by mwalsh5 | Aug 11, 2021 | Cookies, Incognito, Third Party Data Sharing, Tracking
Written By: Pierce Stanley
In March 2021, U.S. District Court Judge Lucy Koh rejected Google’s bid to dismiss a class action lawsuit alleging Google surreptitiously tracks users of its popular Chrome browser while users browse in “Incognito” mode.[1] The decision is a small victory for privacy activists and a setback for Google, because it effectively dispenses with the tech giant’s argument that users consented to its data collection practices because users were supposedly aware of what data is tracked from notices displayed in Chrome when users open a “new tab” while in Incognito Mode. [2]
The decision keeps alive a lawsuit, Brown v. Google, brought in June of 2020, when three Chrome users filed a complaint[3] alleging Google operates a “pervasive data tracking business,” and asserting that Google’s tracking persists even when users take affirmative steps to protect their private information, such as using Incognito Mode.[4] The ruling comes as Google, Apple, and other companies continue to face heightened scrutiny from lawmakers over their data gathering policies.[5]
At the time, Reuters reported the lawsuit sought at least $5 billion in damages—alleging a putative class in the millions—and accusing Google of violating several federal wiretapping statutes and the California Invasion of Privacy Act (“CIPA”).[6] The lead plaintiffs ask that each class member receive at least $5,000 in civil damages for multiple CIPA violations.[7]
In her order, Judge Koh said Google has not demonstrated that users agreed to being tracked while in private browsing mode, particularly since Google’s privacy policies do not clarify the privacy limitations of Incognito Mode or explain that Google and other entities may still use third party cookies and collect browser analytics such as IP addresses and screen dimensions.[8]
According to Search Engine Journal, “The consumers who filed the case are taking issue with Google collecting data using other services while in ‘incognito’ mode.”[9] For example, when a user visits a website in Incognito Mode, their data can still be collected by Google Analytics, which relies heavily on the use of third-party tracking cookies.[10]
The class representatives say they were under the impression Incognito Mode offered all-encompassing privacy protection from persistent data tracking mechanisms across the internet.[11] However, Incognito Mode does not preclude websites that use Google Analytics for routine analytics from continuing to track users’ behavior.[12] Class members therefore assert they were misled by Google’s failure to disclose tracking of its users while in Incognito Mode. Since most websites today deploy Google Analytics in some form, the potential harm of data collected about unknowing users through Google’s Incognito Mode is vast.[13]
Google argues that “incognito” browsing does not save users’ histories or any cookies after the end of their “incognito” session. Indeed, Google’s lawyers famously wrote, “‘incognito’ does not mean ‘invisible.’”[14] The search giant contends most “incognito” users are aware of this distinction and know that their histories and cookies are cleared by default when a user closes their “incognito” browser, but websites and services most users interact with on the internet may still be able to track them.[15] Google seemingly anticipated this public relations risk and recently declared its intention to move away from relying on third-party cookies, even though such a move may negatively affect the company’s advertising business.[16]
It is unclear what the future of this lawsuit will bring. Successful class actions often lead to payouts of only a fraction of actual damage to consumers.[17] Regardless of where this lawsuit goes, one thing is clear: it puts Google’s practices under the microscope. At the very least, the public is now more aware of how Google’s Incognito Mode works. The suit forces Google (and others) to stop burying important information in terms of service, and it places users on notice of what data companies collect. That’s a good thing—for privacy’s sake.
[1] Dorothy Atkins, Koh Won’t Toss Google Privacy Suit Over ‘Incognito Mode’, Law360 (Mar. 15, 2021, 7:24 PM), https://www.law360.com/articles/1364818 [https://perma.cc/MF47-XVHV].
[2] Ron Amadeo, Judge Rules $5 billion Google Chrome Incognito Mode Lawsuit Can Go Forward, Ars Technica (Mar. 15, 2021), https://arstechnica.com/gadgets/2021/03/judge-rules-5-billion-google-chrome-incognito-mode-lawsuit-can-go-forward/ [https://perma.cc/ANU8-J3L6].
[3]Complaint, Brown, et al. v. Google LLC, et al, (N.D. Cal. (2020) (No. 20-3664).
[4] Kim Lyons, Judge rules Google Has to Face Lawsuit that Claims it Tracks Users Even in Incognito Mode, The Verge (Mar. 13, 2021, 3:40 PM), https://www.theverge.com/2021/3/13/22329240/judge-rules-google-5-billion-lawsuit-tracking-chrome-incognito-privacy [https://perma.cc/GAP8-VPKA].
[5] Malathi Nayak & Joel Rosenblatt, Google Must Face Suit Over Snooping on ‘Incognito’ Browsing, Bloomberg News (Mar. 13, 2021 1:36 AM), https://www.bloomberg.com/news/articles/2021-03-13/google-must-face-suit-over-snooping-on-incognito-browsing [https://perma.cc/3MR3-TVP2].
[6] Jonathan Stempel, Google faces $5 billion Lawsuit in U.S. For Tracking ‘Private’ Internet Use, Reuters (Jun. 2, 2020 6:11 PM), https://www.reuters.com/article/us-alphabet-google-privacy-lawsuit/google-is-sued-in-u-s-for-tracking-users-private-internet-browsing-idUSKBN23933H [https://perma.cc/RR5F-T6C5].
[7] Atkins, supra note 1.
[8] Jon Fingas, Google Will Face Lawsuit over Incognito Mode Tracking (Updated), Engadget (Mar. 13, 2021), https://www.engadget.com/google-must-face-incognito-mode-lawsuit-212859134.html [https://perma.cc/JWH8-93S9].
[9] Matt Southern, Google to Face $5B Lawsuit over Tracking Users in Incognito Mode, Search Engine J. (Mar. 15, 2021), https://www.searchenginejournal.com/google-to-face-5b-lawsuit-over-tracking-users-in-incognito-mode/399113/ [https://perma.cc/6UJP-K285].
