I was interviewed for this PC World piece on the potential impact of Facebook's recently announced IPO on data privacy. My take: being a public company brings with it more transparency and more regulation, which will force Facebook to be more cautious and ultimately more open about its privacy policies. This seems obvious to me, but there are those who suggest that being public will add a profit motive that will push Facebook in the other direction.
Here is an excerpt from my interview yesterday with Jon Mitchell of ReadWriteWeb:
"From a legal perspective, I'm not seeing anything that's much different in what's being proposed to take effect on March 1 and what's in place right now," Zick says. "In particular, the language about sharing across services has been in [Google's policies] for a long time."
Zick points out that all the past versions of Google's privacy policies are on the website, and the last two versions offer line-by-line comparisons to the previous version. Zick expects that Google will do the same with the new policy once it's officially issued.
"What we have is not a reaction to a change in legal language," Zick says, "but it's a change in perception. ... People are just reflexively reacting to the idea that Google is big."
The entire article can be viewed here, and our earlier post here.
As many of you have probably seen already, Google is changing its privacy policies, effective March 1, 2012. These changes will be effective across all of Google's platforms, and users will not be able to opt out. A user's only choice to avoid these changes will be to leave Google's search engine, Gmail, Calendar, Search, and YouTube; there is no "opt out" or selective acceptance/rejection of these new policies. In this regard, Google noted that it remains committed to data liberation, "so if you want to take your information elsewhere you can."
These changes are likely to draw FTC scrutiny, especially in light of the recent decision by Google to incorporate data from its social network, Google+, into search results, which has already resulted in a FTC antitrust investigation.
In a settlement announced today by the Federal Trade Commission and Facebook, the social networking service agreed to settle "charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC's press release.
In its complaint, the FTC alleged, among other things, that Facebook “users could not restrict access to their profile information to specific groups, such as “Only Friends” or “Friends of Friends” through their Profile Privacy Settings,” despite Facebook's representations that users could impose such restrictions on their accounts.
In the extensive consent order Facebook entered with the FTC, Facebook agreed (among other things) to “obtain initial and biennial assessments and reports . . . from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession,” which assessments and reports will:
This consent order will last for an astoundingly long time: 20 years. (Query whether this agreement's terms and length will become the standard for future FTC privacy settlements.)
Facebook founder Mark Zuckerberg also released a blog post on the settlement, and in it he announced a split in the company's privacy officer role: Erin Egan will become Facebook's Chief Privacy Officer, Policy, and Michael Richter, currently Facebook's Chief Privacy Counsel, will become Facebook's Chief Privacy Officer, Products.
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital's $1 million settlement with OCR.
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without legitimate reasons looked at the electronic protected health information of these patients. OCR's subsequent investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.
The corrective action plan requires UCLAHS to implement Privacy and Security policies and procedures approved by OCR, to conduct regular and robust trainings for all UCLAHS employees who use protected health information, to sanction offending employees, and to designate an independent monitor who will assess UCLAHS compliance with the plan over 3 years. All in all, a very expensive proposition for UCLAHS.
I give my perspective on issues of physician privacy in this video from The HealthCare Channel, including:
In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy --
Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:
A subscription is required to access the entire article.
Earlier today, I delivered a presentation on "Data Security and Privacy for Medical Device, Pharmaceutical and Life Sciences Companies: How to manage your obligations under HIPAA, the HITECH Act and other federal and state data privacy and security laws" with colleagues Ara Gershengorn and Sarah Altschuller.
My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:
If Tuesday night’s failure to give fast-track approval to an extension of certain surveillance powers under the Patriot Act is any indication, Congress is in the mood to protect individual privacy. As such, a series of anticipated online privacy protection bills are likely to garner bipartisan support in the weeks and months ahead.
Proposals will come from both sides of the aisle. According to Hillicon Valley, Rep. Jackie Speier (D-Calif.) will shortly introduce an online privacy bill directing FTC to implement a “do not track” regime applicable to online advertisers (this although public comments to the FTC report supporting such a measure, Protecting Consumer Privacy in an Era of Rapid Change, are still coming in). Rep. Speier’s bill is said not to include any safe harbor provision. In contrast, the privacy bill forthcoming from Rep. Bobby Rush (D-Ill.) will not include a “do not track” mandate, but is anticipated to be very similar to the bill he proposed in 2010 that provided a safe harbor to marketers participating in a FTC-approved, self-regulatory “Choice Program.” Any approved “Choice Program” would, true to its name, be required to provide users with a robust set of options concerning the collection and use of their information.
