Leap Day Review of Recent Developments in Privacy

Posted by John L. Nicholson

Given how busy the privacy world has been recently, we thought we'd take this "extra day" to catch up on some of the bigger recent developments:

  • The White House unveiled its Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (see the White House "Fact-Sheet" on the proposal here). The Framework contains five key elements: a "Consumer Privacy Bill of Rights" (CPBoR); a "stakeholder-driven" process to specify how the principles in the CPBoR apply in particular business contexts; stronger enforcement by the FTC and state Attorneys General; a commitment to increase interoperability between the US privacy framework and those of the international partners of the United States; and various proposals and recommendations for data privacy legislation, including a call for a national standard for security breach notification.
  • Google was accused of circumventing privacy protections in the Safari and Internet Explorer browsers, and the fallout continued from Google's announcement of its new harmonized privacy policy in advance of its March 1 implementation.
  • The California Attorney General announced its agreement with the largest mobile app providers (Google, Facebook, Hewlett Packard, Research in Motion/Blackberry) under which these companies have committed to provide mobile app purchasers with access to a clear, conspicuous, privacy policy before they download an app from the relevant provider's site. At the same time, the mobile provider trade association GSMA announced a set of Privacy Design Guidelines for Mobile Application Development.
  • The 11th Circuit held that being forced to reveal the password for an encrypted drive would violate the 5th Amendment. This is the first time this issue has been considered at the Circuit Court level.

WHITE HOUSE PRIVACY FRAMEWORK

Consumer Privacy Bill of Rights

  • Broad Definition of "Personal Data" - The proposed CPBoR defines "personal data" as any data or aggregations of data that are linkable to a specific individual. This is a change from the more limited approach generally taken under US laws, and this definition is very similar to the definition used by the EU Data Protection Directive and the recently-proposed revisions to the EU Data Protection Regulation. As proposed, "personal data" could also include data that is linked to a specific computer or other device, which could include IP addresses or other device identifiers.

  • Seven Principles - The CPBoR is a comprehensive statement of the rights that consumers should expect, and the obligations to which companies should commit. Treating privacy as a right is also a new approach for the US and, again, is similar to the approach taken in the EU. The CPBoR is based on the Fair Information Practice Principles (FIPPs) and identifies seven fundamental consumer rights:

  • Individual Control: Consumers have a right to exercise control over what personal data companies collect and how they use the data;

  • Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices;

  • Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which the consumers provide the data;

  • Security: Consumers have a right to secure and responsible handling of personal data;

  • Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate;

  • Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain; and

  • Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the CPBoR.

Multi-stakeholder Processes to Develop Enforceable Codes of Conduct

Part of the Administration's legislative proposal is to work with Congress to enact comprehensive privacy legislation based on rights outlined in the CPBoR to promote trust in the digital economy and extend baseline privacy protections to commercial sectors that existing federal privacy laws do not cover. In an election year, and in an environment where Republicans have adopted the mantra "job-killing regulations" to describe virtually everything the Administration has proposed, it will be interesting to see whether privacy can be a bi-partisan effort.

Since legislation might not happen, the Framework also outlines a process to produce enforceable voluntary codes of conduct that implement the CPBoR. The Commerce Department's National Telecommunications and Information Administration (NTIA) will convene open industry and privacy advocates to develop enforceable codes of conduct that implement the CPBoR for specific industry sectors.

Strengthening FTC and State AG Enforcement

As another part of the Administration's legislative proposals, the Administration encourages Congress to provide the FTC with specific authority to enforce the CPBoR, and proposes that Congress give the FTC the authority to create a "safe harbor" for companies that comply with an FTC-approved code of conduct. Even without such authority, the "voluntary" but enforceable codes of conduct come with a carrot and an eventual stick. The "carrot" is that if an industry adopts any voluntary code that is developed, then in any investigation or enforcement based on an FTC Section 5 unfair and deceptive trade practices action, the FTC would likely consider a company's adherence to the voluntary codes favorably. In a few weeks the FTC is expected to release the final version of its Staff Report on Consumer Privacy, which is expected to be in sync with the Administration's blueprint. Failure to comply with the findings in the Final FTC Staff Report could be used as evidence of a Section 5 violation, even in the absence of any general privacy federal legislation.

Improving Global Interoperability

The Framework also lays the groundwork for increasing interoperability between the US data privacy framework and that of its global trading partners, as a means to provide consistent, low-barrier rules for personal data in the user-driven and decentralized Internet environment. Two key principles are promoted: mutual recognition and enforcement cooperation. According to the Framework, mutual recognition depends on effective enforcement and well-defined accountability mechanisms, and enforcement cooperation helps to ensure that countries are able to protect their citizens' rights when personal data crosses national boundaries. A perceived lack of such enforcement in the US has been at the core of many EU criticisms of the Safe Harbor Framework.

Data Privacy Legislation

In addition to the legislation discussed in previous sections, the Framework calls on Congress to:

  • Create comprehensive privacy protections without duplicating burdens already in place under existing privacy regimes, but the Framework notes, for example, that exempting entities that are subject to GLBA from complying with the CPBoR requirements with respect to non-public personal information covered by GLBA would permit an exception to swallow the rule.

  • Amend laws that create inconsistent or confusing requirements. The Administration notes that existing Federal laws treat similar technologies within the communications sector differently and cites various laws that require telecommunications carriers, satellite carriers and cable services to protect customers' personal information. The Administration proposes making the FTC responsible for enforcing the CPBoR against all types of communications providers.

  • Set a national standard for security breach notification. The Administration's proposed cybersecurity package included a recommendation for creating a national standard for security breach notification that would replace the roughly fifty different state/territory-level data breach notification laws currently in place in the U.S.

