
By paddlo


Archive for the 'Internet of Things' Category

“Embedded Devices: How Electronic Conveniences Affect Privacy and Discovery” at the Masters Series for Legal Professionals in NYC

 

This panel was presented at the Masters Series for Legal Professionals, recently held in NYC on July 19, 2011.

The panel was moderated by Steve Akers, CTO and Founder of Digital Reef, Inc. Panelists included Daniel Garrie, Esq., Special Master and Mediator in eDiscovery, and Daniel K. Gelb, Gelb & Gelb LLP.

The panel discussed issues arising when discoverable data are stored in the “cloud”, mobile apps, mobile phones, iPads, GPS tracking devices and more.

The RFID Privacy and Data Protection Impact Assessment Framework in the EU: The Article 29 Working Party and the FTC are in No Rush

On February 11, the Article 29 Working Party adopted an opinion on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment (PIA) Framework for RFID applications. (ARTICLE 29 DATA PROTECTION WORKING PARTY 00327/11/EN WP 180 Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications)

The Article 29 WP endorses the proposal developed by industry associations, experts, academics, and individual companies from across Europe.

One of the main privacy concerns related to RFID technology arises from uses of RFID technology which entail individual tracking and obtaining access to personal data. While an RFID operator may not have such a goal in mind when deploying an RFID application, it is important to consider the risk that a third party may use tags for such unintended purposes. The revised framework now clearly requires RFID operators to evaluate the risks that may arise when tags may be used outside the operational perimeter of an RFID application and/or are carried by persons.

The European Commission published a recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification on May 12th, 2009 (the “RFID Recommendation”).

One of the recommendations reads:

“Article 7: RFID use in Retail

Article 7.3: (a) Where a RFID application processes personal data or the privacy impact assessment…shows significant likelihood of personal data being generated from the use of the application, the retailer has to follow the criteria to make the processing legitimate as laid down in directive 95/46 and to deactivate the RFID tag at the point of sale unless the consumer chooses to keep the tag operational. (b) Where a RFID application does not involve processing of personal data and where the privacy impact assessment has shown negligible risk of personal data being generated through the application, the retailer must provide an easily accessible facility to deactivate or remove the tag.”

In the U.S. Federal Trade Commission’s comments on the European Commission’s recommendation of May 2009, the FTC stated, in response to recommendation Article 7.3 (a):

“…Similarly, with respect to RFID, we caution against mandating a specific technological approach, such as mandatory deactivation of tags, before fully understanding the range of benefits the technology might provide to consumers, as well as the range of protective measures that might be available to consumers in the future.”

(The U.S. Federal Trade Commission’s Bureau of Consumer Protection is in charge of protecting consumer rights in the US.)

This is the recent Article 29 WP’s opinion on the subject matter of RFID use in retail:

“This concern (about individual tracking and access to personal data) has received particular attention in the retail sector, where it is feared that tagged items bought by individuals could be misused by retailers or third parties for tracking or profiling purposes. The European Commission addressed this concern in the Recommendation by establishing the principle that tags must be deactivated at the point of sale unless the customers give their informed consent to keep tags operational. The same Recommendation allows an exception to this deactivation principle if the PIA concludes that keeping tags operational after the point of sale does not represent a likely threat to privacy or the protection of personal data. The Working Party observes that a risk management approach, as suggested by the Framework, is an essential tool for the RFID Operator to assess the risks of taking the responsibility to keep tags activated after the point of sale.”

As shown with this example, a key point is that the Revised Framework is based on a risk management approach, which is an essential component of any Privacy and Data Protection Impact Assessment Framework.

The Article 29 WP, however, would like to see implementation of the Commission’s recommendation no earlier than three years from now (2014):

“The European Commission is expected to provide a report on the implementation of the Recommendation, its effectiveness and its impact on operators and consumers, with regards in particular to measures concerning the retail sector. This report is set to be produced 3 years after the Recommendation was published, that is by May 2012. However, considering that the Framework may take 6 months to fully take effect, supplementary time would be beneficial for all stakeholders before such an evaluation is conducted. Therefore, the Working Party would like to suggest to the European Commission to either postpone or supplement the proposed report at a later date set in 3 years from the publication of this opinion.”

In the above-mentioned comments on the European Commission’s recommendation of May 2009, the FTC remarked:

“The FTC staff supports the EC’s risk-based approach to addressing potential consumer privacy and data security issues related to the use of RFID technology. The FTC staff also agrees with the EC that there is a need to raise consumer awareness about RFID technology, in order to enhance consumer trust and to give consumers the tools to protect themselves from the risk of misuse of their information. Given the current stage of deployment of consumer-facing RFID applications, however, the FTC believes that mandating or encouraging specific technological tools for protecting consumer privacy is premature.” (bold added)

Premature?

Implementation no earlier than 2014?

Last summer, Wal-Mart created quite a controversy when it started to use RFID tags to track underwear and jeans, and the George Miller III Head Start Program in Contra Costa County, California, created a buzz when it started to make pre-schoolers wear jerseys with RFID chips inside that track them through the day.

