Embed Size (px)
Citation preview
Advancing Principled Data Practices in Support of Emerging Technologies
2017 ANNUAL REPORT
MISSION
VISION
WHO WE AREFPF brings together industry, academics, consumer advocates, and other thought leaders to explore the challenges posed by technological innovation and develop privacy protections, ethical norms, and workable business practices.
FPF helps fill the void in the “space not occupied by law” which exists due to the speed of technology development. As “data optimists,” we believe that the power of data for good is a net benefit to society, and that it can be well-managed to control risks and o�er the best protections and empowerment to consumers and individuals.
The mission of the Future of Privacy Forum is to serve as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies.
We believe that...
• technological innovation and new uses of data can help solve big societal problems and improve lives.
• technological innovation must be accompanied by fresh privacy thinking.
• it is possible to build a world where technological innovation and privacycan coexist.
• it is possible to reach consensus on ethical norms, policies and business practices to address new privacy challenges.
2017PRIVACYPAPERSFORPOLICYMAKERS24
252017ADVISORYBOARDANNUALMEETING
THEFPFTEAM4
TABLEOFCONTENTS
10-1112-1314-1516-1718-19
20-2122-23
34-56-8
99
24
25
2626
ABOUT Letter from LeadershipThe FPF Team Advisory BoardSupportersBy the NumbersISSUESBig DataConnected CarsEducationHealthInternationalLocation and Advertising Practices Smart CommunitiesEVENTSPrivacy Papers for PolicymakersAdvisory Board MeetingCapital-Area Academic NetworkTech Lab Open HouseFOUNDATIONFPF Education and Innovation FoundationSTATISTICSFinancials
27
24
2528-29
We are delighted to present the Future of Privacy Forum’s 2017 Annual Report. Since our founding nearly a decade ago, FPF has served as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. FPF brings together industry, academics, consumer advocates, and other thought leaders to explore the challenges posed by technological innovation and develop privacy protections, ethical norms, and workable business practices.
We pride ourselves on being positioned to help fill the void in the “space not occupied by law” which exists due to the speed of technology development. As “data optimists,” we believe that the power of data for good is a net benefit to society, and that it can be well-managed to control risks and o�er the best protections and empowerment to consumers and individuals.
With your intellectual engagement and financial support this past year, FPF played a leadership role on a wide range of privacy issues. Our team produced impactful reports, filings and best practices, convened stakeholder meetings and events, and helped shape policies and practices for industry, government, academia and civil society. We hope you find great value in the following pages that cover highlights of our work in areas such as big data, connected cars, education, health, international, location and advertising practices, and smart communities. We could not do this work without the committed stakeholders on our board, advisory board and corporate and foundation supporters. We look forward to our continued partnership and are excited about what lies ahead as we embark on our 10th Anniversary.
LETTERFROMFPF
LEADERSHIP
Jules Polonetsky Chris WolfFuture of Privacy Forum Chief Executive O�cer
FPF FOUNDER &BOARD PRESIDENT
27
3
4
DIRECTOR OF OPERATIONS
CHRISTAL SHRADER-SANDI
THE FPFTEAM
JULES POLONETSKYCHIEF EXECUTIVE OFFICER
LEADERSHIP
BOARD OF DIRECTORS
SANDRA HUGHESBOARD SECRETARY
DEBRA BERLYNBOARD TREASURER
MARY CULNANBOARDVICE PRESIDENT
ALAN RAULBOARD MEMBER
STAFF AND PERSONNEL
JOHN VERDIVICE PRESIDENT OF POLICY
BRENDA LEONGSENIOR COUNSELAND DIRECTOR OF STRATEGY
BARBARA KELLYLEADERSHIP DIRECTOR
MELANIE BATESDIRECTOR OF COMMUNICATIONS
KELSEY FINCHPOLICY COUNSEL
STACEY GRAYPOLICY COUNSEL
SARA COLLINSPOLICY COUNSEL
AMELIA VANCEPOLICY COUNSELAND DIRECTOR,EDUCATIONPRIVACY PROJECT
CHRISTOPHER WOLFFPF FOUNDER &BOARD PRESIDENT
5
LAUREN SMITHPOLICY COUNSEL
GABRIELA ZANFIR-FORTUNA
POLICY COUNSEL
JENN ABRAMSON
EVENT PLANNER
TERRY GRANTFINANCE AND OPERATIONSMANAGER
LINDSAY KEYSAREXECUTIVEASSISTANT
ERIKA ROSSCOMMUNICATIONSASSOCIATE
MONICA BULGERSENIOR FELLOW
DANIELLE CITRONLOIS K. RESEARCHPROFESSOR & PROFESSOR OF LAW,UNIVERSITY OF MARYLAND
HENRY CLAYPOOLLoyola Marymount University, Coehlo Center on Disability Policy
SENIOR FELLOWS
STANLEY CROSLEYSENIOR STRATIGIST, INFO. ACCOUNTABILITY FOUNDATION
MARY CULNANBOARD VICE PRESIDENT
LESLIE HARRISFOUNDER AND PRINCIPAL, HARRIS STRATEGY GROUP, LLC
FELLOWS
LINDSEY BARRETTPOLICY FELLOW
CHANDA MARLOWEPOLICY FELLOW
CARSON MARTINEZPOLICY FELLOW
TYLER PARKPROJECT FELLOW
OMER TENEVice President of Research and Education, International Association of Privacy Professionals
EVAN SELINGERPROFESSOR OF PHILOSOPHY, ROCHESTER INSTITUTEOF TECHNOLOGY
PETER SWIRENancy J. and Lawrence P. Huang Professor at the Scheller College of Business of the Georgia Institute of Technology
IRA RUBINSTEIN SENIOR LAW FELLOW, INFORMATION LAW INSTITUTE, NYU SCHOOL OF LAW
ADVISORY BOARDAlessandro AcquistiAssociate ProfessorHeinz College, Carnegie Mellon University
Nicholas AhrensVice President of Privacy and CybersecurityRetail Industry Leaders Association
Sharon A. AnolikPresidentPrivacy Panacea
Annie I. AntónProfessor of Computer Science and Chair of the School of Interactive ComputingGeorgia Institute of Technology
Justin AntonipillaiFounder and CEO, WireWheel.ioFormer Counselor to the Secretary of Commerce, Delegated Duties of Under Secretary for Economic A�airs
Jocelyn AquaPrincipal, Regulatory Privacy & CybersecurityPricewaterhouseCoopers
Jonathan AvilaVice President, Chief Privacy O�cerWal-Mart Stores, Inc.