On the Republican side, Rep. Cliff Stearns (R-Fla.) plans to introduce a new version of the 2010 draft Boucher-Stearns bill which would have required websites to inform users of how they collect and use personally identifiable information and then allow users to opt out of having such information collected. Collection of certain sensitive information and the sharing of personally identifiable information with third parties would require users to opt in.
Other politicians reported to have an interest in addressing internet privacy this year include Rep. Joe Barton (R-Texas), and Senators Jay Rockefeller (D-W. Va.) and John Kerry (D-Mass.).
So with the ink barely dry on public comments to the Commerce Department’s Dynamic Policy Framework, and with public comments to the FTC Report still incoming, it appears legislators may be ready to run with the presumption inherent in both reports that the existing notice and choice mechanism for protecting Internet user privacy is outdated and ineffective.
All this activity is focused on achieving increased transparency, simplification of consumer choice, and ensuring users are able to give true informed consent to the collection and use of their information. However, a rush to regulate without providing sufficient flexibility for different business models could stunt innovation and hurt the user experience. In this dynamic marketplace, where large businesses and emerging companies alike are beginning to innovate consumer privacy solutions and may soon compete on that basis, passage of rigid laws and reactionary regulations may be counter-productive.
By Brian Bialas
I recently attended the 10th Annual Legal and Compliance Forum on Privacy & Security of Consumer and Employee Information in Washington, DC. It featured a particularly lively panel on “Oversight of Third-Parties and Vendors: Managing and Controlling Relationships Through Effective Due Diligence and Contract Negotiation.” Below are some key points the panelists discussed; some may seem obvious, but they are nevertheless important measures to consider as part of your vendor relationships:
A company’s contract with a vendor should include the ability to terminate the agreement without cause and should guarantee continuing assistance from the vendor after termination.
Do not be the first (or even second) company to contract with a vendor for a particular service. There are too many bugs to work out of new services before you know they are safe and secure.
Consider hiring a consultant to facilitate conversations with companies that have used a particular vendor and are not provided as references.
Vendors should be able to go into detail about their procedures—a company should understand what the vendor is doing with its data down to the IT level.
The vendor’s laptops should be encrypted, along with USB drives, memory sticks, portable hard drives, etc.
The vendor should be obligated to provide immediate notice to the company of any actual or suspected breach of the company’s data.
I was on a panel today with Stuart N. Brotman, former Special Assistant to Communications and the President's principal communications policy adviser and Chief of Staff at the National Telecommunications and Information Administration. My slides are here.
Posted below is another contribution from my colleague David Broadwin on our Emerging Enterprise Center blog about the potential for legislative change in 2011. I agree with the conclusions he draws:
1) This is an area where bipartisan concensus is possible.
2) The industry powers will fight against “Do Not Track” and will win that fight.
3) Industry will accept some other form of regulation in exchange for defeating “Do Not Track.”
We could see passage of a federal data security and privacy statute, not unlike those that the various states have been adopting. The states have already passed models for such legislation and have shown that these increased protections can be implemented without too much opposition from the business sector. Also, adoption of a single standard for data security and privacy could actually relieve some of the regulatory burden on business: instead of having to comply with 50 different state laws, there would just be one federal law. This is the very same logic that led to the passage of HIPAA (and its standards for health information privacy) in 1996.
The other day at Mass TLC’s Mobility Summit I had a brief conversation with Mark Herrmann (an entrepreneur here in Boston) that touched on the FTC’s recent proposal for protecting consumer privacy online. We were talking about the “do not track” proposal and the consensus in the tech industry that it just won’t fly.
Mark’s comment:
“It is creepy that ‘they’ can and do track you out in the net, but ‘creepy is the new cool.’” There is just no question that some people accept the fact that they are being tracked and fed targeted online advertising. It is not just OK by them; it’s a value add. I don’t disagree. But, for anyone who has read “1984” (and even a lot of people who haven’t) the notion of being tracked is creepy. There are a lot of these folks – perhaps a significant majority of the U.S. population – that feel this way.
