Rina Steenkamp - Privacy and technology
[Connecting the dots - Analysis of the efectiveness of bulk phone records collection | Obama's NSA speech has little impact on skeptical public | What secrets your phone is sharing about you - Businesses use sensors to track customers, build shopper profiles | Transaction costs, privacy and trust - The laudable goals and ultimate failure of notice and choice to respect privacy online | Big data for development - Challenges and opportunities | FTC settles with twelve companies falsely claiming to comply with international Safe Harbor privacy framework | On the security, privacy and usability of online seals - An overview | Do NSA's bulk surveillance programs stop terrorists? | Tiny constables and the cost of surveillance - Making cents out of United States v. Jones | How law enforcement tracks cellular phones | How the NSA almost killed the internet | Twenty privacy bills to watch in 2014 | Use of sensitive health information for targeting of Google ads raises privacy concerns | Relational Big Data | Social media for selection? Validity and adverse impact potential of a Facebook-based assessment | What happens in the hospital doesn't stay in the hospital | Mr. Wemmick's condition - or, privacy as a disposition, complete with skeptical observations regarding various regulatory enthusiasms | Privacy and cloud computing in public schools | The hidden truth behind shadow IT - Six trends impacting your security posture | Privacy in mobile apps - Guidance for app developers | In-car location-based services - Companies are taking steps to protect privacy, but some risks may not be clear to consumers | Information security - Agency responses to breaches of personally identifiabe information need to be more consistent | How to forget passwords (Many faces of passwords)]
A paper by Marshall Erwin.
From the paper:
"Intelligence community officials have given two primary examples of the value or prospective value of Section 215 bulk phone records collection: the disrupted 2009 al-Qaeda plot targeting the New York City subway and the case of Khalid al-Mihdhar, the 9/11 hijacker who was under surveillance by NSA and who, the government alleges, could have been found if NSA had Section 215 authorities before the 9/11 attacks. Upon review of the facts of these two cases, neither is compelling. Bulk phone records collection would not have helped disrupt the 9/11 plot and did not make a significant contribution to success against the 2009 plot."
Read more:
Media coverage:
A survey report by Pew Research.
From the report:
"Today, 40% approve of the government's collection of telephone and internet data as part of anti-terrorism efforts, while 53% disapprove. In July, more Americans approved (50%) than disapproved (44%) of the program. In addition, nearly half (48%) say there are not adequate limits on what telephone and internet data the government can collect; fewer (41%) say there are adequate limits on the government’s data collection. About four-in-ten Republicans (39%) and independents (38%) – and about half of Democrats (48%) – think there are adequate limits on the information that the government can collect."
Read more:
Media coverage:
An article by Elizabeth Dwoskin (WSJ).
From the article:
"Mr. Zhang is a client of Turnstyle Solutions Inc., a year-old local company that has placed sensors in about 200 businesses within a 0.7 mile radius in downtown Toronto to track shoppers as they move in the city. The sensors, each about the size of a deck of cards, follow signals emitted from Wi-Fi-enabled smartphones. That allows them to create portraits of roughly 2 million people's habits as they have gone about their daily lives, traveling from yoga studios to restaurants, to coffee shops, sports stadiums, hotels, and nightclubs."
Read more:
Media coverage:
A paper by Kirsten Martin (First Monday).
Abstract:
"The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research privacy. This paper suggests that the online environment is not conducive to rely on explicit agreements to respect privacy. Current privacy concerns online are framed as a temporary market failure resolvable through two options: (a) ameliorating frictions within the current notice and choice governance structure or (b) focusing on brand name and reputation outside the current notice and choice mechanism. The shift from focusing on notice and choice governing simple market exchanges to credible contracting where identity, repeated transactions, and trust govern the information exchange rewards firms who build a reputation around respecting privacy expectations. Importantly for firms, the arguments herein shift the firm's responsibility from adequate notice to identifying and managing the privacy norms and expectations within a specific context."
Read more:
Media coverage:
A report by Emmanuel Letouzé (UN Global Pulse).
