BlurryEdge Strategies

For the past few months I've been working with BlurryEdge associate Megan Worman to help reddit overhaul its privacy policy. The new version went live today, and I'm participating in a reddit AMA right now. Come ask us anything!

We're keeping up with the latest developments in mobile data collection and have issued an to our 2011 White Paper, Mobile Unique Identifiers and Location Information. The two new events in this area of privacy law include:
- The Location Privacy Protection Act of 2011, which had traction in the Senate, was not presented to Congress by the end of 2012
- Google settled with 38 states and the District of Columbia for $7 million dollars in Wi-Fi data collection investigation.

Download 2013BESWPMobile

I attended the California Public Utilities Commission (CPUC) Energy Data Access Workshop last week (1/15-16) in San Francisco. I have been following the CPUC's numerous proceedings on energy data privacy, including the Privacy Rule for SmartGrid Data and the discussion about implementing processes for users to authorize the utility to directly transfer their energy usage data to third party providers (e.g. for demand response purposes).

This particular meeting was focused on access to users' energy data for research purposes.  A number of research institutes and city planners want access to both personalized and anon/aggregate energy consumption data for energy efficiency planning and research into alternative energy programs. This makes interesting politics because the Privacy Rule places the burden on utilities to protect their users' privacy.

Also interesting was how similar this debate is to other debates (i.e. cookie data or health data) where the question is how to create useful information from data, but to do so in a way that is reasonably aggregated and anonymous to protect user privacy.  There were also interesting presentations, particularly by the census bureau, on secure means to provide access to the data when the research requires data in a form that could not be considered to meet this standard.

This Workshop was meant to give the CPUC enough information to start a proceeding that will likely determine whether a new data center with data from the three IOUs will be created or some other means to facilitate access to data will be pursued.  Hopefully, it will spark some input from researchers and professionals other fields where these issues are being discussed.

The California Attorney General's office today released its long awaited report Privacy on the Go (pdf) with recommendations for application developers, platforms, and ad-networks.  It is a must read-- both for the easy to understand language and clear suggestions, and because it promotes implementations than generally are not considered "required by law."  This is the future of privacy design.  I urge you to take a look.

Highlights:

Limit collection:  Avoid or minimize the collection of personally indentifiable data that you do not need to provide your service and limit the time you keep it.  Or as I tell my clients, make a fair bargain with your users!  Have policies that make sense and describe them in a way so the user thinks the exchange of their data for your service is reasonable.

Surprise Minimization:  Don't collect data or use it in a way that will surprise your users.  In other words-- notice early, contextually, and repeatedly!

Enhanced Notice:  Use "special" notices to highlight things that would or should be important to users of your service.  What are special notices you ask?  Well the report doesn't say, exactly.  But I'm betting it means notice that is not a tiny 8 point disclosure hidden in paragraph 27 of a privacy policy.

Happy 2013!

At Blurry Edge Strategies, we spend a lot of time watching (and
often participating in) significant developments at the intersection of
technology and the law.  And as the new year begins, it’s already
clear that we’re facing an exciting and tumultuous 12 months ahead.

Federal regulators – notably the FTC – are telegraphing a
reinvigorated interest in Internet privacy matters; after last year’s
SOPA debacle, lawmakers are primed to take another swing at copyright
enforcement legislation; and social networking giants are wading deep
into international privacy compliance issues, with mixed results.

That’s all ahead. To close out 2012, we’ve compiled for you a guide to
twelve of the most important developments of the last year.  We hope you
find it useful.