[10] Id.
[11] Atkins, supra note 1.
[12] Southern, supra note 8.
[13] Atkins, supra note 1.
[14] Kevin Shalvey, A Lawsuit That Accused Google of Collecting the Data of People Who Were Using Incognito Mode Can Continue, Said a Federal Judge, Bus. Insider (Mar. 14, 2021, 6:45 A.M.), https://www.businessinsider.com/google-lawsuit-incognito-mode-user-data-privacy-can-continue-judge [https://perma.cc/57QN-EZ5H].
[15] Ryan Whitwam, Google Fails to Win Dismissal of Incognito Mode Lawsuit, ExtremeTech (Mar. 15, 2021, 2:32 P.M.), https://www.extremetech.com/internet/320847-google-fails-to-win-dismissal-of-incognito-mode-lawsuit [https://perma.cc/NX9J-UXNQ].
[16] Lyons, supra note 3.
[17] Fingas, supra note 7.
by mwalsh5 | Aug 7, 2020 | Biometrics, Cybersecurity, Facial Recognition, voting
Written By: Michael Walsh
A Byte of Online Voting
Sorry, you cannot vote online in the primaries or in presidential elections this year. That is, unless you have been selected to participate in one of the few small-scale pilot programs, such as the DemocracyLive system in Seattle, Washington, the Voatz platform in West Virginia, or most recently, the Shadow voting tool used for the 2020 Iowa caucuses just a few weeks ago.[1] These voting tools use blockchain technology to generate a unique hash for each vote.[2] To mitigate the risk of election tampering, the votes are submitted, but not counted electronically. [3] Each electronic submission is verified with a printed version of the ballot, then the printed ballots are tallied to calculate the total number of votes.[4] These electronic systems are usually deployed in areas in which voter turnouts are low or voting is only possible by remote means.[5] Ideally, these types of services may help improve voter turnout in the United states—a country in which less than 56% of voting-age adults participated in the 2016 presidential election.[6]
There is little federal oversight for online voting infrastructure, but Congress allocated an additional $380 million for voting infrastructure and security improvements,[7] and 85% of those funds are estimated by the U.S. Elections Assistance Commission to be used by states before the 2020 election.[8] Ideally, those funds will help to alleviate problems in areas with intermittent or low bandwidth internet connections, such as some of the precincts that experienced problems with the Shadow voting app during the 2020 Iowa caucuses.[9] Additionally, a slew of other bills has been introduced to help secure elections from (predominantly foreign) interference (see S.2669; H.R. 1946; H.R. 4990).[10] One amendment to the Help America Vote Act (HAVA) of 2002, passed in December 2019, allocated an additional $400 million to help secure voting infrastructure.[11] However, some experts indicate that modernizing and securitizing current voting infrastructure would cost nearly $2.5 billion, not considering recurring maintenance costs.[12] To modernize Pennsylvania’s infrastructure alone is estimated to cost upwards of $150 million, which accounts for nearly half of the total HAVA funds allotted from Congress.[13]
Election Security Concerns and the 2016 Election
The costs to establish secure voting infrastructure do not seem so exorbitant when considering voter trust. 2016 marked the first year in which Russian interference influenced the presidential elections.[14] This foreign interference happened not by meddling with voter infrastructure (which now usually verifies electronically submitted votes with paper ballots), but by alternative means such as phishing, distributed denial-of-service (“DDoS”), and denial-of-service (“DoS”) attacks.[15] These kinds of interference will certainly not be the last.[16] A recent national survey asked politicians about cybersecurity risks, “[f]orty percent said they’ve had an account compromised in a phishing attack. And 60% said they haven’t significantly updated the security of their accounts since 2016.”[17] Even without direct interference with voter infrastructure, threat actors can make a meaningful difference in the outcome of elections with phishing, DDoS and DoS attacks on other vectors including campaign email accounts or insecure servers used by political groups. In response, Microsoft and Google (the companies that provide the most popular email services in the nation) have been implementing security measures to prevent these attacks. Most countermeasures focus on implementing typical information security protections, such as multi-factor authentication, tokenization, and software-based mitigation techniques, such as spoofing and phishing detection.[18]
Experts still have many questions about the security and privacy of electronic voting systems, most particularly those that are completely paperless.[19] Nevertheless, some voting this year will be done in select states by phone or PC through the Voatz system (but with paper ballot verification).[20] Voatz uses blockchain technology paired with biometric data from users’ phones, such as face scans and fingerprints. Although this version of multi-factor authentication may alleviate fraudulent voting, it poses serious privacy concerns[21] and does not address other salient security risks of online voting, such as phishing, DDoS, and DoS attacks. Regardless, the future of voting is likely to be a digital one, as a recent study from University of Chicago found. The survey estimated that voter turnout could increase by several percentage points,[22] a figure that could compound with the help of universally compatible voting technology.
[1] Emily S. Rueb, Voting by Phone Gets a Big Test, but There Are Concerns, The New York Times (Jan. 23, 2020), https://www.nytimes.com/2020/01/23/us/politics/mobile-voting-washington.html [https://perma.cc/B2SR-NF88].
[2] Voatz, Frequently Asked Questions, https://voatz.com/faq.html [https://perma.cc/9RBS-6BK5].
[3] Id.
[4] Id.
[5] Rueb, supra note 1; Emily Dreyfuss, Smartphone Voting Is Happening, but No One Knows if It’s Safe, Wired (Aug. 9, 2018), https://www.wired.com/story/smartphone-voting-is-happening-west-virginia/ [https://perma.cc/JC2B-SYWF].
[6] Drew Desilver, U.S. Trails Most Developed Countries in Voter Turnout, Pew Research Center (May, 21 2018), https://www.pewresearch.org/fact-tank/2018/05/21/u-s-voter-turnout-trails-most-developed-countries/ [https://perma.cc/4T3C-4JD4].
