It’s that time of the year: time to look back and reflect on the top privacy stories of the year for Americans. Foregoing any pretext of democratic process, I simply looked back through the headlines I had featured during the year to remind myself of what seemed important to me. Here’s a recap and synthesis of some the biggest privacy news this year:
Consumers increasingly assert right to be free from online tracking or unwelcome sharing of their data.
In 2011, we got into a rhythm that went something like this: researcher or media announce discovery of “feature” or “flaw” in a browser, social media platform, or app that enables collection or transmission of data that consumers had no idea was being collected or shared. Lawsuits ensue. Lawsuits get dismissed.
Congress, aware of growing consumer discontent, proposed some Do Not Track legislation and other bills that would give consumers “baseline” privacy protections. None of the bills were passed, leaving consumers pretty much where we were at the beginning of 2011 as far as federal protections go.
One ray of hope came from the FTC, who reached settlements with Google over their rollout of Buzz and with Facebook over a host of deceptive practices that left users with their private details hanging out for the world to see. The FTC settlements hopefully send a message to businesses that not only is transparency about data collection and use essential, but sometimes, you need to also get explicit consent. That notion of transparency has yet to be embraced by most businesses, however, and most consumers still have no idea as to how long their telecoms retain their data.
Our shrinking online privacy was also reflected in more mainstream web sites and platforms prohibiting users from posting anonymously or pseudoanonymously. In the process of protecting us from anonymous comments or profiles, Salman Rushdie was not allowed to use his own name on Facebook, who insisted he call himself “Ahmed Rushdie.” Once word spread on Twitter, Facebook promptly backed off. As for those of us who post anonymously or pseudoanonymously, apparently businesses respect our privacy but we are reminded that we have no right to keep our identity to ourselves if we wish to participate in public debate on their sites.
Despite the increased risk of breaches, businesses want more, more, MORE data, but damned if they’ll protect it adequately.
By mid-year, some were already calling 2011, “The Year of the Hack.” I will cover the year in data breaches in a separate post over on DataBreaches.net, but suffice to say that most businesses haven’t learned anything from some of the massive data breaches that occurred this year. They continue to try to amass data instead of purging data that is way past its freshness date or meaningful use date. The more they collect, the more inaccurate information about us is likely to show up in the over 200 databases where businesses sell our data and records. Then, too, the more they collect, the harder it should be for businesses or government to look us in the eye with a straight face and claim that our data can be “anonymized” and safely shared. Despite repeated warnings, many sites continue to store passwords in plain text or easily decrypted MD5 hashes. And despite repeated warnings, users continue to re-use ridiculously simple passwords like “123456” across sites and accounts.
In light of the DOJ’s urging businesses and telecoms to retain data for longer (allegedly to help them fight child pornography and other crimes), Congress has predictably done absolutely nothing to reverse the dangerous trend of amassing more data. Even when businesses or entities experienced breaches affecting millions of people, Congress did nothing in 2011 to impose reasonable limits on data retention or to mandate better security protection.
Domestic surveillance increases and the DOJ gets by with a little help from its friends.
If anyone still harbored any hopes that President Obama might have a shred of left-leaning tendencies, 2011 should have disabused them of that notion. In a chilling oral argument before the Supreme Court in United States v. Jones, the DOJ claimed that yes, law enforcement can track you 24/7/365 using GPS or other technology-enabled surveillance, and by golly, they don’t need no stinkin’ warrant because we have no “reasonable expectation of privacy in public.”
The Supreme Court will rule on that case next year, but GPS surveillance and access of cell site location data by law enforcement were not the only big DOJ surveillance issues in 2011. At the beginning of the year, we learned that DOJ had used 2703(d) orders to compel Twitter (and other sites) to turn over information on people who had been linked to the WikiLeaks “cablegate” case. Presumably building a case against Julian Assange and WikiLeaks, the DOJ convinced a judge to order companies to turn over non-content data on Assange, PFC Bradley Manning, and three individuals who had been involved with WikiLeaks. The three individuals fought the order, lost, and appealed. They lost again and as the year draws to a close, are appealing again. The “Twitter Order” case, as it came to be called, has significant implications for privacy online, and highlights the need for Congress to update the Electronic Communications Privacy Act (ECPA) and its Stored Communications Act provisions. Those laws are badly in need of updating, but after an initial flurry in Congress with bills being proposed, nothing happened.
Domestic surveillance and intrusions on privacy by government certainly got a helping hand this year. Businesses continue to turn over our data upon request, states continue to enact or propose legislation that permits police to take DNA samples at time of arrest, states tried to get welfare applicants to undergo mandatory drug-testing as a precondition of getting assistance, and the courts held that cell phone searches “incident to arrest” do not require a warrant.
And we don’t know the half of it. Senators Wyden and Udall courageously publicized the fact that the DOJ has a “secret” interpretation of the PATRIOT Act that we, the public, know nothing about. How is their secret interpretation being used against citizens? We have no idea, but never have so few had so much power to trample our privacy and civil liberties.
Not all domestic surveillance increased, however. Following major flaps over intrusive TSA screening last year, TSA introduced less intrusive screeners. Complaints persist, however, as some passengers report finding personal notes in their searched luggage and little old ladies complain of being strip-searched. To date, the TSA has yet to demonstrate how its enhanced screening has actually prevented a single act of terrorism.
The year drew to a close with disturbing stories about the use of unmanned drones for domestic surveillance.
Protecting children’s privacy online is a Good Thing. Protecting it at school? Not so much.
In 2011, Congress considered changes to the Children’s Online Privacy Protection Act (COPPA). Despite Congress’s reported desire to protect children from online hazards and to protect their privacy and an FTC enforcement action, research revealed at the end of the year showed that many parents were actively assisting their children in signing up for over-13-only platforms.
While Congress and the FTC push for regulations that they claim will protect children’s privacy, down the block at the U.S. Department of Education, they’ve decided to go the opposite way and share more of children’s data. Districts that have continued to have breaches that have never been disclosed to government or parents will now be sharing more data, increasing the risk of identity theft.
While the U.S. Department of Education puts more students at risk of privacy breaches and/or identity theft, the powers that be continue to strip students of their privacy rights. It has long been established that students have less protection against search and seizure on school property. But now they also have fewer rights over their online conduct and speech in the privacy of their own homes as school districts decide they can discipline or expel students over online conduct outside of school. Since my editorial on this subject in August 2010, and despite admirable advocacy by the ACLU and other civil liberties organizations, children’s privacy remains at serious risk – from their schools, their government, and to a lesser extent, from businesses.
Of course, those weren’t the only privacy developments of note in 2011, but I think they top my list.
And if you were to ask me which I think is the biggest privacy story of 2011, I’d have to say it’s domestic surveillance – by our government, businesses, and schools.