In 2011 the FTC and Congress are going to pay attention to these concerns. It is good politics.
Prediction #1: Legislation in this area will be one of the few places where we will see bipartisan consensus in the next Congress.
Why: No Congressperson wants to be opposed to consumer privacy, and they all want to have supported some legislation that passed, when running in the next election. Mark (and others) made the point that if you really end tracking, you will end Facebook. So, whatever happens it won’t be that. However, the political snowball is rolling down the mountain - there will be regulatory activity around consumer privacy. The only question is: What will be the nature and scope of the activity? The big boys (those with well established businesses that either make money or have ready access to capital) are going to be lobbying hard for a regulatory framework that does not dent their current business model.
Prediction #2: The big boys will fight anything that disrupts tracking and they are going to win this battle – no one in Congress wants to run on the platform that they put Facebook (or others) out of business. But the big boys are going to have to trade something. The easy things for them to trade are procedural protections for the consumer.
Prediction #3: The big boys will trade lots of procedural protections for the consumer to prevent substantive regulation that will directly affect their business models.
Why: The big boys can afford the administrative burden implicit in procedural protections. It is just a matter of more money, more people and more oversight. A company that is well established and profitable or that has easy access to capital can afford to write the code, hire an army of new engineers, consultants, lawyers etc. and create an entire Department of Privacy Compliance and Protection. In fact, to the extent that having to do all that makes it harder for start-ups, it may even be helpful to the established companies. Some folks I talk to have expressed real concern about this looming regulatory push and how it might affect the entire ecosystem for digital media start-ups. There is still a chance to influence the inevitable regulation that is upcoming and I am working on assembling a group of industry leaders to do just that. I recently sent out a letter (here’s a link) to people I thought might be concerned enough to actually do something.
Read it and let me know what you think.
Our colleagues in Foley Hoag's Emerging Enterprise Center have summarized the FTC preliminary staff report, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," which we posted on December 1. We are cross-posting the analysis from their blog below.
It seems likely that the next two years will bring significant changes to this area, either through legislation or regulation. During this period, businesses and consumers will continue to seek an equilibrium that balances business needs and consumer expectations. If they cannot find it, one will likely be imposed on them.
* * *
The Federal Trade Commission (FTC) just published its preliminary Staff report setting out its proposed framework for protecting privacy in the digital economy. View the FTC’s press release here. The FTC is seeking comments on its proposed framework by January 31, 2011 and expects to issue a final report in 2011.
Every digital media business that attracts advertising revenue online and/or through mobile devices, as well as the venture capital and private equity funds that invest in them, has a stake in the outcome of this proposed framework. It can affect current business models, future financial performance and potential exit opportunities for current and potential companies that rely on collecting data from consumers.
The final report, and possible new regulations and/or federal legislation to follow, will help shape substantive law, enforcement policies and commercial best practices regarding consumer privacy practices that will need to be followed.
Notably, the FTC staff cites flaws in commercially available, privacy-related plug-ins and browser features, and supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising than currently exists. This is often called “Do Not Track,” in a nod to the currently mandated “Do Not Call” registry that restricts the activities of telemarketers. FTC staff identified and requested comment on a number of issues concerning the formulation and adoption of any such “Do Not Track” mechanism.
Other important components of the proposed framework include:
Before this framework is submitted in final form to the FTC for a vote by its commissioners, which will accelerate the process further, the FTC is requesting comment by interested parties on a variety of key related issues, including:
Earlier today, the FTC released a preliminary staff report entitled, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers." The report is over 100 pages long and suggests that changes need to be made regarding consumer privacy, stating:
Industry must do better. For every business, privacy should be a basic consideration –
similar to keeping track of costs and revenues, or strategic planning. To further this goal, this report proposes a normative framework for how companies should protect consumers’ privacy.
We'll have our more detailed thoughts on this document posted shortly.
In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.
