Privacy and Security TidBits

Dissection of a Twitter Chat on Privacy and Data Protection with @JulieBrillFTC

Unknown-2

FTC Comissioner Julie Brill recently held her first Twitter chat on the topic of privacy and the FTC.

TWITTER LINGO FOR BEGINNERS:

Those who are regular twiteratti can skip the following paragraph, but for those still not familiar with Twitter lingo, I have included a short introduction to Twitter shorthand:

  • @JulieBrillFTC: This is Julie Brill’s twitter handle, or twitter user name. Tweeters need to create a twitter handle in order to tweet.
  • RT: Re Tweet; When @JulieBrillFTC tweets: RT@soandso, she re-tweets @soandso’s tweet; in other words, she repeats that person’s tweet.
  • MT: Modified Tweet; When @JulieBrill tweets: MT@soandso, she retweets @soandso’s tweet, but with a slight modification, usually in order to remain within the 140 character limit.
  • In the Twitter chat, @JulieBrillFTC RT’d or MT’d participant’s questions (Q). She preceeded her answers with an A.
  • #: Hashtag. A hashtag on Twitter is the pound sign, followed by an acronym or word to group all tweets related to a particular topic. If you click on that particular hashtag link, you will see all tweets that were posted with that hashtag included in their tweets. In @JulieBrillFTC’s Twitter chat, the chosen hashtag was #FTCpriv
  • Tweets have a limit of 140 characters. A lot more can be crammed into a tweet by the use of a link to an article, something which @JukieBrillFTC avails herself of in her answers to tweeters’ questions. There are even several ways of shortening the links, to leave more characters free for use in the tweet.

I reposted @JulieBrill’s Twitter chat in a user friendly way. Tweets that were not directly relevant to the Q&A were omitted. Tweets by those who posted the questions were omitted as well to avoid unnecessary duplication of the questions, since @JuliBrillFTC re-tweeted them anyway. Since Twitter operates as a live feed, later tweets appear before earlier tweets. Therefore, for someone not used to Twitter, it might be disconcerting to read the answers before the questions. I therefore reversed the order of the tweets, and posted the earlier ones before the older ones.

@JULIEBRILLFTC’s TWITTER CHAT:

  • JulieBrillFTC ‏@JulieBrillFTC  Feb 5 Welcome to my 1st Twitter chat! Happy to answer your questions about big data, data security, internet of things, & privacy. #FTCpriv
  • I’ll try to answer as many questions as I can in the next 60 minutes. So, what do you want to know? #FTCpriv
  • Q1 MT @alexanderhanff can u explain why links to so many privacy papers on FTC web site are broken? Hard 2 cite studies that vanish #FTCPriv
  • A1 FTC recently went through redesign of its website to improve functionality. Please send problematic links to ftcgovweb@ftc.gov. #FTCpriv
  • Q2 RT @hfienberg What is the definition of a data broker, according to the @FTC ? #FTCpriv
  • A2 We set out definition of data broker in its 2012 Privacy Report http://go.usa.gov/BKNk  . 3 categories: FCRA, eligibility, or marketing.
  • Q3 RT @PaulNemitz #ftcpriv How important is the US – EU #Safeharbour arrangment for the protection of #privacy of americans?
  • A3 Our enforcement of Safe Harbor protects both U.S. & EU consumers through our casework. #FTCpriv
  • Q4 MT @JeramieScott Do u have thoughts on how to ensure integrity of big data algorithms that make decisions that impact people? #FTCpriv
  • A4 Consumers need more access to data sets to see impact of these decisions, and to reclaim their names http://go.usa.gov/BKjh  #FTCpriv
  • Q5 MT @ lexanderhanff In Jan 2013, Brussels ou stated FTC ready to work w/EU on mutual enforcement prog. has discussion evolved? #FTCPriv
  • A5 The FTC remains committed to improving mutual enforcement cooperation with EU partners. #FTCpriv
  • Q6 MT @CWLiedtke #FTCpriv EU Comm. Reding threatens to end US-EU safe harbor if US doesn’t implement legislation until summer. Thoughts?
  • A6 VP Reding acknowledged imprtnce of cntining U.S.-EU Safe Harbor. USG & EU Commission discussing helpful ways to improve SH. #FTCpriv
  • Q7 RT @TouroLawIBLT How does the FTC differentiate between cos that sell #bigdata and those that use and amass it? #FTCpriv
  • A7 Same principles apply: PBD, effective transparency, simplified choice. Co.’s shd give careful thought to data collection & use. #FTCpriv
  • Q8 MT @MHJCarlson Does @FTC see proliferation of mobile devices in hospitals as a threat to patient data security? Solutions? #FTCpriv
  • A8 Doc-controlled mobile devices present opps for innovation in HC; but patient #datasecurity & #privacy must be protected. #FTCpriv
  • Q9 MT @PogoWasRightQ Does FTC rec national #datasecurity standard that incl encryption 4 data at rest 4 all entities storing SSN? #FTQ9 
  • A9 1/2 We support fed leg on data security & breach notice. Stds for security should require reasonable and appropriate practices. #FTCpriv
  • Q10 RT @StuartLevi Dont recent FTC actions discourage companies from saying anything about their security practices to the public? #FTCPriv
  • A10 FTC examines co statements & underlying data security practices. We consider both potentially deceptive and unfair activity. #FTCpriv
  • Q11 RT @ajamietalbot Among all the data issues facing FTC, which do you think are the most pressing and deserve FTC focus? #FTCpriv
  • A11 Pressing issues: health, financial, & other sensitive data; data broker practices; #IoT; mobile; facial recognition & #COPPA#FTCpriv
  • Q12 RT @sharemindfully #ftcpriv – What steps is the #FTC taking to increase consumer awareness of #privacy issues?
  • A12 1/2 FTC has very robust consumer education program, including blogs, publications, staff outreach. See http://consumer.ftc.gov  #FTCpriv
  • A12 2/2 Also, lots of Commission outreach on emerging issues. I speak a lot too. :>) #FTCpriv
  • We are at 60 minutes. You all have asked lots of great questions. I’ll take a few more minutes to answer a few more. #FTCpriv
  • Q13 RT @Vitiell0 When will the data standards outlined in the 2012 consumer privacy BOR be enforceable? #FTCpriv
  • A13 I support baseline consumer privacy legislation and am eager to work with Congress, the Administration, and others to that end. #FTCPriv
  • Q14 MT @Abine Has FTC been in communication w/FB, Google, the DAA, on their plans for post-cookie consumer tracking tech? #FTCpriv
  • A14 We all need to focus on tracking that will take place in post-cookie world. Talking with lots of stakeholders. Welcome input. #FTCpriv
  • Q15 RT @Cellular1988 Do u think that the Safe Harbor give to all EU citizens good protection of their fundamental rights (redress)? #FTCpriv
  • A15 Safe Harbor gives FTC effective tool for protecting privacy of EU consumers. On redress, I support reducing ADR fees. #FTCpriv
  • I’m going to answer one final question. #FTCpriv
  • Q16 RT @Cellular1988 How many processor[s] can process data for one Safe Harbor certified company? #FTCpriv
  • A16 1/2 There’s no set number of permissible processors, but all agents have to apply privacy protections. #FTCpriv
  • A16 2/2 Mechanisms for agents incl. being in SH, being subject to the directive or under adequacy finding, or by contract. #FTCpriv
  • JulieBrillFTC ‏@JulieBrillFTC  Feb 5 Thanks so much for participating in my Twitter chat. Sorry I couldn’t answer all of your great ?s. Let’s do this again soon. #FTCpriv

 

IS TWITTER CHAT AN EFFECTIVE WAY OF COMMUNICATION ON IMPORTANT ISSUES SUCH AS PRIVACY?

This Twitter chat is a perfect example to illustrate the advantages, as well as the pitfalls of communication through Twitter.

A few examples where Twitter works well:

 

  • The practical question:
  •  Q1 MT @alexanderhanff can u explain why links to so many privacy papers on FTC web site are broken? Hard 2 cite studies that vanish #FTCPriv
  • A1 FTC recently went through redesign of its website to improve functionality. Please send problematic links to ftcgovweb@ftc.gov. #FTCpriv
  • Practical solution to a concrete question. Bravo!

 

  •  The clarification question:
  •  Q9 MT @PogoWasRightQ Does FTC rec national #datasecurity standard that incl encryption 4 data at rest 4 all entities storing SSN? #FTQ9 
  • A9 1/2 We support fed leg on data security & breach notice. Stds for security should require reasonable and appropriate practices. #FTCpriv
  • The FTC, as well as many other U.S. regulatory and enforcing agencies have always stayed away from imposing specific technologies for ensuring data security, since technology changes at the speed of light and the type of technology to be applied is always contextual and depending on the type of data handled and the type of company handling the data. “Reasonable and appropriate practices” it is. And @JulieBrillFTC managed to squeeze in the FTC’s opinion on the need for FEDERAL legislation on data security and data breach notification, since the U.S. doesn’t have one yet. (Most of the States have data security and data breach notification laws, but they are all different from each other and create an impossible patchwork of laws). All this in 140 characters. Hats off! On the other hand, in order to make any sense of those <140 characters, one does need to have some background knowledge of the topic.