From the Abstract:
"Innovations in technology and greater affordability of digital devices have presided over today's Age of Big Data, an umbrella term for the explosion in the quantity and diversity of high frequency digital data. These data hold the potential - as yet largely untapped - to allow decision makers to track development progress, improve social protection, and understand where existing policies and programmes require adjustment. [...] With the promise come questions about the analytical value and thus policy relevance of this data - including concerns over the relevance of the data in developing country contexts, its representativeness, its reliability - as well as the overarching privacy issues of utilising personal data. This paper does not offer a grand theory of technology-driven social change in the Big Data era. Rather it aims to delineate the main concerns and challenges raised by 'Big Data for Development' as concretely and openly as possible, and to suggest ways to address at least a few aspects of each."
Read more:
See also:
A publication by the FTC.
From the press release:
"Twelve U.S. businesses have agreed to settle Federal Trade Commission charges that they falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor that enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law. The companies settling with the FTC represent a cross-section of industries, including retail, professional sports, laboratory science, data broker, debt collection, and information security. The companies handle a variety of consumer information, including in some instances sensitive data about health and employment."
Read more:
Media coverage:
A report by Hannes Tschofenig, Melanie Volkamer, Nicola Jentzsch, Simone Fischer Hübner, Stefan Schiffner and Rodica Tirtea (ENISA).
From the Executive Summary:
"This report analyses the conditions under which online security and privacy seals (OSPS) can be deployed to support users to make an informed trust decision about Web services and their providers with respect to the provided security and privacy. This report is motivated by the numerous policy documents, that mention marks, seals, logos, icons, (collectively referred as OSPS) as a mean enabling users to judge on the trustworthiness of services offered on the Web. The field of OSPSs has also developed in maturity. Therefore, we aim at analysing the current situation and identified key challenges for online signals in practise. Based on these challenges, this report identifies possible solutions and corresponding recommendations and next steps that ENISA and other stakeholders should follow for enabling users in judging on the trustworthiness of services offered on the Web."
Read more:
Media coverage:
A report by Peter Bergen, David Sterman, Emily Schneider, and Bailey Cahall (New America Foundation).
From the Executive Summary:
"An in-depth analysis of 225 individuals recruited by al-Qaeda or a like-minded group or inspired by al-Qaeda's ideology, and charged in the United States with an act of terrorism since 9/11, demonstrates that traditional investigative methods, such as the use of informants, tips from local communities, and targeted intelligence operations, provided the initial impetus for investigations in the majority of cases, while the contribution of NSA's bulk surveillance programs to these cases was minimal. Indeed, the controversial bulk collection of American telephone metadata, which includes the telephone numbers that originate and receive calls, as well as the time and date of those calls but not their content, under Section 215 of the USA PATRIOT Act, appears to have played an identifiable role in initiating, at most, 1.8 percent of these cases. NSA programs involving the surveillance of non-U.S. persons outside of the United States under Section 702 of the FISA Amendments Act played a role in 4.4 percent of the terrorism cases we examined, and NSA surveillance under an unidentified authority played a role in 1.3 percent of the cases we examined."
Read more:
See also:
Media coverage:
An essay by Kevin S. Bankston and Ashkan Soltani (Yale Law Journal Online).
YLJO's introduction:
"In United States v. Jones, five Supreme Court Justices wrote that government surveillance of one's public movements for twenty-eight days using a GPS device violated a reasonable expectation of privacy and constituted a Fourth Amendment search. Unfortunately, they didn't provide a clear and administrable rule that could be applied in other government surveillance cases. In this Essay, Kevin Bankston and Ashkan Soltani draw together threads from the Jones concurrences and existing legal scholarship and combine them with data about the costs of different location tracking techniques to articulate a cost-based conception of the expectation of privacy that both supports and is supported by the concurring opinions in Jones."
Read more:
Media coverage:
A blog post by Matt Blaze.
From the blog post:
"There are actually a surprising number of different ways law enforcement agencies can track and get information about phones, each of which exposes different information in different ways. And it's all steeped in arcane surveillance jargon that's evolved over decades of changes in the law and the technology. So now seems like a good time to summarize what the various phone tapping methods actually are, how they work, and how they differ from one another."
Read more:
An article by Steven Levy (Wired Threat Level).
