As I look back on privacy developments in 2012, I’m not sure whether the more appropriate analogy is Sisyphus pushing a boulder up the hill, only to have it repeatedly roll back down on him, or to borrow from Judith Viorst and call it, “Privacy Advocacy and the Terrible, Horrible, No Good, Very Bad Year.” It certainly wasn’t a good year from my perspective…
But, But, It Started Off So Well in the Courts!
In January, the Supreme Court (SCOTUS) issued a ruling in United States v. Jones that attaching a GPS device to a car constitutes a search under the Fourth Amendment. They didn’t go so far as to say that it always requires a warrant, and they didn’t provide clear guidance on what might constitute an unreasonable search, but it was a start, and privacy advocates cherished the victory. But courts applied the ruling inconsistently across circuits, and the year drew to a close with the District Court for the District of Columbia sidestepping the warrant issue in United States v. Jones and ruling that the cell site location evidence in that case could be used under a good faith exception, even if a warrant was required. EFF has provided a nice roundup of other relevant court rulings here. Some of them are more encouraging than others, but we still still lack warrant standards and adequate protections.
Track Me Once, Shame on You. Track Me Twice, Shame on Congress
Having never harbored any hope that industry would ever adequately regulate itself, some of us looked to Congress to enact privacy and data protection for consumers. We looked in vain. Although President Obama proposed a Consumer Privacy Bill of Rights, The Gang That Couldn’t Legislate Straight accomplished nothing of note this year when it came to online tracking, collection, and use of our data. Indeed, when Microsoft grabbed the bull by the horns and announced that DNT would be its default setting in IE10, the ad industry responded as you might expect, and Apache went so far as to change their platform to willfully ignore IE10 settings. Members of Congress grabbed some popcorn, but did … nothing productive.
Problems with apps collecting and sharing personal information also made frequent headlines, with lawsuits quickly following. As the year drew to a close, I considered whether Venkat Balasubramani and I should start a betting service as to how quickly lawsuits get filed and dismissed. Don’t misunderstand: I think most of the lawsuits I’ve read deserve to get dismissed, but the sad reality is that here we are, a year later, and we still have no meaningful protections. Yes, we have Congressional inquiries and investigations, but action? No. The one exception that I can think of is Senator Franken’s bill to protect location privacy. It is oriented more to cyberstalking concerns, but it’s a start – if it even passes.
Email, Drones, Cars, and Domestic Surveillance
Another year passed and there is still no update to ECPA that would provide us with greater protection from warrantless searches. I hoped that the General Petraeus scandal would increase public awareness about the need to limit government searches, but Congress still balked on strengthening protections.
In 2012, drones took to the skies in increasing numbers, but there was no meaningful government regulations ensuring privacy. Police chiefs proposed their own code of conduct, and members of Congress introduced bills (e.g., this one by Rep. Markey), but we all know what happens to most bills, and the aviation industry is already pushing the FAA not to deal with privacy concerns.
It’s not just the eye in the sky we’ll need to watch out for in the future. The National Highway Traffic Safety Administration is pushing for all new cars to contain Event Data Recorders (or “black boxes”). And if Congress doesn’t enact the legislation, President Obama seems prepared to authorize it by executive order.
But perhaps the most infuriating story was that in a total abrogation of their oversight function, Congress reauthorized FISA for another five years without dealing with concerns that there is a “secret law” that permits the government to engage in more domestic surveillance than the law should seemingly permit. In the Senate, Ron Wyden, Mark Udall, Mike Lee, Jeff Merkley, and Rand Paul proposed amendments that would provide greater transparency and enable better oversight. Kicking civil liberties to the door, however, Dianne Feinstein denied that there was any secret law, waved the “Terrorists are coming! Terrorists are coming!” flag and moaned about how there wasn’t time to make changes before the law would sunset. Of course, the Senate had oodles of time to deal with these serious issues but chose not to – delaying any debate at all until right before the clock was running out. Shame on them.
To add insult to injury, just a few weeks ago, the Wall Street Journal revealed that Attorney General Holder had given the National Counterterrorism Center sweeping new powers to store dossiers on U.S. citizens – even if they are not suspected of any crime. Not surprisingly, the agency says it is subject to rigorous oversight. How did they get this one by everyone? It wasn’t hard, it seems. Two members of Congress wrote to the DOJ with some reasonable questions. They haven’t gotten a response yet. I’m sure Senator Feinstein is just fine with it all, though. After all, terrorists are out for us!
