Poképrivacy: Privacy and Legal Issues in Pokémon GO

By Michael Goodyear

When Pokémon GO was released in the United States on July 6 it garnered 15 million downloads in just the first week. Pokémon GO has rapidly become one of the biggest apps ever. Its daily active user total has now outstripped Twitter and on current installs it has beaten most other popular mobile app games. But despite its quick rise to fame, Pokémon GO has raised a series of concerns about privacy, from what permissions and personal information the app itself accesses to how the app potentially infringes on personal residences.

Pokémon GO is an augmented reality game that inserts virtual imaginary creatures, Pokémon, onto the physical world via your phone. They can appear anywhere, even on your wife’s hospital bed as she is giving birth. The goal is to catch and train Pokémon as part of one of three teams.

Privacy concerns abound with Pokémon GO, even attracting the attention of Senator Al Franken, the Ranking Member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. The chief initial concern with Pokémon GO was that iOS users had granted “full access” to their Google accounts. While technically this could include being able to see the contents of Gmail and all other Google programs, in reality Niantic, the company that developed Pokémon GO, only accessed basic account information, such as the name of the user and their Gmail address. More than anything it was a combination of Niantic using an out-of-date version of the Google sign-in process and poor wording that led to this seemingly alarming concern. Niantic has since made an update that fixed this problem, with the app now only requesting access to basic information.

Although this problem has received by far the most press, there are other legitimate concerns about how Pokémon GO handles privacy. The app itself has access to your IP address and the most recent webpage you visited, providing some indicators about your location and habits. In addition, the app tracks your GPS location and has control over your camera. While these are essential to using the app, just consider the possible implications if some third party acquired this data. Unless Niantic’s security is ironclad, there is always the possibility that hackers could get this information and have access to your phone. And with an app as huge as Pokémon GO, hackers will definitely be on the lookout.

Others with malicious intent have already started taking advantage of the app’s security shortcomings. A function of the app is that you can create a beacon, which attracts more players and Pokémon to an area. This has been a hotbed for muggers taking advantage of unsuspecting players. Muggers have used the beacons to lure in players and rob them. Police departments from O’Fallon, Missouri to Australia have expressed their concern over the security risks the app creates, especially when players are paying so much attention to the virtual surroundings on their phone that they are not aware of their physical surroundings.

In addition to beacons created by the players, Niantic itself has created virtual Pokémon gyms, basically battle hubs for players to come and play against other teams for control over the gym and win the accompanying prestige, across the globe. Naturally this makes them fairly popular spots. For this reason, Niantic generally locates the gyms at popular sites, although this occasionally goes awry, from the controversial (Trump Tower and the Westboro Baptist Church) to the just plain dangerous (on the South Korea-North Korea border). And sometimes it even registers people’s homes as gyms. Now, it is not as though Niantic asked the permission of Donald Trump or Boon Sheridan to put a gym on their property, but of course the gym itself is a virtual entity, albeit one with very real consequences. As major draws to players, gyms can attract dozens to hundreds of people, infringing on the privacy and peace and quiet of individuals and businesses. And this brings up a host of legal trespassing issues and questions of attractive nuisances that are bound to be raised, all for the benefit of trying to catch a rare Pokémon.

So while players are battling with their captured Pokémon, they also have to be on the defensive. Mind property laws and don’t infringe on real estate, and protect your privacy and safety, or else it might be your information being captured instead of the Pokémon.

Michael Goodyear, who has a BA in History and Near Eastern Languages and Civilizations from the University of Chicago, is part of the ISLAT team.

Privacy Concerns Influence Consumer Purchases

By Michael Goodyear

Back in 2011 just 54% of U.S. consumers, a slim majority, stated that they decided not to purchase a product due to concerns about their personal information’s confidentiality. But that number has been on the rise. Today that figure has grown to 82%, the vast majority of U.S. consumers. Of course many potentially privacy-invading products are not bought on a yearly basis, such as computers or cell phones. Yet even in the past 12 months 35% of consumers still decided not to purchase goods from a specific company due to privacy concerns.

Different groups of consumers considered privacy concerns differently in regards to making a purchase. The portion of the American population that reacts most to privacy factors is that with a higher income and also that with a higher level of education (consumers with a college or post-graduate degree). Although respondents noted several chief concerns about privacy, 52% of U.S. consumers identified identity theft as their greatest concern. This was a sharp increase from 2011, when identity theft constituted only 24% of respondents’ chief privacy concerns. In addition, the next highest figure was the greatest privacy concern of only 10% of consumers, compared to the 52% on identity theft.

These findings are from a November 2015 online survey of 900 consumers, undertaken by the law firm Morrison & Foerster to gather quantitative data on the emerging trend of privacy presenting real threats to business. The results confirm the increasing role of privacy in our lives. In this case, privacy concerns influence our decisions as consumers, but what other aspects of our lives have privacy concerns also come to influence? What about our privacy when downloading a mobile app or entering our social security number into an online application? With advances in technology and the increasing amount of personal information that ends up online, privacy concerns are here to stay. It is up to each individual to decide how he will engage with his personal privacy concerns and to what degree those concerns might influence his decisions and his life.

