 March 31, 2016  Posted by  Misc

There’s a new book coming out by Sarah C. Lawrence that looks like it might be an interesting read if you’re interested in medical privacy.

Here’s the description of it from Amazon.com:

When the new HIPAA privacy rules regarding the release of health information took effect, medical historians suddenly faced a raft of new ethical and legal challenges—even in cases where their subjects had died years, or even a century, earlier. In Privacy and the Past, medical historian Susan C. Lawrence explores the impact of these new privacy rules, offering insight into what historians should do when they research, write about, and name real people in their work.
Lawrence offers a wide-ranging and informative discussion of the many issues involved. She highlights the key points in research ethics that can affect historians, including their ethical obligations to their research subjects, both living and dead, and she reviews the range of federal laws that protect various kinds of information. The book discusses how the courts have dealt with privacy in contexts relevant to historians, including a case in which a historian was actually sued for a privacy violation. Lawrence also questions who gets to decide what is revealed and what is kept hidden in decades-old records, and she examines the privacy issues that archivists consider when acquiring records and allowing researchers to use them. She looks at how demands to maintain individual privacy both protect and erase the identities of people whose stories make up the historical record, discussing decisions that historians have made to conceal identities that they believed needed to be protected. Finally, she encourages historians to vigorously resist any expansion of regulatory language that extends privacy protections to the dead.
Engagingly written and powerfully argued, Privacy and the Past is an important first step in preventing privacy regulations from affecting the historical record and the ways that historians write history.
 
 March 31, 2016  Posted by  Court, Surveillance, U.S.

The use of a Stingray/Hailstorm device to track a cell phone is a search under the Fourth Amendment. The Nondisclosure Agreement is essentially unconstitutional because of the state’s argument they don’t have to disclose what they were doing. The court also finds the third party doctrine inapplicable. State v. Andrews, 2016 Md. App. LEXIS 33 (March 30, 2016)

Read more about the opinion on FourthAmendment.com.

 March 31, 2016  Posted by  Business, Featured News, Laws, Online, U.S., Youth & Schools

Earlier this week, I posed some questions to readers about tracking/monitoring your children, and the privacy of children who communicate with your child when they don’t know that you’re monitoring/seeing every private message or image.  I asked you all to think about this question:

So it’s okay with you if some other child’s parents are reading your child’s messages to their child, right? Even if your child is telling their friend sensitive information and nothing stops those parents from sharing what they’re reading with your child’s school or the community?

Then I asked you to take your thinking one step further and to consider what happens if it’s not you directly monitoring or tracking your child, but an online business or service that you hire:

But to help you monitor your child, the business shows you other children’s communications to your child, which they collect and compile.  Is that okay with you? It probably is, but turn the situation around: a business is now collecting and compiling non-public private communications from your child and displaying them to another child’s parent who hired them to help monitor their child. Is that okay with you?

What started me thinking about this was a recent security incident involving uKnowKids, which I initially reported on over on DataBreaches.net. In following up on the incident, I started reading more about their service and looking at their demo. That’s when I started thinking about what they appeared to be doing with private communications of children whose parents were not subscribers and had not given consent to the collection or storage of their children’s information.  I contacted uKnowKids to ask them about the consent issue, and pretty much got blown off several times with answers that simply pointed me to what I had already read and found a bit concerning.

So I took another look at COPPA, the federal law, which regulates commercial entities that collect information from minor children.  I read the statute a few times, and tried to figure out what COPPA requires of a company/entity that is displaying children’s private non-public communications to the parent of another child. Is the entity required to get the consent of that child’s parent if the entity is compiling the child’s communications and storing them in a cloud database?

So this past weekend, I formally asked the FTC to investigate uKnowKids for possible violations of COPPA and possible violations of Section 5 of the FTC Act. Specifically, I put the following questions to them:

  1. Under COPPA, can a commercial service collect and share non-public personal information on minor children whose parents have NOT consented to the collection and sharing of their children’s information? If COPPA aims to protect all minor children, then uKnowKids should not collect and share information on other children incidentally. Are they? And if so, shouldn’t they be required to obtain their parents’ consent?
  2. Under COPPA, can uKnowKids or any other commercial service store non-public personal information on minor children whose parents have NOT consented to the collection or storage of their children’s information? Are uKnowKids storing such information?
  3. Is uKnow.com’s Terms of Services making their customers solely responsible for compliance with all laws regarding monitoring enforceable, when COPPA’s legislative intent and language makes them responsible?
  4. Under Section 5 of the FTC Act, does the collection, sharing, and/or storage of non-public communications of minor children without their parents’ consent constitute an unfair practice? For purposes of this question, the injury or harm is invasion of privacy.
  5. Is it an unfair practice under Section 5 of the FTC Act if uKnowKids is monitoring or tracking children or adolescents without the children’s knowledge or consent if the children actually own the devices that are being tracked? Does a parent’s “warrant and representation” of ownership of accounts absolve uKnowKids of any responsibility they might have in this regard under Section 5 if the parent lies?
  6. In the event of a data security breach, does uKnowKids.com have a duty to notify children or adolescents whose photos, iMessages or other personal info have been exposed, or is it sufficient to just notify their parents? Parents who never told their children they were being tracked will likely not tell them that their personal and sensitive info has been exposed (or may even be on the Dark Web somewhere in another scenario).
  7. In the event of a data security breach, does uKnowKids.com have an obligation to notify those whose data may have been collected and/or stored without their knowledge or consent by virtue of them interacting with a tracked/monitored child?

A copy of the full complaint and inquiry can be found here (pdf).

 March 31, 2016  Posted by  Online, Surveillance, U.S.

Mary-Ann Russon reports:

Police in the US are continuing to raid the homes of people who operate exit nodes for the Tor anonymity network, most recently searching the condo belonging to a pair of outspoken privacy activists in Seattle.

On 30 March, Seattle Privacy Coalition cofounders Jan Bultmann and David Robinson were woken up at 6.15am at their condominium by a team of six detectives from the Seattle Police Department with a search warrant looking for child pornography, according to Seattle’s alternative weekly newspaper The Stranger.

Read more on IBT.