Recent Developments:
-
In the Apple v. FBI fight, the court filed
motion to vacate Judge Pimm’s order forcing Apple to assist the FBI to unlock
the phone
o
The Justice Department asked
the court to vacate because it found an alternative way into the phone. The
US Attorney stated “Our decision to conclude the litigation was based solely on
the fact that, with the recent assistance of a third party, we are now able to
unlock that iPhone without compromising any information on the phone….”
-
New devices in the Internet of Things
o
Home pregnancy monitor—Monitors the fetus in
real time and sends data to the doctor
§
Parents can monitor their teen’s driving habits
(i.e. tells parents what maximum speed they drove, was there a collision alert,
what distance they drove, etc.)
§
Accident rate up until age 18 is 3 times the
rate of 18-25; after 25 goes way down
§
You just breathe into the device and if you are
over the legal blood alcohol limit, there will be a starter interrupt and you
won’t be able to start your car
-
Judge Cambell, the judge of the Hulk
Hogan trial, was
analyzed for the number of times she has been reversed
o
Since 2012, she has been reversed 22 times,
which is the highest of any state judge in Pinellis County, where the average
reversal rate is 4
-
Verizon Security Solutions announced
that hackers compromised an water treatment plant’s control system, and altered
the chemicals in the water supply
o
Ultimately, this breach posted no safety threat
to customers because there was manual monitoring of the chemicals and they
discovered the hacking in time to prevent harm
o
The breach also exposed the personal data of 2.5
million customers
o
The Dept. of Homeland Security has said that in
their view the US is a prime target for terrorists because much of our
infrastructure is old and hasn’t been technologically updated
o
To underscore this, on Friday, the FBI
announced the indictments of 7 Iranians for a series of attempted hacks on
several banks and a NY dam
Question of the Week: should data brokers be legally
required to disclose the consumers what information they have compiled on an
individual and to whom the information has been sold?
-
everyone in the class said yes
-
This was a relatively easy question to answer,
but it’s harder to parse what information and the time/how to give access, where
the issue becomes more complicated
-
Acxiom is the first broker to allow users to see
their “core data” and to correct/remove the information from your profile. (But
it doesn’t delete the data from Acxiom servers, so it can still be used for
analytics.)
o
But Acxiom does not display the inferences, i.e.
derived information, that they obtain through analytics
o
Acxiom Offers 3 types of data
§
Marketing products
§
Directory products (white pages)
§
Fraud and detection products
o
Categorizes all US households into 70 clusters,
which are broken further into 21 life stage groups
-
Example: Professor Dryer signed up for an
account and requested to see the information they have collected
o
He was sorted into Cluster #2—Established Elite
o
To get the information, he had to file a reference
information report request, providing them with authenticating information:
§
Name, address, SSN, drivers license number, data
e of birth, email address
§
The form says that the information will be used
to verify your identity but won’t be used for any other purpose
·
(author’s note: uh-huh.)
o
Report showed 5 categories
§
Demographics
·
Date of birth, age, marital status, profession,
etc.
§
Home
·
His address, the market value of the home, the
home purchase date, etc.
§
Vehicles
·
Vehicles listed were out of date
·
Must have made an inference—listed him as a
truck and RV owner, which he is not
§
Household Purchases
·
Average monthly spending
·
How many credit cards
·
Average offline and online spending
§
Household Economic
·
Household income (was outdated)
§
Household Interests
·
Identified 24 different categories of interest
·
Specifically identified charities, political,
and religious groups
·
Listed where traveled, international and abroad
-
Acxiom doesn’t tell you what categories they
have put you in (Ex. addictive behavior, etc), based on their analytics. Is
this enough disclosure (a “reasonable amount of detail”)?
o
Perhaps yes, because their derived information
is their work product
-
A possible way to structure regulation of this
industry that doesn’t require greater transparency
o
Focusing on how the information is being used
o
Ex. Acxiom allows you to opt out—will still get
digital ads, but won't get ads based on Acxiom’s advertising partners
§
(If get a new computer/device, have to opt out
again)
o
Maybe approach regulation by asking who has
access to the data and who gets to use it
o
Example: In the Fair Credit Act, information
about your credit that credit agencies gather cannot be used by insurance
companies, for housing, etc. Maybe identify some industry segments or some uses
that we legislatively prohibit. If, for example, in the category of “addictive
behavior” or “gambling,” don’t let your employer get access to that information.