Michael Goodyear, who has a BA in History and Near Eastern Languages and Civilizations from the University of Chicago, is part of the ISLAT team.

I Can Do All Things Through Technology, Which Enables Me: Churches, Facial Recognition and Spiritual Dynamics

By Alexandra Franco, JD

In my work as a privacy lawyer, I’ve become slightly desensitized to the pervasive privacy invasions that we have learned to live with—the fact that Facebook is well-aware of my love of makeup and will constantly remind me of “cool new eyeshadows to try” is something I don’t even think about anymore. However, there is a new technology threatening privacy that struck me as particularly appalling.

A company called Churchix provides churches with facial recognition software “designed for Church administrators and event managers who want to save the pain of manually tracking their members attendance to their events.” The software allows users to “receive demographic data of people attending [their] event (Gender, Age),” and “receive identification reports for a specific event, group of events and attendance of a specific member.” To get the facial recognition software going, churches must first take photos of their faithful to “register and enroll into the data base of Churchix.” After this, the churches will have access to streamlined, automatic attendance data—and won’t have to go through what Churchix calls the “pain” of personal interaction with their attendees.

The number of churches currently using this technology is as high as 40. Speaking at a conference at Loyola University Chicago School of Law, privacy attorney and partner at Edelson PC, Ari Scharg, mentioned that this technology is being used to track people’s church attendance patterns, such as how often they attend and how early they arrive, and that the churches can use this information to understand how much money church goers can be asked to donate.

Churchix claims that despite “honest concerns over privacy” and people’s “‘Big Brother’ mentality” about what the technology entails, it “think[s] that [such beliefs] are mostly a bad feeling derived from a possible abuse of the technology rather than actual threats.” The company website explains that “on the contrary, face recognition software helps catching the bad guys… .” But even the company’s own PR efforts on its website include articles that criticize Churchix for the serious privacy concerns that its technology raises.

As Michael Casey from CBS News says, “the growth of this [facial recognition] technology has far outpaced any efforts to regulate it… .” and if it keeps going the way it is going, it will be very difficult for regulatory bodies to take a stand fast enough to make a difference. The technology is already being used by advertisers in shopping malls to analyze what you are looking at on a store shelf, analyze your demographic information based on your facial characteristics and later show you a targeted advertisement with another item that you may be interested in based on all of this information. Churchix is a branch of Face-Six, the facial recognition business that offers the technology to shopping malls. In addition to offering its services to churches (through Churchix) and shopping malls, Face-Six offers its services to airports, border control, law enforcement, casinos and also for home security purposes.

When a single company is behind all of the different applications of the technology—from shopping malls and targeted advertisements to church attendance—how do we know that  people’s images uploaded to the Churchix database will not end up being used to sell them religious books later when they visit a mall that uses the same technology? What if you have been missing church for a few weeks, would you like to see an advertisement for a book about “regaining your faith?”

A few states—such as Illinois—have enacted laws protecting people’s biometric information. The Illinois statute protects people’s biometric identifiers, such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” among other things, by requiring that entities planning to collect such data inform the person in writing before collecting it, tell the person for how long and for what purpose they are collecting the data and have the person sign a written release. It also prohibits entities from selling or profiting from someone’s biometric data and requires that entities in possession of such data develop policies and procedures for its destruction.  However, Illinois is one of a few states currently taking steps to protect people’s biometric information and we are still far away from a comprehensive national regulatory regime.

Let’s instead think about this for a moment from the perspective of individual church members and the church community as a whole. Faith is a deeply personal thing which should be between the person and that which he or she believes in, something out of the human realm and out of the reach of human hands. It is a sacred communication between the person and something that transcends the physically human. Is it okay for a third eye in the sky to observe that person’s movements in and out of his or her place of worship? What are the deeper connotations of a pervasive intervention between a person and his or her faith? If church goers become aware that their movements in and out of the church are constantly being tracked, this may alter their church-going habits (as they may dislike being observed and tracked without having control over it) and they may decide to stop attending church altogether. On the other hand, those who refuse to give up going to church will always have to think about that third eye who knows whether he or she went to church last week or not.

And what happens if we were to replace the word “church” in the last paragraph with the word “mosque”? It is not hard to imagine the potential for profiling and even more invasive targeting this technology—which works across different settings through the photo database—can bring.

For the most part, places of worship are still the heart and soul of their respective communities. They are groups of families and individuals who look out for each other and have each other’s back. When a congregation member is absent for a long time, other members will express their concern and reach out. If such interactions are interrupted by an automated attendance tracker, will it interfere with the community’s spiritual dynamics? To what extent will we allow technologies to alter human dynamics in their most essential manifestations? Only time will tell.

This isn’t about makeup. This is one of the most personal and private aspects of a person’s life, and we should not become desensitized to technologies which invade it.

Alexandra Franco is a Research Associate at the Institute for Science, Law and Technology at IIT Chicago-Kent College of Law.  The title of this essay is based on Philippians 4:13 “I can do all things through Christ who strengthens me.”

