October 2016

Here’s what we know: Every time you tag a friend in a Facebook photo, Facebook stores their image in its database. And here’s what we’re about to find out: whether that’s an illegal violation of users’ privacy.

On Oct 27, a class-action lawsuit alleging that the world’s largest social network is violating its users’ privacy will enter phase two. Specifically, a San Francisco court will assess whether Facebook is breaking the law by using its facial-recognition tool, to identify faces in photographs uploaded by users, or by collecting those photographs into a central database. In use since 2010, Facebook claims its facial-recognition tool is now 97.35% accurate, which is great news if you’re trying to tag overcrowded party pictures, but less so if you’re worried about privacy. Plaintiffs in the case are concerned on a number of fronts: Facebook could be selling identifying information to retailers or other third parties. More importantly, they worry that biometric data is just as susceptible to theft, hacking, and the long and invasive arm of law enforcement as other types of data. It also alleges that Facebook failed to acquire consent before collecting “faceprints.”

The class-action suit hinges on a unique Illinois law passed in 2008, called the Biometric Information Privacy Act. It states that if companies fail to get consent from users before storing biometric information, they can be subject to a $5,000 fine, plus $1,000 in damages if the violation shows negligence. That’s per violation. For a company with 7 million users in Illinois, that could mean fines as high as $35 million. So far, Facebook and Google have insisted that gathering data on what you look like isn’t against the law, even if it’s done without your explicit permission. Facebook says the current class-action lawsuit should be dismissed because there is no proof of actual damage, such as someone losing their job or a relationship being harmed because of embarrassing or compromising photos getting out. Still, a judge in May allowed the case to proceed.

A widely expected legal challenge has been filed by an Irish privacy advocacy group to an European Union-US commercial data transfer pact underpinning billions of dollars of trade in digital services just two months after it came into force. The EU-US Privacy Shield was agreed earlier in 2016 after the European Union's highest court struck down the previous Safe Harbour agreement over the transfer of Europeans' personal data to the United States, on concerns about intrusive US surveillance. The new agreement gives businesses moving personal data across the Atlantic - from human resources information to people's browsing histories to hotel bookings - an easy way to do so without falling foul of tough EU data transferral rules.

Digital Rights Ireland has challenged the adoption of the Privacy Shield pact by the EU executive in front of the second-highest EU court because it does not contain adequate privacy protections, apparently.

[Commentary] When a slew of websites couldn’t be reached Oct 21, suddenly people across the US started paying attention to the Internet of Things. It turns out that tens of millions of digital video recorders and other devices connected to the internet and protected only by factory-encoded, easily-brute-force-guessable passwords can be harnessed in the service of gigantic distributed denial-of-service attacks. When those devices were instructed to send huge numbers of messages to computers providing pointers to some very popular websites, the computers on the receiving end were brought to their knees—incapable of processing any requests. Without the directional signs in place, suddenly huge numbers of sites couldn’t be found. Who knew the Internet of Things could have such a big effect on our daily lives? Actually, a lot of people knew.

IoT is very big business these days.While we’re patching those insecure home DVRs, routers, and webcams, let’s back up and talk about the implications of IoT for public values generally. Because it’s not just websites that could be affected by unrestrained Internet of Things deployments. We’re not just using IoT in our homes. We’re also going to be using it, in a big way, in the places where 80 percent of Americans live, work, and play: in cities.

[Susan Crawford is the John A. Reilly Clinical Professor of Law at Harvard Law School and a co-director of the Berkman Center.]

So what happened to Google Fiber? For one thing, building out a brand new wireline communications network from scratch is costly, difficult work. Permits must be obtained, partnerships with local governments must be struck, and obstacles thrown up by incumbent Internet service providers and their allies in statehouses must be overcome. Then there’s the small matter of actually building out the network—laying fiber in the ground, or stringing fiber on utility poles—which is an expensive, labor-intensive, and time-consuming endeavor. "I suspect the sheer economics of broad scale access deployments finally became too much for them," said Jan Dawson, an analyst with Jackdaw Research. "Ultimately, most of the reasons Google got into this in the first place have either been achieved or been demonstrated to be unrealistic."

Then there’s the changing nature of Alphabet itself. Alphabet is under increasing pressure from Wall Street to rein in the costs associated with its more fantastical moonshots. One thing seems clear: Alphabet's decision to halt its fiber expansion increases the urgency for cities and municipalities around the country to build community broadband networks if they want faster, cheaper alternatives to the dominant internet service providers. It appears increasingly likely that Google Fiber won’t save you, people, so maybe it’s time to take matters into your own hands.