Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process
Archive for August, 2009

Facebook Taking Steps to Increase User Data Privacy

Thursday, August 27th, 2009

Facebook took major steps today in protecting user privacy by announcing significant changes to the way third-party applications can access user data. Whereas developers previously had access to all profile data on a user, the new system will require applications to specify categories of information they wish to access and obtain express consent before data is shared. Users will have to specifically approve any application’s access to their friends’ information, and that information would still be subject to the friend’s privacy and application settings.

This is a big win for protecting user privacy on social networks, as users often do not know how much of their data is being shared with third-party applications. Now developers will only have access to user information relevant to the application, which will decrease the amount of personal data transmitted between user and developer and web site. It will also help curb developers or ad networks that purposely create misleading applications for the sole purpose of taking user data for advertising.

The blog Inside Facebook has a great post on this development here.

New York Times Discusses Government Website Privacy

Wednesday, August 26th, 2009

Yesterday, the New York Times published an editorial on revising the tracking policy on federal government web sites. This piece aligns closely with recommendations CDT and EFF made recently about updating the “cookie” policy to provide both transparency and privacy protection.

As mentioned in a blog post from EFF’s Tim Jones, this piece really nails it in terms of what the administration needs to do to ensure that citizen privacy is taken into account in web site measurement and tracking. It is important to note from the CDT and EFF recommendations that this type of notice does not need to be legalistic to be useful. We recommend that agencies have regular for users on each page that users can find more information about.

Deconstructing Green Dam

Monday, August 24th, 2009

Last week, China’s Minister of Industry and Information Technology announced that pre-installation of the Green Dam/Youth Escort filtering software on computers sold in China would no longer be mandatory. Officials had previously only delayed implementation of the program. You can find a translation of the press statement here.

However, the software will still be installed in schools, Internet cafes, and other public venues. And, of course, Chinese authorities still maintain extensive filtering mechanisms and other strategies to block access to information online.

Green Dam is only the latest skirmish in the ongoing struggle over control of information in an increasingly networked China. We can make several observations and draw several lessons here to inform the efforts of stakeholders and advocates working to expand the space for expression online.

First, this incident highlights China’s increasing adoption of child safety rhetoric as a pretext (at least in part) for politically motivated censorship. Second, Green Dam draws attention to the growing market for third-party filtering software among governments in countries looking to implement pervasive systems of censorship. A variety of types of transactions with such governments raise dicey ethical issues for ICT companies. Companies must grapple with these issues in an affirmative way or risk complicity with human rights violations.

HHS Issues Breach Notification Rule on Heels of FTC Rule

Friday, August 21st, 2009

On Wednesday, the U.S. Dept. of Health and Human Services (HHS) released its interim final rule on health data breach notification. The interim rule establishes, among other things, technological standards regarding how to secure health information strongly enough to obviate the need to notify consumers of a data breach. The public has 60 days to comment on the interim rule provisions before they are final. CDT had issued comments to the HHS rulemaking in May 09.

Health care providers are required by law to notify consumers when unsecured protected health information is breached. In this interim ruling, HHS offered guidance on what “unsecured protected health information” means. HHS identified technologies and methodologies that would adequately “secure” personal health data. If the data is breached, health care providers properly using these technologies or methodologies need not notify consumers of the breach. Two of those technologies/methodologies are strong data encryption and destruction standards. CDT supported the approach of offering this exception to notification because it gives companies an incentive to strongly protect consumer data. However, CDT’s comments made clear that such data protections are but one necessary component of a comprehensive framework needed to foster HIT privacy.

CDT’s comments recommended that HHS decline to add the “limited data set” to the methodologies that secure health data. Under the HIPAA law, the “limited data set” is data with certain identifiers stripped from it. However, CDT cited research indicating that a significant portion of the population could still be re-identified with the information contained in the limited data set. Referencing this risk in the interim ruling, HHS agreed that the limited data set alone was not a proper way to secure health information. However, HHS offered an exception to this standard: health care entities and business associates must perform a risk assessment after a data breach of a limited data set, and if this assessment determines that there is “no significant risk of harm” to the individual, then the entity does not need to notify the individual. This appears to be an internal decision on the part of the company.

