Stories tagged with “privacy”

Economy

Meet The Real-Life Tracking Database That Could Include You

Most of us know cookies are tracking our online behavior for advertising purposes, but a company specializing in retail analytics called Euclid, Inc. is moving that concept into real world shopping experiences — and Sen. Al Franken (D-MN) has some questions about their practices.

Euclid’s newest product, Euclid Zero, launched in January, uses open WiFi access points to track shopper behavior across stores. It does this by collecting the MAC addresses of smartphones as they passively connect to open networks while people shop, anonymizing the data, and putting it into a giant database that recognizes the device when it goes near any other Euclid customer’s network. The data is then given to the retailers, essentially in the form of a human Google Analytics browser.

Euclid doesn’t disclose who their clients are online (although they claim “Top 100 retailers in numerous categories, including specialty apparel, department stores, auto parts and home improvement” as clients), and the only notice consumers get is a vague sign hidden somewhere in the physical store, meaning consumer data is collected largely without their knowledge or consent. And while the MAC data is relatively anonymous, it’s also a unique ID — and the only way to opt out is giving Euclid your MAC address, thus identifying yourself.

Euclid raised $17 million in venture funds earlier this year and has information on over 50 million mobile devices right now. Considering that there are 114 million people in the U.S. using smartphones, that’s a pretty large segment of the consumer audience, large enough to garner interest from at least one senator: In a statement yesterday, Franken expressed concern about the privacy implications of the system:

“It’s one thing to track someone’s shopping habits through a loyalty card or credit card purchase; folks understand that their information may be collected. It’s another thing entirely to track consumers’ movements without their permission as they shop, especially when someone doesn’t buy anything or even enter a store. People have a fundamental right to privacy, and I think neglecting to ask consumers for their permission to track them violates that right.”

The statement was released in conjunction with a letter Franken sent to Euclid’s CEO inquiring about their business practices. The letter includes a laundry list of important questions, ranging from law enforcement access to data (with or without warrants?) and how data is being secured in the cloud to whether users are being tracked without even entering stores and how demographic data is being inferred from smartphone data. It provides a good summary of the most pressing privacy concerns; read the full thing here.

Justice

Federal Appeals Court Shuts Down Suspicionless Searches Of Laptops At The Border

Given enough time, law enforcement can break through the password that blocks access to a laptop. They can also access password-encrypted files and potentially even read the files a user deleted from their computer. As a recent opinion from the United States Court of Appeals for the Ninth Circuit puts it, “[i]t is as if a search of a person’s suitcase could reveal not only what the bag contained on the current trip, but everything it had ever carried.”

In light of the sweeping and unpredictable nature of laptop and similar searches, the court’s opinion places an important new restriction on government searches of electronic devices at the border. As a general rule, “the long-standing right of the sovereign to protect itself by stopping and examining persons and property crossing into this country” justifies nearly any search of a person crossing into the United States from another country. So if you are secreting contraband away in your luggage, you are out of luck. As the Ninth Circuit’s opinion explains, however, searches of electronic devices are far greater intrusions into a traveler’s privacy, and thus must be justified by a greater degree of suspicion before they can occur:

The amount of private information carried by international travelers was traditionally circumscribed by the size of the traveler’s luggage or automobile. That is no longer the case. Electronic devices are capable of storing warehouses full of information. The average 400-gigabyte laptop hard drive can store over 200 million pages—the equivalent of five floors of a typical academic library. Even a car full of packed suitcases with sensitive documents cannot hold a candle to the sheer, and ever-increasing, capacity of digital storage.

The nature of the contents of electronic devices differs from that of luggage as well. Laptop computers, iPads and the like are simultaneously offices and personal diaries. They contain the most intimate details of our lives: financial records, confidential business documents, medical records and private emails. This type of material implicates the Fourth Amendment’s specific guarantee of the people’s right to be secure in their “papers.” The express listing of papers “reflects the Founders’ deep concern with safeguarding the privacy of thoughts and ideas—what we might call freedom of conscience—from invasion by the government.” These records are expected to be kept private and this expectation is “one that society is prepared to recognize as ‘reasonable.’”