When Your Car Spies on You

By Lori Andrews

Cars are getting smarter.  Some can show you a video of what is behind you to help you park in a tight spot.  Others can automatically apply the brakes if you are about to run into the car in front of you.

Now cars have a new power.  They can snitch to an insurance company about your driving.   A tracking device can be installed in your car to monitor how and when and how far you drive.  Progressive and other insurers offer discounts on car insurance to drivers based on data from such devices.

Do you accelerate sharply, corner too closely, travel at night or drive great distances?   Those traits can be used against you and prevent you from getting a discount.  But many of those factors are beyond your control.  If your job requires you to work in the evening, why should you be penalized by your insurer?

Most insurers’ devices are installed in the data port of the car, under the driver’s side of the dashboard, which limits their use to cars sold after 1998.  But the Canadian insurer Desjardins uses a mobile phone app, Ajusto, that doesn’t even need to be installed in the car.  But phone apps raise additional issues.  Nothing prevents an insurer from matching data from the phone driving app with other information.  Nearly two-thirds of smartphone owners look up health information on their devices.  What if you’ve done a Google search for the side effects of an allergy medication?  The insurer might take that to mean you are using the medication while driving, despite the drug’s warnings about drowsiness.

Who else will ultimately get the driving information?   Will the police want to know who is driving faster than the speed limit?   As a phone app, Ajusto can tap into location information.  Will spouses and employers want to know where the driver has been?  Already, information from toll passes has been used as evidence in criminal cases and divorce cases.  If you get into an accident while using Progressive’s Snapshot device, Progressive will turn over their information about your driving style and history to the court.

These programs to reward safe drivers might actually lead to more accidents.  A friend who used the Progressive device heard a series of beeps from his car if he braked too quickly.  The only way to avoid the beeps was to stay four car lengths behind the car in front of him, but that meant other cars were constantly swerving in front of him.  It also greatly increased the chance of his being rear-ended.

The tracking devices for cars are touted as a way to save you money.  But the data they collect can be used against you.  Progressive announced that it will start charging higher rates to drivers who volunteer to use its Snapshot device, but whose driving does not measure up.  Courts can order that you turn over your driving information to someone who sues you.   Tracking devices have real risks. What you might save in premiums, you’ll lose in privacy.

The Thin Red Line of Predictive Genetic Testing in the Military

By Bryan Helwig, PhD

A military segregated by genetics? The possibility is more reality than science fiction and an issue I encountered while leading a research team for the Department of Defense.  Recent advances in science and technology have produced genetic tests that are low cost, easily performed and able to produce significant amounts of genetic information about individuals. Once confined only to scientific experiments, the general public now has options to trace their family origins from a cheek swab, detect genetic abnormalities prior to birth from a sample of the mother’s blood, and determine their genetic profile using saliva.

Since the mid-1990s the Department of Defense has required that all new recruits provide a DNA sample that can be used for identification purposes. Now, advances in genetic technology are helping to identify gene profiles associated with a predisposition to post-traumatic stress disorder (PTSD) or suicide. The use of genetic testing in this manner is considered predictive genetic testing.

Proponents of predictive genetic testing in the military note the invaluable role testing provides in keeping armed forces safe. Critics contend that mandatory genetic testing is an invasion of privacy and a violation of civil liberties. These individuals contend that the Genetic Information Nondiscrimination Act (GINA) of 2008, which protects civilians from job-related discrimination based on genetic test results, should also apply to military personnel.  Specifically, §202 and §203 prohibit employment discrimination practices based on genetic information. With few exceptions, §203 reads “it shall be an unlawful employment practice for an employer to request, require, or purchase genetic information with respect to an employee or a family member of the employee . . . “ However, the military is a unique environment in which the needs of the unit are a higher priority than those of the individual, complicating the application of civilian policies such as GINA to members of the armed forces.

Military duty is characterized by physical demands and exposure to environments that are unpredictable and often extreme. As a result, work in military environments can result in manifestation of genetic abnormalities that would remain unknown without diagnostic genetic testing in which screening occurs for specific genes that are diagnostic for a condition.

During the last five years, the expansion of genetic testing has been proposed. An advisory panel of independent scientists produced the JASON report in 2010 recommending “The DoD should establish policies that result in the collection of genotype and phenotype data, the application of bioinformatics tools to support the health and effectiveness of military personnel, and the resolution of ethical and social issues that arise from these activities.” The idea is robust and one I frequently encountered during my career directing a Biomedical Research Laboratory for the Department of Defense.

The focus of my team’s work was to better understand how and why the human body responds in extreme environments. For instance, the expression of a subset of genes allows for adaptation to high altitude, low-oxygen environments such as the mountains. Although not as well established, a similar set of genes also may be advantageous to prolonged work in hot and cold environments. Thus, predictive genetic screening in the military could be used to identify individuals that would have advantageous or disadvantageous physiological responses to hot, cold or high-altitude environments. In addition, the JASON report proposes the use of predictive genetic testing to identify service members at increased risk of blood coagulation abnormalities, bone fracture risk, tolerance to sleep deprivation and over two hundred other health-related phenotypes of interest to the military.