[7] The Impact of HAVA Funding on the 2018 Elections, U.S. Election Assistance Commission (2019), https://www.eac.gov/sites/default/files/paymentgrants/TheImpactofHAVAFundingonthe2018Elections_EAC.pdf [https://perma.cc/6KDW-RNEJ].
[8] Id.; U.S Senate Committee on Rules and Administration Oversight of the Election Assistance Commission, U.S Election Assistance Commission (May 15, 2019), https://www.rules.senate.gov/imo/media/doc/EAC_Testimony.pdf [https://perma.cc/95VB-NA4H]; Elizabeth Howard, Defending Elections: Federal Funding Needs for State Election Security, The Brennan Center (July 18th, 2019), https://www.brennancenter.org/our-work/research-reports/defending-elections-federal-funding-needs-state-election-security [https://perma.cc/P7UC-8ZW4].
[9] Kevin Roose, The Only Safe Election is A Low-Tech Election, The New York Times (Feb. 4, 2020), https://www.nytimes.com/2020/02/04/technology/election-tech.html, [https://perma.cc/2C8W-982G]; Nick Corasaniti, Sheera Frenkel and Nicole Perlroth, App Used to Tabulate Votes is Said to Have Been Inadequately Tested, The New York Times (Feb. 3, 2020), https://www.nytimes.com/2020/02/03/us/politics/iowa-caucus-app.html [https://perma.cc/B7TG-YJ2P]; Keith Collins, Denise Lu, Charlie Smart, We Checked the Iowa Caucus Math. Here’s Where it Didn’t Add Up, The New York Times (Feb. 14 2020), https://www.nytimes.com/interactive/2020/02/14/us/politics/iowa-caucus-results-mistakes.html [https://perma.cc/HH8N-DURV].
[10] S.2669, 116th Cong. (2019); H.R. 1946, 116th Cong. (2019); H.R. 4990, 116th Cong. (2019).
[11] U.S. Election Assistance Commission, How Can The States Use the Funds? (Jan. 6, 2020) https://www.eac.gov/how-can-states-use-funds-0 [https://perma.cc/79W6-WHYA]; H.R. 1158 § 501, 116th Cong. (2019).
[12] Lawrence Norden and Edgardo Cortez, What Does Election Security Cost?, The Brennan Center (Aug. 15, 2019), https://www.brennancenter.org/our-work/analysis-opinion/what-does-election-security-cost [ https://perma.cc/TL69-YCU2].
[13] Howard, supra note 8.
[14] U.S. Senate Committee 116th Congress, Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 1: Russian Efforts Against Election Infrastructure With Additional Views
https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf [https://perma.cc/CZ47-7XLY]; Andy Greenberg, Feds’ Damning Report on Russian Election Hack Won’t Convince Skeptics, Wired (Jan. 6, 2017), https://www.wired.com/2017/01/feds-damning-report-russian-election-hack-wont-convince-skeptics/ [https://perma.cc/2T8Q-YZR9]; David E. Sanger and Catie Edmonson, Russia Targeted Election Systems in All 50 States, Report Finds, The New York Times (July 25, 2019), https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html [https://perma.cc/78SM-YVZ4].
[15] Andy Greenberg, Everything We Know About Russia’s Election-Hacking Playbook, Wired (June 9 2017), https://www.wired.com/story/russia-election-hacking-playbook/ [https://perma.cc/EAZ8-W5Z4]; Shannon Bond, 2020 Political Campaigns Are Trying To Avoid A 2016-Style Hack, Nat’l Pub. Radio (Jan. 28, 2020), https://www.npr.org/2020/01/28/799062773/2020-political-campaigns-are-trying-to-avoid-a-2016-style-hack [https://perma.cc/T2ER-KQ9U]; Jeremey Ashkenas, Was It a 400-Pound, 14-Year-Old Hacker, or Russia? Here’s Some of the Evidence, The New York Times (Jan. 26, 2017), https://www.nytimes.com/interactive/2017/01/06/us/russian-hack-evidence.html [https://perma.cc/U9CX-N829].
[16] Miles Parks, Russian Hackers Targeted The Most Vulnerable Part Of U.S. Elections Again, Nat’l Pub. Radio (July 28, 2018), https://www.npr.org/2018/07/28/633056819/russian-hackers-targeted-the-most-vulnerable-part-of-u-s-elections-again [https://perma.cc/MR8E-3H3Q]; Shannon Bond, Microsoft Says Iranians Tried To Hack U.S. Presidential Campaign, Nat’l Pub. Radio (Oct. 4, 2019), https://www.npr.org/2019/10/04/767274042/microsoft-says-iranians-tried-to-hack-u-s-presidential-campaign [https://perma.cc/K9ST-T55N].
[17] Bond, supra note 15.
[18] Tom Burt, Protecting Democracy with Microsoft AccountGuard, Microsoft Blog (August 20, 2018), https://blogs.microsoft.com/on-the-issues/2018/08/20/protecting-democracy-with-microsoft-accountguard/ [https://perma.cc/7MGY-MW5X]; Lily Hay Newman, Google’s Giving Out Security Keys to Help Protect Campaigns, Wired (Feb. 11, 2020), https://www.wired.com/story/google-free-security-keys-campaigns/ [https://perma.cc/4TN7-9SQ2].
[19] David Jefferson et al., What We Don’t Know About the Voatz “Blockchain” Internet Voting, System (May 1, 2019), https://cse.sc.edu/~buell/blockchain-papers/documents/WhatWeDontKnowAbouttheVoatz_Blockchain_.pdf [https://perma.cc/62H2-MQN4]; Michael A. Specter et al, The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections, Mass. Inst. of Tech., https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf [https://perma.cc/89H7-XLP2]; Abby Abazorius, MIT Researchers Identify Security Vulnerabilities in Voting App, MIT News (Feb. 13, 2020), http://news.mit.edu/2020/voting-voatz-app-hack-issues-0213 [https://perma.cc/AA49-97FS]; Robby Mook et al., Cybersecurity Campaign Playbook, Harv. Kennedy School Belfer Center (Nov. 2017), https://www.belfercenter.org/CyberPlaybook [https://perma.cc/82NN-KA57]; Miles Parks, In 2020, Some Americans Will Vote On Their Phones. Is That The Future?, Nat’l Pub. Radio (Nov 7, 2019), https://www.npr.org/2019/11/07/776403310/in-2020-some-americans-will-vote-on-their-phones-is-that-the-future [https://perma.cc/4W62-9TLS].
