RELEASE: Report: State Laws are Failing to Protect Privacy

Thursday, February 1, 2024 6:30 AM ET

Big Tech’s Influence on State Privacy Laws is Harming Consumers

WASHINGTON, DC – Today, the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund released The State of Privacy: How State “Privacy” Laws Fail to Protect Privacy and What They Can Do Better. The report found that nearly half of the 14 states that have passed so-called comprehensive privacy laws received a failing grade, and none received an A.

Because Congress has failed to pass a comprehensive privacy law to regulate the technologies that dominate our lives today, state legislatures have tried to fill the void in order to protect their constituents’ privacy. Unfortunately for consumers, in states across the country, legislators introducing consumer privacy bills have faced a torrent of industry lobbying vying to weaken protections. Nearly everywhere, they have succeeded. Of the 14 laws states have passed so far, all but California’s closely follow a model that was initially drafted by industry giants.

“Many of these ‘privacy laws’ protect privacy in name only,” said Caitriona Fitzgerald, deputy director of EPIC. “In effect, they allow companies to continue hoarding our personal data and using it for whatever purposes they want. Big Tech should not be allowed to write the rules.” 

The report details the measures states should be incorporating into legislation to better protect consumers, including:

  • Data minimization obligations on companies that collect and use personal information – taking the burden off individuals to manage their privacy online and instead requiring entities to limit their data collection to better match consumer expectations. 
  • Strict regulation of all uses of sensitive data, including health data, biometrics, and location data.
  • Strong civil rights safeguards online.
  • Limits on the harmful profiling of consumers. 
  • Strong enforcement and regulatory powers to ensure the rules are followed.

“The best way to keep data secure is to not collect it in the first place,” said R.J. Cross, U.S. PIRG Education Fund’s Don’t Sell My Data campaign director. “A law that really protects consumers would prevent companies from collecting and using people’s data however they want. Unfortunately, there’s not a privacy law in the country that does this as well as it should. The laws that are passing in most places are a bad deal for consumers.” 

Some states such as Illinois, Massachusetts, Maine, and Maryland are considering stronger comprehensive consumer privacy legislation that would limit the data companies are allowed to gather about consumers to what’s necessary to deliver the service consumers are expecting to get. 

“Grading these laws really makes it clear that they’re almost all copy-and-paste versions of a bill industry originally wrote,” said Kara Williams, Law Fellow at EPIC and report co-author. “It’s encouraging to see some states considering a different approach.”

###

ABOUT EPIC

The Electronic Privacy Information Center (EPIC) was established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Our mission is to secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation. 

US Foreign Policy Is a Far Cry from the Founders’ Intent

In July 2021, the Watson Institute of Public Affairs at Brown University reported that since September 11, 2001, 7,057 US military personnel have been killed in military operations in Iraq and Afghanistan alone. Civilian contractor deaths reached 8,000, although the institute admits this is an estimate considering many contractors were not US citizens, so some deaths went unreported. Finally, 30,177 US service members would commit suicide after their deployments to these war zones, and the number of wounded veterans is even higher, as the Watson Institute would claim:

Over 1.8 million veterans have some degree of officially recognized disability as a result of the wars—veterans of the current wars account for more than half of the severely disabled veteran population. Many additional veterans live with physical and emotional scars despite lack of disability status or outstanding claims.

Since September 11, the US government has participated in three major conflicts: the second war in Iraq, the war in Afghanistan, and military operations in Iraq and Syria against the Islamic State of Iraq and Syria (ISIS). But they have also led operations in Libya to overthrow Muammar Gaddafi and in Yemen in support of the Saudi government, despite the fact that Saudi bombings and blockades pushed the country to the brink of starvation.

Twenty-three years after September 11, neoconservatives in Congress, the State Department, and the Pentagon are still pushing the same war hawk policy in Ukraine, Israel, and Syria. American foreign policy is out of step with the Constitution and the original intent of the founding fathers. It is time for the men and women who push this policy to be held accountable.