Lauren Gelman
Principal, Blurry Edge Strategies

gelman@blurryedge.com
@laurengelman

1. The Internet fought back against SOPA/PIPA: When Congress proposed SOPA and PIPA, bills whose overreach in the name of copyright protection would have stifled innovation and online speech, Internet users and influential websites responded with unprecedented, concerted zeal. This response culminated in a mass online blackout, with sites as large as Reddit and Wikipedia going dark to protest the legislation. Millions of users contacted their representatives to oppose the bills. While legislative ideas like SOPA and PIPA haven’t disappeared completely, last year’s response made it clear to Congress that users and Internet companies are willing to fight.
2. Governments are getting serious about privacy: In 2012, the FTC proposed more stringent changes in children’s privacy rules and undertook enforcement of its existing privacy rules against app makers and other online businesses for everything from “history sniffing” to data-leaking security flows. California also announced its own mobile privacy rules, requiring privacy policies for mobile apps, and recently launched an enforcement action against Delta for not including a mobile privacy policy in its app. The lesson for business is clear: governments are treating violations of privacy rules as serious breaches that can lead to investigation and enforcement.
3. Do Not Track: Do Not Track, the long-running consumer privacy project aimed at allowing users to tell websites not to track them, has not had the smoothest year. Leadership changes and uncooperative ad industry partners have made the project’s future unpredictable. However, DNT has showed no signs of stopping, either, and the government’s increasing scrutiny of companies that traffic in consumer data (see the FTC’s investigation of data brokers and updating of COPPA) means that the ad industry needs to find a way to self-regulate effectively if it wants to avoid even stricter rules from the government. DNT might still be that solution.
4. Smart Grid privacy concerns started reaching consumers (and businesses): Last year, the California Public Utilities Commission began to draft and propagate new rules on smart grid privacy, including short-form notice and consent forms that could govern the way consumers share data with new smart grid-oriented businesses. Meanwhile, the Ninth Circuit held in Golden Valley that while administrative subpoenas can be easily obtained for things like energy records, businesses that make explicit, detailed promises to keep data confidential might have a better chance in defending against government attempts to get users’ data without a warrant. These developments suggest that even though smart grid data policies are still in development, businesses now know enough about them to make a stand for their users.
5. More data, more FTC investigations: The FTC recently ordered nine data brokerage companies, which collect and aggregate information about millions of consumers, to to explain what they do with their stores of user data. Much of what these brokers do is currently unregulated: they are not necessarily required to allow consumers to access or correct data about them, or to opt out of data collection altogether. Further, it is not entirely clear whether the data these brokers collect renders them subject to existing regulations like the Fair Credit Reporting Act. While data brokers can provide useful services to consumers and businesses, it looks like those services are due for more rules and regulations in the future.
6. Facebook changes its privacy rules (and everyone watches): Late last year, Facebook and its new acquisition Instagram both changed their privacy policies and terms of service. The public responded, annoyed at Facebook’s removal of its voting system and Instagram’s broad new advertising rules. Since then, Instagram has walked back its changes and Facebook has scrambled to respond to both companies’ critics. The lesson seems to be that more users — and competitors, regulators, and journalists — are reading the fine print, and without careful drafting and PR, nuanced policy changes could become big problems.
7. David Petraeus‘ private emails were revealed a little too easily — and Congress realized it might be time to update our ancient email privacy laws: In one of last year’s most publicized scandals, decorated general and CIA director David Petraeus resigned after the FBI began to investigate a cyberstalking complaint. Part of this investigation involved the FBI’s acquisition of emails from all parties involved, revealing on a very public scale exactly how outdated our email privacy laws, like the Electronic Communications Privacy Act, are. (ECPA, for example, requires warrants only for email stored for less than 180 days.) Shortly after the scandal broke, however, the Senate Judiciary Committee backed ECPA amendments that would require the government to obtain a warrant before seizing email and other online data. ECPA isn’t fixed yet, but we might be getting close.
8. 2012 brought some big wins for innovation-friendly copyright laws: We saw several big cases in 2012 that protected fair use and other consumer- and innovation-friendly copyright laws. The district court in Author’s Guild v. HathiTrust held that digitizing books in order to help libraries organize their collections and provide access to digital books to the visually impaired is fair use. In Flava Works v. MyVidster, Judge Posner held that allowing users to embed videos on a website is not itself infringement. And in Viacom v. Google, the Second Circuit affirmed that Internet companies like YouTube have no duty to monitor user activities and are not liable for users’ infringement if they don’t know (and don’t promote). These cases should give at least some businesses confidence in building models that depend on the use and reuse of copyrighted materials.
9. LinkedIn and Zappos reminded everyone (no matter how big or successful) that proper encryption and security are important: In two of last year’s highest-profile data breaches, LinkedIn and Zappos were both hacked, exposing millions of users’ data and requiring both companies to scramble to fix the issue. LinkedIn’s breach specifically resulted in the release of a file containing millions of passwords hashed with the SHA-1 algorithm, whose security flaws were made public years ago. Incidents like these, involving two of the Internet’s biggest businesses, are valuable reminders to companies of all sizes never to forget that your users’ information is yours to protect, and protection takes work.
10. Government surveillance is not slowing down: Last year, Wired broke the story that the U.S. government has been building a $2 billion “data center” in Utah. This “data center” will be capable of sucking in what was previously an unimaginably huge amount of data, analyzing it for unknown purposes, and breaking even military-grade encryption. This data center is just one symbol of the government’s increasing surveillance of all types of once-private digital data. It brings us a step closer to DARPA’s post-9/11 “Total Information Awareness,” and is a reminder that protecting our Fourth Amendment rights is a constant struggle.
11. Twitter began to navigate thorny problems of international speech laws: In 2012, even before clips from the anti-Islam film “Innocence of Muslims” allegedly started riots around the world and made Internet intermediaries’ international speech policies the subjects of conversation and controversy, Twitter enacted a policy in which it would take down certain tweets in response to various countries’ valid legal processes — but only for people with IP addresses in those countries, not for global Twitter users. Twitter also gives users notice of these takedowns and sends the takedown information to Chilling Effects. In navigating a very difficult problem that any internationally expanding speech-oriented business must eventually face, Twitter has managed to promote its increasingly international presence in a way that respects the free speech platform on which its service is based.
12. The FTC targets SMS spam: The FTC updated the Telephone Consumer Protection Act this year to make marketers who send consumers SMS promotions without consent subject to heavy fines and investigations. This change means that consumers have another means of combating unwanted text messages (and avoiding accompanying charges), but even ethical, legally compliant marketers who engage in SMS campaigns must be very careful to build their technological systems and conduct their campaigns within the TCPA’s bounds, or else they risk crippling fines and lawsuits.

I get to talk to a lot of interesting audiences about privacy, security and other issues. Last month was unquestionably the most fun talk-- at DefCon Kids with Jeff Moss (darktangent). CNN was there and wrote about it and I hope parents everywhere will share this information with their 8 year olds.

Computer hacking for 8-year-olds

I have a comment on the NYT Room to Debate forum Google or China: Who Has More to Lose? praising Google's decision not to censor search results on .cn but recognizing that it was the alleged Chinese government's hacking that broke the camel's back as opposed to general disgust with the regime's Internet Freedom policy (I also wrote about this at the time of the initial announcement in January).  I do think it shows that while doing business with China could be justified by a goal of fostering engagement, collaborating with the regime cannot.