
Stories tagged with “privacy”

Justice

Police Groups Vie For Mandatory Collection Of All Private Text Messages

As Congress mulls changes to an outdated law intended to protect electronic privacy, a group of law enforcement officers is lobbying for a provision that would erode privacy by requiring that text messages be saved and stored for at least two years. According to CNET, police and prosecutors’ groups say they have increasingly come to rely on text messages as evidence in criminal cases, and they are vying for a mandated storage period for wireless providers in amendments to the 1986 Electronic Communications Privacy Act now being considered:

[T]he Senate Judiciary committee … approved sweeping amendments to the Electronic Communications Privacy Act last week. Unlike earlier drafts, the latest one veers in a very privacy-protective direction by requiring police to obtain a warrant to read the contents of e-mail messages; the SMS push by law enforcement appears to be a way to make sure it includes one of their priorities too.

It wasn’t immediately clear whether the law enforcement proposal is to store the contents of SMS messages, or only the metadata such as the sender and receiver phone numbers associated with the messages. Either way, it’s a heap of data: Forrester Research reports that more than 2 trillion SMS messages were sent in the U.S. last year, over 6 billion SMS messages a day.

Among the groups urging the mandate are the Major Cities Police Chiefs Association, the National District Attorneys’ Association, the National Sheriffs’ Association, and the Association of State Criminal Investigative Agencies. These agencies are not alone in vying for more data collection and retention. The Department of Justice last year called for laws requiring Internet providers to retain data. But the American Civil Liberties Union’s Christopher Calabrese points out that any such proposal certainly doesn’t belong in discussions on reform of the law intended to protect electronic privacy.

Evidence suggests that wireless carriers have a range of evolving policies on retaining text messages, from no retention at all to 180 days. Most companies, however, appear not to have policies that messages be stored for a time period even close to two years. A spokesman for U.S. Cellular told CNET that data is stored for just 3-5 days, due to the volume of the content.

Both wireless companies and law enforcement agencies do increasingly store and monitor other kinds of phone data. The New York City Police Department is retaining cell phone logs collected when phones are reported stolen, and other wireless carriers recently reported fielding 1.3 million law enforcement requests last year for various types of data.

Security

A Real Privacy Threat To Global Internet Users From The U.N. International Telecommunications Union

While much of the coverage leading up to the International Telecommunications Union’s (ITU) World Conference on International Telecommunications in Dubai focused on the red herring threat of a U.N. plot to steal the internet, last week ITU Telecommunications Standardization Sector (ITU-T) quietly approved new standards that — if mandated — could pose an actual threat to user privacy.

The new standards outline requirements for Deep Packet Inspection (DPI) technology in future systems. DPI is a technique for inspecting web content that has legitimate uses but is all too often used by repressive regimes to identify and punish dissenters or to preemptively censor online communication through fear of reprisal. However, while setting technical standards, ITU made practically no mention of the user implications of the technology, nor did it outline guidelines for appropriate use. The Center for Democracy and Technology outlines the issues:

The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications.

By adopting these standards, ITU is essentially supporting a future where all networks have an infrastructure in place for internet service providers and governments to go in and snoop on any web traffic, but not giving clear guidance on when that invasion of privacy is acceptable and what safeguards the average user should expect for their personal communications. This is especially troubling because of DPI’s potential for and history of use as a tool of oppression.

ITU-T standards are not binding, and although some states have proposed changing that, it is unlikely to happen — especially without U.S. support. But while the media rails against the bogeyman of a U.N. internet takeover, ITU-T has given tacit approval to technological standards that could have a very real, detrimental effect on long-term internet privacy without so much as giving lip service to the freedom of information online that ITU claims to champion.

Justice

Senate Committee Considers Requiring Warrants For Access To Cloud Data

Today the Senate Judiciary Committee debates major changes to federal agencies’ and law enforcement’s ability to access the content of digital communications by updating the Electronic Communications Privacy Act (ECPA) to require warrants for the first time for cloud data over 180 days old. Somewhat ironically, the ECPA changes are tied to legislation lobbied for by Netflix that would reduce the privacy of video viewing habits by requiring only one-time consent to share viewing history.