The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum. They allege (in 144 pages, complete with web page screen-shots) that:
"Digital marketing raises many distinct consumer protection and privacy issues, including an overall lack of transparency, accountability and personal control, which consumers should have over data collection and the various interactive applications used to track, target, and influence them online (including on mobile devices). The use of these technologies by pharmaceutical, health product, and medical information providers that directly affect the public health and welfare of consumers requires immediate action."
Any business that has a web presence should read this complaint; it will show you what these (and other) advocacy groups are complaining about. While I do not expect the FTC to jump into action based on this complaint alone, it would not surprise me to see an increase in the discussion of regulation and enforcement in this patch of cyberspace during 2011. It is only a matter of time until a consumer health web site has a significant data breach. Traditionally, such breaches bring increased inforcement activity.
The complaint also cites a FTC complaint made in June 2009 against Sears Holding Management concerning that company’s dissemination of "a software application for consumers to download and install onto their computers” that violated the FTC Act. That FTC complaint alleged that Sears Holding:
"failed to disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers, including information exchanged between consumers and websites other than those owned, operated, or affiliated with respondent, information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based email; track certain non-Internet-related activities taking place on those computers; and transmit nearly all of the monitored information (excluding selected categories of filtered information) to respondent’s remote computer servers. These facts would be material to consumers in deciding to install the software. Respondent’s failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."
The American Medical Association recently published a policy on "Professionalism in the Use of Social Media," in an apparent attempt to address growing concerns about patient confidentiality and privacy in various internet settings.
While the policy mostly consists of "considerations" that physicians should "weigh" when maintaining an online presence (none of which are new or earth-shattering), there was one notable exception -- a snitch rule:
"When physicians see content posted by colleagues that appears unprofessional they have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or take other appropriate actions. If the behavior significantly violates professional norms and the individual does not take appropriate action to resolve the situation, the physician should report the matter to appropriate authorities."
(Emphasis added.)
The specific considerations in the AMA policy are as follows:
(a) Physicians should be cognizant of standards of patient privacy and confidentiality that must be maintained in all environments, including online, and must refrain from posting identifiable patient information online.
(b) When using the Internet for social networking, physicians should use privacy settings to safeguard personal information and content to the extent possible, but should realize that privacy settings are not absolute and that once on the Internet, content is likely there permanently. Thus, physicians should routinely monitor their own Internet presence to ensure that the personal and professional information on their own sites and, to the extent possible, content posted about them by others, is accurate and appropriate.
(c) If they interact with patients on the Internet, physicians must maintain appropriate boundaries of the patient-physician relationship in accordance with professional ethical guidelines just, as they would in any other context.
(d) To maintain appropriate professional boundaries physicians should consider separating personal and professional content online.
(e) When physicians see content posted by colleagues that appears unprofessional they have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or take other appropriate actions. If the behavior significantly violates professional norms and the individual does not take appropriate action to resolve the situation, the physician should report the matter to appropriate authorities.
(f) Physicians must recognize that actions online and content posted may negatively affect their reputations among patients and colleagues, may have consequences for their medical careers (particularly for physicians-in-training and medical students), and can undermine public trust in the medical profession.
Interesting article in this week's Economist about social network analysis, outlining how companies are using increasing sophisticated forms of data-mining on their customers, and how industry is spending billions to advance the process.
In a recent article in the New York Times discussed the "growing tension between communications companies and governments over how to balance privacy with national security." This tension is not limited to that context, however. Nearly every workplace that uses email faces a similar tension between open access and secure communications. And this debate splits people. An ongoing informal survey by The Economist suggests that the number of people who want more control and restrictions over communication are nearly equally balanced by those who chafe at such restrictions.
So, what's the right answer? It would seem that continual balancing and re-balancing between too much/too little privacy and too much/too little security is the necessary (if not quick or easy) solution. In the workplace, that means not always siding with one faction or the other on these issues, but addressing issues pragmatically as they arise.
A recent article in the Wall Street Journal suggests that "top-tier venture-capital firms" have invested in start-up businesses in the privacy space in recent months. This could be a sign that the so-called "smart money" sees data privacy and security as a viable long-term industry, and not this decade's version of Y2K. It seems likely that were are due for a long-term presence of privacy and security protection in our business and private lives. While Y2K was a one-time event and and the huge amounts spent (waste?) on it left investors with a New Year's Day hangover, the digitization of commerce grows day by day, resulting in concomitant needs for information privacy and security, which may justify the faith of investors.
