck sneaking steroids will the privileged pay for dexterity enhancement?

I don’t think dystopia is ahead. I think these questions are the right and fun ones to consider and manage. Again the New Year looks good.

P.S. Jamie Boyle’s Shamans, Software, and Spleens is ever more relevant, as we move into the next technology era.

0

Digital Death – What Happens to Your Digital Stuff

What happens to your to your email and other digital content after you die? That question continues to pop up. Back in 2008, I wondered about the issue in a paper called Property, Persona, and Preservation. I noticed a sort of cloud effect. Once we moved email to the web, we were distanced from our creations. For those interested in the theories behind my argument, read the whole paper. But if you want to skip to the policy and application material, skip to part III starting at page 111.

In fact, while I was at Google, Google and a few other email providers started to come up with ways to let heirs access content and to let creators of content signal whether they wanted that work to be shared with heirs. Those solutions tracked some ideas I offered. I am not sure whether the paper was part of their reading but was happy to see the changes. Nonetheless as Pew shows, how we preserve, protect, and control that work will continue to be a problem. The Pew report notes that states and the Uniform Law Commission are starting to come up with laws to address digital estate issues. I will write a follow up to this post, but for now, I offer that any solution should allow Service Providers the ability to set defaults and users to alter them. In short, if someone wants to have an email account for things he or she would rather not have known, the user should be able to click a setting that says “This email account will self-destruct upon the provision of a death certificate.” Now we might want to let an executor verify these wishes and so on rather than relying on Service Provider’s insight or discretion. Still a clear signal about what one wants can be built into how we preserve or destroy our digital history.

0

NSA Metadata Surveillance and the Fourth Amendment

Phone NSA 01

 

A U.S. District Court recently held that the NSA surveillance of telephone metadata likely violates the Fourth Amendment. The case is Klayman v. Obama.

The NSA surveillance program involves an incredibly broad gathering of metadata about people’s conversations. Metadata doesn’t include the conversations themselves, just data about when and to whom they are made — i.e., not the content of the phone conversations but the phone numbers of the people having the conversations.

The key Fourth Amendment case at issue is Smith v. Maryland, 442 U.S. 745 (1979), which held that a pen register device capturing the phone numbers a person dialed wasn’t protected by the Fourth Amendment partly because the phone company had access to the phone numbers and partly because phone numbers weren’t viewed to be as sensitive as the phone conversations themselves.

The court in Klayman has an interesting view of why Smith v. Maryland is no longer applicable. Essentially, the court argues that the pen register information the government could gather when Smith was decided is much different from the very broad systematic gathering of phone records today.

The Klayman court relies on the U.S. Supreme Court’s fairly recent decision in United States v. Jones, 132 S.Ct. 945 (2012), where five justices in concurrences noted that wide-scale extensive surveillance technologies have different implications than there older more limited counterparts. Jones involved GPS, and the Court there distinguished an earlier case involving a beeper device that tracked a car. In a concurring opinion, Justice Alito wrote that “relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable. But the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy. For such offenses, society’s expectation has been that law enforcement agents and others would not—and indeed, in the main, simply could not—secretly monitor and catalogue every single movement of an individual’s car for a very long period.”

I find much merit to the Klayman court’s analysis. I have long argued that Smith was wrongly decided, and not too long ago, I wrote here about why there are strong privacy interests in metadata.

Read More

0

Exciting news for the Center on Democracy & Technology: Nuala O’Connor Appointed President and CEO

Brilliant news: CDT’s Board of Directors just announced that Nuala O’Connor has been named President & CEO, effective January 21, 2014. O’Connor will succeed Leslie Harris, who is stepping down after leading CDT for nearly nine years. As the privacy community knows well, Harris provided extraordinary leadership: vision, enthusiasm, and commitment. O’Connor will build on that tradition in spades. She is the perfect leader for CDT.

From CDT’s announcement:

“Nuala drove an ambitious civil liberties agenda as the first Chief Privacy Officer at the Department of Homeland Security in a post 9-11 world. She fought for and implemented policies to protect the human rights of U.S. and global citizens in a climate of overreaching surveillance efforts. The Board is thrilled to have Nuala at the helm as CDT expands on 20 years of Internet policy work advancing civil liberties and human rights across the globe,” said Deirdre Mulligan, CDT Board Chair.

O’Connor is an internationally recognized expert in technology policy, particularly in the areas of privacy and information governance. O’Connor comes to CDT from Amazon.com, where she served both as Vice President of Compliance & Customer Trust and as Associate General Counsel for Privacy & Data Protection. Previously she served as the first Chief Privacy Officer at the U.S. Department of Homeland Security (DHS). At DHS, O’Connor was responsible for groundbreaking policy creation and implementation on the use of personal information in national security and law enforcement.

“I am honored to join the superb team at the Center for Democracy & Technology. CDT is at the forefront of advocating for civil liberties in the digital world,” said O’Connor. “There has never been a more important time in the fight to keep the Internet open, innovative and free. From government surveillance to data-driven algorithms to the Internet of things, challenges abound. I am committed to continuing to grow CDT’s global influence and impact as a voice for the open Internet and for the rights of its users.”

“Nuala is a brilliant choice to lead CDT. She is a passionate advocate for civil liberties, highly expert about the emerging global challenges and fully committed to CDT’s mission. She is a bold leader who will guide CDT into its next chapter. I have had the honor of working with CDT’s talented and thoughtful team for almost nine years. I am confident that they will thrive with Nuala at the helm,” said Leslie Harris.

Beyond her experience at Amazon and DHS, O’Connor has also worked in consumer privacy at General Electric, and as Chief Counsel for Technology at the U.S. Department of Commerce. She also created the privacy compliance department at DoubleClick and practiced law at Sidley Austin, Venable, and Hudson Cook.

O’Connor, who is originally from Belfast, Northern Ireland, holds an A.B. from Princeton University, an M.Ed. from Harvard University, and a J.D. from Georgetown University Law Center. She currently serves on numerous nonprofit boards, and is the recipient of a number of national awards, including the IAPP Vanguard Award, the Executive Women’s Forum’s Woman of Influence award, and was named to the Federal 100, but is most proud of having been named “Geek of the Week” by the Minority Media & Telecom Council in May 2013. She lives in the Washington, D.C. area with her three school-aged children.