The upshot of this opinion is that border agents cannot randomly select a person and comb through their laptop for incriminating data, nor can they conduct a comprehensive search of every iPad that enters the United States. Rather, before conducting a complete search of an electronic device, they must have “reasonable suspicion” that the search will uncover evidence of a crime.

Justice

GOP Bill Seeks To Force Welfare Applicants To Waive Fourth Amendment Rights

Rep. Stephen Fincher (R-TN) introduced a bill in the House Friday that would require states that want to receive full funding for welfare assistance to force their citizens to waive their Fourth Amendment rights and submit to random drug testing. In a press release, Fincher describes the Welfare Integrity Act of 2013:

The bill requires each state participating in the Temporary Assistance for Needy Families (TANF) program to certify that applicants and current recipients are being randomly tested for illegal drug use. In order to pass constitutional muster, the bill requires states to provide a consent and waiver form, where applicants are given the choice to waive their Fourth Amendment Rights and submit to a random drug test. If welfare beneficiaries fail a drug test or are arrested on a drug related offense, they will be unable to receive the benefit and cannot reapply for one year. Further, the legislation requires states that receive funding from the TANF program to certify that there is a program in place to test 20% of applicants and recipients for illegal drugs. States that do not comply would forfeit 10% of their TANF funding.

A federal appeals court has already blocked Florida’s mandatory drug-testing law, making it clear a blanket testing of public assistance applicants is likely unconstitutional. “The simple fact of seeking public assistance does not deprive a TANF applicant of the same constitutional protection from unreasonable searches that all other citizens enjoy,” the court held.

In a remarkable acknowledgment of the constitutional problems with the bill, the text of Fincher’s legislation actually calls for states to require citizens to “sign a waiver of constitutional rights with respect to testing.” Fincher suggests in his press release that the waiver is not forced because applicants can opt not to apply for benefits, but the federal appeals court made clear in its recent decision that a coerced waiver violates “the well settled doctrine of ‘unconstitutional conditions,’ the government may not require a person to give up a constitutional right . . . in exchange for a discretionary benefit conferred by the government where the benefit sought has little or no relationship to [the right].” The bill, then, would seek to require every state that wants to maintain its current level of funding to pass its own unconstitutional law.

As the Huffington Post points out, the bill is unlikely to succeed. Similar legislation introduced in 2011 “garnered just seven cosponsors and failed to clear a committee.” But state bills that impose drug testing on applicants and beneficiaries are seeing increasing success, and at least seven states have already passed legislation requiring some form of drug testing for public assistance applicants or recipients. Mitt Romney even endorsed the idea during his presidential campaign.

Justice

Oops: Top Republican Senator Inadvertently Embraces Roe v. Wade

Sen. Chuck Grassley (R-IA)

CHARITON, Iowa — During a town hall on Wednesday, the top Republican on the Senate Judiciary Committee embraced the reasoning behind the landmark 1973 Supreme Court decision legalizing a woman’s choice to get an abortion, although he did not appear aware of the significance of his statement.

Speaking to a small group of constituents in rural Chariton, Sen. Chuck Grassley (R-IA) was asked about a Facebook rumor that the government would soon be implanting microchips in children and government workers in order to track their health records. After informing the constituent that the claim had no merit, Grassley continued by endorsing the same “right to privacy” that was the backbone of Roe v. Wade and similar decisions.

CONSTITUENT: They’re saying that they’re going to start, in 2013, putting microchips in government workers and then any kid that enrolls in school, starting in pre-school, will have a microchip implanted in them so that they can track them. [...] Is that true?

GRASSLEY: No. First of all, nothing can be done to your body without your permission. It’d be a violation of the constitutional right to privacy if that were to happen.