Although not widely recognized, each of us undergoes a diagnostic genetic test at birth for phenylketonuria, more commonly known as PKU, an inborn error of protein metabolism that can have profound negative effects on development if not identified early in life. In comparison, the use of predictive genetic screening is in its infancy. Genetic tests are highly accurate in quantifying gene expression; however, use of the results in a predictive capacity is less accurate and often over-exaggerated by the media.

For instance, a genetic profile that affords natural protection in a hot environment is likely to be comprised of up and down regulation of hundreds or even thousands of genes. Some genes may be affected by health status, nutrition, sleep, etc. Thus, the use of predictive genetic testing requires identification of stable gene profiles that serve as accurate predictors of health status and only change expression in the environment being studied. Additionally, many scientists cite a two-fold change in gene expression as significant.  However, a two-fold change is arbitrary and not always indicative of a significant physiological impact. Despite rapid expansion of genomic technology, the reliability of predictive gene profiling remains nascent.

Despite the scientific gaps, legal and ethical issues need to be addressed before genetic testing achieves an accuracy allowing its use en masse. Initial efforts should focus on privacy, including modification of GINA to protect privacy of military members in a way that is similar to the general public. Secondly, if GINA cannot be modified, discussions regarding new policies associated with predictive genomic testing that address the intersection of military personnel privacy and mission readiness should be encouraged. Instrumental will be deciding how broadly predictive genetic testing should be used by the Department of Defense. Conversations must also include updated policies regarding the handling or even destruction of DNA samples and specimens after military service ends and related rules for governing the almost fifty million samples in the Department of Defense Serum Repository (DoDSR). Such policy decisions should be balanced with the knowledge that the DoDSR is the largest repository of samples in the world and its use in understanding disease has been substantial.

Some service members refused to provide DNA for inclusion in the DoDSR and the punishment was harsh, including court martial, a reduction in rank and loss of pay. The Hawaii District Court held that requiring DNA samples from service members does not violate the Fourth Amendment right to be free from unreasonable searches [Mayfield v. Dalton, 901 F. Supp. 300 (D. Haw. 1995), vacated as moot, 109 F. 3d 1423 (9th Cir. 1997)]. Objection to inclusion may become more common if predictive genetic testing is used without privacy protection. The military must revisit the thin red line between privacy and military needs; a line that currently favors minimizing individual needs.

Standard informed consent required whenever biological samples are obtained must also be re-evaluated to better reflect the current practices. Informed consent forms should be re-written, allowing the service member to give different levels of permission regarding future use of their DNA beyond the required baseline diagnostic screening and identification purposes. Importantly, this option must be revocable at any time, during or after their military career. The military should also consider the alternative of an external third party to perform predictive genetic screening, the results remaining private, and released only as required by strict criteria. Regardless of the results, policies must be in place to prevent discriminatory practices related to genetic results in military and post-military career advancement.

The military benefit to the Warfighter from genetic testing is significant and, if used responsibly, can help protect a soldier’s health. However, many ethical and legal hurdles exist that must be resolved before predictive genetic testing becomes mainstream.  Conversations addressing such issues need to occur now; the issues are central to protecting the privacy of those who keep us safe.

Bryan Helwig, PhD is a first-year law student at Chicago-Kent College of Law (Class of 2017) with an interest in the intersection of intellectual property, genetics and privacy. During the five years preceding law school he directed a Biomedical Research Lab for the Department of Defense.

ISPs as Public Utilities

By Adam Rouse

In late 2010, the Federal Communications Commission (FCC) issued the Preserving the Free and Open Internet Order [1] mandating a set of “net neutrality” policies that required internet service providers (ISPs) to essentially treat all internet traffic the same as it traversed the various individual networks making up the internet as a whole. Verizon filed suit against the FCC claiming that the FCC had no legal authority to issue the order and the FCC exceeded the scope of the Telecommunications Act of 1934 and the Telecommunications Act of 1996.[2] The FCC countered by arguing that it was regulating the activity of broadband providers under its ancillary jurisdiction [3] to regulate certain aspects of internet communication services. The DC Circuit Court held that the FCC lacked authority to issue the anti-blocking and anti-discrimination rules that were part of the Preserving the Free and Open Internet Order, effectively gutting it.[4] Many broadband providers were upset with Verizon for filing suit when they did. They were concerned that the FCC, when challenged, could reclassify broadband and wireless internet service providers as Title II Common Carriers, subjecting them to the hundreds of regulations that were already in place for telecommunications providers.[5]

On Thursday, February 26, 2015, the FCC did exactly what internet service providers feared it would: broadband internet service is now classified as a telecommunications service under Title II of the Communications Act.[6] By reclassifying broadband internet service under Title II the FCC has secured its own authority to strictly regulate almost every aspect of the broadband internet industry. Reaction from internet service providers in the cable and telecommunications industry was dour, and the order is expected to be challenged in court. This time, however, with internet service classified as a Title II utility, there is ample backing for the FCC’s legal authority to impose regulations as suggested by the court in the Verizon v FCC case.[7] Regardless of the eventual outcome of the anticipated court cases, the decision by the FCC to reclassify broadband internet to a Title II utility is widely considered the first step in maintaining a fair and open internet that all can take advantage of.[8]