From the article:
"On June 6, 2013, Washington Post reporters called the communications departments of Apple, Facebook, Google, Yahoo, and other Internet companies. The day before, a report in the British newspaper The Guardian had shocked Americans with evidence that the telecommunications giant Verizon had voluntarily handed a database of every call made on its network to the National Security Agency. [...] It would be the start of a chain reaction that threatened the foundations of the industry. The subject would dominate headlines for months and become the prime topic of conversation in tech circles. For years, the tech companies’ key policy issue had been negotiating the delicate balance between maintaining customers’ privacy and providing them benefits based on their personal data. It was new and controversial territory, sometimes eclipsing the substance of current law, but over time the companies had achieved a rough equilibrium that allowed them to push forward. The instant those phone calls from reporters came in, that balance was destabilized, as the tech world found itself ensnared in a fight far bigger than the ones involving oversharing on Facebook or ads on Gmail."
Read more:
See also:
A blog post by Jeff Kosseff (Inside Privacy).
From the blog post:
"From electronic surveillance to healthcare privacy to drones, Congress is planning to consider a wide range of privacy legislation this year. The Edward Snowden leaks about the National Security Agency and the recent data breaches at retailers are likely to keep privacy and data security on the top of many lawmakers’ agendas. After the jump is a summary of twenty pending privacy-related bills to keep an eye on during the remainder of the 113th Congress."
Read more:
A report of findings by the Office of the Privacy Commissioner of Canada.
From the news release:
"Google's online advertising service used sensitive information about individuals’ online activities to target them with health-related advertisements, contrary to Canadian privacy law, an investigation has found. In response to the investigation by the Office of the Privacy Commissioner of Canada, Google has agreed to take steps aimed at stopping the privacy-intrusive ads."
Read more:
Media coverage:
An article by Karen E.C. Levy (Stanford Law Review).
From the article:
"I want to complicate matters further by suggesting another way in which data has become big: data now mediate our day-to-day social relationships to an unprecedented degree. This other big data revolution relies on the proliferation of new data collection and analysis tools that allow individuals to track easily, quantify, and communicate information about our own behaviors and those of others. This type of big data arguably touches more of us more directly than the big data practices more commonly discussed, as it comes to reshape our relationships across multiple domains of daily life. In this sense, data is big not because of the number of points that comprise a particular dataset, nor the statistical methods used to analyze them, nor the computational power on which such analysis relies. Instead, data is big because of the depth to which it has come to pervade our personal connections to one another."
Read more:
An article by Chad H. Van Iddekinge, Stephen E. Lanivich, Philip L. Roth and Elliott Junco (Journal of Management).
From the Abstract:
"Recent reports suggest that an increasing number of organizations are using information from social media platforms such as Facebook.com to screen job applicants. Unfortunately, empirical research concerning the potential implications of this practice is extremely limited. We address the use of social media for selection by examining how recruiter ratings of Facebook profiles fare with respect to two important criteria on which selection procedures are evaluated: criterion-related validity and subgroup differences (which can lead to adverse impact). [...] The overall results suggest that organizations should be very cautious about using social media information such as Facebook to assess job applicants."
Read more:
Media coverage:
An article by Melissa Jayne Kinsey (Slate).
From the article:
"[...] now we have a different kind of exposure to worry about: becoming some doctor's 140-character case study or the latest trophy on his Facebook wall. That's what happened to a 23-year-old model admitted to Chicago's Northwestern Memorial Hospital last June for excessive alcohol consumption. An emergency department physician allegedly took photos of her in which she appears anxious and disheveled. He's accused of having posted the unbecoming shots on Facebook and Instagram. In a similar incident in August, an off-duty employee of Spectrum Health in Grand Rapids, Mich., photographed an attractive female patient in the emergency department and posted the image on Facebook, with the blandly pervy caption 'I like what I like.' He and several colleagues implicated in the misconduct are now free to seek upskirt opportunities elsewhere."
Read more:
Media coverage:
A paper by Joel Brenner (Lawfare).
