Posts Tagged: "privacy"

There is often a tension between the needs of law enforcement and the companies that collect and store the electronic data of individuals. Law enforcement may seek this data from the companies through subpoenas, search warrants, and other court orders as part of its investigation and request that the companies did not disclose their interaction with authorities to maintain the confidentiality of the investigation. In contrast, companies may wish, or be obligated under the terms of their agreements or privacy policies, to disclose to their customers that they have produced the customers’ electronic data to law enforcement pursuant to legal process. To prevent the companies from doing so, federal law enforcement typically obtains a non-disclosure order pursuant to 18 U.S.C. § 2705(b) from a federal magistrate court. These orders have generally not had a definite expiration date. However, companies have recently begun to challenge the limits and scope of such orders. The recent case of Microsoft Corp. v. United States Dep’t of Justice, No. C16-0538 JLR, represents the most serious challenge to date.

This new e-Privacy Regulation, if adopted, will replace the current e-Privacy Directive and will establish, together with the General Data Protection Regulation, GDPR, a new privacy legal framework for electronic communications. The proposal aims to be lex specialis to the GDPR. Probably to ensure consistency with the new privacy legal framework for electronic communications, the entry into force provision of the leaked text has been amended to state expressly that the e-Privacy Regulation will come into force on the same date as the GDPR (25 May 2018). With many legislative hurdles still remaining before it is approved, this represents an ambitious timeline for EU legislators.

In creating a privacy and security plan, IOT companies should be mindful of regulatory enforcement for failure to fully comply with their own advertised practices. For example, companies should honor representations made to consumers regarding privacy and security practices, or risk regulatory scrutiny. If not, the FTC may bring an enforcement action, which it did against IOT company, TRENDnet, Inc. According to the FTC, TRENDnet failed to implement reasonable security practices, monitor security vulnerability reports from third parties, test and review potential security vulnerabilities, and implement reasonable guidance for its employees, and thus was in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The case settled, and the terms of the settlement prohibited TRENDnet from misrepresenting its privacy and security practices and required it to establish a comprehensive security risk program.

The FCC’s broadband privacy rules require ISPs to present their customers with a choice to opt in or opt out of providing consent to use certain categories of information which are deemed to be sensitive. Such sensitive information includes any data pertaining the the customer’s geo-location, health, finances, children, Social Security number, browsing history, app usage history or the content of electronic communications. Information related to a customer’s e-mail address or tier level of broadband service, however, is considered non-sensitive.

The privacy implications of the driverless car are significant. The data that such a vehicle could collect and the potential uses of that data could be extraordinarily intrusive. Driverless cars could provide both historic and real-time, continuous geolocation data. Companies could utilize this data to determine not only your current location and destination but also every place that you have been. This data could lead to commercially valuable, but extremely sensitive and intimate information about individuals being discovered. Advertisers may be able to discern the purchasing patterns of individuals by tracking what stores they frequent. Insurers may be able to determine what the lifestyle of individuals is like by following their daily activities (e.g., constant trips to the gym) and dining habits (e.g., persistent trips to fast food restaurants).

On the morning of Tuesday, July 12th, members of the U.S. Senate Committee on Commerce, Science, & Transportation convened for a hearing on a notice of proposed rulemaking recently issued by the Federal Communications Commission (FCC). The hearing, titled How Will the FCC’s Proposed Privacy Regulations Affect Consumers and Competition, did much to talk about the potential effects of the FCC’s increased oversight of broadband Internet service providers even as partisan viewpoints among committee members were exposed.

Without getting into the substance of the Hogan vs. Gawker lawsuit, the issue of posting bonds to appeal is a contentious one, and if you ask me there is something fundamentally unfair about requiring a party to pay in order to challenge what they believe is an erroneous or unfair ruling. It seems particularly wrong in the patent space where we know that strange and mysterious things transpire in the name of “efficiency,” but which over the years increasingly seem like code for nothing short of denying property rights to patent owners. Yet, pending patent legislation would impose a bond requirement to exercise what seems like a fundamental right — to seek redress for an incorrect, unfair or unjust ruling.