[20] Voatz, supra note 2.
[21] Jefferson, supra note 19.
[22] David Stone, Jul 30, 2019 West Virginia Was the First State to Use Mobile Voting. Should others follow? U. of Chi. (July 30, 2019), https://news.uchicago.edu/story/voting-mobile-devices-increases-election-turnout [https://perma.cc/NAF9-69B5]; Anthony Fowler, Promises and Perils of Mobile Voting, U. of Chi. (June 2019), https://cpb-us-w2.wpmucdn.com/web.sas.upenn.edu/dist/7/538/files/2019/06/Fowler_MobileVoting.pdf [https://perma.cc/6N8C-VQGZ].
by mwalsh5 | Jul 17, 2020 | Biometrics, COVID, Cybersecurity, Legislation
Written by: Michael Walsh
Disclaimer: This post does not contain legal advice. I am not a licensed attorney nor am I qualified to give compliance help or other legal services. This post is for educational purposes only.
Due to a resurgence of the COVID-19 pandemic in many states, federal and state health agencies have deployed several technologies to help track (and ultimately quell) the spread of the pandemic. Temperature scans and other screening technologies have become commonplace, and nonconsensual mass temperature screening has been used to mitigate the spread of other major pandemics in the past.[1] The Food and Drug Administration (FDA) issued comprehensive, but nonbinding guidance on the use of thermal imaging technologies for COVID diagnostics, which advocates for the use of thermal imaging tech as an initial screening tool in “high throughput areas” such as airports, businesses and other high density areas where traditional temperature measuring techniques would be ineffective or impracticable.[2]
Technical Limitations and Efficacy of Temperature Screening
Some scientific studies support the use of telethermographic devices or non-contact infrared thermometers (NCITs) to accurately measure skin temperature (which correlates with core temperature).[3] NCITs are thermal imaging systems that measure infrared radiation that is omitted from febrile humans (humans with a detectable fever) and convert that radiation map into a relative temperature measurement.[4] However, the FDA emphasizes that such technologies are not suitable as a sole means of diagnosing COVID-19.[5]
NCITs can be effective at sensing relative temperatures but have palpable limitations that can affect the technology’s efficacy. The American Civil Liberties Union (ACLU), citing a clinical study of NCITs, asserts that mass screening of open rooms can lead to wildly inaccurate temperature measurements.[6] The FDA recommends that temperature scans should be made in highly controlled environments or in rooms which have a temperature between 68-76 degrees Fahrenheit and that have no draft, radiant heat, (filament) light interference, or reflective backgrounds.[7] Because the technology senses relative infrared radiation, most systems also require a controlled temperature reference (called a blackbody) to compare the radiation density between the individual and the ambient environment. A relatable analogy to the purpose of the blackbody is comparing a white tissue (blackbody) to the color (heat radiation) of one’s teeth to determine if one’s teeth are truly white (heat saturated). The relative differences between the thermal maps of the blackbody and the scanned individual can be used to estimate skin temperature with relatively high confidence (this study found skin temperature variations of ±10 degrees Fahrenheit and within a 95% confidence interval),[8] meaning that measured temperatures were generally accurate within 2-3 degrees Fahrenheit.[9]
Additionally, FLIR, one of the most prominent thermographic device manufacturers concedes that the technology has technical limitations and is not suitable as the sole diagnostic tool for identifying individuals with COVID.[10]
Regardless, the aforementioned CDC study found that although thermal imagery systems are highly dependent on controlled environments, infrared tech can reliably detect “elevated skin temperatures” and are significantly more accurate at determining fever than self-reported questionnaires (In this study, only one tenth of those who reported a fever were actually febrile).[11] Overall, the technology, once calibrated and controlled, can determine core temperatures with similar accuracy to more traditional oral temperature measurements.[12]
Legal Implications of NCITs
NCITs are governed exclusively by the FDA under part 201(h) of the FD&C Act 21 U.S.C. § 321(h), which governs some medical devices.[13] Generally, these medical devices are those which are intended for use in the diagnosis of disease or other conditions, or in the “cure, mitigation, treatment, or prevention of disease.”[14] However, thermal devices that are not intended for such a purpose are not within the regulatory scope of the FDA, meaning the Food, Drug, and Cosmetic Act (FD&C) does not apply to those businesses or individuals using nonmedical thermal devices. Of course, the definition of a medical device under 201(h) is dependent on the intent of the user, so thermal imaging systems that were originally unintended for COVID screening should still comply with the FD&C and other relevant FDA guidance.[15] However, the FDA promotes the use of thermal imaging technologies as a preliminary tool for COVID screening. The FDA states that businesses (because the COVID-19 pandemic is defined as a public health emergency) likely need not comply with many medical device regulations so long as such use does not “create undue risk.”[16]
Privacy Concerns
HIPAA
HIPAA, the flagship federal legislation that protects medical health information is rendered obsolete in the age of contact tracing. HIPAA applies primarily to health plans, clearinghouses and health care providers, of which Google, Apple, PwC, PopId and Clear (contact tracing powerhouses) are not.[17]
Searches
It is also important to note that thermal imagery can qualify as a “search,” but Constitutional protections for unreasonable searches and seizures only apply to government actors. However, there is evidence that tech companies have shared location data with government agencies to help track the spread of COVID.[18] This data may be aggregated and anonymized, but combining relevant data sets may reidentify that data, revealing private medical data traceable to specific individuals. Apparently, 63% of individuals can be uniquely identified by a combination of gender, date of birth, and zip code alone.[19] By combining different data sets which have both “anonymized” or “aggregate” direct or indirect personal identifiers, many anonymous data sets can be reidentified, compromising the privacy of specific individuals.[20]