It is critical to understand what the order will require and similarly what it will not. The FCC is required by the U.S. Congress to refrain from enforcing Title II regulations that are not in the public interest. It is within this spirit of public interest that the FCC press release stated that the following provisions of Title II regulations would not be enforced by the new order:

  1. There will not be any rate regulation for broadband internet services. This means that every provider is welcome to set their own pricing provided that they are not anti-competitive or gouging the market – both restrictions which were in place before the order.
  2. There is no change to Universal Service Fund contributions from broadband providers. This means that there will not be any new FCC imposed fees showing up on consumer’s internet service invoices. A Universal Service Fee for broadband is already under consideration by the FCC and is not impacted by this order.
  3. Internet service providers will not be required to perform “last mile unbundling” services. Currently telecommunications providers must lease out portions of their networks to competitors at wholesale pricing (set by regulation) to foster competition in the telecommunications industry. By not requiring network unbundling in the case of ISPs the FCC is removing the fear of sudden competition from the major internet service providers. They will be allowed, for the time being, to maintain their monopolistic grasp on the major service markets.
  4. Broadband access will remain free from taxation by local and state governments.

The order does the following:

  1. Gives the FCC authority to investigate and resolve consumer complaints made against broadband ISPs.
  2. Applies the core principles of anti-discrimination and no unjust or unreasonable practices or policies. ISPs cannot charge more or offer different levels of service based on any discriminatory practices and they must make their services available where reasonable to do so.
  3. Grants consumers greater privacy rights, restricting the information that ISPs can share with third parties about subscribers without the prior consent of the subscriber.
  4. Ensures that internet service providers that want to expand and grow their networks have fair access to the current utility infrastructure such as telephone poles and underground wiring conduits.

The order further imposes the following regulations that are separate from standard Title II regulation, but are allowed under Title II’s authority.

  1. ISPs may not block access to any legal content on the internet.
  2. ISPs may not throttle (slow down) legal content based on the type of content, application, service, or device – so long as the content is not harmful to the network.
  3. ISPs may not favor paid traffic over non-paid traffic. This is the ending of so-called fast lanes on the internet where some companies or consumers would pay to have their traffic prioritized over the traffic of those who could not afford or chose not to pay.

Finally, the order states that while ISPs can engage in practices that are necessary for reasonable network management, they cannot use network management as a guise for instituting anti-consumer policies such as artificial or arbitrary data caps on plans that were advertised and sold as “unlimited” bandwidth plans. ISPs have admitted that there is not a congestion problem on their networks and that the extra fees associated with the higher data users are not a cap – they are a method to lower prices for users who use lesser amounts of data in a billing cycle. Consumer advocates see these artificial caps as ways for ISPs to squeeze additional money out of consumers who were told they would have unlimited service. The order specifically states that any policies (including data capping or throttling) enacted for the purposes of network management must be reasonable, take into account the type of technology at issue, and cannot be instituted for a business purpose – such as attempting to profit from consumers who use more of the services they are already entitled to under their plan.

The FCC’s reclassification of broadband internet services to a Title II utility attempts to cement the FCC’s regulatory authority of internet communications – even with the light touch of all the regulations subject to forbearance. Only time will reveal the eventual impact on the internet service industry, however, the policies seem rooted in the desire to foster an open and free internet that exists as a communications and information vehicle for the common person, not just those who can afford to pay for fast lanes of unblocked traffic.

[1] Federal Communications Commission Order 10-201 (2010),  https://apps.fcc.gov/edocs_public/attachmatch/FCC-10-201A1_Rcd.pdf

[2] 47 U.S.C.

[3] John Blevins, Jurisdiction as Competition Promotion: A Unified Theory of the FCC’s Ancillary Jurisdiction, 36 FLA. ST. U. L. REV. 585 (2009).

[4] Verizon v. FCC, 740 F.3d 623 (D.C. Cir. 2014).

[5] Jon Brodkin, ISPs ‘secretly furious’ at Verizon, scared of stronger net neutrality rules, arstechnica.com, October 3, 2014, http://arstechnica.com/tech-policy/2014/10/isps-secretly-furious-at-verizon-scared-of-stronger-net-neutrality-rules/

[6] Federal Communications Commission, Press Release – FCC Adopts Strong, Sustainable Rules to Protect the Open Internet, February 26, 2015, http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db0226/DOC-332260A1.pdf

[7] See, Verizon, 740 F.3d. 623 (D.C. Cir. 2014).

[8] Haley S. Edwards, “FCC Votes ‘Yes’ On Strongest Net Neutrality Rules,” Time, February 26, 2015, http://time.com/3723722/fcc-net-neutrality-2/

Is Your TV Watching You?