Earlier this month, Congressmen Rick Boucher and Cliff Stearns released a discussion draft of comprehensive federal privacy legislation (.pdf).
Among the many provisions of the draft bill is the requirement that any entity that collects information on individuals such as name, address, email address and telephone number, maintain "appropriate administrative, technical, and physical safeguards" to secure the personal information. The draft bill would also require the FTC to implement new privacy rules and police the new safeguards.
The bill is also available from Rep. Boucher's website.
Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo? That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC's Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times.
For some time, I have been asking the question, "Is Consent Dead, and Should We Even Care?" Now it appears the FTC is asking the very same question. According to FTC Chair Leibowitz, companies “haven’t given [online] consumers effective notice, so they can make effective choices” about the privacy of their online information. Mr. Vladeck similarly views traditional advise-and-consent privacy notice models as dependent upon “the fiction that people were meaningfully giving consent. The literature is clear” that few people read privacy policies.
What, if anything, will this new way of thinking mean in terms of future regulation of consumer online privacy by the FTC? More information may be forthcoming at the FTC's next privacy roundtable, to be held on January 28 (and available to the public via webcast).
As part of the settlement of a federal court action, the State of Texas has agreed to destroy more than 5 million blood samples taken from babies without parental consent and stored indefinitely for the purpose of scientific research. The Texas Department of State Health Services announced earlier this week that it would destroy the samples in connection with the settlement of a federal lawsuit filed in March 2009 by the Texas Civil Rights Project on behalf of five parents of children whose blood was being held for use in research without their consent.
The parents' complaint alleged that the state’s failure to ask parents for permission to store and possibly use the blood - originally collected lawfully in order to screen for birth defects - violated constitutional protections against unlawful search and seizure. The parents also expressed fears that their children’s private health data could be misused and that the disclosure of that data could lead to discrimination against them later in life. Under the settlement, the blood samples collected without parental consent must be destroyed by early next year. State authorities estimated that some 5.3 million samples would be destroyed as part of this process. The State of Texas also is required to publish a list of all research projects that used the blood specimens.
Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect's car without a warrant. On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a device may be installed and used.
The defendant, Everett Connolly, was a suspected drug dealer and who was investigated by police for more than a year. The investigation included surveillance and controlled drug purchases by confidential informants and, towards the end of the surveillance period, by an undercover officer. Based on this investigation, the police applied for a warrant to place a GPS tracking device on Connolly's van for fifteen days. The application was granted and Connolly was eventually arrested (based on a separate arrest warrant), tried and convicted. He argued to the SJC that, among other things, "surreptitious GPS monitoring without a warrant constitutes an unreasonable search and seizure that violates the Fourth Amendment . . . and art. 14 of the Massachusetts Declaration of Rights." He based this argument on the theory that, although police had a search warrant, they continued to obtain information from that warrant after it had expired.
Read on for more detail and analysis of the SJC's opinion.
The majority ruled that "installation and use of the GPS device in the circumstances of this case was a seizure requiring a warrant," but held that the warrant obtained had not expired. After declining to make a ruling under the Fourth Amendment, the majority concluded that a warrant was required because the installation and use of a GPS tracking device on a vehicle constituted a seizure under art. 14 of the Massachusetts Declaration of Rights. Regarding installation, the majority reasoned that it required entry by police into the van for an hour, operation of the van's electronic system and power from the vehicle. Regarding use, the majority reasoned that the government's use and control of the vehicle to track its movements interfered with the defendant's interest in the vehicle, as the police were using private property to obtain information for their own purposes.
Three justices concurred in the judgment. They agreed with the majority that installation of a GPS device constituted a seizure requiring a warrant. However, they argued that the use of a vehicle to conduct GPS monitoring did not constitute a seizure of the vehicle; rather, they believed that such use invaded the reasonable expectation of privacy of any person authorized to drive the vehicle, and that such invasion was better characterized as a search. According to the concurrence, only by focusing on the "privacy interest at risk from contemporaneous GPS monitoring . . . will we be able to establish a constitutional jurisprudence that can adapt to changes in the technology of real-time monitoring, and that can better balance the legitimate needs of law enforcement with the legitimate privacy concerns of our citizens.