And speaking of terrorists, the Transportation Security Administration found itself in hot water with the court for blowing off a court order to hold public hearings. It seems that after wasting a ton of money and our time, TSA is quietly abandoning the “nude-a-trons.” But where was the genuine Congressional oversight and evidence of necessity and effectiveness before all the Security Theater? And if the TSA blows off a court order, why aren’t people in jail?
Meanwhile, Back at the Local Level…
A few cases and state proposals are worthy of note:
- A number of states proposed or enacted laws prohibiting employers and/or colleges from demanding social media logins from employees, applicants, or students.
- California continued to lead the way in state privacy laws, although Governor Brown vetoed (again) a bill to protect location privacy.
- California became the first state to sue over a mobile app privacy policy. The state sued Delta Airlines, alleging the company violated state law by not warning users that the airline is collecting sensitive information each time customers contact the company on its “Fly Delta” mobile application.
- Maryland enacted the first state law to try to prevent child ID theft.
Although states may be cracking down on employers demanding social media logins, not everything was rosy on the worker privacy front. Florida become the first state to enact a law allowing state agencies to be randomly drug test employees. Florida also keeps trying to drug-test welfare applicants and recipients, too.
Perhaps one of the most concerning developments this year was that more school districts started requiring students to wear RFID tags or to use biometric identifiers. One brave student in Texas is fighting back in the courts, though. And a district in Maryland abandoned its biometric program following public outcry.
What Breach Notification Law? Where?
We are still without any national breach notification law. A federal law would make it easier for entities to comply with notification, but it needs to be a strong law, and not the wimpy laws that have been proposed to date. Sadly, a satiric post I wrote in February 2007 still applies.
We are also without any national data security requirements. And although Congress squawked and thumped their chests over the TRICARE/SAIC breach in which over 4.9 million people had their details stolen from an employee’s unattended vehicle, SAIC continued getting government contracts and contracts in the health care sector.
As was the case in 2011, those whose privacy or data have been breached – whether by hackers, data leaks, or lost data – found little solace in the courts unless they could demonstrate actual (not potential) harm. The Supreme Court also set privacy advocacy back in March when it ruled in Federal Aviation Administration v. Cooper that someone whose medical information was shared by government agencies could not recover emotional damages under the Privacy Act.
The FTC Stands Up While Congress Sits Down
The one real ray of hope I saw this year was in FTC’s continued efforts to protect consumers. In 2012, they settled cases with Equifax for improperly selling consumer data, with MySpace for deceptive promises about privacy protection, with Google for hacking the Safari browser, with Facebook for sharing user data, with Compete for tracking, and with DesignerWare and rent-to-own companies for installing spyware on computers without consumers’ knowledge or consent. They also settled with Artist Arena over collection of minors’ information without parental consent, Epic Marketplace for history sniffing, and they strengthened and amended COPPA. As the year drew to a close, they sent inquiries to nine data brokers over their collection and use of our data. More power to them! I just wish they wouldn’t accept clauses such as “no admission of guilt” in their consent decrees, even though I understand why they do it.
Continuing their involvement in data breach-related litigation, the FTC also sued Wyndham over repeated security breaches, and settled with debt collector EPN, Inc., and Georgia auto dealer Franklin Budget Car Sales, Inc. after P2P incidents exposed consumer data. I think (but cannot be sure because of their nondisclosure policy) that they also opened a formal investigation into a complaint I filed against Experian, Inc. over their numerous breaches.
Not the Best of Years, Huh?
All in all, though, apart from the FTC’s actions, I wouldn’t consider 2012 a good year for privacy. And as I noted a few times during the year, EU data protectors seemed to get more concessions and protections from American businesses for their citizens than we get here.
Do Americans deserve any less privacy protection from American businesses than EU citizens do? I don’t think so.
As we get ready for 2013, we have a Very Big Boulder to start pushing up that hill again. I’d better make more coffee.
A previous version of this post incorrectly stated GPS evidence instead of cell site location data.
Image credit: Dreamstime