The update to the ECPA is a long time coming: The law dates back to 1986, long before the dawn of many of the platforms it applies to, including Facebook, Twitter, Gmail, and smartphones. Under ECPA, agents can snoop around in remotely stored data that is more than 180 days old by merely asking service providers for the information or getting an administrative subpoena — no warrant needed, meaning no need to prove probable cause. Cyrus Farivar at Ars Technica explained the historical context when the update first appeared on the horizon earlier this fall:

When Congress passed the 1986 Electronic Communications Privacy Act (ECPA), a time when massive online storage of e-mail was essentially unimaginable, it was presumed that if you hadn’t actually bothered to download your e-mail, it could be considered “abandoned” after 180 days. By that logic, law enforcement would not need a warrant to go to the e-mail provider or ISP to get the messages that are older than 180 days.

Privacy advocates have long considered the law to be inadequate for current technology and practices, such as the increasing consumer use of smartphones — a position supported by the 1.3 million requests for user information in the last five years that wireless carriers reported responding to, as warrants for wiretap surveillance dropped 14 percent.

Last week Senate Judiciary Chair Patrick Leahy (D-VT), the author of the original ECPA and the proposed amendment to require warrants, denied reports his update had been altered to continue allowing more than 22 federal agencies access to cloud data without a warrant.

Justice

Senate’s Privacy Bill Would Allow Warrantless E-Mail Surveillance

Under the Electronic Communication Privacy Act, data stored on the cloud lack the privacy standards that apply to locally stored data, like a person’s hard drive. Senate Judiciary Chair Patrick Leahy has pledged to update digital privacy law, but CNET reports that a rewritten version of the bill would grant more than 22 federal agencies access to “Americans’ e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages” without a search warrant.

The bill potentially up for committee vote next week would require a subpoena for searches, and still requires police to obtain a warrant under many circumstances. According to CNET, the earlier version of the bill had stricter protections that would have required probable cause for a search warrant. The rewrite reportedly includes major changes:

– Grants more than 22 federal agencies warrantless access to Americans’ electronic correspondence, with a subpoena.

– Authorizes law enforcement agencies to access accounts without a warrant or court review if there is an “emergency” situation.

– Providers “shall notify” law enforcement in advance of telling users they were the target of a warrant, order or subpoena.

– Would delay notification of accounts accessed from 3 days to “10 business days,” that can be postponed up to 360 days.

As Americans increasingly use digital services, wireless monitoring has soared, revealing information about users’ location, travel, calling patterns, and texting, while warrants for wiretap surveillance have dropped 14 percent. The 1986 Electronic Communications Privacy Act already leaves e-mails unprotected after 180 days. While it “requires a warrant for the government to access photos, calendars and other private data stored on laptops or desktop computers at home,” it does not do the same for “files stored with a service provider in the ‘cloud.’”

Update

Forbes notes that CNET’s report appears to be based on one of many versions of the bill, but may not be the draft seriously considered next week. A Senate Judiciary aide said Leahy “does not support broad carve outs for warrantless searches of email content. He remains committed to upholding privacy laws and updating the outdated Electronic Privacy Communications Act.”

LGBT

Facebook Privacy Policy Outs LGBT Users

The outing of University of Texas-Austin students to their parents as a consequence of a little-known Facebook privacy glitch has reignited longstanding concerns over the social network’s treatment of its LGBT users’ private information. According to a report in the Wall Street Journal, the two students — Bobbi Duncan and Taylor McCormick — had placed highly restrictive privacy controls on the information, but were unintentionally outed by the head of their LGBT choir when they joined its Facebook group to get access to the rehearsal schedule:

The president of the chorus, a student organization at the University of Texas campus here, had added Ms. Duncan and Mr. McCormick to the choir’s Facebook group. The president didn’t know the software would automatically tell their Facebook friends that they were now members of the chorus.