The Founders’ Intent

At the Reagan National Defense Forum in Simi Valley, California, Defense Secretary Lloyd Austin made remarks about American leadership. He highlighted the importance of an American military presence throughout the world in order to protect “democracies” like Ukraine and Israel. Secretary Austin also had remarks about noninterventionists:

You know, in every generation, some Americans prefer isolation to engagement—and they try to pull up the drawbridge. They try to kick loose the cornerstone of American leadership. And they try to undermine the security architecture that has produced decades of prosperity without great-power war. And you’ll hear some people try to brand an American retreat from responsibility as bold new leadership. So, when you hear that, make no mistake: It is not bold. It is not new. And it is not leadership.

Secretary Austin needs a history lesson in the founding ideals of the United States. If what he said is true, then American figures such as George Washington and Thomas Jefferson were bad leaders. President George Washington issued a neutrality proclamation in response to the revolution in France and the subsequent declaration of war on Austria, England, and Prussia, which embroiled the whole European continent in war. In President Washington’s farewell address on September 19, 1796, he made his vision for American foreign policy clear: “It is our true policy to…

The Daily Upside: Google Patent Could Track Users Based on Wi-Fi Connection 

While Google’s patent indicates that this tech could automatically activate devices based on user presence, physical sensors have long filled that gap, so it’s unclear how this kind of tech offers anything different from a motion-activated porch light, said Sara Geoghegan, counsel for the Electronic Privacy Information Center.  

With a lot of innovations in consumer tech, the common case is that companies will ask for more and more personal data, and in return users get more convenient and useful features. This leaves the consumer to decide how much trust they’re willing to put into these tech firms for the sake of convenience.  

But with this tech, Geoghegan said, “It seems that the potential benefits that this software service could provide already exist with significantly less privacy-invasive services. Like a lot of things in our space, I think that there is often this idea that there is some sort of convenience or benefit. But if you really look at it, it’s quite minimal.”  

Google, meanwhile, gains access to continue growing its “troves of personal information,” said Geoghegan. And while Google does make the caveat that these systems may come with privacy-preserving identifiers for the users it tracks, the fact that this system may be operated through a cloud-based system presents its own risks. 

Read more here.

Boston Globe: Amazon abandons plan to purchase Bedford-based iRobot; Roomba maker cuts 350 jobs

The proposed iRobot acquisition has also alarmed privacy advocates. Calli Schroeder, senior counsel for the Electronic Privacy Information Center, pointed out that Amazon has a roster of electronic products that collect household data, including Echo smart speakers and Ring security cameras. “They already have a bunch of technology that is privy to very, very personal information, because it’s focused on our home,” she said. 

Schroeder believes Amazon wanted iRobot because its advanced Roomba machines use cameras to create maps of the rooms it cleans. This would give Amazon even deeper insights into the habits of its customers. But it could also violate users’ privacy, if the collected data was stolen or abused. For instance, MIT Technology Review reported in 2022 that images captured by prototype Roomba machines wound up on Facebook after iRobot shared them with a business partner that helped train the Roomba’s artificial intelligence software. 

Schroeder celebrated the collapse of the deal on Monday. “It looks like the privacy side won,” she said. “We’ve got to take those victories anywhere we can get them.” 

Read more here.

NextGov: TSA uses ‘minimum’ data to fine-tune its facial recognition, but some experts still worry 

Jeramie Scott — senior counsel and director of the Electronic Privacy Information Center’s Project on Surveillance Oversight — called facial recognition “an invasive and dangerous surveillance technology,” adding that TSA’s use of it “basically endorses the use of facial recognition for identity verification.”  

“That will ultimately accelerate the use of our faces as our ID, and that has some very important implications for privacy, civil liberties, civil rights and our democracy,” he said, adding that the lack of federal regulations around facial recognition’s use means that — despite TSA’s current privacy requirements — “what may be the safeguards today does not mean they will be the safeguards tomorrow.” 

