Rina Steenkamp - Privacy and technology
[Request for investigation of 30 companies' violation of the U.S.-EU Safe Harbor program | Rethinking personal data - A new lens for strengthening trust | The future of work - A journey to 2022 | The most wanted man in the world | What's the matter with PGP? | The National Programme for IT in the NHS - A case history | Is Big Data spreading inequality? | Platform neutrality - Building an open and sustainable digital environment | Elastic pathing - your speed is enough to track you | Surviving on a diet of poisoned fruit - Reducing the national security risks of America's cyber dependencies | A large-scale analysis of the security of embedded firmwares | The social laboratory - Singapore is testing whether mass surveillance and big data can not only protect national security, but actually engineer a more harmonious society | [Google's answers to the] Questionnaire addressed to Search Engines by the Article 29 Working Party regarding the implementation of the CJEU judgement on the "right to be forgotten" | EU Data Protection law - a 'right to be forgotten'? | What's the deal? An FTC study on mobile shopping apps | Insurance 2020 - The digital prize - Taking customer connection to a new level | Surveillance costs - the NSA's impact on the economy, internet freedom & cybersecurity | With liberty to monitor all - How large-scale US surveillance is harming journalism, law and American democracy | Jewel v. NSA - Plaintiffs Jewel, Knutzen and Walton's motion for partial summary judgment | [Open letter to the U.S. Federal Trade Commission and the Irish Data Protection Commissioner] | Big data and data protection | Review of the impact of ICO civil monetary penalties | Smart meters, smarter regulation - Balancing privacy and innovation in the electric grid]
Request submitted by the Center for Digital Democracy.
From the Executive Summary:
"This request for investigation arises from research by the Center for Digital Democracy (CDD) and its ongoing investigation of data marketing and profiling companies that have joined to the U.S.-EU Safe Harbor framework, as developed by the U.S. Department of Commerce (DOC) and formally accepted by the European Commission (EC). These 30 companies (data marketing and profiling companies) are similar in that they collect, use and share EU consumers' personal information to create digital profiles about them, analyze their behavior, and use the data to make marketing and related decisions regarding each of them. While these companies are largely unknown to EU citizens, they pride themselves on knowing everything about individuals and how to comprehensively profile and target them. The commercial surveillance of EU consumers by U.S. companies, without consumer awareness or meaningful consent, contradicts the fundamental rights of EU citizens and European data protection laws, and also violates the intention of the Safe Harbor mechanism to adequately protect EU consumers' personal information. This filing is intended to provide the Federal Trade Commission (FTC) with factual information and legal analysis on probable violations of Safe Harbor commitments that materially mislead EU consumers."
A report by World Economic Forum / A.T. Kearney.
From the Executive Summary:
"As we look at the dynamic change shaping today's data-driven world, one thing is becoming increasingly clear. We really do not know that much about it. Polarized along competing but fundamental principles, the global dialogue on personal data is inchoate and pulled in a variety of directions. It is complicated, conflated and often fueled by emotional reactions more than informed understandings. The World Economic Forum's global dialogue on personal data seeks to cut through this complexity. A multi-year initiative with global insights from the highest levels of leadership from industry, governments, civil society and academia, this work aims to articulate an ascendant vision of the value a balanced and human-centred personal data ecosystem can create."
A report by PwC.
From 'The Blue World of 2022':
"The data profiling that drives customer management will increasingly be replicated among employees as screening and monitoring move to a new level. Sensors check their location, performance and health. The monitoring may even stretch into their private lives in an extension of today’s drug tests. Periodic health screening gives way to real-time monitoring of health, with proactive health guidance and treatment to enable staff to perform more efficiently, reduce sick leave and work for more years before needing to retire. [...] The 'contract' with employees is defined by the handing over of data (e.g. health, performance, possibly even private life) in return for job security. More than 30% of the participants in our global survey would be happy for their employers to have access to their personal data. Younger people tend to be more open to this than older generations, so this kind of monitoring could become routine in the years to come."
An article by James Bamford (Wired).
From the article:
"The message arrives on my 'clean machine,' a MacBook Air loaded only with a sophisticated encryption package. 'Change in plans,' my contact says. 'Be in the lobby of the Hotel ______ by 1 pm. Bring a book and wait for ES to find you.' ES is Edward Snowden, the most wanted man in the world. For almost nine months, I have been trying to set up an interview with him - traveling to Berlin, Rio de Janeiro twice, and New York multiple times to talk with the handful of his confidants who can arrange a meeting. Among other things, I want to answer a burning question: What drove Snowden to leak hundreds of thousands of top-secret documents, revelations that have laid bare the vast scope of the government's domestic surveillance programs?"
