Privacy

Privacy and Data Security Violations: What’s the Harm? (Part One)

by Daniel Solove, TeachPrivacy
Tuesday, June 24, 2014

Courts have struggled greatly with the issue of harms for data violations, and not much progress has been made. We desperately need a better understanding and approach to these harms. I am going to explore the issue and explain why it is so difficult. Both theoretical and practical considerations are intertwined here, and there is tremendous incoherence in the law as well as fogginess in thinking about the issue of data harms. I have a lot to say here and will tackle the issue in a series of posts. In this post, I will focus on how courts currently approach privacy/security harm.

Google’s Admission to Data Mining of Student and Government Emails Demands Further Scrutiny

by Jeff Gould, SafeGov.org
Thursday, May 15, 2014

In a surprise announcement on April 30, 2014, Google announced on its company blog that it would no longer “collect or use student data in Apps for Education services for advertising purposes.” Google also noted that it would make similar changes to its Google Apps for Government products. This announcement suggests that Google has been scanning, storing and monetizing student, business and government emails for years, which raises concerns about Google’s past privacy practices and their future policies. This is a significant violation of the trust placed in the company by the schools and government agencies who signed contracts with the assurance that there would be “no ad-related scanning or processing” in Google Apps – language that Google once noted on their website.

Trust But Verify Big Datamining Claims

by Bryan Cunningham, Cunningham Levy LLP
Thursday, May 08, 2014

Much has been written in recent years about the benefits and risks of “free” cloud services monetized by providers mining the private data of users. These risks are particularly acute in some government cases, e.g., education applications mining the data of students, and applications used by law enforcement and national security agencies. I, along with others, have recommended that government entities include clauses in contracts with cloud providers prohibiting data mining. Some governmental contracting authorities have embraced this remedy.

Big Data and Our Children’s Future: On Reforming FERPA

by Daniel Solove, TeachPrivacy
Tuesday, May 06, 2014

Last week, the White House released its report, Big Data: Seizing Opportunities, Preserving Values. My reaction to it is mixed. The report mentions some concerns about privacy with Big Data and suggests some reforms, but everything is stated so mildly, in a way designed to please everyone. The report is painted in pastels; it finesses the hard issues and leaves specifics for another day. So it is a step forward, which is good, but it is a very small step, like a child on a beach reluctantly dipping a toe into the ocean.

Why Did inBloom Die? A Hard Lesson About Education Privacy

by Daniel Solove, TeachPrivacy
Monday, April 28, 2014

For any organization that doesn't take privacy seriously, the demise of inBloom should be a loud wake-up call. Funded by $100 million from the Gates Foundation, inBloom was a non-profit organization aiming to store student data so that school officials and teachers could use it to learn about their students and how to more effectively teach them and improve their performance in school. Who would have thought that a project with so much funding and promise would be shutting down just a few years after its creation? What went wrong?

The Dangers of Apps

by Mary DeRosa, The Chertoff Group
Monday, April 28, 2014

The explosion of smartphones and their apps has improved lives in many ways: greater convenience, more information, and far less boredom, to name a few. But the dangers of apps are beginning to get more attention. Apps access massive amounts of personal data, but they lag far behind other technologies when it comes to protection of privacy and data security.

The FTC and Privacy and Data Security Duties in the Cloud

by Woodrow Hartzog, Samford University, Cumberland Law School
Daniel Solove, TeachPrivacy
Tuesday, April 15, 2014

Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider. In many cases, however, these contracts fail to contain key protections of data. Because the consumer is not a direct party to these contracts and often cannot even have access to these contracts, the consumer is often powerless, and the consumer’s interests are often not adequately represented. In this short essay, we argue that there is a remedy in Section 5 of the Federal Trade Commission (FTC) Act that prohibits unfair and deceptive trade practices. Certain key cases from the emerging body of FTC enforcement actions on data protection issues can be read together to create a double-edged set of duties – both on the organizations contracting with cloud service providers and on the cloud service providers themselves. Not only does an organization owe a duty to consumers to appropriately represent their privacy and data security interests in the negotiation, but cloud service providers have an obligation to the consumer as well, and cannot enter into contracts that lack adequate protections and controls.

Read your privacy policies, people!

by Doug Miller, Milltech Consulting
Monday, April 07, 2014

The issue of consumer consent has taken center stage since the U.S. District Court in California accused Google of violating the federal Wiretap Act by scanning emails for targeted advertising. However, an unfolding story reveals that this same privacy policy also applies to Google’s education, business, and government cloud offerings. A recent exposé in Education Week highlights how Google, as part of its sworn testimony, admitted to mining student data to serve its own purposes, which includes using student data to show targeted ads to minors. While this revelation could suggest that Google is in violation of the Family Educational Rights and Privacy Act (FERPA), the fact that Google mines data from all of its services should not be a surprise. Why? Because, as Google states, when consumers use its services, they are consenting to its privacy policy, which gives Google the right to use and combine the personal information it collects to improve its services, develop new products, and display more relevant search results. This subsequently works to fund advertising.

The Battle for Leadership in Education Privacy Law: Will California Seize the Throne?

by Paul Schwartz, Berkeley Law School
Daniel Solove, TeachPrivacy
Thursday, March 27, 2014

Education was one of the first areas where privacy was regulated by a federal statute. Passed in the early 1970s, the Family Educational Rights and Privacy Act (FERPA) was on the frontier of federal privacy regulation. But now it is old and ineffective. With the growing public concern about the privacy of student data, states are starting to rev up their engines and become more involved. The result could be game-changing legislation for the multi-billion dollar education technology industry.

Lawsuit Raises Red Flags For Government Cloud Users

by Karen Evans, KE&T Partners
Tuesday, March 25, 2014

A California lawsuit suggests the federal government must take stronger steps to protect government data from data mining and user profiling by cloud service providers. In the technology-rich world we live in, it's critical for everyone to understand how their data is processed and used. For the government, it is arguably even more important, given the massive amounts of sensitive citizen data it possesses and stores.