The constitutional right to privacy that Grassley refers to is not explicitly stated in the Constitution, but Roe concluded that it is one of the liberties protected by the Fourteenth Amendment, which provides that states may not “deprive any person of life, liberty, or property, without due process of law.” Anti-choice advocates, such as Justice Antonin Scalia, former Gov. Mitt Romney (R-MA), and former Sen. Rick Santorum (R-PA), all contend that women should be stripped of their ability to get an abortion because, in Scalia’s words, “there’s no right to privacy in the Constitution — no generalized right to privacy.”

Of course, Grassley remains a staunch opponent of a woman’s right to choose, receiving a “0” pro-choice score from NARAL in 2011. But for the top Republican on the Senate Judiciary Committee to confirm that the Constitution does, indeed, include a right to privacy is a major concession undercutting conservatives’ legal argument for overturning Roe.

Security

Cybersecurity Bill Supporters Regroup As Executive Order Looms

The Hill reports Rep. Dutch Ruppersberger (D-MD), the ranking member of the House Intelligence Committee, plans to re-introduce the Cyber Intelligence Sharing and Protection Act (CISPA), with the committee’s chairman Rep. Mike Rogers (R-MI) this year. CISPA passed the House in 2012 despite significant organized opposition from privacy advocates, but was not considered by the Senate as it focused on its own cybersecurity proposal — one which also stalled, leading to reports the White House plans to issue a cybersecurity executive order calling for the creation of a voluntary program including minimum safety standards in critical infrastructure sectors.

CISPA proposed making information sharing between private companies and the intelligence agencies easier in order to allow collaborative responses to cyberattacks, likely at the expense of internet users’ privacy. While the bill enjoyed the support of many major companies including Facebook, Microsoft, IBM, Oracle, Symantec, AT&T and Verizon, civil liberties organizations expressed major doubts about the proposal and continue to do so. In a comment about renewed interest in CISPA to ThinkProgress today, Gregory T. Nojeim, Director of the Project on Freedom, Security & Technology at the Center for Democracy & Technology said:

“CISPA is deeply flawed. Under a broad cybersecurity umbrella, it permits companies to share user communications directly with the super secret National Security Agency and permits the NSA to use that information for non-cybersecurity reasons. This risks turning the cybersecurity program into a back door intelligence surveillance program run by a military entity with little transparency or public accountability. Members should seriously consider whether CISPA — which inflamed grassroots activists last year and was under a veto threat for these and other flaws — is the right place to start.”

The White House is expected to release a cybersecurity executive order after the State of the Union, although rumors of its imminence have been floating around since September. Nojeim noted that last year there were reasons to be optimistic about the cybersecurity executive order when rumors of it first emerged — including the White House’s threat to veto CISPA.

The executive order wouldn’t be the first foray into cybersecurity for President Obama: In October, he signed a secret directive that redefined some cybersecurity actions previously deemed offensive as defensive, as part of an effort to enable military personnel to be more proactive in thwarting cyberattacks. The move occurred around the same time Secretary of Defense Leon Panetta warned of an impending “cyber-Pearl Harbor.”

The threat of cyber attacks on public and private infrastructure is very real, as demonstrated by the huge jump in critical infrastructure incidents requiring the involvement of the U.S. Industrial Control System Cyber Emergency Response Team, from 9 in 2009 to 198 in 2011.

Outside of traditionally defined critical infrastructure, other sectors have also been the target of recent high profile cybersecurity breaches, including many major newspapers and banks.

Economy

What The FTC’s Latest Settlement Says About The State Of Mobile Privacy

FTC Chairman Jon Leibowitz, who announced he would be stepping down this month.

The Federal Trade Commission (FTC) announced today that it settled charges against the operator of the Path social networking app for allegedly deceiving consumers. The app was collecting personal information from mobile device address books without the users’ consent and collecting the personal information of around 3,000 children under the age of 13 in violation of the Children’s Online Privacy Protection Act (COPPA) Rule.