Analysis

If the CPBoR and the ideas outlined in the Framework are implemented, US companies will have clearer guidelines on how they should handle consumers' personal data online, but that's not all the data they handle.

Although this proposal may solve some of the issues associated with the collection and processing of consumer information, it is not clear how it would affect other forms of collection or use of personal information. While this approach broadens the coverage of US policy from the truly sectoral approach taken under GLBA, HIPAA, COPPA and others, it still creates multiple classes of information, distinguishing, for example, between consumer information and employee data. Nor is it clear whether the rules would cover information collected in connection with business-to-business relationships, such as when a company collects the personal information of prospective customers' employees in the context of CRM systems.

Thus, while the proposed CPBoR principles would create a data protection framework that is closer (both conceptually and practically) to that which is in effect in Europe and many other countries around the world, there will still be a gap between the US data protection regime and the data protection laws elsewhere related to information collected as part of employment or as part of a business relationship.

GOOGLE

The Wall Street Journal recently reported that Google has been bypassing privacy settings in Safari, and installing cookies to track the browsing habits of millions of users who didn't know about the tracking. According to the WSJ, Google stopped the practice upon being contacted by the WSJ.

Now, according to Ars Technica, a class-action complaint has been filed against Google in US District Court. The complaint alleges that Google willfully violated the Federal Wiretap Act, which explicitly prohibits companies from monitoring communications without permission. To make matters potentially much worse, last year, as part of a far-reaching legal settlement with the FTC associated with Google Buzz, Google pledged not to "misrepresent" its privacy practices to consumers. The fine for violating the agreement is $16,000 per violation, per day. So far, the FTC has declined to comment on the findings.

In addition to the class-action suit, a complaint has also been filed with the FTC, and just yesterday, Microsoft claimed that Google also bypassed privacy settings in Microsoft Internet Explorer.

With all this going on, Google is continuing the countdown to the launch of its harmonized, cross-site privacy policy on March 1. The Center for Digital Democracy (CDD) has filed a complaint with the FTC claiming that Google's move to consolidate its dozens of privacy policies violates the Google Buzz settlement agreement. The CDD complaint joins those from the Electronic Privacy Information Center (EPIC), the World Privacy Forum and Consumer Watchdog. If that weren't enough, the National Association of Attorneys General (NAAG) sent a letter signed by 36 state and territorial Attorneys General to Google expressing concern over the new privacy policy.

The criticism of Google's move is not limited to the US. On February 2nd the Chairman of the Article 29 Working Party wrote a letter to Google requesting a delay of the launch of the consolidated privacy policy, and, more recently, the French data protection authority CNIL has notified Google that it will lead a European investigation into whether Google's consolidated privacy policy violates European privacy laws.

MOBILE APP PRIVACY

The agreement with the California AG requires app providers to have a privacy policy and to give users the chance to review the policy before they download the app. Under the agreement, the policies will always appear in the same place on the app download screen. The agreement also requires smartphone apps to obtain users' permission before accessing information from their address books.

The app industry has faced significant criticism in recent weeks over its handling of consumer privacy, starting on Feb. 7, when a blogger discovered and reported that an iPhone app for the social network Path had uploaded his contact book without his permission. Twitter has since acknowledged it stores phone numbers and email addresses from contact books for up to 18 months after users sign up for the service.

Under the agreement, app platform operators will establish a way for users to report apps that are not following the new rules, and the platform operators committed to work to teach developers about their obligations to inform consumers about the information they collect and the third parties with whom they share it.

No specific deadline has been specified for app developers to comply with the agreement.

The GSMA mobile app development guidelines are available here.

ENCRYPTION AND THE 5TH AMENDMENT

Several courts have looked at the question of whether being forced to reveal a password is testimony that would be protected by the right against self-incrimination.

Last week the 11th Circuit Court of Appeals became the latest court to rule on the issue, and the three-judge panel came down firmly on the side of the 5th Amendment.

District Courts in Vermont and Colorado have ruled that the government may compel suspects to decrypt storage devices or computers in Federal criminal investigations, in certain circumstances. In 2009 the Vermont court ordered a suspect in a child pornography case to produce an unencrypted version of a drive on his laptop. In January of this year, a District Court in Colorado ordered a woman charged with bank fraud to decrypt her computer. The Denver-based U.S. Court of Appeals for the 10th Circuit declined to rule on the order before the case was tried. In the Colorado case, Federal prosecutors argued that "public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these."

In this most recent case, investigators who suspected that the man, identified in court documents only as John Doe because he has not been charged, possessed child pornography seized computers and hard drives from Doe's hotel room in October 2010. According to court documents, Doe's hard drives were encrypted with a program called "TrueCrypt." As a result, the Justice Department couldn't find any files and couldn't even prove that any existed on hidden portions of the drives. Doe was served with a subpoena in April 2011 to appear before a federal grand jury in Florida and produce the unencrypted contents of his laptop hard drives and five external hard drives. Doe refused, invoking his right against self-incrimination. A Federal judge held Doe in contempt of court and ordered him imprisoned. Doe appealed the contempt finding to the 11th Circuit.

Unlike the Vermont case, where investigators had seen evidence of child pornography in the suspect's computers, in this case the government could only show that the storage space on the drives could hold files that number in the millions -- but not that they actually did. According to Judge Gerald Bard Tjoflat writing for the three-judge panel, "It is not enough for the Government to argue that the encrypted drives are capable of storing vast amounts of data, some of which may be incriminating. Just as a vault is capable of storing mountains of incriminating documents, that alone does not mean that it contains incriminating documents, or anything at all."

Judge Tjoflat stated, "We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files."

--------------------------------------------------------------------------------------

With all this going on, March looks to be an interesting month.