Stephen BalkamChief Executive O�cerFamily Online Safety Institute
Kenneth A. BambergerThe Rosalinde and Arthur Gilbert Foundation Professor of Law, Co-Director of the Berkeley Center for Law and TechnologyUniversity of California, Berkeley School of Law
Kabir BardayChief Executive O�cerOneTrust
Malita Barkataki Privacy Compliance DirectorOath
Inna BarmashGeneral CounselAmplify Education, Inc.
Elise Berkower (1957-2017)Associate General CounselThe Nielsen Company
Nancy BellSenior Manager, External A�airsFiat Chrysler Automobiles (FCA)
Lael BellamyChief Privacy O�cerThe Weather Company/IBM Corporation
Alisa BergmanVice President, Chief Privacy O�cerAdobe Systems, Inc
Debra BerlynPresidentConsumer Policy Solutions
Andrew BloomChief Privacy O�cerMcGraw-Hill Education
Bruce BoydenAssistant Professor of LawMarquette University Law School
John BreyaultVice President, Public Policy Telecommunications and FraudNational Consumers League
Jill BronfmanProgram Director of Privacy and Technology Project at the Institute for Innovation Law, University ofAdjunct Professor of Law in Data PrivacyUniversity of California Hastings College of the Law
Stuart N. BrotmanHoward Distinguished Endowed Professor of Media Management and Law and Beaman Professor of Communication and InformationUniversity of Tennessee, Knoxville
Bill BrownSenior Vice President and Chief Information Security O�cerHoughton Mi�in Harcourt
Stephanie BrysonSenior Public Policy AssociateUber
J.Beckwith BurrDeputy General Counsel and Chief Privacy O�cerNeustar
Ryan CaloAssociate Professor of LawCo-Director of the Tech Policy LabUniversity of Washington School of Law
Sam CasticSenior Counsel, Director of Privacy, Risk ManagementNordstrom
Ann Cavoukian, Ph.D.Executive Director of the Privacy and Big Data Institute, Ryerson University
Mary ChapinChief Legal O�cerNational Student Clearinghouse
Danielle Keats CitronProfessor of LawUniversity of Maryland School of Law
Sheila ColclasureGlobal Chief Data Ethics O�cerAcxiom Corporation
Allison CohenManaging CounselToyota Motor North America, Inc.
Maureen CooneyHead of PrivacySprint Corporation
Barbara CosgroveChief Privacy O�cerWorkday
Lorrie CranorProfessor, Computer Science, Engineering, and Public PolicyCarnegie Mellon UniversityFormer Chief Technologist, Federal Trade Commission (FTC)
Mary CulnanProfessor EmeritusBentley University
Simon DaviesFounderPrivacy International
Alyssa Harvey DawsonGeneral CounselSidewalk Labs
Laurie DecheryAssociate General CounselLifetouch, Inc.
Michelle DemooyDirector, Privacy & Data ProjectCenter for Democracy & Technology
Michelle Finneran DennedyVice President, Chief Privacy O�cerCisco Systems, Inc.
Carol DiBattiste General Counsel & Chief Privacy and People O�cerComscore
Travis DoddChief Privacy O�cer and Associate General CounselAARP
Erin EganVice President & Chief Privacy O�cer, PolicyFacebook, Inc.
Keith EnrightDirector, Global Policy LegalGoogle, Inc.
Patrice EttingerChief Privacy O�cerPfizer, Inc.
Joshua FairfieldProfessor of LawWashington and Lee University School of Law
Denise FarnsworthChief Privacy O�cer and Senior Corporate CounselJazz Pharmaceuticals
Lindsey FinchSenior Vice President, Global Privacy & Product LegalSalesforce
Dona FraserDirectorChildren’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus
Teresa Troester-FalkChief Global Privacy StrategistNymity
Lori FinkSenior Vice President & Assistant General CounselChief Privacy O�cerAT&T Services, Inc.
Leigh M. FreundPresident & Chief Executive O�cerNetwork Advertising Initiative
Christine FryeSenior Vice President, Chief Privacy O�cerBank of America
Deborah GertsenLead Privacy CounselFord Motor Company
6
John GevertzChief Privacy O�cerVisa
John GodfreySenior Vice President, Public PolicySamsung Electronics
Eric GoldmanProfessor of LawCo-Director of the High Tech Law InstituteSanta Clara University School of Law
Scott GossVice President and Privacy CounselQualcomm, Inc.
Justine GottshallChief Privacy O�cerSignal
John GrantCivil Liberties EngineerPalantir Technologies
Kimberly GrayChief Privacy O�cer, GlobalIQVIA
Simon HaniaVice President, Privacy & SecurityTomTom
Ghita Harris-NewtonChief Privacy O�cer & Deputy General CounselQuantcast Corporation
Woodrow HartzogProfessor of Law and Computer ScienceNortheastern University School of Law
Ben HayesChief Privacy O�cerNielsen
Eric HeathChief Privacy O�cerAncestry
Rita S. HeimesResearch Director & Data Protection O�cerInternational Association of Privacy Professionals
Eileen HershenovGeneral CounselWikimedia Foundation
Beth HillGeneral Counsel & Chief Compliance O�cerFord Direct
Dennis D. HirschProfessor of Law; Director, Program on Data & GovernanceThe Ohio State University Moritz College of Law
David Ho�manAssociate General Counsel and Global Privacy O�cerIntel Corporation
Lara Kehoe Ho�manGlobal Director, Data Privacy and SecurityNetflix
Chris HoofnagleAdjunct Professor of LawFaculty Director, Berkeley Center for Law & TechnologyUniversity of California Berkeley School of Law
Jane HorvathSenior Director of Global PrivacyApple, Inc.
Margaret HuAssistant Professor of LawWashington and Lee University School of Law
Sandra R. HughesChief Executive O�cer and PresidentSandra Hughes Strategies
Trevor HughesPresident & Chief Executive O�cerIAPP (International Association of Privacy Professionals)
Brian HusemanDirector, Public PolicyAmazon.com, Inc.