-
Elements of a data broker disclosure
requirement:
o
(1) what level of detail must be disclosed? (i.e.
just the factual information, or also the inferences drawn from the data?)
o
(2) how often must information be disclosed?
o
(3) in what form is the information disclosed?
(online, written form, etc.)
o
(4) who should bear the cost of disclosure?
§
(DATA Act says the cost of disclosing is born by
the company)
o
(5) what enforcement mechanism is appropriate
for non-compliance?
-
Issues include:
o
Storage/Destruction of Data—Should data brokers
be required to disclose how long they store the data about an individual?
o
Encryption—Should data brokers be required to
encrypt their data if it is personally identifiable?
o
Government Access—should state and federal
government be allowed access to the information collected by data brokers?
Do Not Track (DNT): Vik’s
post
-
Problems with DNT
o
It’s voluntary—many companies choose not to
participate in the browser’s decision to give the user the option of “do not
track”
o
Also, much internet browsing today is on mobile
devices, using apps instead of internet browsers, and DNT is not an option
using apps, which are hard-wired to track
o
Vik provided 7 steps to take to protect privacy,
since DNT does not work
Online Behavioral Advertising
-
7 Principles the Direct Advertising Alliance
adopted as the “core” of the self-regulation program, to govern online
behavioral advertising (i.e. “interest-based advertising”)
o
education
o
transparency
o
consumer control
o
data security
o
material changes
o
sensitive data
o
accountability
-
The program was adopted in 2009 and these
principles apply only to third party, behavioral advertising
o
The Education Principle calls for
organizations to participate in efforts to educate individuals and businesses
about online behavioral advertising and the Principles.
·
(Puts
the onus on the business to educate individuals. So far, they have fallen short.)
o
The Transparency Principle calls for
clearer and easily accessible disclosures to consumers about data collection
and use practices associated with online behavioral advertising. It will result
in new, enhanced notice on the page where data is collected through links
embedded in or around advertisements, or on the Web page itself.
o
The Consumer Control Principle provides
consumers with an expanded ability to choose whether data is collected and used
for online behavioral advertising purposes. This choice will be available
through a link from the notice provided on the Web page where data is
collected.
o
The Consumer Control Principle requires
"service providers", a term that includes Internet access service
providers and providers of desktop applications software such as Web browser
"tool bars" to obtain the consent of users before engaging in online
behavioral advertising, and take steps to deidentify the data used for such
purposes.
o
The Data Security Principle calls for
organizations to provide appropriate security for, and limited retention of
data, collected and used for online behavioral advertising purposes.
o
The Material Changes Principle calls for
obtaining consumer consent before a Material Change is made to an entity's
Online Behavioral Advertising data collection and use policies unless that
change will result in less collection or use of data.
o
The Sensitive Data Principle recognizes
that data collected from children and used for online behavioral advertising
merits heightened protection, and requires parental consent for behavioral
advertising to consumers known to be under 13 on child directed Web sites.
This Principle also provides heightened protections to certain health and
financial data when attributable to a specific individual.
o
The Accountability Principle calls for
development of programs to further advance these Principles, including programs
to monitor and report instances of uncorrected noncompliance with these
Principles to appropriate government agencies. The CBBB and DMA have been asked
and agreed to work cooperatively to establish accountability mechanisms under
the Principles.
-
Enforcement of principles: what is the
enforcement mechanism if a participating company violates one of the seven
principles?
o
Companies can’t be a part of that association
unless they comply with, and subscribe to, the Principles
o
DAA has established an Accountability program
that regularly monitors members to see whether they are complying with this. If
they don’t comply, a press release is issued.
o
DAA has contracted with the Digital Marketing
Association and the Better Business Bureau, who have agreed to do investigation
when individual files a complaint
§
There have been about 10,000 consumer complaints
since 2011, and there have been 36 public decisions by BBB, with the number of
formal decisions issuing each year has steadily decreased since 2011—with only
5 decisions in 2015 and 2 in 2016 (so far).
-
We next did an exercise where we went to a
website and looked at the ads provided to us, looking for
the DAA
icon. When you click on the icon, as it is displayed with ads, it gives you information about “Ad Choices” and
gives you links for changing your preferences to block ads.
-
How does the EU approach to online tracking and
OBA differ?
o
EU requires a conspicuous notice of ad
tracking, and have to affirmatively opt in to be tracked and participate in
behavioral advertising