Under the settlement, Path will pay an $800,000 fine, establish a comprehensive privacy program, and be required to obtain independent privacy assessments every other year for the next two decades. A report in February of last year detailed the disappointing privacy protections in apps aimed at children, such as those alleged in today’s settlement.

The announcement came at the same time the FTC released a report of recommendations for privacy protections on mobile devices, which grew out of a May 2012 workshop with industry and consumer representatives, and provides non-binding guidance on mobile privacy for consumers, app developers, and platform development — much of it focused on providing adequate disclosure about what information is being collected and for what purpose, rather than directly limiting the collection of data.

Forty-five percent of adults in the U.S. and two-thirds of young adults owned a smartphone as of September 2012, and those users care about the security of their personal information according to the press release accompanying today’s report:

“[...]57 percent of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons. Less than one-third of Americans feel they are in control of their personal information on their mobile devices.”

But while today’s settlement announcement and recommendations represent a step in the right direction for mobile privacy, their limited scope provides even more evidence that the FTC doesn’t have the authority necessary to protect American consumers in the digital age. An $800,000 fine to a company valued at $250 million amounts to a slap on the wrist and the mobile privacy recommendations are just that: Non-binding guidelines for behavior, not actual privacy standards mobile app or platform developers will be held accountable to.

Economy

How One Company Obtained The Salary Records Of One-Third Of Working Americans

An NBC News investigation released yesterday revealed that credit reporting agency Equifax has assembled a private database containing the employment and salary records of more than one-third of U.S. adults, and is perfectly fine selling that data off to the highest bidder:

Some of the information in the little-known database, created through an Equifax-owned company called The Work Number, is sold to debt collectors, financial service companies and other entities… [...]

Its database is so detailed that it contains week-by-week paystub information dating back years for many individuals, as well as other kinds of human resources-related information, such as health care provider, whether someone has dental insurance and if they’ve ever filed an unemployment claim. In 2009, Equifax said the data covered 30 percent of the U.S. working population, and it now says The Work Number is adding 12 million records annually.

The information is collected with the cooperation of employers, who pay The Work Number to provide verification services for former employees, surrendering data at the same time. Fortune 500 companies and government agencies representing 85 percent of the federal civilian population contract with The Work Number. And since Equifax is a credit reporting agency, rather than just a data-mining outfit, it’s all perfectly legal for them to provide this information to debt collection agencies.

Sen. Jay Rockefeller (D-WV), Chairman of the Senate Committee on Commerce, Science and Transportation, opened a congressional investigation into the data-mining practices of several corporations including Equifax in October of last year, sending letters to each company asking for extensive details about all data collection operations since the start of 2009. But the investigation focuses on background check services rather than its financial reporting services.

Justice

Surpassing Outdated Law, Google Requires Warrants For Government Access To Email Content

In a major change to how America’s largest tech companies handle online privacy, Google revealed this week that it requires warrants for users’ email content and data stored in the cloud, imposing hurdles to government access to data beyond the scope of a 1986 electronic privacy law.

But even as Google’s policy is a big step forward for digital due process advocates, it doesn’t extend to a significant portion of the information Google releases to law enforcement agencies such as IP addresses used to access Google accounts, message time stamps, and to and from fields. And Google’s recently released transparency data shows that getting information on your online activities can still largely be done without a warrant.

The report shows less than a quarter of the 8,428 government requests for U.S. user data they received in July to December 2012 were search warrants, and 88 percent of requests were fully or partially complied with. The U.S. led country rankings in terms of total number of requests made and the percentage of requests complied with.

Wired quotes Google spokesman Chris Gaither on Google’s newly outlined warrant policy, which has been in effect for an unclear amount of time: “Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the Constitution, which prevents unreasonable search and seizure.” Google’s interpretation is novel because under the Electronic Communication Privacy Act of 1986 (ECPA), messages over 180 days old stored in the cloud only require an administrative subpoena — rather than a warrant approved by a judge — largely due to how email technology worked in 1986: It was very unusual for data to remain on external servers because of hosting costs, leading to a belief that any data left on an external server for that long could be considered abandoned.