The two students were casualties of a privacy loophole on Facebook—the fact that anyone can be added to a group by a friend without their approval. As a result, the two lost control over their secrets, even though both were sophisticated users who had attempted to use Facebook’s privacy settings to shield some of their activities from their parents.

The consequences for Ms. Duncan and Mr. McCormick were dire — the former’s father “left vitriolic messages on her phone, demanding she renounce same-sex relationships, she says, and threatening to sever family ties,” causing her to spiral into a depression (she’s thankfully improved since). The latter’s dad “didn’t talk to his son for three weeks.”

The Journal notes that Facebook is making an admirable effort to make its privacy policies clearer to LGBT users, but this isn’t the first time the company’s opaque rules have outed LGBT individuals. In 2009, Library of Congress employee Peter TerVeer was outed to his supervisor as a consequence of a Facebook policy change; he was met with a systematic pattern of discrimination that cost him his job and ultimately his home. A glitch in Facebook’s advertising programming had previously sent confidential information on users’ sexual orientation to third-party advertisers.

LGBT

Self-Proclaimed ‘Ex-Gay’ And Therapists File Outlandish Suit Against California Law

Following through on its promise to challenge California’s new ban on ex-gay therapy for minors, the Pacific Justice Institute has filed suit on behalf of a self-proclaimed “ex-gay” therapist-in-training, Aaron Bitzer, and two other therapists, Donald Welch and Anthony Duk, who provide reparative therapy. The suit is rife with spurious claims and meritless demands that essentially equate to whining about the law’s limitations, none of which comes close to meeting a Constitutional challenge. Here is a sampling from the complaint, aptly filed under “Plaintiffs’ Beliefs”:

Forced to discriminate?

If a minor’s objectives are to bring his or her sexual conduct and desires into conformity with the religious traditions, cultural norms, and moral standards of the minor, Dr. Duk can provide treatment so long as the minor is heterosexual. However, under the statute in question, a minor who has unwanted same sex behaviors or attractions cannot be treated with either counseling or prescription medications. [...] Dr. Duk is therefore required to discriminate against minor patients for no other reason than their sexual orientation.

The complaint refers to such conduct as “sexual behaviors, desires, and addictions such as pornography.” Under the law, there’s no reason that gay youth could not pursue therapy for the very same things so long as it’s not in the context of denying, repressing, or attempting to change their sexual orientation. These therapists are basically admitting that they would intentionally discriminate against any gay kid who still wanted affirmation for his or her orientation.

Violation of professional ethics?

The statute materially interferes with the plaintiff mental health professionals’ exercise of their independent professional judgment in providing treatment to minors who have unwanted same sex behaviors or attractions… This is in violation of these plaintiff mental health professionals’ obligations under the rules of professional ethics to provide treatment to persons regardless of their sexual orientation.

Providing ex-gay therapy is already a violation of their professional ethics, as all major professional psychotherapy organizations have condemned the practice as ineffective and harmful. That they seek to provide it nevertheless demonstrates that their “independent professional judgment” is severely compromised.

Economy

How Europe Is Taking Online Privacy Far More Seriously Than The U.S.

Last week, Facebook announced it would cease using facial recognition technology on European Union users and delete all data following complaints from member states and an inquiry by the Irish Data Commissioner. While the Electronic Privacy Information Center (EPIC) filed a complaint with the Federal Trade Commission here in the U.S. over Facebook’s use of the same technology, the complaint remains pending — repeating a familiar narrative of online giants facing higher levels of scrutiny in European Union countries than in the United States.

In the U.S. numerous agencies enforce a “patchwork” of laws defining online privacy protections in different sectors, leaving some areas with very little oversight and users without a clear path to pursue if they feel their rights have been violated. It’s a different story in the E.U., where online privacy policy is guided by the Data Protection Directive — a sort of bill of rights for online users that provides member nations with guidelines for national level laws guaranteeing a base level of control for users.