A blog post by Matthew Green (A few thoughts on cryptographic engineering).
From the text:
"Last Thursday, Yahoo announced their plans to support end-to-end encryption using a fork of Google's end-to-end email extension. This is a Big Deal. With providers like Google and Yahoo onboard, email encryption is bound to get a big kick in the ass. This is something email badly needs. So great work by Google and Yahoo! Which is why following complaint is going to seem awfully ungrateful. I realize this and I couldn't feel worse about it. As transparent and user-friendly as the new email extensions are, they're fundamentally just re-implementations of OpenPGP -- and non-legacy-compatible ones, too. The problem with this is that, for all the good PGP has done in the past, it's a model of email encryption that's fundamentally broken. It's time for PGP to die."
A paper by Oliver Campion-Awwad, Alexander Hayton, Leila Smith and Mark Vuaran.
From the Introduction:
"The National Programme for IT in the [National Health Service] (NPfIT) was the largest public sector IT programme ever attempted in the UK, originally budgeted to cost approximately £6 billion over the lifetime of the major contracts. After a history marked by delays, stakeholder opposition and implementation issues, the programme was dismantled by the Conservative-Liberal Democrat Government in 2011, almost ten years after Prime Minister Tony Blair initiated it at a seminar in Downing Street in 2002."
A series of articles published by the NYT.
The introduction to the series:
"Social media companies depend on selling information about their users' clicks and purchases to data brokers who match ads to the most receptive individuals. But the Federal Trade Commission and the White House have called for legislation that would inform consumers about the data collected and sold to companies, warning of analytics that have 'the potential to eclipse longstanding civil rights protections.' Does the collection of data by companies threaten consumers' civil rights?"
An opinion by the Conseil National du Numérique.
From 'Part II - Ensure data system fairness':
"Data has many and varied sources. It may originate from individuals, groups or machines in a private or public environment, geared towards market or non-market wealth generation. It is increasingly processed, stored, exchanged and aggregated, and has become a critical input and a key driver for the new economy, enabling new value chains to be established. Platforms benefit from collecting this readymade and easily-accessible commodity together with an increasing stream of personal data and digital footprints. These represent yield value that grows with user traffic and the widening of the catchment area. The very nature of data is currently being debated. Is it an unsaleable asset, a common asset, private transferable property, or a right of use or usage? There are also many ethical and economic issues, as well as issues concerning the enforcement of fundamental freedoms. This new economic and social landscape has to be organised, in compliance with core values to guarantee sustainable development."
A paper by Xianyi Gao, Bernhard Firner, Shridatt Sugrim, Victor Kaiser-Pendergrast, Yulong Yang and Janne Lindqvist.
From the Abstract:
"Today, people have the opportunity to opt-in to usage-based automotive insurances for reduced premiums by allowing companies to monitor their driving behavior. Several companies claim to measure only speed data to preserve privacy. With our elastic pathing algorithm, we show that drivers can be tracked by merely collecting their speed data and knowing their home location, which insurance companies do, with an accuracy that constitutes privacy intrusion."
A paper by Richard J. Danzig (Center for a New American Security).
From the Executive Summary:
"Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure. Their communicative capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations, but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack. The complexity of their hardware and software creates great capability, but this complexity spawns vulnerabilities and lowers the visibility of intrusions. Cyber systems' responsiveness to instruction makes them invaluably flexible; but it also permits small changes in a component's design or direction to degrade or subvert system behavior. These systems' empowerment of users to retrieve and manipulate data democratizes capabilities, but this great benefit removes safeguards present in systems that require hierarchies of human approvals. In sum, cyber systems nourish us, but at the same time they weaken and poison us."
A paper by Andrei Costin, Jonas Zaddach, Aurélien Francillon and Davide Balzarotti.
From the Abstract:
"our society, their security is becoming an increasingly important issue. However, based on the results of many recent analyses of individual firmware images, embedded systems acquired a reputation of being insecure. Despite these facts, we still lack a global understanding of embedded systems' security as well as the tools and techniques needed to support such general claims. [...] In summary, without performing sophisticated static analysis, we discovered a total of 38 previously unknown vulnerabilities in over 693 firmware images. Moreover, by correlating similar files inside apparently unrelated firmware images, we were able to extend some of those vulnerabilities to over 123 different products. We also confirmed that some of these vulnerabilities altogether are affecting at least 140K devices accessible over the Internet. It would not have been possible to achieve these results without an analysis at such wide scale. We believe that this project, which we plan to provide as a firmware unpacking and analysis web service, will help shed some light on the security of embedded devices."