As I noted in an earlier post, the use of GPS devices to monitor suspects' movements is bound to become a hot-button issue over the next few years. The courts that have addressed the issue have expressed great concern about the threat to privacy posed by the rapid progression in monitoring technology. What is interesting about the SJC's decision is that it appears the majority was attempting to craft a more narrow decision by basing its holding on the seizure of the vehicle, which implicates an individual's property interest. The concurrence's position is arguably broader, more subjective, and more flexible, as it requires analysis of a person's expectation of privacy. One wonders, then, if the issue behind the scenes with the SJC was not what result to reach, but how broad to stretch in the opinion.
Links:
Last month, Facebook announced plans to simplify its users' ability to control privacy settings. Facebook will standardize privacy settings, remove overlapping settings, and put all settings on the same page. In an effort to give users more control over how their information is shared, Facebook will allow users to decide, on a post-by-post basis, with whom to share their content. Users will have the option of sharing their posts with: 1) only specific friends, 2) all friends, 3) friends and people in the user’s network, 4) friends of friends, or 5) everyone. According to media reports, the "everyone" option will soon expand to include anyone on the internet – a move widely seen as an attempt to compete with Twitter. Facebook will launch a Transition Tool that will prompt users to set their level of sharing, and will carry over previous privacy settings.
The announcement carefully explained that the changes would not affect the information Facebook provides to its advertisers – a topic related to the controversy earlier this year surrounding proposed revisions to the Facebook terms of service. Instead, Facebook will continue to provide advertisers with only that information that users have authorized.
With the changes, Facebook will provide users with more options for controlling access to their content. As one might predict given the current climate favoring increased user control over privacy, Facebook's proposed changes have largely been well received. Only time will tell whether most users will exercise this control to share their data or whether they will favor keeping their information private.
Links:
On July 13, a federal judge in Miami granted a joint motion to stay an evidentiary hearing that was to be held as a result of a petition from the United States that the Swiss bank UBS be compelled to disclose the names of 52,000 American clients who were suspected of tax evasion. The case has raised concerns about the effects of privacy laws in other nations on the ability of the federal government to enforce its own laws and created tension between the Justice Department, which had said it might fine, or even indict, UBS if the judge ordered it to disclose the names and it continued to refuse to do so, and the Swiss government, which has said it would not allow UBS to disclose any names.
The case began on February 19, 2009, when the United States filed a petition (.pdf) in the U.S. District Court for the Southern District of Florida, asking the court to enforce an IRS "John Doe" summons to UBS. The IRS served the summons in furtherance of an investigation it was conducting to determine the identities of U.S. taxpayers who had allegedly failed to report the existence of, and income earned in, undeclared Swiss accounts with UBS. On February 20, UBS filed a document containing what it termed "background information for the court's consideration" (.pdf). In this filing, UBS argued that the IRS was essentially asking it to violate Swiss privacy laws, thereby exposing its employees and the bank to criminal and civil penalties. UBS argued that the petition raised serious issues of international comity due to Swiss financial privacy laws, violated treaties between the United States and Switzerland and violated a prior agreement between the United States and UBS. That same day, the United States filed a response (.pdf) that disputed the arguments made by UBS.
On April 30, UBS then filed a brief (.pdf) that expounded on its arguments against disclosure. In support of UBS, the Swiss government filed an amicus brief (.pdf). On June 30, the United States then filed its response (.pdf). The federal judge had scheduled a hearing for July 13, 2009, to hear arguments on the petition. On July 12, 2009, however, the parties filed a joint motion to stay the hearing, so they could continue to discuss settlement. The judge granted the motion and re-set the hearing to August 3, in the event the parties could not reach a resolution.
The dispute between the IRS and UBS is also having effects on third parties. The Wall Street Journal reported on Monday that Swiss banks are curbing or eliminating business with U.S. customers for fear of future action by U.S. authorities. While it is probable that the U.S. and UBS will reach some sort of settlement (likely involving a payment by UBS to the U.S.), if the case goes forward it will interesting to see what future effects the outcome could have, not just on financial transactions between American citizens and Swiss banks, but on transactions between American citizens and any other international bank, as well as on the federal government's ability to enforce tax laws beyond its borders.