By Adam Rouse

In Star Trek space explorers of the future talk to their spaceship’s computer to easily control nearly every function on the ship. Now, you can control your TV simply by talking to it.  Smart TV manufacturers are now integrating voice control and motion sensing controls into their products.  Simply tell your TV what you want to watch and the TV will tune in for you; make a downward motion with your hand and the TV will mute the sound.  Smart TVs can even learn your tastes and recommend shows when asked: “What should I watch tonight?”  With nearly 30% of American households projected to have a smart, internet connected, TV by the end of 2015, the ability for your home entertainment products to listen to you may raise some concerns: How is your TV able to listen to you? Can you tell when it is listening and not listening? And, most importantly, what does your TV do with all the information it hears that is not relevant to helping you find entertainment to watch?

As to the how, there are small sensitive microphones located in a smart TV and its remote control.  Presumably these devices are only listening to you when the TV is on, however there is no way to really determine when these devices turn on the microphones and eavesdrop on their users.  Samsung states that there is a microphone icon that appears on the TV screen when the device is set to a listening mode.  Samsung, in their global privacy policy, also warns: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Many media outlets have reported smart TVs’ transmission of voice data to a third party as unsettling and intrusive. Voice recognition is a computationally heavy task that is usually best performed by specialized computing devices. The computer inside of the TV simply does not have the required capabilities to perform speech-to-text translation without offloading the processing to a more powerful computer, usually in a data center. Because smart TV manufacturers do not have the necessary computers needed for voice recognition, the transmission of a user’s spoken words to a third party is essential to convert spoken words to commands the smart TV understands. Anyone who has used Apple’s Siri digital assistant or Android’s “OK Google” voice features has had their voice samples transmitted over the internet for processing in a specialized data center. While Google chose to keep its voice processing in house, Apple transmits voice cues spoken to Siri to Nuance – the same company that Samsung has chosen to use to process voice commands spoken to its TVs. Samsung has released a statement expressing that it adheres to industry standard encryption and data protection standards to protect its customers. Even so, it is probably best to avoid discussing finances, medical conditions, or other highly personal data while a smart TV is listening for a voice command.

The genuinely alarming issue with smart TVs in the homes of consumers is the potential security risk involved in having an internet-connected device with a camera and microphone, capable of taking video and recording audio without the user’s consent. Proof-of-concept hacks allowed security researchers to take over smart TVs and use them like a very expensive webcam. CK Privacy has published a paper on the dangers of webcams and remote access technology. The same dangers apply to smart TVs and other voice-controlled entertainment systems. With most interconnected devices, the end user has some control over the security of the device by being able to set a password, update the device with new security patches, or place it behind a home firewall. Smart TVs were not designed to be accessed remotely by the home user; thus there is no way to set passwords or increase security without relying on the manufacturer who produced the device to provide an update. Not only must the manufacturer produce an update, but the average consumer must know about and install the update for it to be of any use. Consumers must give feedback to the smart TV manufacturers demanding they fix the smart systems to be secure and to also encrypt their voice recording data that is required to be transmitted to Nuance or another third party for processing.

You can help protect yourself by ensuring that you have the latest firmware for your device:

  • Samsung owners can find the latest firmware for their smart TV here.
  • LG owners can find information about firmware and software updates here.
  • Sharp owners can download firmware updates here.
  • Sony owners can find information regarding firmware updates from Sony Support here.

Of course, a Post-it note placed strategically and securely over the camera on the TV and a thick piece of masking tape with some felt or other audio-dampening material over the microphone works just as well to stop prying eyes and ears.  It’s not the most aesthetically pleasing solution, but it is a definitive way to control what the camera and microphone see and hear.  Blinding and deafening your smart TV may reduce your chances of being overheard, but then again, it also eliminates all the advantages of voice and motion control.  Once again, consumers are going to have to research the manufacturers and purchase wisely or disable many of the features that make their TV smart in the first place.

This post originally appeared on CKPrivacy.org (archived link)

Step Aside, States?

By Erik Jones

In the fall of 2005, 44 state attorneys general came together to send a joint letter to Congress and share their concerns about a proposed federal law on data breach notification. Such letters are exceedingly rare, as state attorneys general come from competing political parties and states with varied interests. However, nothing brings state government officials together like a congressional effort to limit states’ power to assist their own residents. And that is just what Congress was doing.

At the time, a number of states had already passed their own data breach notification laws, or were in the process of doing so. The state laws were and are popular because they are based upon a simple but powerful argument. When a company suffers a data breach that includes consumers’ sensitive personal information, it should be required to inform the affected consumers so the consumers can quickly take steps to limit any potential fraud or identity theft stemming from the breached information.

In response to a growing number of data breaches in 2005, including an extensive and widely publicized breach suffered by a data broker named ChoicePoint, members of Congress were also pushing bills that would require companies to notify consumers when their sensitive personal information was subject to a data breach. The state attorneys general supported Congress’s effort, as many had championed the same law in their respective states. But to their disappointment, the legislation also included provisions that would nullify existing state laws on data breach notification and prevent states from passing additional laws on the matter in the future. When Congress does this, it’s known as pre-emption. The prospect of pre-emption alarmed the state attorneys general because of its potential negative impact for consumers.