While our use of technology has changed dramatically since 1986, the law has not: An attempt to update the law last year stalled over the holidays. And while the law does not require a warrant to access some data, two federal appellate courts came to differing conclusions on the issue in 2010, one stating that obtaining the content of email messages stored on an email provider’s server requires a warrant, and another allowing magistrate judges discretion to require warrants from the government when requesting location information from cellphone providers — although both rulings only apply to their judicial district.

Google’s public stance on warrants may signal that tech companies are no longer willing to quietly accept the lack of progress on technology policy. In many sectors it has become clear our laws have not kept up with the pace of technological innovation, yet the biggest success of the tech sector last year focused on preventing bad legislation rather than updating woefully outdated regulation.

Health

All Your Medical Data In The Cloud? Not So Fast, Says HHS Privacy Official

Joy Pritts, Chief Privacy Officer at HHS's Office of the National Coordinator for Health IT

When it comes to electronic health records, “the switch to cloud is inevitable.” That’s according to Joy Pritts, Chief Privacy Officer at the Office of the National Coordinator for Health IT in the Obama administration, who spoke at a “Health Care, the Cloud, and Privacy” panel hosted by the Washington, D.C.-based advocacy group, Patient Privacy Rights.

Electronic health records are exactly what they sound like: A collection of health information in digital format that can include a wide range of data, from intimate details of your medical history and test results to demographic data to your billing information. Digital records are superior to physical ones because they can be transferred quickly when patients switch providers, help doctors get a complete picture of patient health, eliminate the need for redundant testing, and provide new opportunities for analyzing treatments for efficiency and effectiveness.

They are also supposed to be a cost saver. Some estimates have put the potential cost savings for switching over to electronic records as high as $81 billion annually, although the real world implementation hasn’t come close to hitting that target. Cloud storage and computing are part of this equation due to their potential to help make the transition to electronic health records more cost effective and unleash the analytics power of big data on health care information.

But while storing medical records digitally on the cloud may offer great promise for increasing the efficiency of the health care system, it is not without its challenges. Data security and privacy of health information are major obstacles where policy has not yet caught up with practice.

Politics

Senate Waters Down Privacy Protections For Online Video Streaming

Last week, the Senate quietly agreed to allow video streaming companies such as Netflix to share data on their customers’ streaming histories for up to two years — after only asking their permission once. The Video Privacy Protection Act (VPPA) had previously mandated that consent be obtained from an individual each time their video-watching history was shared. It also requires law enforcement to obtain a warrant, court order, or grand jury subpoena to acquire that history, and prevents companies from sharing it for marketing purposes — provisions which all appear to remain in place.

The new bill has already been adopted by the House, and is now on its way to President Obama’s desk. Adam Serwer at Mother Jones has the latest:

Last Tuesday, the Senate quietly altered a key privacy law, making it much easier for video streaming services like Netflix to share your viewing habits. How quietly? The Senate didn’t even hold a recorded vote: The bill was approved by unanimous consent. (Joe Mullin of Ars Technica was among the first to note the vote.) [...] Video streaming companies that want to share your data now only need to ask for your permission once. After that, they can broadcast your video-watching habits far and wide for up to two years before having to ask again.

VPPA was originally passed in 1988 following outrage at the publication of Supreme Court nominee Robert Bork’s video rental history by a Washington newspaper. (An irony, as Serwer notes, given Bork’s own hostility to privacy rights.) The law caused headaches for Netflix’s attempt to integrate their services with Facebook, an arrangement the company has brought to over 40 countries but has yet to debut in the United States. Netflix recently challenged the application of the law to online streaming video, but was rebuffed by a federal district court.

Both Facebook and Netflix lobbied enthusiastically in the second half of 2012 for the changes to the VPPA, spending $1.6 million and $400,000, respectively. Those efforts paid off with last week’s alteration.