ADA
The Americans with Disabilities Act (ADA) enforces nondiscrimination based on disability (under which COVID may qualify) and binds all private employers with fifteen or more employees.[21] However, the U.S Equal Employment Opportunity Commission (EEOC) explicitly states that the ADA should not interfere with COVID-19 guidelines made by the CDC.[22] Temperature and other COVID tests must be ‘job related and consistent with business necessity’ and employees may be furloughed or excluded if they have a “medical condition” that would pose a direct threat to health or safety (such as COVID-19).[23]
State Privacy Laws
Of course, there are some existing protections such as the California Consumer Privacy Act (CCPA), Vermont’s data broker registration law, and Illinois’s biometrics law (BIPA), each of which either contain a public health emergency, “direct relationship” or other exception, meaning that most contact tracing companies are exempted from complying with these privacy laws until they are amended or COVID is no longer classified as a health emergency.[24]
Two companies, Clear and PopID have already begun using biometric face scanning and thermal imaging technologies to monitor COVID-19 in businesses and other public places.[25] Some restaurants are implementing these screening procedures in response to the White House guidelines, which require businesses to “monitor workforce[s] for indicative symptoms.”[26]
Pending Federal Legislation
Amid concerns of private health information gathered from COVID screening, senators have introduced a COVID-19 privacy bill which would: (1) require express consent to collect, process or transfer “personal health, geolocation, or proximity information”; (2) disclose to whom that data will be transferred to and retained by; (3) give individuals the opportunity to opt out of their health information being stored or compiled; and (4) give individuals the right to delete or deidentify all personal information that is no longer being used.[27] However the bill has been criticized for preempting stricter state laws (including the CCPA) and not providing a private right of action.[28]Another bill, the Public Health Emergency Privacy Act (PHEPA), is sufficiently broad in its definitions of medical health data, contains clauses for nondiscrimination against those who opt out of COVID tracing programs, and does not undermine existing state data privacy laws through preemption.[29]
The novel coronavirus is just that, novel. Government health agencies and businesses are scrambling to adapt to the constantly changing circumstances. Due to resurgences in cases, the global pandemic has appropriately been categorized as a national health crisis. There is evidence that contact tracing, health screening, and mass temperature scanning can help mitigate the spread of the virus, or at the very least, allow researchers to learn more about the virus. The remaining question is what we are willing to give up in the process. Will government agencies forfeit the private health data that was shared with them once the virus subsides? If so, how will the government and cooperating tech companies protect individuals’ data privacy?
[1]Pejman Ghassemi et al., Best Practices For Standardized Performance Testing of Infrared Thermographs Intended For Fever Screening, PLoS ONE, 1710 (Sept. 19, 2018), https://doi.org/10.1371/journal.pone.0203302 [https://perma.cc/SUB3-8JKB].
[2]U.S. Food and Drug Administration, Enforcement Policy For Telethermographic Systems during the Coronavirus Disease 2019 (COVID-19) Public Health Emergency, Food And Drug Administration, 2 (April 2020), https://www.fda.gov/media/137079/download [https://perma.cc/SZ4J-RGXU].
[3]An Nguyen, et al., Comparison of 3 Infrared Thermal Detection Systems and Self-Report for Mass Fever Screening, Centers For Disease Control and Prevention, 1713-14 (Nov. 2010), https://www.cdc.gov/eid/article/16/11/10-0703 [https://perma.cc/5CXG-TAZS].
[4] U.S. Food And Drug Administration, Thermal Imaging Systems (Infrared Thermographic Systems/ Thermal Imaging Cameras), Food and Drug Administration (May 13, 2020), https://www.fda.gov/medical-devices/general-hospital-devices-and-supplies/thermal-imaging-systems-infrared-thermographic-systems-thermal-imaging-cameras [https://perma.cc/89CQ-WR8N].
[5]U.S. Food and Drug Administration, supra note 2, at 3.
[6] Jay Stanley, Temperature Screening and Civil Liberties During an Epidemic, American Civil Liberties Union, 1-4 (May 19, 2020), https://www.aclu.org/aclu-white-paper-temperature-screening-and-civil-liberties-during-epidemic [https://perma.cc/8ZVH-AUHP].
[7]U.S. Food and Drug Administration, supra note 4.
[8] Nguyen, supra note 3, at 1713.
[9] Id.
[10]Frequently Asked Questions: Thermal Imaging for Elevated Skin Temperature Screening, FLIR (May 13, 2020), https://www.flir.com/discover/public-safety/faq-about-thermal-imaging-for-elevated-body-temperature-screening/ [https://perma.cc/J2AG-X9MM].
[11] Nguyen, supra note 3, at 1713-15.
[12] Id. at 1713.
[13] U.S. Food and Drug Administration, supra note 2, at 3.
[14] Id.
[15] Id. at 4.
[16] Id.; pt. 510(k) of the FD&C Act (21 U.S.C. § 360(k)) (requiring device certification and quality testing before the introduction of the device into interstate commerce); 21 C.F.R. pt. 807.81 (requiring device manufacturers to submit a premarket approval request to the FDA before commercial distribution of the device); 21 C.F.R. pt. 806 (governing the scope and definitions of manufacturer liability for medical devices that have been removed or corrected from current marketed equivalents); 21 C.F.R. pt. 80 (governing medical device registration); 21 C.F.R. pt. 820 (governing device quality control and system requirements); 21 C.F.R. pt. 830 (requiring unique identifiers for medical devices); 21 CFR pt. 801.20 (governing labeling requirements for medical devices).