I have now experienced both sides of this debate. I’ve worked at both the federal and state levels, and I’m currently an assistant attorney general for Illinois. And I share the concerns over pre-emption raised by those state attorneys general nearly a decade ago.

Thankfully, these fears have not yet been realized. Congress has failed to pass a data breach notification law, leaving state laws intact. This failure can be attributed, in part, to Congress’s own disagreement over pre-emption. But that may soon change, as the conditions might be right for data security legislation to move in this Congress. A rash of large, costly data breaches has galvanized public interest in the issue. One political party controls both the Senate and the House of Representatives. And President Obama has rightfully put the issue at the top of his agenda.

During a recent speech at the Federal Trade Commission, and again in the State of the Union this week, President Obama called on Congress to pass a national law on data breach notification. For Congress, the challenge will not be deciding whether to pursue such a law, which is widely supported. The difficult part will be determining the role states will play in data security moving forward.

In order to pass a national law on data breach notification, Congress will have to decide what to do about the 47 state laws on breach notification that have already been enacted—only Alabama, South Dakota, and New Mexico do not have laws requiring data breach notification. The president has argued for the need to end, in his wording, this “patchwork” of state laws. But such a move, if done incorrectly, could be a disaster for consumers.

The state laws on breach notification have been critical for consumers. They are the reason consumers were made aware of the significant data breaches that caught Congress’s attention in 2005. And they are the reason millions of consumers were notified of the payment card breaches that Target, Home Depot, and other large retailers suffered more recently. Without the state laws, companies would not have been legally obligated to notify their customers of the breaches.

In their letter to Congress in 2005, the state attorneys general made similar points, noting that “states have been able to respond more quickly to concerns about privacy and identity theft involving personal information, and have enacted laws in these areas years before the federal government.” The state attorneys general also looked to the future and predicted that pre-emption would interfere with “state legislatures’ democratic role as laboratories of innovation.” Time has validated their assertion.

Over the past decade, as states have developed expertise on the issue, they have also updated their laws to address problems and to adapt them to changes in technology. With the growth of cloud computing and e-commerce, Florida and California have included breaches of login information for online accounts as triggers for a notification requirement. In response to the increased use of fingerprint-reading software, Iowa, Nebraska, North Carolina, and Wisconsin have mandated notification if a breach of biometric information occurs. More than 30 states have enacted laws requiring companies to dispose of sensitive data securely, and a number of states are now requiring companies that handle sensitive personal information to develop reasonable data security practices to protect it.

States have also passed laws that require companies suffering breaches to provide notice directly to the state attorney general. Such a requirement, for example, has enabled California to maintain a website of data breaches affecting California residents, which any state resident can access. There are thousands of data breaches on the list. Some are national in scope, but most are local or regional in nature and not covered by the national media. The list helps ensure California residents have the opportunity to learn about the data breaches that have affected them.

If Congress had succeeded in pre-empting state law in 2005, it is likely that none of these protections would exist. States would have been precluded from enacting them. And given the difficulty Congress has had passing a simple data breach notification law, Congress would also likely have had a difficult time updating or expanding the law.

For four years I served in various capacities for the Senate Committee on Commerce, Science, and Transportation, while my boss, Sen. Jay Rockefeller, D-W.Va., was working to pass consumer protection legislation on data security and legislation to protect our nation’s most critical infrastructure from cyberattacks. Throughout my time with the committee, I had a front-row seat for the debate over pre-emption.

On one side were the consumer advocates, who were concerned that a weak national law, combined with pre-emption, would mean fewer protections for consumers. On the other side was the business community, which complained that meeting the requirements of nearly 50 separate laws on breach notification was inefficient and burdensome. At the time, I thought I understood the costs and benefits of pre-emption. I now know that I did not.

In 2013 I took a position working for Illinois Attorney General Lisa Madigan. Through it, I have experienced firsthand the important role states play for consumers. State attorneys general hear directly from the residents they serve on a daily basis. In Illinois, thousands of residents have asked our office for help with data security and identity theft. They have not asked that we step aside so that the federal government can handle it.

This year Attorney General Madigan will be proposing a number of updates to Illinois’ data breach notification law. These updates are based upon the lessons we have learned through our efforts to enforce our data breach notification law and consumer protection laws. It would be a shame if we were prevented from using these insights and pursuing these updates, which are designed to protect consumers, because of an overly broad pre-emption provision in federal law.

While a national law on data breach notification is long overdue and very much needed, a perverse outcome is possible, in which Congress pre-empts states and at the same time passes a weak notification law that provides consumers with notice of data breaches only when very specific conditions are met. If not narrowly tailored, a pre-emption provision could place a wedge between consumers and the very state agencies that serve them.

This piece originally appeared in Slate’s Future Tense section.

Erik C. Jones is the policy director and an assistant attorney general in the Illinois Attorney General’s Office and an Adjunct Professor at IIT Chicago-Kent College of Law.