Je� JarvisAssociate Professor & Director of the Tow-Knight Center for Entrepreneurial JournalismThe City University of New York, Graduate School of Journalism
Michael Kaiser Executive DirectorNational Cyber Security Alliance
Ian KerrCanada Research Chair in Ethics, Law & TechnologyUniversity of Ottawa, Faculty of Law
Cameron F. KerrySenior CounselSidley Austin LLP
Anne KlinefelterAssociate Professor of LawDirector of the Law LibraryUniversity of North Carolina
Michael C. LambGlobal Chief Privacy O�cerRELX Group
Yoomi LeeVice President, Enterprise Data StrategyAmerican Express
Peter Le�owitzChief Digital Risk O�cerCitrix Systems
Ari LevenfeldChief Privacy O�cerSizmek
Gerard LewisSenior Vice President & Deputy General CounselComcast Corporation
Harry LightseyExecutive Director, Global Connected Customer, Public PolicyGeneral Motors Company
Brendon LynchChief Privacy O�cerMicrosoft Corporation
Mark MacCarthySenior Vice President of Public PolicyThe Software & Information Industry Association
Knut MagerHead Global Data PrivacyNovartis Pharmaceuticals Corporation
Larry MagidPresident & CEOConnect Safely
Kirsten Martin, Ph.D.Assistant ProfessorStrategic Management and Public PolicyGeorge Washington University School of Business
Lisa MartinelliVice President and Chief Privacy O�cerHighmark Health
Michael McCulloughChief Privacy O�cer & Vice President, Enterprise Information Management and PrivacyMacy’s, Inc.
William McGeveranAssociate Professor of LawUniversity of Minnesota Law School
David MedineConsultant, Consultative Group to Assist the PoorFormer Chairman, Privacy and Civil Liberties Oversight Board
Carlos MelvinManaging Director, Global PrivacyStarbucks
Scott MeyerChief Executive O�cer, FounderEvidon, Inc.
Doug MillerVice President and Global Privacy LeaderOath, Inc.
John S. MillerVice President for Global Policy and Law, Cybersecuri-ty and PrivacyITI – Information Technology Industry Council
Ti�any L. Morris PallazoGeneral Counsel and Vice President of Global PrivacyLotame Solutions, Inc.
Alma MurraySenior Counsel, PrivacyHyundai Motor America
Kirsten MycroftGlobal Chief Privacy O�cerBNY Mellon
Jill Nissen, Esq.Founder & PrincipalNissen Consulting
Harriet PearsonPartnerHogan Lovells LLP
Bilyana Petkova Assistant Professor, International and European Law, Faculty of Law M aastricht U niversity
Peter PetrosGeneral Counsel & Global Privacy O�cerEdelman
Kalinda RainaHead of Global Privacy, Senior DirectorLinkedIn Corp
Katie RattéAssistant General Counsel, Privacy and Global Public PolicyThe Walt Disney Company
Alan RaulPartnerSidley Austin LLP
Joel R. ReidenbergStanley D. and Nikki Waxberg Chair and Professor of LawDirector of the Center on Law and Information PolicyFordham University School of Law
Amy ReitzGeneral ManagerHobsons
7
Neil RichardsThomas and Karole Green Professor of LawWashington University Law School
Susan RoholGlobal I ntellectual P roperty and Privacy Policy DirectorNIKE, Inc.
Mila Romano�Privacy & Data Protection Legal O�cerUnited Nations Global Pulse
Shirley RookerPresidentCall for Action
Michelle RosenthalSenior Corporate CounselT-Mobile, Inc.
Alexandra RossSenior Global Privacy and Data Security CounselAutodesk
Norman SadehProfessorSchool of Computer Science, Carnegie Mellon University
Alex Hoehn-SaricSenior Vice President, Government RelationsCharter Communications
Neal SchroederVice President Internal Audit, Corporate Business Ethics O�cerEnterprise Holdings
Corinna SchulzeDirector, EU Government Relations, Global Corporate A�airsSAP
Paul SchwartzJe�erson E. Peyser Professor of LawCo-Director of the Berkeley Center for Law & TechnologyUniversity of California Berkeley School of Law
Evan Selinger, Ph.D.Professor of PhilosophyHead of Research Communications, Community & Ethics at the Center for Media, Arts, Games, Interaction, and Creativity (MAGIC)Rochester Institute of Technology
Linda SherryDirector, National PrioritiesConsumer Action
Julia ShullmanSenior Director, Deputy General Counsel, Commercial and PrivacyAppNexus
Meredith SidewaterSenior Vice President and General CounselLexisNexis Risk Solutions
Dale SkivingtonVice President, Global Compliance and Chief Privacy O�cerDell, Inc.
Will SmithChief Executive O�cerEuclid, Inc.
Kim Smouter-UmansHead of Public A�airs and Professional StandardsESOMAR
Daniel SoloveJohn Marshall Harland Research, Professor of LawGeorge Washington University Law School
Cindy SouthworthExecutive Vice PresidentNational Network to End Domestic Violence
Gerard StegmaierAdjunct Professor, Antonin Scalia Law SchoolGeorge Mason University
Amie StepanovichU.S. Policy Manager, Global Policy CounselAccess Now
JoAnn StonierExecutive Vice President, Chief Information Governance & Privacy O�cerMasterCard Incorporated
Lior Jacob StrahilevitzSidley Austin Professor of LawUniversity of Chicago Law School
Zoe StricklandManaging Director, Global Chief Privacy O�cerJPMorgan Chase
Greg StuartChief Executive O�cerMobile Marketing Association
Lisa SullivanVice President, Deputy General CounselIntuit
Peter SwireNancy J. & Lawrence P. Huang ProfessorScheller College of Business, Georgia Institute of Technology
Scott M. TaylorAssociate Vice President & Chief Privacy O�cerMerck Privacy O�ce, Pulse x-U.S. Program, Animal Health & Global Functions Compliance
Omer TeneVice President, Chief Knowledge O�cerInternational Association of Privacy Professionals
Adam ThiererSenior Research Fellow, Mercatus CenterGeorge Mason University
Melanie TianoDirector, Cybersecurity and PrivacyCTIA-The Wireless Association
Anne TothHead of Data Policy, Center for Fourth Industrial RevolutionWorld Economic Forum
Catherine TuckerMark Hyman, Jr. Career Development Professor and Associate Professor of Management Science Massachusetts Institute of Technology
David C. VladeckProfessor, Georgetown University Law CenterFormer Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC)
Hilary M. WandallGeneral Counsel & Chief Data Governance O�cerTrustArc
Daniel J. WeitznerDirector and Principal Research ScientistMIT CSAIL Decentralized Information GroupFormer Deputy Chief Technology O�cer at The White House O�ce of Science and Technology Policy
Kevin WerbachAssociate Professor of Legal Studies & Business EthicsThe Wharton School, The University of Pennsylvania
Heather WestSenior Policy ManagerMozilla
Jan WhittingtonAssociate Professor, Department of Urban Design and PlanningUniversity of Washington
Christopher WolfOf CounselHogan Lovells
Nicole WongPrincipalNWong Strategies
Christopher WoodExecutive Director & Co-FounderLGBT Technology Partnership
Heng XuAssociate Professor, College of Information Sciences and TechnologyThe Pennsylvania State University
Karen ZachariaChief Privacy O�cerVerizon Communications, Inc.