[17]U.S. Department of Health and Human Services, HIPAA for Professionals (April 2015), https://www.hhs.gov/hipaa/for-professionals/privacy/index.html [https://perma.cc/RE33-8JTK]; Adam Schwartz, Two Federal COVID-19 Privacy Bills: A Good start and a Misstep, Electronic Frontier Foundation (May 28, 2020), https://www.eff.org/deeplinks/2020/05/two-federal-covid-19-privacy-bills-good-start-and-misstep [https://perma.cc/TFW6-LWBR].
[18] Garret Stone, Constitution in Crisis: The Fourth Amendment and Combating COVID-19, Wake Forest J. of L. and Pol’y (April 20, 2020), https://wfulawpolicyjournal.com/2020/04/20/constitution-in-crisis-the-fourth-amendment-and-combating-covid-19/ [https://perma.cc/98TB-F4TM].
[19]Boris Lubarsky, Re-identification of “Anonymized” Data, 1 Geo. L. Tech Rev. 202 (2017), https://georgetownlawtechreview.org/wp-content/uploads/2017/04/Lubarsky-1-GEO.-L.-TECH.-REV.-202.pdf [https://perma.cc/AU9G-E4FA].
[20] Id.
[21]U.S. Equal Employment Opportunity Commission, What You should Know About COVID 19 and ADA Rehabilitation Act, and Other EEO Laws (June 17, 2020), https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws [https://perma.cc/F2TN-LAY5].
[22]Id.
[23]Id.
[24] Adam Schwartz, Vermont’s New data Privacy Law, Electronic Fronteir Foundation (Sept. 27, 2018), https://www.eff.org/deeplinks/2018/09/vermonts-new-data-privacy-law [https://perma.cc/MH8P-QE4B]; Daniel Gottlieb, California Bill Proposes CCPA Exceptions for HIPAA De-Identified Information, McDermott, Will and Emory, (Jan. 17, 2020), https://www.mwe.com/de/insights/california-bill-proposes-ccpa-exceptions-for-hipaa-de-identified-information-other-health-data/ [https://perma.cc/BR9P-GJ2Z]; Illinois General Assembly, § 740 ILCS, https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57s/california-bill-proposes-ccpa-exceptions-for-hipaa-de-identified-information-other-health-data/ [https://perma.cc/8TBQ-CDUP].
[25]Natasha Singer, Employers Rush to Adopt Virus Screening. The Tools May Not Help Much., New York Times, (May, 11, 2020), https://www.nytimes.com/2020/05/11/technology/coronavirus-worker-testing-privacy.html [https://perma.cc/7AMC-QANC].
[26]Centers for Disease Control, Opening Up America Again, https://www.whitehouse.gov/openingamerica/ [https://perma.cc/MKT6-Z9MG].
[27]John Thune, Thune Wicker, Moran, Blackburn Announce Plans to Introduce Data Privacy Bill, US Senator for South Dakota (April 30, 2020) https://www.thune.senate.gov/public/index.cfm/press-releases?ID=37E557F5-566E-4872-A66D-EBBFEC1D190A [https://perma.cc/F6RM-LCZN].
[28]U.S. Department of Health and Human Services, supra note 17.
[29]Id.
by mwalsh5 | Jun 26, 2020 | Legislation
Written by: Michael Walsh
There were forty bills proposed for state privacy legislation between 2018 and June 2020 (up from 27 bills in February 2020).[1] Of those, only fourteen bills died in committee or were postponed.[2] Nevertheless, the introduction of such bills indicate that States are becoming increasingly concerned about consumer privacy protection, and these bills still have a chance of being reintroduced and enacted. Six of those bills were instead replaced with a dedicated task force to monitor and enforce nationwide consumer privacy concerns. Excluding the bills that either died in committee or were replaced with dedicated task forces, twenty bills remain to be considered for passage.
Consumer Rights
The majority of these bills focus on consumers’ rights, including many of the following fundamental provisions: (1) Right of Access; (2) Right of Deletion; (3) Right to opt out; (4) Private Right of Action; (5) Right to Fair Notice; and (6) Right to Nondiscriminatory Access.
- Right of Access (15 of 20 bills include this provision)
The consumer may submit a request to a business or data collector (data controller), to receive a file, which notes the categories or “specific pieces” of personal data that the data controller has collected from said consumer. A consumer should be able to submit a request for access to his or her personal information through more than one means (written or electronic). These requests should be timely fulfilled and returned to the consumer in a common file format.
- Right of Deletion (14 of 20 bills include this provision)
The consumer may submit a request to a data controller to delete any or all personal data that the data controller has collected from said consumer.
- Right to Opt Out (17 of 20 bills include this provision)
The consumer may affirmatively opt out of the sale of his or her personal information to third parties.
- Private Right of Action (9 of 20 bills include this provision)
The consumer may seek civil damages from the data controller for violations of a consumer data privacy statute.
- Right to Fair Notice (15 of 20 bills include this provision)
A data controller shall provide to the consumer reasonable notice of the collection of said consumer’s personal information.
- Right to Nondiscriminatory Access (13 of 20 bills include this provision)
A consumer shall not be discriminated against or have impaired access to services merely for exercising his or her privacy rights under a consumer data privacy statute.
Is a Quilt Better than a Blanket?