Privacy in the Age of Big Data

Thursday, August 20th, 2009

For some years now, when speaking about privacy, I have often told my audience: “Everyone in this room, whether they know it or not, is carrying a tracking device.”  I was referring to their cellphones.  Every few seconds, whenever it is turned on, a cellphone sends out a signal registering its location — and its user’s location — with the nearest towers.  I used the example to illustrate the way in which consumer-driven changes in technology and the way we use it are dramatically eroding privacy, creating more and more data about our daily activities, held by services providers, shared for advertising and other purposes, and available to the government, often under very weak controls.

Expanding on this theme, Jeff Jonas has pulled together in his latest blog post some of the implications of the growing prevalence of what he calls “space-time-travel” data.  Jonas highlights trends CDT has been talking about for some time – see our report on digital search and seizure and our recent Policy Post on the location-enabled web — but he sure says it in a much more interesting way than we have been.

A mixed bag: The FTC’s final health information breach notification rule

Wednesday, August 19th, 2009

Yesterday, the Federal Trade Commission (FTC) released its final rule on health breach notification. The rule sets guidelines for vendors of personal health records (PHRs) on how and when to notify consumers when their health information has been breached.

PHRs are typically Internet-based programs that enable consumers to collect, retain and share their personal health information. A defining characteristic of PHRs is the high level of control consumers exert over information in the PHR. The FTC final rule applies to PHRs that are operated by entities that are not covered by HIPAA, such as Google and Microsoft. Other PHRs are operated by health care providers that are covered under HIPAA laws, like hospitals; the Dept. of Health and Human Services (HHS) is expected to issue separate final breach notification rules for these PHRs very soon.

CDT submitted comments to the FTC’s proposed rule in June 09. The FTC’s final rule implements most, although not all, of CDT’s recommendations. Among CDT’s recommendations that the FTC agreed to implement in its final rule:
- The FTC and HHS rules on health data breach notification must be harmonized,
- Privacy and security protections should apply both to data in storage and in transit,
- This rule represents an appropriate expansion of the FTC’s traditional consumer protection authority,
- Breach notices should be issued from the entity with the closest direct relationship to the consumer, and only one notice per breach, and
- Companies’ disclosures regarding how consumers’ information is used must give consumers meaningful choices and not be buried in lengthy privacy policies.

Both Hands in the Cookie Jar

Monday, August 17th, 2009

The federal government has recently announced its intention to revise the current policy governing how federal agency web sites use cookies and other tracking technologies on the web. This is a really significant development for those interested in technology, open government, and privacy, because it has the potential to change the way that federal agencies interact with citizens online. It’s so important that we’d like to demystify some of the rumors floating around out there about the current policy, the new policy, and what it all means for privacy.

First things first: the government already has a policy governing how federal web sites can use cookies and other persistent tracking technologies. As established in 2000 (and updated in 2003 — see our previous post for a brief history), the policy prohibits federal agencies from using persistent tracking technologies unless there’s a compelling need, that usage is disclosed, and the agency head (or a delegate) personally approves that use. While that last provision about agency head approval may have stymied many agencies’ efforts to use cookies, that doesn’t mean there is currently an outright ban on cookie use. There isn’t. Today, if an agency head wanted to approve the use of cookies to track and record intimate details about how citizens engage with the agency’s site, the current policy would not stand in the way.

RECAP(ing) PACER

Friday, August 14th, 2009

While we often concentrate on the Executive and Legislative branches when we talk about government transparency, the federal court system lags behind them both. The Public Access to Court Electronic Records (PACER) system – the only online source for “public” court documents – is hardly a modern system for openness. Sure, it was when it launched several years ago, but it has fallen far behind the times. In order to access court records, users must use a confusing and outdated system to pay eight cents per page for PDFs of court documents.