Elana ZeideAssociate Research Scholar, Center for Information Technology PolicyPrinceton University
Michael ZimmerAssociate ProfessorDirector of the Center for Information Policy ResearchSchool of Information StudiesUniversity of Wisconsin, Milwaukee
This list is current as of May 2018. Please contact us with any updates or discrepancies.
8
SUPPORTERS23andMe2U, Inc.AARPAcxiomAdobeADTAislelabsAlliance of Automobile ManufacturersAmazon.comAmerican ExpressAmplify Education, Inc.AncestryAnonos, Inc.AOLAppleAppnexusArtsoniaAtomite, Inc.AT&TAutodesk, Inc.Bank of AmericaBlackboardBNY MellonCatalina MarketingCengageCharter CommunicationsCisco Systems, Inc.CitigroupClassDojo
Cloud4WiColgate PalmoliveComcastcomScoreConsumer Technology Association (CTA)Cooley LLPCox CommunicationsCriteoCTIADellDigital MortarEAEdelmanEdmodoEnterprise HoldingsEpsilonESOMAREuclid AnalyticsEvernoteFacebook Fiat Chrysler AutomobilesEvidonGlobal AutomakersGoGuardianGoogleGraduate Management Admission CouncilHelix
HEREHID GlobalHigiHobsonsHogan LovellsHoughton Mi�in HarcourtHyundaiInflectionIntelInternational Biometrics & Identification Association (IBIA)Information Technology Industry Council (ITI)International Association of Privacy ProfessionalsInternet of Things ConsortiumIntersectionIntuitIQVIAJazz PharmaceuticalsJPMorganKnewton, Inc.Lifetouch, Inc.LinkedInLockheed MartinLoeb & Loeb LLPLotameLyft
Macy’s, Inc.Marketo, Inc.MasterCard WorldwideMaxPointMcGraw-Hill EducationMeasurenceMerck and Co., IncMicrosoftMobile Marketing AssociationMozillaNetwork Advertising InitiativeNational Student ClearinghouseNautoNetflixNeustarNike, Inc.Nordstrom, Inc.Novartis Pharmaceuticals CorporationNymityOneTrustOtonomoPalantir TechnologiesPearsonPrecisionHawkPricewaterhouseCoopersPfizer, Inc.
PrivoPrudentialPurple WiFiOathQualcommQuantcastRadius NetworksRadiolocusRELXRetail Industry Leaders AssociationRetailNextReveal MobileRopes & Gray LLPSalesforceSamsung ElectronicsSAPShoppertrakSidewalk LabsSidley Austin LLPSignalSizmekSlackSnapSoftware & Information SprintStarbucksStreetLight DataIndustry AssociationSonos
SunovionSprintStarbucksStreetLight DataT-Mobile USA, Inc.TaboolaThe Nielsen CompanyThe Walt Disney CompanyThe Weather CompanyIBM CorporationTomTomToyotaTrustArcUber Technologies, Inc.UnitedHealth GroupVerizonVisa Voyager LabsWalMart Stores IncWestfieldWilson Sonsini Goodrich & Rosati, Professional CorporationWorkdayYelpYodleeZeotapZwillGen PLLCZynga
NUMBERSBYTHE
158 27158 CORPORATE SUPPORTERS
4022 3815 8
40ACADEMICS
22ADVOCATES
15FULL TIMESTAFF
4 POLICY FELLOWS
59%CORPORATE FUNDING
38%FOUNDATION GRANTS
9
27 NEW CORPORATESUPPORTERS
8SENIORFELLOWS 4
59
Corporations
FoundationsAlfred P. Sloan Foundation
Bill and Melinda Gates FoundationCenter for Democracy and Technology
Chan Zuckerberg Initative
Comcast Innovation FundDigital Trust FoundationNational Science FoundationStanford Center on Philanthropy and Civil Society
BIG DATA
FPF has pursued a combination of practical strategies and high-level thought leadership to address new opportunities and privacy risks presented by novel uses of personal information. FPF has centered its big data work on de-identification and data research ethics. FPF is also pursuing new work related to the benefits and risks of algorithmic decision-making and artificial intelligence.
ABOUT
Understand Corporate Data Sharing Decisions
FPF released Understanding Corporate Data Sharing Decisions: Practices, Challenges, and Opportunities for Sharing Corporate Data with Researchers. In this report, we reveal findings from research and interviews with experts in the academic and industry communities.Three main areas are discussed:1. The extent to which leading companies make data available to support published research that contributes to public knowledge; 2. Why and how companies share data for academic research; and 3. The risks companies perceive to be associated with such sharing, as well as their strategies for mitigating those risks.
Unfairness By AlgorithmFPF released Unfairness By Algorithm: Distilling the Harms of Automated Decision-Making. Analysis of personal data can be used to improve services, advance research, and combat discrimination. However, such analysis can also create valid concerns about di�erential treatment of individuals or harmful impacts on vulnerable communities. This report identifies, articulates, and categorizes the types of harm that may result from automated decision-making. To inform this e�ort, we reviewed leading publications on the topic of algorithmic discrimination and worked with a diverse community of subject matter experts. We distilled both the harms and potential mitigation strategies into two charts. In addition to presenting this document for consideration for the FTC Informational Injury workshop, we anticipate it will be useful in assessing fairness, transparency and accountability for artificial intelligence, as well as methodologies to assess impacts on rights and freedoms under the EU General Data Protection Regulation.