The current privacy landscape in the U.S. can be described as a patchwork. About one half of the states have introduced some type of consumer privacy law.[3] So, should we just enact federal privacy legislation? The Electronic Frontier Foundation, a digital rights advocacy group, urges not. Tech superpowers including Facebook and Google (as the “Internet Association”) have been lobbying for the enactment of a federal privacy law, but the EFF contends that enacting a federal privacy law will undermine stricter state laws through preemption (an issue that may be able to be resolved with careful legislative drafting).[4]
Oppositely, some business advocates contend that universal federal privacy legislation that resembles the General Data Protection Regulation (GDPR) would be needlessly costly.[5] Gartner estimates that consumer requests for current and future privacy legislation will cost, on average, $1,406 and take about a week to fulfill.[6] These compliance costs are doubtlessly expensive but may be offset by return on investment from increased consumer trust.[7]
Regardless, Congress is considering two bills that resemble the GDPR (with a private action being the most controversial provision), the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (USCDPA). COPRA is effectively broader in the way it defines personal information, while USCDPA is restricted to a more linear definition of “sensitive” personal information. COPRA allows for a private right of action while USCDPA does not. COPRA retains state authority for most areas of privacy protection (allowing states to enforce their own laws if they are more stringent than the federal equivalent), while USCDPA preempts most areas of existing state data privacy laws.[8] We will likely see the passage of one of these bills in 2020, albeit modified. Get to know them here: COPRA[9] and USCDPA.[10]
[1] Mitchell Noordyke, U.S. State Comprehensive Privacy Law Comparison, Iapp (June 2020), https://iapp.org/resources/article/state-comparison-table/ [https://perma.cc/V583-4LMB].
[2] Id.
[3] Id.
[4] Bennett Cyphers, Big Tech’s Disingenuous Push For a Federal Privacy Law, Electronic Frontier Foundation (Sept. 18, 2019), https://www.eff.org/deeplinks/2019/09/big-techs-disingenuous-push-federal-privacy-law [https://perma.cc/2XLJ-MEF8]; Michael Beckerman, Americans Will Pay a Price for State Privacy Laws, New York Times (Oct. 14, 2019), https://www.nytimes.com/2019/10/14/opinion/state-privacy-laws.html [https://perma.cc/8KEX-VPPA].
[5] Alan McQuinn and Daniel Castro, The Costs of an Unnecessarily Stringent Federal Data Privacy Law, Information Technology and Innovation Foundation (Aug. 5, 2019), https://itif.org/publications/2019/08/05/costs-unnecessarily-stringent-federal-data-privacy-law [https://perma.cc/P5XL-H66C].
[6] Jordan Bryan, 4 Legal Tech Trends for 2020, Gartner (Feb. 6, 2020), https://www.gartner.com/smarterwithgartner/4-legal-tech-trends-for-2020/ [https://perma.cc/HN7R-SVKB].
[7] Nasdaq, Cisco 2020 Data Privacy Benchmark Study Confirms Positive Financial Benefits of Strong Corporate Data Privacy Practices (Jan 27, 2020), https://www.nasdaq.com/press-release/cisco-2020-data-privacy-benchmark-study-confirms-positive-financial-benefits-of [https://perma.cc/3386-D6GL]; Brooke Auxier et al, Americans’ Attitudes and Experiences With Privacy Policies and Laws Pew Research Center (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/ [https://perma.cc/XN2K-DPJJ]; Emily Leach, Iapp, (2016), https://iapp.org/media/pdf/resource_center/ROI_Whitepaper_FINAL.pdf [https://perma.cc/BV8R-P5BQ].
[8] Wendy Zhang, Comprehensive Federal Privacy Law Still Pending, National Law Review (Jan. 22, 2020), https://www.natlawreview.com/article/comprehensive-federal-privacy-law-still-pending [https://perma.cc/4U4H-8EPX]; Christian T Fjeld, Christopher Harvie, Cynthia J. Larose, Congressional Privacy Action – Part 1: The Senate, National Law Review (Jan. 28, 2020), https://www.natlawreview.com/article/congressional-privacy-action-part-1-senate [https://perma.cc/VTK5-3YMC]; Angelique Carson, At Senate, consensus on federal law until you get to ‘private right of action’, Iapp (Dec. 5, 2019), https://iapp.org/news/a/at-senate-consensus-on-federal-law-until-you-get-to-that-private-right-of-action/ [https://perma.cc/938E-RKKU]; Charlie Warzel, Will Congress Actually Pass a Privacy Bill?, New York Times (Dec. 17, 2019), https://www.nytimes.com/2019/12/10/opinion/congress-privacy-bill.html [https://perma.cc/GY6Q-T9QG]
[9] Consumer Online Privacy Rights Act, 116th Cong. (2019), https://www.cantwell.senate.gov/imo/media/doc/COPRA%20Bill%20Text.pdf [https://perma.cc/EA85-5BQT].
[10] United States Consumer Privacy Act of 2019, 116th Cong. (2019), https://aboutblaw.com/NaZ [https://perma.cc/3J8X-MP3G].
by mwalsh5 | Jun 12, 2020 | Deepfake
Written By: Michael Walsh
Deepfakes are spoofed images or videos that are created using machine learning algorithms. Deepfake algorithms use tools such as TensorFlow, a free open source machine learning platform popularized by Google, to create digitally manipulated spoofs that are nearly indistinguishable from unmodified footage. These algorithms use existing photos and videos on the internet to create a simulated version of a person’s face and then superimpose that spoofed face onto someone else’s body.[1] If such an algorithm is trained with enough data, which should not be difficult to procure (considering that 200 million selfies were published to Google Photos in 2016), the algorithm can develop a dynamic version of a fake face (or one of a notable figure), and superimpose that digital mask onto the target body, creating imitations that are nearly indistinguishable from the unmanipulated source videos.[2]
More recently, it has been demonstrated that the technology can be used to track intricate facial expressions and superimpose them in real time.[3] The underlying technology can be used to supplement our creative imaginations by streamlining CG or “generated adversarial network” (GAN) effects (which are used to create much of the computer generated imagery in modern movies),[4] but bad actors inevitably end up using the technology for nefarious purposes such as creating antagonistic political spoofs[5] or fake celebrity porn.[6]
The potential for abuse is evident, but studies suggest that industry leaders, policymakers, and legal professionals are taking particular interest in the trajectory of deepfakes.[7] Congress has also passed several bills requiring federal agencies to develop reports about the legal implications of deepfake and GAN technology.[8]
State Legislative Countermeasures
Several other state bills have been introduced to quell the potential abuse of deepfake technology. Texas banned the distribution of deepfaked videos that are intended to sway elections.[9] California proposed a bill imposing criminal and civil consequences for the exchange of nonconsensual deepfake pornography, but the bill was eventually dismissed pursuant to time requirements in Art. IV, Sec. 10(c) of the California Constitution. However, the considerable civil penalties originally proposed in A.B. 1280[10] were effectively modified and consolidated into A.B. 602.[11] Virginia also recently passed legislation prohibiting the “malicious” dissemination of manipulated video “with the intent to coerce, harass, or intimidate.”[12] New York followed suit by passing a bill banning the use of “digital replica” in pornographic work.[13] Most of these bills require a showing of some derivative of malice or intent to harm in order to circumvent free speech protections.