 

  • The policy question:
    • Q6 MT @CWLiedtke #FTCpriv EU Comm. Reding threatens to end US-EU safe harbor if US doesn’t implement legislation until summer. Thoughts?
    • A6 VP Reding acknowledged imprtnce of cntining U.S.-EU Safe Harbor. USG & EU Commission discussing helpful ways to improve SH. #FTCpriv
    • The future of U.S.-EU Safe Harbor is on every privacy professional’s mind these days. Here, with a tweet, @JulieBrillFTC has indicated that Safe Harbor is the subject of negotiations between the US Government and the EU Commission in order to tweak it into a viable solution. The end of Safe Harbor? Not.
    • Another good policy exchange was the following one, assuming one knows that IoT stands for “Internet of Things”:
      • Q11 RT @ajamietalbot Among all the data issues facing FTC, which do you think are the most pressing and deserve FTC focus? #FTCpriv
      • A11 Pressing issues: health, financial, & other sensitive data; data broker practices; #IoT; mobile; facial recognition & #COPPA#FTCpriv
    • This is a clear question, with a very clear answer.

 

A few examples where Twitter doesn’t work as well:

  • The avoiding the question answer:
    • Q14 MT @Abine Has FTC been in communication w/FB, Google, the DAA, on their plans for post-cookie consumer tracking tech? #FTCpriv
    • A14 We all need to focus on tracking that will take place in post-cookie world. Talking with lots of stakeholders. Welcome input. #FTCpriv
    • So, has the FTC been in communication with FB, Google and the DAA?

 

  • The diplomatic answer:
    • Q13 RT @Vitiell0 When will the data standards outlined in the 2012 consumer privacy BOR be enforceable? #FTCpriv
    • A13 I support baseline consumer privacy legislation and am eager to work with Congress, the Administration, and others to that end. #FTCPriv
    • Ah, we all know that the FTC supports legislation to implement the 2012 Privacy Bill of Rights, but when will it become law? When?

 

  • The simplistic answer:
  •              Q4 MT @JeramieScott Do u have thoughts on how to ensure integrity of big data algorithms that make decisions that impact people?   #FTCpriv
    • A4 Consumers need more access to data sets to see impact of these decisions, and to reclaim their names http://go.usa.gov/BKjh  #FTCpriv
    • Well, yes, having access to one’s data and having the ability to correct wrong information is a very good start, but it is far from sufficient to ensure the integrity of the algorithms that are used to make important decisions about an individual. For example, how do we ensure that the algorithm itself is not based on some illegal discriminatory premises? Clearly, Twitter is not an adequate channel to discuss such deep and granular issues.

 

 

  • The incorrect answer?
    • Q3 RT @PaulNemitz #ftcpriv How important is the US – EU #Safeharbour arrangment for the protection of #privacy of americans?
    • A3 Our enforcement of Safe Harbor protects both U.S. & EU consumers through our casework. #FTCpriv
    • Safe Harbor protects U.S. consumers? Really? And I thought that it only protected personal data originating from the EU. Who knew? Maybe the lightning speed at which one must react on Twitter can be faulted for such seemingly erroneous statements. I have no doubt that @JulieBrillFTC did not make a mistake in her area of expertise, but short tweets are conducive to ambiguous meanings and maybe incorrect interpretations.

 

CONCLUSION

A Twitter chat is the democratic communication tool par excellence. Every Jo/Jean Shmo with a twitter handle can instantly communicate with an authority figure, regardless of where in the world he/she resides, as long as he/she has an internet connection.

The format works well for simple, concrete questions that require simple and concrete answers.

As soon as the question requires a more granular response, Twitter fails to deliver. It is simply impossible to convey nuance, cover grey areas and explain complex matters with a 140 character tweet. Inserting a link to an article that deals with the issue at hand is a good way of introducing more nuance and information in a tweet or Twitter chat.

 

Please follow me on Twitter at @AltheimLaw and at @MoniqueAltheim!