We hope that the impressions and insights gained from this first look at the issue will help formulate further research questions, inform the dialogue between key stakeholders, and identify constructive next steps and areas for further action and investment.
11
CONNECTEDCARS
Mobility-related technologies are evolving rapidly, transforming the safety and convenience of transportation in increasingly connected and autonomous vehicles. Many innovative features are enabled by the collection of new types of data, putting the topic of privacy in connected cars on the agenda of industry, policymakers, and regulators. Advancing sensible practices is essential to ensure that the collection and use of this data is responsible, thoughtful, and communicated e�ectively to consumers.
ABOUT
DATA and theCONNECTED CAR
Today's connected technologies are making transportation safer and more convenient. Many new features are enabled by the collection and
TOLL BOOTHCARMAKER
THIRDPARTIES
EMERGENCYSERVICES
SATELLITEOTHER CAR(V2V)
TRAFFIC LIGHT (V2I)& LICENSE PLATE READER
FPF.ORG
Produced by
A growing number of entities receive and transmit data through the connected vehicle ecosystem
DATA RECEIVERS
TYPES OF DATA
CELLULAR
NON-CELLULAR
WIRELESS CONNECTIVITY
LOCATIONVEHICLE& SAFETY
ACCOUNT
BLUETOOTHWIFIDSRC RADIOSATELLITE/GPSSHORT RANGE RADIOSHORT RANGE RADAR
DRIVERdriver physical characteristics
or how a person drives a vehicle:
braking habits
precise geographic location of
a vehicle
functioning
including maintenance
and operations
personal accounts
established by vehicle
owner
Version 1.0
EVENT DATA RECORDER: black box with accident data
TIRE PRESSURE SENSORS: short
to radio receiver
TELEMATICS CONTROL UNIT (TCU): interconnects CAN Bus and external systems
DSRC RADIO: vehicle to vehicle and vehicle to infrastructure communication
CAN-BUS: internal communication bridge between Electronic Control Units
AUTONOMOUS VEHICLE IMAGING AND SCANNING:
THIRD PARTY MONITORING DEVICE:
device communicates
License Plate
CRASH DATA RETRIEVAL UNIT: extracts EDR data
USB PLUG-IN: connects via USB port for power or data transfer
TOUCH SENSORS: detects driver fatigue through
SIM CARD: connectivity point for transmitting onboard information
VIN NUMBER:
GPS UNIT: uses satellite to
navigation
VEHICLE SERVICES:
and preventative maintenance reminders
ELECTRONIC TOLL COLLECTION SYSTEM: transponder sends ID via radio
OBD-II PLUGIN:pulls data from
own location or movement data
OBD-II PORT:interface to driving and operational data
WIFI NETWORK:
internet access
INFOTAINMENT SYSTEM: access entertainment and navigation apps
CABIN MONITORING SYSTEM: e.g. monitors eye movement to measure attention
RFID VEHICLE TAG: enables
tracking
KEY FOB: supports keyless entry
PHONE- PROJECTING SOFTWARE: mirrors apps from smartphone
SMART PHONE: connects to car via
Data and the Connected Car Infographic
FPF released an infographic, Data and the Connected Car – Version 1.0, describing the basic data-generating devices and flows in today’s connected vehicles. The infographic will help consumers, policymakers, and businesses understand the emerging data ecosystems that power incredible new features in today’s cars—features that can warn drivers of an accident before they notice it, or jolt them awake if they fall asleep at the wheel.
TEDxWilmingtonSalon: Who’s in the Driver’s Seat?
Lauren Smith presented at the TEDx Wilmington Salon, Who’s in the Driver’s Seat? The Transformation of Transportation. The TEDx included an exciting line-up of the leading voices in the connected car space, including FTC Commissioner Maureen Ohlhausen. Lauren’s talk was titled, What’s Driving the Connected Car? Data, It Turns Out, and emphasized the importance of responsible data management in autonomous vehicles. FPF sta� and friends gathered at our o�ces in Washington, DC to watch Lauren’s presentation. She explained: “I am going to argue that in a world where 94% of car crashes are caused by human error, the case is so much stronger for opting in and sharing data with your car than even your phone—something we have all already chosen to do. As with smartphones your car will need to collect information, and sometimes send it, in order to enable these features. And as with smartphones, the companies involved will need to safeguard your privacy in order for you to use and trust the technology. The truth is that yes, your car will be learning more about you, but what it learns may save your life.”
13
EDUCATION
FERPA | Sherpa
FPF believes that there are critical improvements to learning that are enabled by data and technology. The use of data and technology in K-12 and Higher Education is not antithetical to protecting student privacy. In order to facilitate this balance, FPF equips and connects advocates, industry, policymakers, and practitioners with substantive practices, policies, and other solutions to address education privacy challenges.
The FPF Education and Innovation Foundation (EIF) and the Data Quality Campaign relaunched FERPA | Sherpa. Named after the core federal law that governs education privacy, FERPA | Sherpa is the one-stop shop for all education privacy resources. The website includes sections specifically tailored for various audiences, including students, educators, higher ed, ed tech companies, and policymakers; a chart of all
state student privacy laws passed since 2013; a searchable resource bank with over 450 education privacy resources; and blogs from stakeholders. You can visit FERPA|Sherpa at www.ferpasherpa.org.
ABOUT
Law Enforcement Access to Student Records
We released Law Enforcement Access to Student Records: A Guide for School Administrators & Ed Tech Service Providers. This publication helps to answer some of the basic questions raised by key stakeholders about law enforcement access to data. The publication emphasizes issues that schools and third-party service providers must consider before disclosing student data in response to law enforcement requests.
FTC: Student Privacy and Ed Tech Workshop
In December 2017, the FTC and the U.S. Department of Education hosted a workshop on student privacy and ed tech. The workshop was intended to clarify how both departments can protect student data and ensure student privacy as ed tech in schools advances and expands. Amelia Vance, Policy Counsel and
Director, Education Privacy Project at EIF, spoke at the event, presenting on state laws and participating in the panel “Where Do We Go From Here.” Amelia addressed the importance of safeguarding student data while implementing technology in the classroom, outlined the landscape of student privacy concerns, and described trends in state student privacy laws.