Links:
On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.
In his opening statement, Congressman Bobby Rush (D-IL), Chairman of the Subcommittee on Commerce, Trade and Consumer Protection, noted the lack of federal laws governing behavioral advertising and establishing a comprehensive privacy policy and expressed his hope that the hearing would help answer the question whether such legislation is necessary. In his opening remarks, Congressman Rick Boucher (D-VA), Chairman of the Subcommittee on Communications, Technology and the Internet restated his desire to work with other members to develop legislation "extending to Internet users the assurance that their online experience is more secure."
The subcommittees heard testimony from the following witnesses:
Committee members' questions focused on issues that would be important to drafting legislation. For example, several members asked about the benefits of opt-in as opposed to opt-out requirements. Opt-in and opt-out are two schemes for allowing consumers an option as to whether to participate in targeted advertising. Opt-out requires consumers to affirmatively seek out the company's policy and elect not to participate, while opt-in would require companies to affirmatively notify consumers of their privacy policies and obtain permission before using consumers' data. After hearing from witnesses from Google and Yahoo about their opt-out programs, Chairman Rush asked exactly what consumers "opt-out" of, inquiring whether opt-out ensures that a consumers data will not be collected, or whether opt-out means that a consumer will not see targeted ads. Both witnesses explained "opt-out" allows users to exclude themselves from targeted advertising, but not data collection.
Committee members also focused attention other issues that would be important to the drafting of legislation, including the treatment of personally identifiable and sensitive information, and whether the Federal Trade Commission (FTC) or the Federal Communications Commission (FCC) should be given jurisdiction over new legislation. Consistent with the FTC Chairman's recent questioning of the adequacy of existing industry self-regulation, reported here, members also inquired about whether self-regulation can be effective without an enforcement mechanism and whether industry audits would advance privacy interests.
In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team." In particular, HHS is hiring for two new positions are located in HHS's "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)." As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information." If you are a privacy officer, this could be the federal government stimulus you've been waiting for!
In recent weeks, FTC Chairman Jon Leibowitz has encouraged the behavioral advertising industry to adopt increasingly specific "self" regulatory measures to address privacy concerns. Behavioral advertising, which the FTC has described as the practice of “tracking of a consumer’s activities online . . . in order to deliver advertising targeted to the individual consumer’s interests” is a concern for consumer groups. Consumers' concerns range from the transparency of the process to the adequacy of security measures in place to protect information compiled, to the impact of behavioral advertising on vulnerable consumers. In recent statements, Leibowitz has suggested that he remains unsatisfied with industry efforts to address these concerns.
According to Reuters, in late April Leibowitz told the Reuters Global Financial Regulation Summit: “From my perspective, the industry is pretty close to its last clear chance to demonstrate” that it can police itself. Then, on May 12, Leibowitz suggested that the FTC has specific ideas as to how that policing should occur. In an interview on C-Span, Leibowitz questioned the adequacy of provisions giving consumers the option to “opt-out” of behavioral advertising. Leibowitz explained that although “[o]pt-out isn’t illegal necessarily, but I think the better practice is opt-in.” The difference between the two practices lies in the default option: for opt-out, customers who do not take the initiative to change their options allow data tracking, while pt-in would require the industry to obtain express permission from consumers before tracking consumer data for advertising purposes.
