2019 has been an eventful year for consumer privacy, both in a few key courts and state legislatures as well as in Silicon Valley.
An important decision by the Ninth Circuit Court of Appeals in August defended the ability of Illinois citizens to protect their biometric data. Meanwhile, a flurry of efforts by technology giants to weaken the California Consumer Privacy Act (CCPA) failed in the state legislature.
Amazon’s Ring doorbell appliance is making it easy for police departments across the country to obtain warrantless access to the front-door footage of millions of Americans. (In fact, we’re so upset about Ring that it gets it’s very own 2019 year-in-review post.)
Facebook’s follies in mishandling user data continued unabated this year with a number of disturbing dark patterns, and both Facebook and Google had their Apple Enterprise Certificates revoked when they were found to be using these certs to spy on iOS users.
Patel v. Facebook and the Illinois Biometric Privacy Act
The Illinois Biometric Privacy Act of 2008 (BIPA) is a foundational piece of legislation that provides important privacy safeguards for ordinary people against corporations that want to harvest or monetize their biometric information. Among other guarantees, BIPA requires the informed opt-in consent of users before a service is permitted to gather biometric information. BIPA also requires a company to destroy a person’s biometric information when its purpose for collection is satisfied, or within three years of the company’s last contact with the person, whichever is sooner. Importantly, BIPA provides a strong enforcement tool to protect these requirements: a “private right of action,” meaning a person may file their own lawsuit against a company that violates their privacy rights.
In 2015, Illinois residents filed Patel v. Facebook, which is a class-action lawsuit alleging that Facebook violated both of these requirements with it’s “Tag Suggestions” feature. This feature, introduced in 2010, uses a facial recognition system which suggests a tag for friends who appear in photos you upload. Facebook challenged the suit and over the next few years the case made it all the way up to the Ninth Circuit U.S. Court of Appeals, the federal appellate court where Facebook is headquartered. In August the Ninth Circuit held that the Patel plaintiffs had constitutional standing to sue Facebook for violating their statutory privacy rights under BIPA. The court also backed its decision with forceful language explaining the grave privacy threats posed by Facebook’s face surveillance. The Patel ruling marks a watershed victory in privacy law, and we hope will act as a template for stronger biometric privacy protections in the future. EFF has worked against efforts to weaken BIPA in the Illinois Legislature, and has filed amicus briefs in support of robust interpretation of BIPA, including in the Patel case.
Technology Giants Fail to Weaken The California Consumer Privacy Act
In 2018, we worked hard to pass the The California Consumer Privacy Act (CCPA), which enshrines basic rights for California consumers to have control over—and be informed about the sale of—their personal data. This year, we fought hard to defend and strengthen it.
In March, we submitted comments to the California Attorney General with suggestions on how to implement the CCPA, including using the “do not track” (DNT) header sent by browsers as a mechanism to opt-out of data sharing and using secure verification methods before informing users of the data that’s been gathered about them. In April, we supported efforts to advance two bills to strengthen the CCPA, including requiring consumer’s opt-in consent to share data, disallowing “pay-for-privacy” schemes that put a premium on protection of user data, and allowing individuals to bring their own privacy claims to court. Unfortunately, these efforts were met with significant opposition from technology industry trade association groups and stalled in the legislature.
In contrast, the big technology companies backed a number of bills that each would have weakened the CCPA’s protections, spending nearly $176,000 on the effort. Taken together, they would have effectively neutralized this groundbreaking privacy law. Fortunately, the efforts of our supporters and coalition partners paid off, and after sailing through the Assembly, the bills were stopped in July by the Senate Judiciary Committee. On January 1, 2020, the CCPA will take effect without having been undermined by the very companies it is meant to protect consumers from.
Still, it must be strengthened in order for those protections to be effective. In October, EFF joined a coalition of a dozen organizations in a new set of comments to the California Attorney General. These reiterated the recognition of DNT as an opt-out mechanism and requested a clarification that bans efforts of the adtech industry to evade the opt-out requirement. The California Attorney General is required to adopt regulations by July 2020 to further the law’s purposes, we hope our suggestions in these comments will be adopted.
This year has not been a good one for Facebook, and it has only itself to blame. Facebook’s 2019 has been marked by collecting copious amounts of user data without their consent and mismanaging that data. In the first month of 2019, Facebook was found to have been paying people to give up their privacy by installing an application that spies on them, doing this by having them install a root security certificate on their iOS device. This violation of Apple’s Enterprise Developer program prompted Apple to revoke the application and briefly Facebook’s Enterprise Certificate, causing some panic within the company.
In February, we demanded that Facebook stop using users phone numbers provided for the purposes of 2FA instead for advertising. In March, they continued their streak of privacy violations by allowing anyone to find your account via your phone number, by default. The company was found in March to essentially be running a phishing attempt to gather the email username and passwords of its own users, ostensibly to verify users’ email addresses. In our investigation of the attempt, we found that they were using this information to import and link users to their e-mail contacts without ever asking for user consent.
Also in March, Facebook announced a “pivot to privacy” that would include implementing end-to-end encryption in all three of its messaging properties. We were glad to see the company embracing privacy fundamentals, but we’ll believe it when we see it.
The FTC reached a settlement with the company this year over violations of a 2012 settlement order concerning the company’s deceptive statements about user privacy through its role in the Cambridge Analytica scandal, which violated the privacy rights of millions of Facebook users. We found the terms of the settlement completely unsatisfactory in limiting the privacy-invasive behavior of Facebook, and the monetary damages are not sufficient to dissuade them from the same behavior in the future.
Google’s year didn’t look much better. It was also found in violation of Apple’s Enterprise Developer program under the aegis of “user research” with their Google Screenwise application and had their certificates revoked in the same way. And much like Facebook, Google’s Screenwise was siphoning off massive amounts of user data in exchange for a monetary payback – this time a $20 gift certificate. It’s no understatement to call Screenwise a comprehensive spying app, capable of seeing anything on your screen—your application usage, the websites you visit—and even using an always-on microphone to determine what you’re watching.
The New York Times reported earlier this year on a little-known technique using location data collected by Google to let law enforcement know about devices in a specific location at a certain time. If you’ve allowed Google to store your location, you could be opening yourself up to so-called “reverse location” searches used by the FBI and police in at least 7 states across the country.
Lastly, in an August statement Google doubled down on the targeted advertising techniques it is so heavily involved in. As the number one tracker across the web, Google proposed its Federated Learning of Cohorts (FLoC), which essentially furthers the identification and categorization of users into categories useful not to their own browsing, but to advertisers. Introduced as a way to replace traditional tracking methods such as fingerprinting, FLoC replaces it with a formalized system, developed by Google, for tracking users into consumer profiles based on their browsing habits.
EFF’s Technology Projects
We’ve made strides in protecting users’ privacy through efforts to encrypt DNS requests with DNS over HTTPS. Your ISP can currently see which websites you visit through your DNS requests, which can be read as unsecured packets on the wire. This year we’ve redoubled our efforts to close this security hole and ensure everyone can use the Internet without fear of prying eyes.
What’s In Store for 2020?
In 2020, we’ll be working on legislative efforts to improve consumer privacy protections and ensure that any new federal legislation does not weaken state protections.
We’ll also be fighting hard for data portability, the ability to pick up and leave a service you don’t like with your data and “port” it to another service. And going one step further, we’ll also be pushing for adversarial interoperability, which envisions a world where the tools we use to communicate with each other, the data those tools use, and the ways that they are allowed to use them take place in a way that we are able to control.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2019.
Like what you’re reading? Support digital freedom defense today!