15
HEALTH
Healthcare technologies are rapidly evolving, producing new data types and innovative data uses. Data and technology can bring significant enhancements to the healthcare system, deepen patients’ and consumers’ engagement, and help to improve health outcomes. It is critical to analyze how sensitive health and wellness data a�ects individual privacy and understand what it means for doctors, researchers, and companies to responsibly use such data.
ABOUT
FPF-IAF Joint Health Initiative
FPF convened a Genetics Working Group, which consists of leading direct-to-consumer genetics companies in 2017, to develop Privacy Principles for Genetic Data. These Principles provide a privacy policy framework for the collection, protection, sharing, and use of genetic data through tests that are marketed directly to consumers by private companies. FPF is continuing to develop these Principles in 2018, incorporating input from a wide range of stakeholders including advocates, regulators, and organizations.
Genetics Working Group
FPF partnered with the Information Accountability Foundation (IAF) to form the FPF-IAF Joint Health Initiative in December 2017. The Initiative convenes leading stakeholders to better understand the health data ecosystem by mapping the stakeholders in the field and data flows between them, and creating a common taxonomy of data types. This project seeks to analyze novel data use cases and identify opportunities and challenges to data sharing. The Initiative’s work continues in 2018 to develop maps and deliverables.
Disability Data Privacy FPF partnered with the Comcast Innovation Fund in 2017 to explore the promise and privacy implications of the Internet of Thing when used by persons with disabilities. FPF is working in 2018 to convene stakeholders for another dialogue and create a white paper to document the range of areas where data and technology o�er benefits to persons with disabilities, how the disability community may have di�ering views of how data and technology may be used to support their needs and goals, and the circumstances in which users with disabilities may need enhanced or alternative privacy protections.
17
FPF-IAF Joint Health InitiativeFPF sponsored the Refining Privacy to Improve Health Outcomes Symposium on October 26-27, 2017 in Durham, NC. The event - also sponsored by Intel Corporation, IAF, Center for Democracy, University North Carolina at Chapel Hill, and Duke University, Triangle Privacy
Research Hub - brought together leading experts in the fields of privacy, medicine, and data science to discuss how new technologies and data sources can improve health outcomes, while protecting individual privacy. The goal of the event was to propose specific law, policy, and practice changes to promote the more e�ective use of data for health research.
INTERNATIONALLAW & REGULATION
19
Around the world, policymakers are focusing on ways to improve privacy frameworks. More than 120 countries currently have a privacy or data protection law. Significant developments are taking place in the European Union, with the General Data Protection Regulation becoming applicable in May 2018 and a framework for ensuring the privacy of electronic communications currently under consideration. These developments have an impact on US based organizations that conduct business in the EU, even if they do not have an establishment there.
ABOUT
European Updates Newsletter and FPF Europe Community
FPF, the Internet Privacy Engineering Network (an initiative of the European Data Protection Supervisor), University of Leuven CS Department, and Carnegie Mellon University co-organized a workshop on Privacy Engineering Research and the GDPR: A Trans-Atlantic Initiative at the University of Leuven. With this event, we aimed to determine the relevant state of the art in privacy engineering; in particular, we focused on those areas where the “art” needs to
be developed further. The goal of the trans-Atlantic privacy engineering workshop was to identify open research and development tasks, which are needed to make the full achievement of the GDPR’s ambitions possible.
The Annual Brussels Privacy Symposium The 2017 Symposium, titled AI Ethics: The Privacy Challenge, focused on developing ideas that address the ethical challenges associated with the new capabilities Artificial Intelligence technologies present for democratic institutions, human autonomy, and the social fabric of our society. This academic workshop discussed ways to harness the power of AI and machine learning to better protect individuals’ privacy and security, helping consumers to navigate complex sociotechnical architectures in smart cities and homes, transportation systems, financial transactions, and content platforms. Papers addressed areas such as algorithmic due process and accountability, fairness and equity in automated decision making, societal implications of autonomous experimentation and leveraging AI to enhance privacy.
In 2016, we began to send out “European Updates” Newsletter to a small group of FPF members and friends. That was the first step of building an engaged community among FPF members interested in developments of the privacy and data protection law and policy in the European Union. Around 40 “European Updates” Newsletters were sent throughout last year to a group that now has close to 300 members. We also organized two breakfast events, one in Washington, D.C. and one in San Diego to discuss practical GDPR implementation challenges.
Engaging Regulators Worldwide
Transatlantic Privacy Engineering
FPF and the Information Accountability Foundation (IAF) co-hosted an o�cial side event at the International Conference of Data Protection Commissioners in Hong Kong. The discussion centered around Artificial Intelligence, Machine Learning and Ethical Applications.
LOCATION &ADVERTISING
PRACTICES
Addressing the privacy issues related to advertising technology and online tracking has been a key focus since FPF’s founding. Increasingly, the mobile advertising space, geo-location tracking, and indoor positioning technologies are at the forefront of online data management, retail, and new consumer o�erings. Thus it is not surprising that regulators, industry leaders, and advocates are all taking a hard look at questions about how to appropriately collect and handle consumer data for advertising, location-based targeting, and audience measurement. FPF continues to work with policymakers, advocates, media, and other business stakeholders to support leading privacy practices for the use of location data.
ABOUT
Microphones & the Internet of Things
21
FPF and the Information Accountability Foundation (IAF) co-hosted an o�cial side event at the International Conference of Data Protection Commissioners in Hong Kong. The discussion centered around Artificial Intelligence, Machine Learning and Ethical Applications.
The Wiretap Act, 18 U.S. Code § 2511Federal Sectoral Laws for Sensitive Contexts or Populations, such as the Children’s Online Privacy Protection Act (COPPA) or Health Insurance Portability and Accountability Act (HIPAA)Federal Trade Commission (FTC)’s Section 5 Enforcement AuthorityState Unfair & Deceptive Practices (UDAP) LawsState Anti-Surveillance StatutesCivil Tort Remedies for Invasion of Privacy
In a rapidly changing environment, trust is critical for developers seeking to innovate. Key privacy considerations include:
Data Security — regardless of how a device is activated, if the data being transmitted is sensitive (e.g. voices or data from inside the home), strong security is paramount. Product developers should design for technical safeguards, such as: limiting microphone sensitivity and range to
Prominent Visual and Audible Notice — keeping in mind that users may not be comfortable with uses of their device’s microphone related to detection of acoustic events or ambient noise if they are not aware of those uses or how they work. Access to Information — companies should make it easy for users to access and delete their information, and be transparent about any third-party disclosures, including government requests for access. Content vs. Metadata — although fewer legal protections exist for metadata, companies should be aware of how patterns of use for home devices can be revealing and take steps to mitigate possible privacy risks.