He also pushed back on TSA’s claim that it conducts “independent analysis” of collected data, since the agency falls under DHS’s authority. 

“You can’t say just because we handed it to a different part of the agency that that’s an independent test in any meaningful way,” Scott said. 

Read more here.

Apollo-1: On January 27th, 1967, a launch pad fire killed three astronauts.

A news update and constitutional law analysis, related through a video commentary from Mark W. Smith of The Four Boxes Diner:  BORDER WARS: The Constitutional Issues you need to know about in Texas v. Biden Admin. Two days ago, it was 11 states, but now, 25 states have signaled support for Texas Governor Abbott’s position. And at least 10 of those States have now pledged to send National Guard or State Guard/Militia troops to Texas, to assist. Tucker Carlson interviewed Abbott, on Friday.

On January 27th, 1967, a launch pad fire during Apollo program tests at Cape Canaveral, Florida, killed astronauts Virgil “Gus” Grissom, Edward H. White II, and Roger B. Chaffee. An investigation indicated that a faulty electrical wire inside the Apollo 1 command module was the probable cause of the fire. The astronauts, the first Americans to die in a spacecraft, had been participating in a simulation of the Apollo 1 launch scheduled for the next month.

January 27th, 1945 is the anniversary of the liberation of Auschwitz by the Soviet Army.  January 27th is commemorated as International Holocaust Remembrance Day.

Today is the birthday of singer-songwriter Kate Wolf. (Born 1942, died December 10, 1986.) Her untimely death at age 44 cut short an amazing career and robbed America of a great songwriting talent.

SurvivalBlog Writing Contest

Today we present another entry for Round 110 of the SurvivalBlog non-fiction writing contest. The prizes for this round include:

First Prize:

  1. The photovoltaic power specialists at Quantum Harvest LLC are providing a store-wide 10% off coupon. Depending on the model chosen, this could be worth more than $2000.
  2. A Gunsite Academy Three Day Course Certificate. This can be used for any of their one, two, or three-day courses (a $1,095 value),
  3. Two cases of Mountain House freeze-dried assorted entrees in #10 cans, courtesy of Ready Made Resources (a $350 value),
  4. American Gunsmithing Institute (AGI) is providing a $300 certificate good towards any of their DVD training courses.
  5. Two sets of The Civil Defense Manual, (in two volumes) — a $193 value — kindly donated by the author, Jack Lawson.

Second Prize:

  1. A SIRT STIC AR-15/M4 Laser Training Package, courtesy of Next Level Training, that has a combined retail value of $679
  2. Two 1,000-foot spools of full mil-spec U.S.-made 750 paracord (in-stock colors only) from www.TOUGHGRID.com (a $240 value).
  3. Two Super Survival Pack seed collections, a $150 value, courtesy of Seed for Security, LLC.
  4. Montana Survival Seed is providing a $225 gift code for any items on its website, including organic non-GMO seeds, fossils, 1812-1964 US silver, jewelry, botany books, and Montana beeswax.
  5. A transferable $150 FRN purchase credit from Elk Creek Company, toward the purchase of any pre-1899 antique gun. There is no paperwork required for delivery of pre-1899 guns into most states, making them the last bastion of firearms…

EPIC Calls On DOJ and DHS to Create Robust Framework of Safeguards for Surveillance Tech

EPIC submitted comments in response to DOJ and DHS’ Request for Written Submissions on Sec. 13e of Executive Order 14074 urging DOJ and DHS to center vulnerable communities in their crafting of new guidance on the use of facial recognition, predictive policing technologies, social media surveillance tools, and DNA analysis tools. EPIC argued that DOJ, DHS, and other law enforcement agencies should cease to use some of the most privacy-invasive and dangerous surveillance technologies—like facial recognition—because of their systemic issues, severe effects on vulnerable populations such as racial minorities, and threat to our democracy. However, EPIC also provided recommendations to create a robust framework of safeguards to protect privacy, civil rights, and civil liberties. EPIC continues to advocate for a set of principles that would adequately assess the risks of these technologies and shape the policy on how law enforcement officials use them. In brief, these include:

