Table of Contents

Legislative Updates

A variety of lobbyist battles, legislative deaths and rebirths, as well as a presidential executive order all brought new changes to social media and online privacy realms this month.

Lobbying frenzy in wake of proposed EU privacy changes

Proposed changes to the EU Data Protection Regulation drew a variety of responses from privacy advocates amidst heavy lobbying from US companies against the initiatives. One proposed revision would create a “right to be forgotten” across all member states, requiring companies to delete a user’s data at their request. The proposals drew a variety of amendments, and advocacy group Europe v Facebook reported that 25% of the content of such amendments were directly copied from lobbyist papers. Additional criticism of the changes came from a US diplomat, who warned that if the proposals were passed, the resulting restrictions might provoke a trade war. These moves were preceded by statements from several privacy advocacy groups including the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), who wrote to various United States government officials, arguing that the United States should not hinder the EU’s privacy-strengthening regulation. Meanwhile, representatives for US IT companies argued that prescriptive regulation hinders innovation and economic development.

CISPA re-introduction draws privacy criticism

The Cyber Intelligence Sharing and Protection Act (CISPA) was re-introduced this month, unchanged from last year’s version that was passed in the United States House of Representatives, but defeated in the Senate after an outcry from “tens of thousands of concerned individuals”. The Act is designed to set up a streamlined system for the private sector to report cyber threat information to federal agencies. In response to the re-introduced bill, the EFF launched an online petition urging lawmakers to oppose it. Concerned privacy advocates claim the Act’s broad language would allow organizations to disclose their customers’ personal information to the US intelligence community with little transparency, and expressed dissatisfaction that no substantive changes were introduced in the latest version.

Obama cybersecurity executive order elicits diverse responses

US President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity” which calls for improved cybersecurity information sharing between private entities and the government while maintaining privacy and civil liberties protections. Other key demands include a call for a frameworks to reduce cyber risks to critical infrastructure, develop a cybersecurity program to protect said infrastructure, and identify the infrastructure at greatest risk. Michigan’s Chief Security Officer Dan Lohrmann writes that the executive order has elicited a wide range of reactions. For example, security expert Eugene Kaspersky praised the order as a step in the right direction in the wake of increased cyber attacks on critical infrastructure. In contrast to their response to CISPA, privacy advocates have generally praised the executive order for its attempt to protect security while not diminishing privacy. However, critics claim the order does not account for the complex network of existing security frameworks in place and fails to provide any concrete solutions to current problems.

Canadian Internet surveillance bill killed

Canada’s controversial Internet Surveillance Bill C-30 was killed by the Harper government earlier this month, about a year after the bill’s controversial introduction, which saw Canadian Public Safety minister Vic Toews disparage opponents of the bill as supporters of child pornographers. The bill would have required digital service providers to install equipment that enabled authorities to engage in real-time monitoring of the digital activities of customers without court authorization. Vocal opponents of the bill, including Ontario’s Information and Privacy Commissioner Ann Cavoukian and Vancouver-based Internet advocacy group, were delighted to see the bill’s demise.

Back to top

Personal Information & Obscurity

Facebook had a policy triumph in the wake of a challenge over German privacy law, while the inner workings of Google Play’s personal information disclosure to developers raised the ire of privacy advocates.

Facebook defeats German privacy challenge

Facebook defeated a legal challenge by a German privacy watchdog (ULD) over the social networking site’s policy that requires all users to register with their real names. While a ban on pseudonyms may breach German privacy law, the court ruled that as Facebook is technically headquartered in Ireland, the law did not apply. In response, a representative for the ULD argued that the ruling will encourage multinational tech companies to set up their headquarters in jurisdictions with the weakest data protection. While a unified online identity can be useful for commercial purposes, one commentator argues that pseudonyms reflect the nature of people’s fragmented online identities and help to encourage creative thought.

Google Play store provides user data to app developers

An Android application developer caused a stir when he revealed that Google sends him the email address, approximate location, and occasionally the full name of individuals who downloaded his application from the Play Store. A source familiar with Play Store operations claimed that this is intentional, and has always been their practice. As the Play Store was modelled on Apple’s App store, which does not disclose purchaser details to developers, critics are claiming that most users do not expect their personal information to be shared with anyone besides Google (whom purchasers may assume they are doing business with). Google’s main privacy policy is arguably broad enough to cover this type of sharing as being between “affiliates”, to whom personal information is provided.

Back to top

Cookies & Tracking

This month saw several notable developments in online tracking policy. These occurred in the diverse areas of international standards deliberations, web browser implementations, and social media user interaction design.

Will the Do Not Track standard resume development?

After development stalled due to bitter tensions between advertising industry and privacy advocates, the Do Not Track (DNT) web standard is said to be resuming its course, while others are less sure of its future. The working group in charge of the standard has reportedly agreed on a roadmap and several key requirements. The standard, which is already partially implemented in numerous web browsers, provides a way for browsers to inform servers that the user does not wish to be tracked. When the standard’s self-regulated development appeared to have stalled, the advocacy group Consumer Watchdog called on the Federal Trade Commission (FTC) to push for DNT legislation. While no proposed legislation has yet emerged, the resumed development does follow the release of the FTC’s mobile privacy report [PDF], which recommends an implementation of DNT for mobile browsers.

Firefox to block third-party cookies by default

Perhaps in response to the stalled Do Not Track development, an update to the popular Firefox web browser will see it blocking cookies from third-party URLs by default. This move will bring it in alignment with the Safari browser’s similar default setting. When a web browser displays a website, any cookies loaded from a different domain are treated as “third-party origin”. Typically, third-party cookies are used to track individuals across different websites and serve them ads tailored towards an interest profile, a practice known as Online Behavioural Advertising (OBA). Nevertheless, a web browser will still save third-party cookies if the browser visited that third-party in the past. Jules Polonetsky, a leading privacy expert, posits that the move may provide an opportunity for ad companies to be more explicit about how and why they track users, re-framing a practice that largely operates in the background.

Facebook re-targeted ads to adopt AdChoices icon

In response to pressure to be more transparent about its ad re-targeting program, Facebook is reportedly introducing the AdChoices icon to indicate when an advertisement is “re-targeted”, displayed to the user based on information collected about the his/her web browsing history. The disclosure is a step towards transparency, but is not an obvious one; the small icon will only appear alongside a re-targeted advertisement only after a user hovers over it. Jeffery Chester of the Center for Digital Democracy was not impressed by the move, arguing that merely informing users that an advertisement is targeted does not amount to disclosure of how that information is harvested in the first place.

Back to top

Read previous editions of Social Media CyberWatch.