An article by Shane Harris (Foreign Policy).
From the article:
"In October 2002, Peter Ho, the permanent secretary of defense for the tiny island city-state of Singapore, paid a visit to the offices of the Defense Advanced Research Projects Agency (DARPA), the U.S. Defense Department's R&D outfit best known for developing the M16 rifle, stealth aircraft technology, and the Internet. Ho didn't want to talk about military hardware. Rather, he had made the daylong plane trip to meet with retired Navy Rear Adm. John Poindexter, one of DARPA's then-senior program directors and a former national security advisor to President Ronald Reagan. Ho had heard that Poindexter was running a novel experiment to harness enormous amounts of electronic information and analyze it for patterns of suspicious activity - mainly potential terrorist attacks. The two men met in Poindexter's small office in Virginia, and on a whiteboard, Poindexter sketched out for Ho the core concepts of his imagined system, which Poindexter called Total Information Awareness (TIA). It would gather up all manner of electronic records - emails, phone logs, Internet searches, airline reservations, hotel bookings, credit card transactions, medical reports - and then, based on predetermined scenarios of possible terrorist plots, look for the digital 'signatures' or footprints that would-be attackers might have left in the data space. The idea was to spot the bad guys in the planning stages and to alert law enforcement and intelligence officials to intervene. [...] Ho returned home inspired that Singapore could put a TIA-like system to good use. Four months later he got his chance, when an outbreak of severe acute respiratory syndrome (SARS) swept through the country, killing 33, dramatically slowing the economy, and shaking the tiny island nation to its core."
A letter by Peter Fleischer (Google).
From the letter:
"Thank you for inviting Google representatives to the meeting organized on July 24 by the Article 29 Working Party with three US-based search engines to discuss the challenges of implementing the European Court of Justice's recent decision in the 'Costeja' case. Please find below the responses to the questionnaire that you sent to us. In the interest of transparency, we will follow your lead and make our responses public."
A report by the House of Lords - European Union Committee.
From the news release:
"The Court's interpretation of Article 12 of the 1995 Data Protection Directive, which was drafted three years before Google was founded, has resulted in the ruling that the search engine's European sites must process more than 70,000 data removal requests that it has received since its web form went live on 30th May, 17 days after the judgment. After having heard evidence from data protection experts, the Information Commissioner's Office, the Minister for Justice and Civil Liberties, Simon Hughes, and Google itself, the Committee recommends that the UK Government must continue to fight to ensure that the updated Regulation no longer includes any provision on the lines of the Commission's 'right to be forgotten' or the European Parliament's 'right to erasure'."
A staff report by the FTC.
From 'Privacy policy recommendations':
"Consumers should be able to evaluate and compare the data practices of different services in order to make informed decisions about the apps they install. The number of readily available privacy policies addressing the collection, use, and sharing of data is a step in the right direction. However, many disclosures used vague language, reserving broad rights to collect, use, and share consumer information, rather than describe how the apps actually handle consumers' data. Such disclosures preserve broad rights but fail to achieve what should be the central purpose of any privacy policy — making clear how data is collected, used, and shared. Further, they suggest that these app developers may not be evaluating whether they have a business need for the data they are collecting."
A report by PwC.
From 'Wave two - New and enhanced products':
"Tracking sensors have already paved the way for the development of 'pay as you go' motor cover, which matches the premium to how much the car is used. This is now giving way to a more risk-sensitive 'pay how you drive' model, which allows insurers to judge how well the policyholder drives and reflect this in their pricing. Examples include Discovery Insure in South Africa. Drivers rated as good or excellent by the company's Vitalitydrive programme can receive monthly cash rewards of up to 50% of their fuel expenditure. The benefits for Discovery include higher retention and lower claims costs. Even more important for the company are the benefits for society. The service is encouraging safer driving and reducing the incidence of serious accidents among policyholders in a country with one of the highest motor vehicle fatality rates in the world (33 per 100,000 inhabitants per year, more than twice the rate in China and the US). The next level of 'information advantage' is going to come from extracting risk and customer profiling data from the purchasing, GPS, social media and other digital trails people leave. A lot of this information is unstructured and new analytical techniques are emerging to get the insights from it. [...] What underlies these developments is an important shift from the insurer being a reactive claims' payer to a proactive risk manager. By helping customers to understand and mitigate their risks more effectively, the true value and differential of insurers' risk management expertise would become more tangible and they would be in a better position to increase their prices and returns."