  • prohibiting mass surveillance;
  • protecting privacy, civil rights, and civil liberties;
  • protecting constitutional rights;
  • proving that the technology and its implementation do not result in a disparate impact for protected classes; 
  • requiring adequate evaluation of the purpose, objectives, benefits, and risks of the technology;
  • adopting stricter data minimization procedures; 
  • ensuring adequate security for retained data;
  • regular independent auditing;
  • strengthening accountability and oversight; and
  • advancing public trust, prioritizing transparency, and requiring substantiation for claims relating to the technology, especially related to its effectiveness. 

EPIC runs a robust surveillance oversight program with several areas of focus. EPIC opposes the spread of facial recognition in both the public and private sector. For many years, EPIC has worked to end TSA’s use of facial recognition at airports. Over the last year, EPIC has helped lead a yearlong coalition campaign to fundamentally reform FISA § 702 as it nears its sunset date. EPIC also regularly calls for increased transparency and oversight of automated decision-making and predictive policing. EPIC has filed complaints with the Attorney General, submitted several Freedom of Information Act (FOIA) requests, and engaged in extensive research to map DHS’ web of databases to shine light on law enforcement use of overbroad surveillance technology. 

Broadband Breakfast: Industry Groups Urge Fixes to FCC’s Cybersecurity Labeling at House Hearing 

Alan Butler, executive director of consumer privacy group Electronic Privacy Information Center, said that a website on the safety of technologies could serve as an additional layer of protection. This would allow the FCC to limit the amount of information on the label and avoid confusing consumers. Consumers expect to understand if their devices could pose potential threats, he said.

Read more here.

EPIC: FCC Should Incentivize Carriers to Guard Against SIM Swapping and Port-Out Fraud

On Tuesday, EPIC submitted comments to the Federal Communications Commission applauding new rules that will strengthen consumer protections against SIM swap and port-out fraud and urging the FCC to further incentivize carriers to reduce security vulnerabilities. SIM swap and port-out fraud occur when a fraudster takes control of a victim’s phone number by convincing a carrier to transfer the victim’s phone service to the fraudster’s phone.

EPIC alerted the Commission to increased instances of SIM swap and port-out fraud targeting major cryptocurrency investors and unsuspecting telecommunications customers alike. EPIC called on the Commission to harmonize CPNI and CPI rules with SIM swap authentication requirements, to establish additional authentication requirements, and to require carriers to report incidents of fraud. Additionally, EPIC requested the Commission articulate its enforcement power under the Communications Act of 1934 and hold carriers liable for SIM swap attacks conducted using their networks and devices, as presently carriers seek to evade liability for SIM swap fraud.

EPIC routinely comments on regulations concerning telecommunications customers’ privacy and protection from fraud.

EPIC Urges FCC to Protect Consumer Data from Misuse by ISPs

On January 17, EPIC submitted reply comments to the Federal Communications Commission in the FCC’s proceeding on reclassifying internet service providers and other broadband providers as common carriers. In its comments, EPIC urged the FCC to outline a broad interpretation of its privacy and data security authorities under Title II of the Communications Act (which governs common carriers such as phone carriers), to explain that the FCC’s consumer protection authorities complement those of the FTC, to make findings that prioritize protecting consumers over protecting data broker and advertiser profits, to initiate an immediate rulemaking to safeguard consumer privacy and data security on the internet, and to continue to facilitate cooperation among state and federal agencies in combating fraud.

EPIC has long advocated for consumer privacy protections in broadband services and regularly files comments with the FCC.