From 'I. In Which We Meet Mr. Wemmick':
"'The office is one thing, and private life is another,' Mr. Wemmick instructs young Pip in Charles Dickens' Great Expectations. Law clerk and factotum to the chancery lawyer Jaggers, Wemmick is a professional cipher, rendering unto Jaggers the services due an employer and keeping to himself his soul and private doings. He’s the personification of privacy, showing us the regimentation of working life, its control by others, and its sharp separation from the private realm. [...] Where did this rigid separation of working life and family life come from, and where did it go? Aristocratic society was always characterized by pride, honor, and reserve, but Mr. Wemmick was no aristocrat, and his outlook was not a feature of aristocratic society, because aristocrats didn't work. Nor was it characteristic of the working class, if only because the crowded conditions of working class life, in which much living took place in common or on the street, would not permit it. Mr. Wemmick's reserve was decidedly middle-class, and it represented the high-water mark of private, and especially familial, resistance to the intrusive demands of institutionalized life, commercial and otherwise."
Read more:
Media coverage:
A report by Joel Reidenberg, N. Cameron Russell, Jordan Kovnot, Thomas B. Norton, Ryan Cloutier, and Daniela Alvarado (Fordham Law School).
From the Executive Summary:
"The goals of the study are threefold: first, to provide a national picture of cloud computing in public schools; second, to assess how public schools address their statutory obligations as well as generally accepted privacy principles in their cloud service agreements; and, third, to make recommendations based on the findings to improve the protection of student privacy in the context of cloud computing."
Read more:
Media coverage:
A paper by Stratecast / Frost & Sullivan (McAfee).
From the Introduction:
"Are we facing a BYOA (Bring Your Own Application) revolution, in which employees claim the right to choose the tools with which they get their work done, while IT scrambles to protect corporate assets? The revolution is already here, according to the results of a recent Stratecast survey. Thanks to the ease of access to Software as a Service (SaaS) applications, even nontechnical employees feel comfortable and entitled to choose their software - and they are doing so in droves. In many cases, IT departments and security officers are unaware of the extent of 'shadow IT,' and therefore unprepared to deal with it."
Read more:
Media coverage:
A publication by the ICO.
From the related blog post:
"A YouGov survey commissioned by the ICO in December has highlighted that concerns around how apps are using people's personal information is hitting developer's sales and usage figures. The survey found that 62% of people who have downloaded an app are concerned about the way apps use personal information, with almost half (49%) of app users having chosen not to download an app due to privacy concerns. [...] It's clear then, that as well as fulfilling a legal requirement, it is in developers' interests to make sure they are looking after people's information correctly by complying with the Data Protection Act. To help them achieve this we have published detailed guidance today that was developed in consultation with key figures within the industry, including academics and other regulators. The guidance explains the key requirements that developers must meet when processing personal information through an app, covering issues such as security and data retention."
Read more:
A report by United States Government Accountability Office.
From 'Why GAO did this study':
"This report addresses (1) what selected companies that provide in-car location-based services use location data for and if they share the data, and (2) how these companies' policies and reported practices align with industry-recommended privacy practices. GAO selected a non-generalizable sample of 10 companies. The companies were selected because they represent the largest U.S. market share or because their services are widely used."
Read more:
See also:
Media coverage:
A report by the U.S. Government Accountability Office.
From 'Why GAO did this study':
"The term 'data breach' generally refers to the unauthorized or unintentional exposure, disclosure, or loss of sensitive information. A data breach can leave individuals vulnerable to identity theft or other fraudulent activity. Although federal agencies have taken steps to protect PII, breaches continue to occur on a regular basis. In fiscal year 2012, agencies reported 22,156 data breaches - an increase of 111 percent from incidents reported in 2009. GAO was asked to review issues related to PII data breaches. The report's objectives are to (1) determine the extent to which selected agencies have developed and implemented policies and procedures for responding to breaches involving PII and (2) assess the role of DHS in collecting information on breaches involving PII and providing assistance to agencies."
Read more:
Media coverage:
A paper by Dan Cvrcek.
Abstract:
"This paper is built around three cornerstones: interviews with IT managers in companies with 200-1,000 employees, our implementation of changes to password authentication systems, and security analysis of passwords. The paper covers some of real-world experiences we have gained in the last 6 months and uses them as a background for common understanding of password and building a simple threat model. The second part of the paper explores options for improving password security while preserving existing infrastructure. We are interested in schemes that can be used in existing password-based systems, from Windows AD-based systems, to cloud-based applications."
Read more: