Online privacy
How Palantir, Peter Thiel's Secretive Data Company, Pushed into Policing
Palantir had been selling its data storage, analysis, and collaboration software to police departments nationwide on the basis of rock-solid security. “Palantir Law Enforcement provides robust, built-in privacy and civil liberties protections, including granular access controls and advanced data retention capabilities,” its website reads. The scale of Palantir’s implementation, the type, quantity and persistence of the data it processes, and the unprecedented access that many thousands of people have to that data all raise significant concerns about privacy, equity, racial justice, and civil rights. But until now, we haven’t known very much about how the system works, who is using it, and what their problems are. And neither Palantir nor many of the police departments that use it are willing to talk about it.
ACLU: Absent warrant standard, police could monitor anyone via location data
Lawyers representing a man convicted of six robberies in the Detroit area have now filed their opening brief at the Supreme Court in one of the most important digital privacy cases in recent years. This case, Carpenter v. United States, asks a simple question: is it OK for police to seize and search 127 days of cell-site location information (CSLI) without a warrant? Previously, lower courts have said that such practices are compatible with current law. But the fact that the Supreme Court agreed to hear the case suggests that at least four justices feel that perhaps the law should be changed.
In Carpenter, as is the case in countless modern criminal cases, law enforcement was able to obtain the relevant records directly from the mobile phone provider with a court order that has less stringent requirements than a warrant. This is not a trivial distinction. A so-called "d-order" can be circumspect with how information is obtained by authorities. It does not, as the Fourth Amendment demands, require as much particularity. A warrant, unlike a d-order application, also mandates a signed and sworn affidavit ("on oath or affirmation"), as the Constitution requires, which describes the "places to be searched and the things to be seized." Carpenter's attorneys, many of whom are from the American Civil Liberties Union, argue in their filing that the current legal standard gives the government too much leeway. "If the Court were to accept this argument, the government could use this tool to monitor the minute-by-minute whereabouts of anyone—from ordinary citizens to prominent businesspersons to leaders of social movements," they wrote in their August 7 brief.
These 42 Disney apps are allegedly spying on your kids
The Walt Disney Co secretly collects personal information on some of its youngest customers and shares that data illegally with advertisers without parental consent, according to a federal lawsuit filed late last week in California. The class-action suit targets Disney and three other software companies — Upsight, Unity and Kochava — alleging that the mobile apps they built together violate the law by gathering insights about app users across the Internet, including those under the age of 13, in ways that facilitate “commercial exploitation.”
The plaintiffs argue that Disney and its partners violated COPPA, the Children’s Online Privacy Protection Act, a federal law designed to protect the privacy of children on the Web. The lawsuit, filed in U.S. District Court for the District of Northern California, seeks an injunction barring the companies from collecting and disclosing the data without parental consent, as well as punitive damages and legal fees. The lawsuit alleges that Disney allowed the software companies to embed trackers in apps such as “Disney Princess Palace Pets” and “Where’s My Water? 2.” Once installed, tracking software can then “exfiltrate that information off the smart device for advertising and other commercial purposes,” according to the suit. Disney should not be using those software development companies, said Jeffrey Chester, the executive director of the Center for Digital Democracy. “These are heavy-duty technologies, industrial-strength data and analytic companies whose role is to track and monetize individuals,” Chester said. “These should not be in little children’s apps.”
Verizon’s new rewards program lets it track your browsing history
Verizon has a new rewards program out, called Verizon Up, which awards users a credit for every $300 they spend on their Verizon bill that can be redeemed toward various rewards. Customers will be able to get rewards such as “Device Dollars toward your next device purchase, discounts on an accessory, or partner rewards,” along with other surprise offerings and first-come, first-serve ticket opportunities, which all seems like a nice occasional thing to get for regularly paying your cellphone bill.
But, the new program comes with a pretty big catch: you have to enroll in Verizon Selects, a program that allows the company to track a huge chunk of your personal data. That includes web browsing, app usage, device location, service usage, demographic info, postal or email address, and your interests. Furthermore, that data gets shared with Verizon’s newly formed Oath combination (aka AOL and Yahoo), plus with “vendors and partners” who work with Verizon. Which is kind of a long list of people who have access to what feels like a fairly significant amount of your data.
Companies brace for European privacy rules
US companies are largely unprepared for what's about to hit them when sweeping new European Union data laws take effect in 2018. The regulation — the General Data Protection Regulation (or GDPR) — is intended to give users more control of how their personal data is used and streamline data processes across the EU. Companies that fail to comply with the complex law will face steep fines of up to 4% of their global annual revenue.
Europe has by far taken the most aggressive regulatory stance on protecting consumer privacy and will in many ways be a litmus test for regulating the currency of the data economy. It impacts a huge number of businesses from advertisers to e-commerce platforms whose data flows through EU countries. That means everyone from Google to your neighbor who sells shoes on eBay could be affected.
Google’s new program to track shoppers sparks a federal privacy complaint
The Electronic Privacy Information Center (EPIC), a prominent privacy rights watchdog, is asking the Federal Trade Commission to investigate a new Google advertising program that ties consumers’ online behavior to their purchases in brick-and-mortar stores.
The legal complaint, to be filed with the FTC on July 31, alleges that Google is newly gaining access to a trove of highly sensitive information -- the credit and debit card purchase records of the majority of US consumers -- without revealing how they got the information or giving consumers meaningful ways to opt out. Moreover, the group claims that the search giant is relying on a secretive technical method to protect the data -- a method that should be audited by outsiders and is likely vulnerable to hacks or other data breaches. “Google is seeking to extend its dominance from the online world to the real, offline world, and the FTC really needs to look at that,” said Marc Rotenberg, the organization’s executive director. EPIC alleges that if consumers don’t know how Google gets its purchase data, then they cannot make an informed decision about which cards not to use or where not to shop if they don’t want their purchases tracked. The organization points out that purchases can reveal medical conditions, religious beliefs and other intimate information.
LinkedIn, a champion of privacy rights? Don’t buy it
LinkedIn may very well succeed in its effort to stop a San Francisco (CA) startup from using the data of its members. But the Sunnyvale (CA) company, now a division of Microsoft, has certainly lost the moral high ground. In fact, the job-hunting and networking site is guilty of blatant hypocrisy. HiQ Labs makes software that analyzes data from public LinkedIn profiles to help employers determine which workers are likely to leave or stay. But at a hearing at U.S. District Court in San Francisco, lawyers representing LinkedIn argued that HiQ was causing significant harm to its business because members expected LinkedIn to protect their privacy. LinkedIn’s most valuable currency is “trust with customers,” said Donald Verrilli, a partner with Munger, Tolles & Olson law firm in Washington. That sounds very noble. But the very idea of a social media giant serving as the champion of privacy rights seems suspect. When a service tells you it’s free, that means it’s making money another way. And more likely than not, you’re the product.
Privacy isn't Dead. It's More Popular Than Ever
One out of every seven people on the planet uses the messaging app WhatsApp every day, according to a recent blog post from the company. A billion people a day send messages to their friends and family on a service that's end-to-end encrypted by default, up from a billion per month from 2016. That surge in growth stands in sharp contrast to Twitter, which added approximately no new monthly users last quarter, and had in fact lost two million in the US. WhatsApp and Twitter don't just represent contrary growth curves; they're the polar opposites of messaging. Twitter is public. WhatsApp is private. Twitter has a huge problem with safety, while WhatsApp has made privacy and security the center of its mission. And it's now more clear than ever that people have made their choice.
We tested apps for children. Half failed to protect their data.
[Commentary] More than 50 percent of Google Play apps targeted at children under 13—we examined more than 5,000 of the most popular (many of which have been downloaded millions of times)—appear to be failing to protect data. In fact, the apps we examined appear to regularly send potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third-party advertisers. Over 90 percent of these cases involve apps transmitting identifiers that cannot be changed or deleted, like hardware serial numbers—thereby enabling long-term tracking.
We suspect that most of the developers whose apps fail to protect data do not have nefarious intent, but rather fail to configure their software properly or neglect to scrutinize practices of the third-party advertisers they rely upon to generate revenue. When building an app, developers import ready-to-use code from many different third parties, including advertising companies. While this code “reuse” results in time savings and fewer errors, app developers likely do not realize that they are liable for all code included in their apps, regardless of whether or not they were the ones who wrote it.
[Serge Egelman is research director of the Usable Security & Privacy group at the International Computer Science Institute and an affiliated researcher at the University of California, Berkeley Center for Long-Term Cybersecurity]
Senate Resurrects Cloud Storage Protections Bill
A bipartisan bill, the ECPA Modernization Act, has been introduced that would update communications privacy law to protect cloud storage. It is the latest effort by the Senate to address the issue after the House voted overwhelmingly to protect older data. In the previous Congress, Senate Judiciary Committee chairman Charles Grassley (R-IA) pulled an Electronic Communications Privacy Act update bill from the committee's markup agenda after "poison pill" amendments threatened to expand the bill into areas that neither of its co-sponsors wanted it to go. That baseline bill, which passed the House 419 to zero, would have updated the Electronic Communications Privacy Act to provide protections for cloud storage by requiring a probable cause warrant for accessing information in the cloud and extending the protections to emails and other content stored over 180 days (currently no warrant is required to access those).