A report by Danielle Kehl with Kevin Bankston, Robyn Greene & Robert Morgus (New America's Open Technology Institute).
From the Executive Summary:
"It has been over a year since The Guardian reported the first story on the National Security Agency’s surveillance programs based on the leaks from former NSA contractor Edward Snowden, yet the national conversation remains largely mired in a simplistic debate over the tradeoffs between national security and individual privacy. It is time to start weighing the overall costs and benefits more broadly."
A report by Human Rights Watch and the American Civil Liberties Union.
From the Summary:
"Specifically, this report documents the effects of large-scale electronic surveillance on the practice of journalism and law, professions that enjoy special legal protections because they are integral to the safeguarding of rights and transparency in a democracy. To document these effects, we interviewed 92 people, including 46 journalists and 42 lawyers, about their concerns and the ways in which their behavior has changed in light of revelations of large-scale surveillance. We also spoke to current and former senior government officials who have knowledge of the surveillance programs to understand their perspective, seek additional information, and take their concerns into account in our analysis. Whether reporting valuable information to the public, representing another's legal interests, or voluntarily associating with others in order to advocate for changes in policy, it is often crucial to keep certain information private from the government. In the face of a massively powerful surveillance apparatus maintained by the US government, however, that privacy is becoming increasingly scarce and difficult to ensure. As a result, journalists and their sources, as well as lawyers and their clients, are changing their behavior in ways that undermine basic rights and corrode democratic processes."
A brief by the EFF.
From 'II. Statement of facts':
"The information revealed by a person's Internet activities paints an intimate and richly detailed portrait of the person's life—often on a day-by-day or minute-by-minute basis. It is precisely this deeply personal information that the government is seizing and searching. The Washington Post recently examined a sample of 160,000 Internet communications intercepted and retained by the NSA. Even after significantly more filtering and minimization than is at issue here, the Post reported: 'Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.' The government conducts its domestic surveillance by seizing and searching Internet communications as they flow through major fiber-optic network junctions on the Internet 'backbone.' Almost all ordinary Internet traffic travels at some point over the Internet backbone - high-capacity, long-distance fiber-optic cables controlled by major Internet providers such as AT&T. The seizures at issue here occur on the junctions between AT&T and other providers on the backbone."
A letter by Kostas Rossoglou and Jeffrey Chester (Trans Atlantic Consumer Dialogue).
From the letter:
"We are writing to express deep alarm about the announcement on June 12, 2014, that Facebook is planning to collect the web browsing activities of Internet users for targeted advertising. Facebook already installs cookies and pixel tags on users' computers to track browsing activity on Facebook.com and Facebook apps. If Facebook is permitted to expand its data collection practices, those cookies and pixel tags will also track users' browsing activity on any website that includes a few lines of Facebook code."
A report by the Information Commissioner's Office.
From the Introduction:
"This paper is intended to give an overview of the issues as we see them and contribute to the debate on big data and privacy. This is an area in which the capabilities of the technology and the range of potential applications are evolving rapidly and there is ongoing discussion of the implications of big data. Our aim is to ensure that the different privacy risks of big data are considered along with the benefits of big data - to organisations, to individuals and to society as a whole. It is our belief that the emerging benefits of big data will be sustained by upholding key data protection principles and safeguards. The benefits cannot simply be traded with privacy rights."
A report by SPA Future Thinking.
From '2. Key findings':
"The research findings indicate that CMPs are effective at improving data protection compliance. [...] The research confirmed that this positive impact was extended to ‘peer’ organisations, where CMPs had a wider impact as a useful deterrent and an incentive to ‘get it right first time’. A substantial proportion of this sample said that they had reviewed or changed their data protection practices and policies as a result of hearing about CMPs being issued to other organisations."
A comment by Samuel J. Harvey (61 UCLA L. Rev. 2068).
Abstract:
"Transitioning from our current energy infrastructure to a smart grid will be essential to meeting future challenges. One key component of the smart grid is advanced metering infrastructure (AMI). AMI allows for the grid to be run more effectively and efficiently by making granular near real-time data about customers' energy usage available. Coupled with the input and innovation of third-party companies and researchers, the potential benefits of this technology are immense. But given the granularity of AMI data, some academics and consumer advocates are concerned that the technology could place customer privacy at risk. It is therefore essential that regulators appropriately tailor privacy protections to strike the proper balance between the innovative potential of AMI data and consumers' privacy concerns. When possible, regulators should opt for regimes allowing for the protected sharing of granular AMI data with third parties."