But RFID (radio-frequency identification) technology is far from new. It has been used for many years to keep track of cattle, prisoners, goods, and pets.

RFID technology is already widely adopted, worldwide and in many industries, and is also found in enhanced driver’s licenses, credit and debit cards, passports and government IDs, TWIC Cards, Employer ID/Proximity Cards, US EZpasses, and London Oyster cards, just to name a few applications.

The risk of tracking, profiling, fraud, and identity theft is here and it is real. RFID readers are used by convenience stores, pharmacies, restaurants, fast food markets, bars, and many other places of business to read the RFID chips.

However, these same readers can be freely purchased and attached to a laptop with very little technical knowledge required. There are even cell phones with built-in card readers that can steal your information. By simply walking past you, anyone equipped with such a device can acquire your credit card number and expiration date. There is even a term for it: electronic pick pocketing.

Here’s a not-so-recent video by Boingboingtv: “How to hack RFID-enabled Credit Cards for $8 (BBtv)”

Human RFID Implants are already used for access to car, home, office.

Human RFID implants with personal health and financial information are being used and promoted:

Premature? Seriously?

The Recent Privacy Framework Proposals, The Internet of Things and PET

The CES (Consumer Electronics Show) in Las Vegas just wrapped up a few days ago to an astounding success.

According to PC magazine, one of the five essential trends to emerge from the CES 2011 was the internet of things.

The internet of things can be explained as follows:

“It is foreseeable that any object will have a unique way of identification in the coming future, what is commonly known in the networking field of computer sciences as “Unique Address“, creating an addressable continuum of computers, sensors, actuators, mobile phones; i.e. any thing or object around us. Having the capacity of addressing each other and verifying their identities, all these objects will be able to exchange information and, if necessary, actively process information.”

At the CES, LG Electronics said it was launching home appliances with internet connectivity. These will include smart refrigerators, dishwashers, laundry machines and ovens.

Your refrigerator, for example, could send you a text message or email saying some of your food is about to go bad or that you need to go to the store to replace items that are just about gone.

Another smart thing, the smartphone, just got smarter:

A start-up company called Viewdle showed off their new smartphone software. Their facial recognition phone app can recognize faces in real time and automatically tag them, using either data from social networks or a user-created database from videos and photos on the phone itself.

The goal is then to link these names with social networks and other online sources, so that their latest tweet or Linked In job title can appear beneath their image.

While these new technologies will undoubtedly improve consumers’ lives, they will also pose an additional threat to consumers’ privacy, since there will be a whole new set of personal data available online for marketers, governments and corporations, employers and ediscovery attorneys to scrape. The unique addresses of the appliances will enable identification of the owners.

In the case of smart appliances, would you want your mom, friends, neighbors, colleagues, employer, insurance company, bank, complete strangers or the government to know that you leave your rotten tomatoes in the fridge for over a week, or that you regularly burn the food you cook in the oven, or that you had many clothes with blood stains in your wash on a particular day?

In the case of an app like Viewdle, the risks of privacy loss are even more evident and immediate: picture yourself at a party. A total stranger, who happens to be curious about you, surreptitiously takes a picture of you with his/her smartphone and immediately finds out all that you have ever posted online and all that others have posted online about you. And you haven’t been introduced yet. If that person is also a stalker, or unstable in any other manner, you may be in real trouble, because that person may now know your name, your home address, your work address, your phone number, your entire list of friends, all your family members, even the names of your pets. (Thank you, Facebook.)

The US has started to address these issues through proposals for legislation and/or self-regulation:

The FTC has recently issued a Proposal for Protection of Consumer Privacy.

The US Department of Commerce has recently released a Draft Privacy Green Paper.

In the EU, where comprehensive data protection laws have been in place for the last fifteen years, the Commission has recently issued a Communication regarding the overhaul of the EU personal data protection framework. One of the reasons mentioned was the technological advances of the last decade.

All these proposals have in common that they rely heavily on legal concepts, such as choice, consent, transparency, etc. The problems with this approach are manifold, among others the dependence on costly and questionable enforcement for the system to actually work.

None of the US proposals mentions the use of PET (Privacy Enhancing Technologies) as an alternative and additional tool to ensure consumer privacy.

PET, according to the Wikipedia definition, is a general term for a set of computer tools, applications and mechanisms which – when integrated in online services or applications, or when used in conjunction with such services or applications – allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by such services or applications.

“One of the most important aspects that deals with personal data is Privacy Enhancing Technologies (PETs). The term was coined in 1995 by the Commissioner of Ontario -Dr. Ann Cavoukian – with the Dutch Data Protection Authority.” - http://www.theinternetofthings.eu/content/privacy-design

While the FTC does mention Privacy by Design, it is a different concept:

“Privacy by Design:

Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services.

Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.

Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.”

Privacy by Design refers to privacy practices in companies, not privacy embedded in the technology, as PET does.

The US Department of Commerce does not even mention Privacy by Design, let alone PET.