FOR MORE, VISIT FPF.ORG
Understanding Uses of Audio Sensors in Connected Devices
Device transmits data 100% of the time on a standalone basis, and
further processing occurs externally.
ACTIVATION: Manual, Always Ready, or Always On?By their method of activation, consumer devices can be categorized as manual, always ready, or always on. In the past, most recording devices could be considered either on or off. Many new voice-based home assistants today can be considered “always ready” because they do not begin transmitting data off-site until they detect a wake phrase.
ME
TH
OD
OF
AC
TIV
AT
ION
BE
NE
FIT
S
DATA TRANSMITTED
After a device is activated, it may sometimes transmit the full range of audible sounds (including voices), for example to enable cloud-based speech-to-text translation. However, other devices may not send audio at all, but instead may use the microphone to detect patterns and transmit other information about the user’s environment.
LEGAL PROTECTIONS
grapple with the limitations of constitutional protection for data sent outside the home. Current applicable laws in the United States include:
Microphones & the Internet of Things
ALWAYS ON
• enabling physical security for people and property
• child safety
AUDIO RECORDINGS
Examples: Home security systems; CCTV; Body-worn cameras;
Baby monitors
MICROPHONES are devices that convert sound waves (acoustic energy) into electrical signals, dating back over 100 years. In the last five years, the “voice first revolution” has brought new uses of microphones as sensors into the Internet of Things (IoT). In order to enable the benefits of new voice-based services while protecting data privacy, this infographic attempts to explain the range of possible uses of microphones in consumer devices.
Produced by
August 2017
Device begins transmitting audio externally when a button or switch
is pressed or held down.
MANUAL
• ability to prevent unauthorized access through a hardware-linked microphone
• avoids unintentional activation
Examples: Smart TVs (some); Mattel’s Hello Barbie
DIAPHRAGM
AUDIO SIGNAL
SOUND WAVES
Device processes locally to detect a “wake phrase*” which wakes/triggers the device to begin transmitting data.
ALWAYS READY
• convenience of verbal activation• accessibility for users with physical limitations,
e.g. mobility or visual impairment• contextual responses, e.g. a home security system
that alerts the owner and begins transmitting data when it detects a noise
Examples: Smart TVs (some); Home Assistant Devices, e.g. Google Home, Amazon Echo
*Familiar wake phrases include: “Hey, Siri” “OK, Google,” “Hey Cortana,” and “Alexa”
DRAFTNON-AUDIO
Infrasonic Human Hearing Ultrasonic
20 Hz 20,000 Hz (20 kHz)
Cello(lowest note)
Average Human Voices
CRT Television RunningFlute
(highest note)
PATTERN RECOGNITION
Devices sometimes do not need to transmit audio recordings at all, but might use e�cient local processing to detect
sound patterns and convey data related to those patterns. For example, a city sensor might alert law enforcement when
a “gunshot” pattern is detected.
METADATA
Data about when and how a device is used is known as “metadata,” and may include, e.g., times and lengths of audio
recordings, or where the recording took place. This data may not be as sensitive as a recording’s content, but may
nonetheless be revealing. For example, the times of day when a device is used may indicate when a person is typically at home.
AUDIBLE TO HUMANS
Most microphones only detect sounds within the normal range of human hearing to
enable, e.g., voice commands, speech-to-text translation, or music recognition. Depending
on the sensitivity, the microphone might also detect unintended background noises (such as
dogs barking, or tra�c sirens).
SPECIALIZED RANGES
Sophisticated microphones might sometimes be designed to capture only certain ranges of audio data, such as very low or very high (even inaudible) sounds. For example, a microphone
could be designed to detect a hummingbird’s wings or a dog whistle.
(positions are approximate)
Microphones in home devices — and increasingly, in city sensors and other out-of-home systems — have continued to generate privacy concerns. This has been particularly notable in the world of children’s toys, where the sensitivity of the underlying data invites heightened scrutiny. Yet voice-first interfaces may one day represent the “normal,” default method of interacting with many online services and connected devices, from our cars to our home security systems. In this Infographic, based on FPF's earlier white paper Always On: Privacy Implications of Microphone-Enabled Devices, we recommend that policymakers understand the wide range of ways that these devices can operate, and consider legal protections that are appropriate and relevant to: (1) how the device is activated; (2) what kind of data is transmitted; and (3) existing legal protections that may already be in place.
Seeing the Big Picture on Smart TVsIn order to better understand the privacy and security issues raised by Smart TVs, we had the opportunity to informally review the policies and user interfaces of 2017 models from three leading manufacturers: Sony (which uses the Android TV interface), LG, and Samsung. Overall, the industry for Smart TVs and Smart TV data, much like the broader “Internet of Things” ecosystem, is relatively nascent. In the absence of baseline privacy legislation that would provide minimum standards for
commercial collection and use of personal information, there is little consensus or consistency between di�erent TV manufacturers about the appropriate ways to collect and use data. Independent trusted organizations will likely play a key role in addressing these challenges in years to come.
Location & Privacy: What Marketers Must Know FPF Policy Counsel Stacey Gray spoke at the 2017 Local Search Association’s Place Conference. The Place Conference is a day long event covering location intelligence, o�ine analytics, and proximity marketing. In her presentation, Stacey discussed the rules and practices brands and marketers must get right about location.
SMART COMMUNITIES
Open Data Risk Assessment for the City of Seattle
Working collaboratively with public, private, and civil society leaders, FPF is developing best practices to guide how cities and local communities collect, manage, and use personal data to improve services for citizens. FPF and its Smart Cities Working Group seek to promote fair and transparent data uses, provide practical guidance to help local governments navigate complicated privacy-related issues, and help individuals better understand and engage with data-driven programs in their communities.
ABOUT
Model Open Data Benefit-Risk AnalysisTo address inherent privacy risks in the open data landscape, the Assessment includes a Model Open Data Benefit-Risk Analysis, which evaluates the types of data contained in a proposed open dataset, the potential benefits – and concomitant risks – of releasing the dataset publicly, and strategies for e�ective de-identification and risk mitigation.