These comments echo a concurring statement Leibowitz issued with a recent FTC staff report on self-regulation of behavioral advertising. In November 2007, the FTC held a public town hall meeting to discuss behavioral advertising. Then, in December 2007, it issued a report identifying “possible self-regulatory principles” for behavioral advertising. Specifically, the FTC identified the following principles to guide self-regulatory efforts by the industry:
Finally, the report also issued a call for additional information regarding using tracking data for purposes other than behavioral advertising. In February 2009, the FTC issued a follow-up report, Self-Regulatory Principles for Online Behavioral Advertising, advancing the same principles with some clarification. For example, while the first two principles remain unchanged, the FTC staff clarified that express consent for material changes is only suggested for changes that affect information already collected. The report also clarifies that the principles apply to "any data collected for online behavioral advertising that could reasonably be associated with a particular consumer or a particular computer or device. The report continues to urge the industry to obtain consent before using sensitive data -- such as financial or health information -- for advertising. Leibowitz issued a concurring statement to the report, in which he emphasized that "the Report's endorsement of self-regulation" should be "viewed neither as a regulatory retreat by the Agency nor an imprimatur for curent business practice." He stated that "[i]ndustry need to do a better job of meaningful, rigorous self-regulation or it will certainly invite legislation by Congress and a more regulatory approach by our Commission." Leibowitz also cautioned that the FTc "will go after" all companies that fail to keep their promises about they they will use consumers' information. He concluded by warning that "[a] day of reckoning may be fast approaching."
It is unclear why the FTC has encouraged self-regulation in this area, as opposed to pursuing direct regulation. While the industry remains officially unregulated, Leibowitz's recent comments encouraging the use of "opt-in" procedures suggest that he may be attempting to accomplish an increasingly specific regulatory agenda through “self-regulation.” It remains to be seen whether the FTC will continue to encourage the industry to adopt the standards the FTC would like to see, or whether, as Leibowitz has predicted, Congress or the FTC will adopt a more regulatory approach.
Links:
According to the Chicago Tribune, on May 7, 2009, a three-judge panel of Wisconsin Court of Appeals unanimously ruled that police "can attach GPS to cars to secretly track anybody's movements without obtaining search warrants" without violating the Fourth Amendment. The court's opinion in State v. Sveum can be found here. The defendant Sveum was under investigation for stalking when the police obtained a warrant to secretly place a GPS device on his car while it was parked in the his driveway. The device recorded the defendant's movements for five weeks, after which time police retrieved it and used the information on it to obtain a warrant to search the defendant's residence.
More recently, on May 12, the New York Court of Appeals (that state's highest court), ruled that placing a GPS tracking device inside the bumper of a suspect's car without a warrant, and using that device to monitor the suspect's movements for two months, violated the suspect's rights under the New York State Constitution. The court's opinion in People v. Weaver can be found here.
The Wisconsin court first found that placing the device on Sveum's car in his driveway did not violate the Fourth Amendment because the driveway was a public place. In rejecting the defendant's argument that the device followed him into areas out of the public view (such as his garage), the court held that the device only gave the police as much information as visual surveillance would have. As noted by the Wisconsin Law Journal, the court followed a decision from the United States Court of Appeals for the Seventh Circuit and concluded that "no privacy interest protected by the Fourth Amendment [] is invaded when police attach a device to the outside of a vehicle, as long as the information obtained is the same as could be gained by the use of other techniques that do not require a warrant." Nevertheless, the court was "more than a little troubled . . . [that] police are seemingly free to secretly track anyone's public movements with a GPS device."
The New York court was even more concerned. It ruled that under the New York State Constitution, the New York defendant had a reasonable expectation of privacy that was infringed by the placement of the GPS device on his car and the use of that device to monitor his movements for two months. As such, there had been a search under the New York Constitution, and that the search was illegal because it was conducted without a warrant (or justification to excuse the lack of a warrant).
The use of GPS devices to monitor suspect's movements is bound to become a hot-button issue over the next few years. Both the New York and Wisconsin courts expressed great concern about the threat to privacy posed by the rapid progression in monitoring technology. Moreover, the last Supreme Court decision to substantively address a similar issue was over 25 years ago, in, U.S. v. Knotts, 460 U.S. 276 (1983). In Knotts, the Court upheld the surreptitious installation of a beeper tracking device (a radio transmitter emitting periodic signals to enable tracking in a container of chloroform). This was because "a person traveling in automobiles on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another." The New York state court in Weaver noted that the amount of information that could be gathered from by a GPS device is much greater than a beeper in 1983 and so court may reach different results in teh future based on the technology at issue.
Links:
Enter keywords:
Add this blog to your feeds or put your e-mail in the box below and hit GO to subscribe by e-mail.
The Foley Hoag Security, Privacy and the Law Blog focuses on the security and privacy issues encountered by businesses thatMore...