European protections are on the cusp of becoming even more robust with proposed regulation this year that would implement rules superseding national level laws and extending the scope of protections to apply to all foreign companies processing the data of EU residents. The new regulation also comes with some teeth: Penalties up to two percent of global revenues for offending companies.

To put that into perspective, this summer Google agreed to pay the largest Federal Trade Commission settlement ever to an individual company: It amounted to five hours of 2011 revenues. Under the proposed European Commission Data Protection rules it could have amounted to one hundred seventy-five hours of revenue.

Alyssa

Kate Middleton, Alison Pill, And A Tale Of Two Nude Pictures

It seems like the leaking of nude photos of famous women has become a routine occurrence, a perhaps-inevitable consequence of the social media age and human error. But the publications of two sets of topless photographs of celebrities this week, a phone camera photo actress Alison Pill intended for her fiance, Jay Baruchel, but accidentally tweeted publicly, and a set of paparazzi shots of the Duchess of Cambridge, Kate Middleton, illustrate that while we may have come to expect to see women in public life naked, we’re a long way from establishing where the zones of privacy lie—and how far we should go to enforce them.

When Pill accidentally Tweeted out a playful picture of herself topless in bed, she apologized, but didn’t agonize. “Yep. That picture happened,” she tweeted. “Ugh. My tech issues have now reached new heights, apparently.” Baruchel added “My fiancee is an hilarious dork. #imustjgladitdidnthappentomefirst…Smartphones will get ya.” Pill may be embarrassed, but both she and Baruchel seem to have accepted that her mistake is the kind of inevitable risk people take when they distribute intimate shots of themselves on pieces of technology that are perhaps too powerful for our own good. Nobody’s suing. Nobody’s outraged. It may not have been tasteful for news outlets to publish the picture after Pill released it, but no one suggested it was a gross violation of privacy for them to do so, or that the photograph itself tarnished her reputation.

By contrast, the pictures of Kate Middleton sunbathing that the French magazine Closer published weren’t taken by her and leaked, or hacked, accidentally tweeted, or as was the case with pictures of her brother-in-law, Prince Harry, naked after a game of strip pool, taken by so-called friends and sold. They were taken by paparazzi photographers. Closer maintains that Prince William and his wife were on a balcony that was visible from the street, though “full view of a public road” may mean rather different things to the naked eye and to one enhanced by an extremely long-range telephoto lens.

While strict British press laws have generally protected the Duke and Duchess of Cambridge from the publication of photos of them in private moments at home, Closer apparently felt secure enough in its interpretation of French privacy laws to print the pictures, though it may face a suit from the royal family. But individual countries’ speech, publication, and privacy laws mean much less in the age of the internet, and while Afghanistan may demand that YouTube be blocked in response to the anti-Islam video that’s contributed to protests in a number of Middle Eastern countries, privacy violations are hardly likely to spark similar complaints. It’s not just the internet—camera technology, be it embedded in smartphones or available to enhance a DSLR body, makes the terms of existing law up for debate.

That gets at a larger issue. Press and privacy laws, whether we think they’re desirable or not, function less to prevent the publication of the images of famous people than to help establish the market for them. When celebrities sue magazines and newspapers that print images like the ones of Middleton, the speed with which they act and the damages they request set precedents that help publications calculate whether it’s worth it to run the pictures, whether they can sell enough copies and garner enough clicks to make the cost of the pictures and the cost of the damages worth it. But those laws don’t, and never have, curbed the efforts of professionals to get pictures of famous women or of amateurs to sell them, and they certainly can’t protect us from mistakes in handling the photos we take of ourselves. Alison Pill will probably take better care with her camera phone in the future, and the leak may dispel whatever curiosity existed about what she looks like naked. But Kate Middleton has a bigger problem: it’s one thing to try to affect the supply of pictures of her, when the conversation about demand is the one that we’ve always needed, and that we’ll never meaningfully be able to have.