FPF created its Open Data Risk Assessment for the City of Seattle. This Report provides tools and guidance to the City of Seattle and other municipalities navigating the complex policy, operational, technical, organizational, and ethical standards that support privacy-protective open data programs.
23
NITRD’s Smart Communities Federal Strategic PlanFPF submitted comments regarding the National Coordination O�ce for Networking and Information Technology Research and Development’s (NITRD) Request for Comment on the Draft Smart Cities and Communities Federal Strategic Plan, published in the Federal Register on January 9, 2017. FPF commended NITRD for its forward-looking guidance and the acknowledgement that privacy will play a key role in promoting trust in smart cities and communities. FPF believes the guidance and its emphasis on privacy is an important first step in building that trust.
PRIVACY PAPERSFORPOLICYMAKERS
Each year, FPF invites privacy scholars and authors with an interest in privacy issues to submit papers to be considered for FPF’s Privacy Papers for Policymakers Award (PPPM). The PPPM Award recognizes leading privacy scholarship that is relevant to policy makers in the United States Congress, at U.S. federal agencies, and for data protection authorities abroad.
This year, the winning authors were invited to join FPF and Honorary Co-Hosts Senator Edward J. Markey and Co-Chairs of the Congressional Bi-Partisan Privacy Caucus, to present their work at the United States Capitol Building with policymakers, academics, and industry privacy professionals. FPF published a printed digest of summaries of the winning papers for distribution to policymakers, privacy professionals, and the public.
Artificial Intelligence Policy: A Primer and Roadmap Ryan Calo
Designing Against Discrimination in Online Markets Karen Levy and Solon Barocas
Health Information EquityCraig Konnoth
The Public Information FallacyWoodrow Hartzog
Transatlantic Data Privacy LawPaul M. Schwartz and Karl-Nikolaus Peifer
The Undue Influence of Surveillance Technology Companies on Policing Elizabeth Joh
PAPERSWINNING
Algorithmic Jim Crow Margaret Hu
The Idea of ‘Emergent Properties’ In Data Privacy: Towards A Holistic Approach Samson Y. Esayas
Public Values, Private Infrastructure and the Internet of Things: The Case of Automobiles Deirdre K. Mulligan and Kenneth A. Bamberger
HONORABLE MENTIONS
THE 8TH ANNUAL
24
STUDENT WINNERThe Market’s Law of Privacy: Case Studies in Privacy/Security Adoption Chetan Gupta, UC Berkeley
ADVISORY BOARD MEETING
2017
The 2017 Advisory Board Annual Meeting was an opportunity to review FPF’s projects and achieve-ments, discuss emerging privacy issues, and help plan for the year ahead. With the new Administra-tion and a new Congress, regulatory changes worldwide, and the continuing rapid pace of data inno-vation, there was plenty to discuss.
25
CAPITAL-AREA
FPF hosted FPF-CAN, a roundtable discussion featuring Mary Madden (Researcher, Data & Society Institute) and Michele Gilman (Venable Professor of Law and Director of Clinical Education, University of Baltimore School of Law). Mary and Michele discussed their latest research: Privacy, Poverty and Big Data: A Matrix of Vulnerabilities for Poor Americans.
The FPF Tech Lab Open House is an opportunity for us to welcome our members, friends, and colleagues in town for the IAPP Global Privacy Summit. Hosted at our home o�ce in Washington, DC, this event provides a rare occasion for Data Protection Authorities and policymakers to interact with the latest in privacy-impacting gadgets and new technologies.
TECH LAB OPEN HOUSE
ACADEMIC NETWORK
26
The Tech Lab was widely attended by chief privacy o�cers, regulators, advocates, academics, and other privacy professionals who encounter the policies and regulations governing the type of technology that was on display. We were delighted to be joined by several distinguished guests: Lahoussine Aniss, General Secretary of the Moroccan Data Protection Authority; Alon Bachar, Commissioner, Israel Securities Authority; Giovanni Buttarelli, European Data Protection Supervisor; Ivan Chi-kin Chan, Head of Communications and Education for Hong Kong’s Privacy Commissioner for Personal Data; Helen Dixon, Data Protection Commissioner for Ireland; Ventsislav Kirilov Karadjov, Chairman of Bulgaria’s Commission for Personal Data Protection; and Raymund E. Liboro, Chairperson of the National Privacy Commission of the Philippines.
2017
The FPF Education and Innovation Foundation, a 501(c)(3), endeavors to educate the public about issues relating to data privacy. Through research, publications, educational meetings, and other related activities the Foundation advances responsible data practices and brings together leaders from industry academia, law, and advocacy groups. Using its research, the Foundation educates the public on the importance of data privacy, new and developing issues in data privacy, and responsible data practices to best protect the public’s interest.
BOARD OF DIRECTORS
Jules Polonetsky, CEOMary Culnan, President
EDUCATION INNOVATION FOUNDATION
FPF
27
IN MEMORIAM FPF launched a new fellowship in memory of Elise Berkower. Elise was a senior privacy executive at global measurement and data analytics company Nielsen for nearly a decade and was a valued, longtime member of the FPF Advisory Board.
FPF acknowledges the Berkower Family, the Nielson Foundation, IAPP, and friends of Elise as founding sponsors of the Elise Berkower Memorial Fellowship.
The Elise Berkower Memorial Fellowship is designed for recent law school graduates and will honor Elise’s legacy by identifying and nurturing young lawyers interested in contemporary privacy issues with a focus on consumer protection and business ethics. If you would like to support this fellowship, please visit www.fpf.org.
Christopher Wolf, Secretary Debra Berlyn, Treasurer
FINANCIALS
28
Future of Privacy Forum and FPF Education and Innovation Foundation
Draft Consolidated Statement of Activities for the fiscal year ending on December 31, 2017.
The figures presented here in the form of a Consolidated Statement of Activities are in draft format. They are subject to change pending the completion of the organizations’ fiscal year 2017 audits.
FINANCIALS
The figures presented here are in draft format. They are subject to change pending the completion of the organizations’ fiscal year 2017 audits.
Future of Privacy Forum and FPF Education and Innovation Foundation
Draft Functional Expenses for the fiscal year ending on December 31, 2017.
20
2-7
68
-89
50
14
00
EY
E S
TR
EE
T, NW
/ SU
ITE
45
0 / W
AS
HIN
GT
ON
, DC
20
00
5 F
PF.O
RG