The EU Commission, on the other hand, does include PET in its Communication:

“Addressing the impact of new technologies

Responses to the consultations, both from private individuals and organisations, have confirmed the need to clarify and specify the application of data protection principles to new technologies, in order to ensure that individuals’ personal data are actually effectively protected, whatever the technology used to process their data, and that data controllers are fully aware of the implications of new technologies on data protection. This has been partially addressed by Directive 2002/58/EC (the so-called ‘e-Privacy’ Directive), which particularises and complements the general Data Protection Directive in the electronic communications sector.

Promoting the use of Privacy Enhancing Technologies (PETs), as already pointed out in the 2007 Commission Communication on the issue, as well as of the ‘Privacy by Design’ principle could play an important role in this respect, including in ensuring data security.”

The Madrid Privacy Declaration on Global Standards for a Global World (November 2009) also recommends the adoption of PETs as part of a privacy protection framework:

“(3) Reaffirm support for genuine Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information..”

Companies will not willingly invest in technologies enhancing the privacy of their customers, unless they see a financial benefit. There must be creative ways for legislators to encourage this investment.

In light of the inevitable movement towards a world where all “things” will become smart and connected to each other and to the internet, as was showcased in the recent CES in Las Vegas, it is a pity that the US does not even consider the use of PET as an additional tool to guarantee the consumer some modicum of privacy.

The US approach, in this way, guarantees that any legislation, if and when it comes into effect, will already be lagging behind the technology, from the moment of its inception.


Privacy and Data Protection: A Super Sad True Love Story

Meet Lenny Abramov:

“ZIP code 10002, New York, New York. Income averaged over five-year-span, $289,420, yuan-pegged, within top 19 percent of U.S. income distribution. Current blood pressure 120 over 70. O-type blood. Thirty-nine years of age, lifespan estimated at eighty three (47 percent lifespan elapsed; 53 percent remaining). Ailments: high cholesterol, depression. Born: 11367 ZIP code, Flushing, New York. Father: Boris Abramov, born Moscow, HolyPetroRussia; Mother: Galya Abramov, born Minsk, Vassal State Belarus. Parental ailments: high cholesterol, depression. Aggregate wealth: $9,353,000 non-yuan-pegged, real estate, 575 Grand Street, Unit E-607, $1,150,000 yuan-pegged. Liabilities: mortgage $560,330. Spending power: $1,200,000 per year, non-yuan-pegged. Consumer profile: heterosexual, nonathletic, nonautomotive, nonreligious, non-Bipartisan. Sexual preferences: low-functioning Asian/Korean and White/Irish American with Low Net Worth family background; child abuse indicator: on; low self-esteem indicator: on. Last purchases: bound, printed, nonstreaming Media artifact, 35 northern euros; bound, printed, nonstreaming Media artifact, $126 yuan-pegged; bound, printed, non-streaming Media artifact, 37 northern euros.”

This is Lenny’s profile that the people who inhabit Gary Shteyngart‘s latest novel “Super Sad True Love Story” can freely view on their äppärät.

The novel is set in a near-future New York, where everyone walks around with an äppärät around his/her neck, constantly streaming. The streets are lined with Credit Poles that instantly register and exhibit each passerby’s credit rating from his/her äppärät, and giant banners that proclaim: “America celebrates its spenders”. Huge conglomerates named ColgatePalmoliveYum!BrandViacomCredit and AlliedWasteCVSCitigroupCredit call the shots.

At work, there are huge billboards where each employee’s health data and mood status are displayed and adjusted daily.

People (with the notable exception of the protagonist, Lenny Abramov) don’t read books anymore, but just scan texts for info.

This world is divided into two categories: The HNWIs (high net worth individuals) and the LNWIs (low net worth individuals). Many LNWIs have lost their homes, their jobs, their health insurance and are camping out in tent cities in Central Park. They don’t even own äppäräts. Riots are about to break out.

Meanwhile, the HNWIs are busy shopping on their äppäräts on sites like AssLuxury. They communicate through a social network site called GlobalTeens. They obsessively GlobalTrace each other’s locations. Men and women gauge each other in bars by streaming their Personality, F**kability, Male Hotness and Sustainability ratings on their äppäräts. Detailed sexual preferences are instantly revealed.

And of course, the Government, via the “American Restoration Authority”, keeps a close eye on all its citizens via those very same äppäräts. It sends regular global messages via the äppäräts, always ending with: “By reading this message, you are denying its existence and implying consent.”

At the center of this darkly satirical novel, a genuine and moving love story unfolds between Lenny and the much younger, e-culturally hip Eunice Park.

While reading Super Sad True Love Story, I was struck by how accurately Shteyngart has depicted most of the current issues concerning loss of privacy: Government Surveillance, Profiling, Geotracking, Global tracking, Legalese Nonsensical Disclaimers, Hyper-Sexualization, Sub-Literacy are exposed with great wit. Financial and private health information are not protected and are publicly showcased to favor the young, the healthy, the wealthy and the Pollyanna-happy.

This novel is a frightening and powerful description of what will happen to us as a society if we don’t take drastic action NOW to halt the increasing erosion of our privacy by the public and private sector alike.

I love my privacy and would not want it to end the way a super sad true love story always does.