Economy

Google To Pay $22.5 Million F.T.C. Settlement For Bypassing Safari Privacy Settings

Yesterday, the Federal Trade Commission announced that it approved a settlement requiring Google to pay $22.5 million for bypassing the security settings of millions of customers using Apple’s Safari web and mobile browser, but admit no liability. The penalty roughly amounts to five hours of 2011 revenues for the search giant, according to the Wall Street Journal, despite being the single largest fine to an individual corporation in F.T.C. history.

The penalty comes six months after Google and other advertisers were discovered exploiting a Safari loophole that allowed them to monitor web behavior if a user interacts with a page, regardless of permission settings.

This is not the first time that Google’s forays into social media have been investigated by the FTC — it also settled over Google Buzz violations in 2011 — and privacy missteps have plagued the search giant across the board in recent years. Last month, it was reported that Google failed to delete street view data in France, resurrecting yet another privacy violation scandal, this one about private data collected by scraping unencrypted WiFi networks by Street View vehicles.

Commentators have noted the minimal financial scale of the F.T.C. penalty in comparison to Google revenues — some citing the potential public relations fallout as a greater threat to the business. It’s no real surprise regulatory action was minimal: Congressional Research Service reports call current privacy protections a “patchwork” policy, with Wired and ProPublica decrying the privacy watchdog as “toothless” in June.

The lack of serious enforcement has led to a market where privacy violations and F.T.C. action are par for the course. The F.T.C. settled investigations into other high profile online brands including Facebook and Twitter in 2011.

Online privacy issues have become more visible in recent years despite this enforcement gap. The Pew Internet and American Life Project reported as far back as 2008 that “68% of cloud users are very concerned about targeted ads based on online behavior.” January’s SOPA blackouts demonstrated the commitment of online news and advocacy communities to online privacy, and their ability to organize an effective grassroots lobbying campaign.

Security

Senate Defeat Of Flawed Cybersecurity Bill Allows Time For Improvement

Today the Senate failed to reach cloture on the Cybersecurity Act of 2012 by a vote of 52-46, short of the necessary 60 votes, effectively killing the current iteration. The bill would have directed the Department of Homeland Security to conduct sector-by-sector cybersecurity risk assessments of critical infrastructure, identify risk-based cybersecurity performance requirements, implement cyber response and restoration plans, and develop voluntary requirements for notifications and data-sharing in the event of significant cyber incidents affecting critical infrastructure.

President Obama previously called on Congress to pass the legislation, naming the cyber threat “one of the most serious economic and national security challenges we face”, despite having threatened to veto CISPA earlier this year due to privacy concerns similar to those raised by some opponents of the Cybersecurity Act of 2012.

The threat of cyber attack is very real. Public and private infrastructure around the world is vulnerable to attacks, and the number of incidents involving U.S. critical infrastructure has jumped from 9 in 2009 to 198 in 2011. But there are good reasons why this bill failed:

  • The figures used to justify the bill don’t stand up to academic scrutiny. Backers of the legislation and bills like it relied on statistics quantifying the financial stakes of cybersecurity from private cybersecurity companies Symantec Corp. and McAfee Inc. to justify immediate action, but ProPublica reports their numbers don’t add up.
  • It lacked privacy safeguards: While not as hated by privacy advocates as previous cybersecurity proposals, if left un-amended the Cybersecurity Act would have given internet service providers the “explicit right to monitor private user communications.”
  • The death of the Cybersecurity Act of 2012 isn’t the death of cybersecurity. Amendments made to this bill only put privacy advocates in a better position for the next round of debate. As Michelle Richardson, legislative counsel with ACLU, notes:

“When Congress inevitably picks up this issue again, the privacy amendments in this bill should remain the vanguard for any future bills. We’ll continue to work with Congress to make sure that the government’s cybersecurity efforts include privacy protections. Cybersecurity and our online privacy should not be a zero sum game.”

Richardson is right, and this much-needed debate will be continued in the future. More details on today’s vote via the New York Times.