This post also appeared on CKPrivacy.org (archived version)

A White House Invitation to Launch Precision Medicine

By Lori Andrews

President Obama at the launch of the Initiative

Last Friday, I was a guest at the White House for President Obama’s launch of the Precision Medicine Initiative. The goal of the Initiative is to sequence people’s genomes and read the nuances of their genes to determine how to prevent disease or more precisely treat it. The President illustrated how this would work by introducing Bill Elder, a 27-year-old with cystic fibrosis. Bill has a rare mutation in his cystic fibrosis gene and a drug was fast-tracked at the FDA to target that mutation. “And one night in 2012, Bill tried it for the first time,” explained President Obama. “Just a few hours later he woke up, knowing something was different, and finally he realized what it was:  He had never been able to breathe out of his nose before.  Think about that.”

When Bill was born, continued the President, “27 was the median age of survival for a cystic fibrosis patient.  Today, Bill is in his third year of medical school.”  Bill expects to live to see his grandchildren.

The Precision Medicine Initiative will involve sequencing the genomes of a million Americans.  Such a project would have been unimaginable if we hadn’t won the Supreme Court case challenging gene patents.  Prior to that victory, genetic sequencing cost up to $2,000 per gene due to patent royalties.  Now it will cost less than ten cents per gene.

Bill Elder at the White House event

The people who volunteer as research subjects for the project may expect cures for their own diseases.  But, even when genetic mutations are discovered, cures are a long way off.   “Medical breakthroughs take time, and this area of precision medicine will be no different,” said President Obama. And despite the fanfare surrounding genetics, researchers often find that environmental factors play a huge role in illness. At the same time the White House was preparing for the launch of the Precision Medicine Initiative, Stanford researchers and their colleagues across the globe were publishing a study in the January 15 issue of the prestigious journal Cell challenging the value of sequencing research.  Their study, “Variation in the Human Immune System is Largely Driven by Non-Heritable Influences,” tested sets of twins’ immune system markers.  The result: Nearly 60% of the immune system differences were based on the environment rather than genes.

Capturing environmental information about the million volunteers will involve invasions of their privacy as their health and behavior are categorized and quantified from every perspective. Their genetic data will be combined with medical record data, environmental and lifestyle data, and personal device and sensor data. If not handled properly, this data could be used to stigmatize the research participants or discriminate against them. Will they be properly informed of the risks in advance? Will sufficient protections be in place for their device and sensor data, which is often not covered by medical privacy laws such as HIPAA?

At the White House last Friday, President Obama said, “We’re going to make sure that protecting patient privacy is built into our efforts from day one. It’s not going to be an afterthought.” He promised that patient rights advocates “will help us design this initiative from the ground up, making sure that we harness new technologies and opportunities in a responsible way.”

Professor Andrews with Henrietta Lacks’ descendants at the White House

President Obama underscored that commitment by inviting members of Henrietta Lacks’ family to last Friday’s event. In 1951, Henrietta Lacks was dying of cervical cancer.  A researcher at Johns Hopkins University undertook research on her cells without her knowledge or consent (or that of her family).  Her immortalized human cell lines provided the basis for generations of research in the biological sciences, as well as research by commercial companies.  When her husband learned about it years later, he said, “As far as them selling my wife’s cells without my knowledge and making a profit—I don’t like it at all.”

A former Constitutional Law professor, President Obama is aware of the importance of people’s rights.  Let’s hope that his aspiration of an Initiative that guards research subjects’ autonomy and privacy will be honored by the scientists who will actually operationalize the $215 million project.

Improving Defenses: Data Breaches and Security Standards

By Richard Warner

The recent wave of massive data breaches shows that businesses holding sensitive data need to do a better job of protecting it. That has fueled renewed calls to give businesses an incentive to improve data security by promulgating industry or statutory standards. The irony is that the breaches also show that it is extremely difficult for standards—statutory or industry—to sufficiently improve security. Target, for example, complied with all relevant industry standards but was easily breached.

The problem runs much deeper than the usual concern about industry capture. To begin with, standards are often too specific, addressing just a few of the wide range of problems associated with contemporary network attacks. For example, Target’s point of sale systems were PCI (Payment Card Industry) compliant, but that provided no protection for the rest of Target’s complex network. Further, promulgated standards, no matter how wide reaching, are always behind the curve in the rapidly escalating war of network attack and defense. For example, PCI standards did not, at the time of the Target breach, require that credit card information be encrypted for the milliseconds it took to transfer it from the payment terminal to the network, so the hackers simply recorded the information at that point. Finally, standards are simply a roadmap for attackers. They just tell them what networks guard against and what they probably don’t.

So should we abandon the idea of using statutes or industry standards to give businesses an incentive to improve data security? That would almost certainly be a mistake since market incentives run the wrong way. Consumers have been unwilling to pay for the added value of security through slightly higher retail prices or credit card fees, and companies dependent on consumer sales don’t offer what consumers don’t want. Consumers end up paying even more to cover the high cost of data breaches, but that fact has not created any “pay more for security” reaction.

So the task is clear: formulate standards with sufficient detail to provide genuine guidance but with enough flexibility to encourage innovation and keep pace with rapid change. It is just the solution that eludes us.

This post was originally published on CKPrivacy.org (archived link)