To replace the now-defunct Safe Harbor agreement, last week the European Commission published the first details of its transatlantic Privacy Shield. The Privacy Shield is meant to strengthen obligations on US companies to protect European personal data, and improve regulations regarding data monitoring by US government agencies. With the release of the draft Privacy Shield, many are skeptical that it will ensure proper privacy protection and some believe that it may be challenged after implementation.

Much of the data security world has been abuzz since a blog post at the digital privacy website DataBreaches.net reported the disconcerting news that the personal information of 191 million voters participating in U.S. elections going back to the year 2000 was made available on the Internet by a party who is yet unknown. These records include voter information which is requested at the time of registration, which in many cases includes home addresses, date of birth, telephone number and state voter identification. Making these voter records available online violates confidentiality restrictions on accessing records put in place by California and other states.

Chinese legislators have attempted to enact anti-terror legislation purportedly designed to protect Chinese citizens against terrorist threats. In late December, China passed a law requiring both telecommunications and Internet companies operating in the country to provide decryption, technical interfaces and other assistance to public and state security organizations to conduct investigations of potential terrorist activities. The tech sector has misgivings about Chinese regulations that would force the handing over of sensitive data. Imagine a leak of encryption keys leading Chinese hackers to degrade performance of a foreign tech provider, all in the name of promoting indigenous innovation. That’s a pretty extreme scenario, but one that’s not completely unimaginable considering recent cybersecurity headlines.

Safe harbor in the world of international digital data transfer has been a major topic of discussion in the tech world in recent weeks. Since 1998, data transferred from European citizens to American shores by U.S. tech companies have been regulated by the U.S.- EU safe harbor agreement. Under these rules, American companies have been able to make international data transfers if they can self-certify that they can keep the personal data of European citizens secure to the privacy standards of the European Union, which operates a much different data security regime than is implemented in the United States. These rules have come under the crosshairs of a recent ruling by the European Court of Justice, the EU’s highest court, which has invalidated the safe harbor agreement in light of revelations made by Edward Snowden on the data surveillance tactics of America’s National Security Agency (NSA).

Our latest Tech Round-Up here on IPWatchdog takes a brief glance at many of the stories which have caught our attention in recent days. As he often does, Elon Musk takes center-stage in a couple of news items regarding challenges he’ll be facing in the realms of space travel as well as electric vehicles. In Europe, the first successful installation of light-based wireless Internet could be the first step in a new age of Internet connectivity. Data breaches and genetically modified foods round out our discussion of recent events in the worlds of high-tech and science.

American business interests could be adrift at sea after the European Court of Justice invalidated the U.S.-EU Safe Harbor agreement, which governs the transfer of data from European citizens to data centers outside of Europe. Meanwhile, the high tech world of Silicon Valley is getting a new, well-heeled neighbor when Japanese automaker Toyota Motors Corp. (NYSE:TM) realizes its plans of establishing a new five-year corporate venture focused on developing artificial intelligence (AI) technologies. Google is also undertaking the push to develop its own processing chips in an effort to stem fragmentation of Android device development.

In June, authorities in France served a formal notice to Google that it must delete certain links from it’s Google.com domain on a legal basis known as ‘the right to be forgotten.’ The right to be forgotten is implicated when an individual contacts a search engine company, such as Google, asking for a search result to be de-listed, essentially taking it out of their available search results. The provider assesses whether the privacy issue at stake has enough merit to de-list the link. If they don’t, the individual then has another avenue to take with a regulatory agency which may overturn the search engine provider’s decision.

The mainstream media has been aflame over a recently unveiled Google innovation which poses an Orwellian challenge to family privacy in the eyes of some critics. A patent application published May 21st by the U.S. Patent and Trademark Office describes a smart toy developed by Google which can respond to a child’s voice or gestures. Some of the creep factor inspired by this invention might simply be the result of Google’s ability to create products which naturally ingratiate themselves with users. For instance, the patent application cites the benefits of the anthropomorphic device taking on a “cute” and “toy-like” form, specifically where it comes to attracting the attention of young children.