A new project from Princeton University’s Center for Information Technology Policy aims to “turn PACER around” with a Firefox extension called RECAP. This extension is crowd-sourcing the task of making documents available, letting users know when a document can be had for free at the RECAP archive and letting users donate documents they purchase to the free collection.

As I noted in February, these opinions and documents often form the basis for our understanding of legislation and law. They are currently locked behind a pay wall. RECAP is working with Public.Resource.Org and Justia to build on their existing free court documents, consolidating them with user submissions at the Internet Archive. This is exactly the kind of project that we need in order to show that the courts shouldn’t rely on high user fees to make information public – in fact, the information can and should be shared easily.

Transparency advocates are not the only people pushing PACER to modernize its system; Senator Lieberman continues to question the fees levied on users. He’s right: the courts are not making documents “freely available to the greatest extent possible” as mandated in 2002 as part of the E-Government Act. When the government won’t free information, third parties stepping in to compile and share information is the next best thing.

RECAP will be presenting on their new extension as well as the policy context of their work at the O’Reilly Gov 2.0 Expo next month, and I’m looking forward to hearing more about it.

CRS Report of the Week: Wiretapping and Electronic Eavesdropping

Friday, August 7th, 2009

The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch–and the reason you might not have read their work–is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort to liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts and featuring a relevant report each week. These reports are informative both in that they serve as excellent primers to political issues and in that they offer a degree of insight into what information is circulating around Congress.

Privacy: An Abbreviated Outline of Federal Statutes Governing Wiretapping and Electronic Eavesdropping
Report Number: 98-327
Date: September 02, 2008

Wiretapping and electronic eavesdropping laws are important knowledge for anyone concerned about privacy. This CRS Report offers a brief introduction to what the Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) actually mean. The report covers what is prohibited, the procedure for court-ordered wiretapping (and how FISA is different), and the Protect America Act. The section on the history and evolution of wiretapping is particularly interesting as it shows the piecemeal development of wiretap law. This provides a glimmer of insight into how the current situation of incomplete protections developed. CDT’s work on warrantless surveillance and wiretap can offer information on the most recent developments in the area.

The detail-oriented may have noticed that this CRS Report is an abbreviated outline. For the determined, the original 164 page overview is available here.

RFID Skimming Is Easier Than You Think

Friday, August 7th, 2009

Federal agents attending this year’s DefCon hacker convention were in for a surprise when top RFID researchers revealed that they scanned five convention attendees’ and potentially one Federal agent’s RFID-enabled cards. Researchers set up an RFID reader with a web camera that skimmed RFID-enabled cards and took a picture of their owners as they passed within two to three feet. Using information read on an RFID chip, a hacker could clone the chip and impersonate the card’s owner. Depending on the chip, a hacker could also discover personal information about the owner. Federal agents, including those from the FBI and Department of Defense, only found out about this project when they were told by a DefCon staffer. One former agent’s response: “I saw a few jaws drop when he said that.”

RFID chips aren’t just found in government IDs–several states are currently issuing enhanced drivers’ licenses (EDLs) that incorporate vicinity-read RFID chips as part of the Western Hemisphere Travel Initiative. The State Department’s new PASScard (passport card) also incorporates the same RFID technology. We have seen independent demonstrations of how easily RFID chips can be skimmed using inexpensive, off-the-shelf equipment. Vicinity-read RFID chips in particular are more vulnerable to being scanned because of their ability to be read at a greater distance. The security researchers at DefCon have once again highlighted the risks insecure, long-range chips may pose to the privacy and security of the cardholder.

Vicinity-read RFID technology was developed for tracking inventory; the risks to privacy and security the technology poses to EDL and PASScard holders far outweigh the justifications asserted for its use in human identification credentials. Citizens should be given the option of applying for cards without vicinity-read RFID, or at least consider more secure RFID technologies. The privacy and identity theft implications are why CDT urges Congress to reject the use of vicinity-read RFID technology in PASS ID.

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