Tort Theories
While state legislatures and Congress invest in developing statutory protection specific to deepfakes, the Electronic Frontier Foundation contend that there are already several legal theories to protect against deepfake abuse, namely tortious theories including extortion, harassment, false light, defamation, and intentional infliction of emotional distress.[14]
Regardless, deepfake and GAN technology has spurred considerable interest and concern in the public and legal communities alike. It is imperative to carefully consider ethical, technical and legal solutions to ensure the benefit of deepfakes while simultaneously mitigating their risk.
[1] David Güera, Deepfake Video Detection Using Recurrent Neural Networks, Video and Image Processing Laboratory, (VIPER) Purdue University (2018), https://engineering.purdue.edu/~dgueraco/content/deepfake.pdf [https://perma.cc/KQZ7-9BVA].
[2] Kevin Roos, Here Come the Fake Videos, Too, New York Times (March 4, 2018), https://www.nytimes.com/2018/03/04/technology/fake-videos-deepfakes.html [https://perma.cc/52NQ-QXUL].
[3] Matthias Nießner, Face2Face: Real-time Face Capture and Reenactment of RGB Videos, http://www.niessnerlab.org/papers/2019/8facetoface/thies2018face.pdf [https://perma.cc/7B4B-H6G5].
[4] Dave Itzkoff, How ‘Rogue One’ Brought Back Familiar Faces, New York Times (Dec. 27, 2016), https://www.nytimes.com/2016/12/27/movies/how-rogue-one-brought-back-grand-moff-tarkin.html [https://perma.cc/8JKZ-S646].
[5] Maheen Sadiq, Real v Fake: debunking the ‘drunk’ Nancy Pelosi footage – video, The Guardian (May 24, 2019), https://www.theguardian.com/us-news/video/2019/may/24/real-v-fake-debunking-the-drunk-nancy-pelosi-footage-video [https://perma.cc/FF33-F3ZW]; James Vincent, Watch Jordan Peele use AI to make Barack Obama deliver a PSA about fake news, The Verge (Apr. 17, 2018), https://www.theverge.com/tldr/2018/4/17/17247334/ai-fake-news-video-barack-obama-jordan-peele-buzzfeed [https://perma.cc/3GPZ-TK66].
[6] Samantha Cole, AI-Assisted Fake Porn Is Here and We’re All Fucked, Vice (Dec. 11, 2017), https://www.vice.com/en_us/article/gydydm/gal-gadot-fake-ai-porn [https://perma.cc/7GM8-Z47R].
[7] Matthew Ferraro, Deepfake Legislation: A Nationwide Survey—State and Federal Lawmakers Consider Legislation to Regulate Manipulated Media, Wilmer Hale (Sept. 25, 2019), https://www.wilmerhale.com/en/insights/client-alerts/20190925-deepfake-legislation-a-nationwide-survey [https://perma.cc/EJ2Q-AESV]; Miles Brundage et al., The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation (Feb. 2018), https://arxiv.org/pdf/1802.07228.pdf [https://perma.cc/8B2E-RPHH]; Bobby Chesney, Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security, 107 Cal. L. Rev. 1753 (2019).
[8] H.R. 3600, 116th Cong. (2019), https://www.congress.gov/bill/116th-congress/house-bill/3600 [https://perma.cc/F2B7-5RRD]; H.R. 3494, 116th Cong. §§ 707, 715 (2019), https://www.congress.gov/bill/116th-congress/house-bill/3494/text [https://perma.cc/P684-WKRT]; S. 1348 116th Cong. (2019), https://www.congress.gov/bill/116th-congress/senate-bill/1348 [https://perma.cc/7C4Q-U8WF]; H.R. 4355, 116th Cong. (2019), https://www.congress.gov/bill/116th-congress/house-bill/4355 [https://perma.cc/9MK9-9ZYH]; H.R. 3230, 116th Cong. (2019), https://www.congress.gov/bill/116th-congress/house-bill/3230 [https://perma.cc/W27A-EDKC].
[9] Tex. S.B. 751 (2019), https://www.capitol.state.tx.us/BillLookup/History.aspx?LegSess=86R&Bill=SB751 [https://perma.cc/4ZFX-QM3S].
[10] A.B. 1280 (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1280 [https://perma.cc/3VWL-NNUJ].
[11] A.B. 602 (Cal. 2019), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB602 [https://perma.cc/YC88-72SE].
[12] Va. Code Ann. § 18.2- 386.2 (2019), https://law.lis.virginia.gov/vacode/title18.2/chapter8/section18.2-386.2/ [https://perma.cc/D9GL-S646].
[13] S. 5959C (N.Y. 2019), https://www.nysenate.gov/legislation/bills/2019/s5959/amendment/c [https://perma.cc/C7VJ-EJAX].
[14] David Greene, We Don’t Need New Laws for Faked Videos, We Already Have Them, Electronic Frontier Foundation (Feb. 13, 2018), https://www.eff.org/deeplinks/2018/02/we-dont-need-new-laws-faked-videos-we-already-have-them [https://perma.cc/3MFV-EHUN].
