WPF's new interactive map identifies Health Information Exchanges in California. A Health Information Exchange, or HIE, is technology that enables the electronic movement of health-related information among health care providers and others. HIEs are an increasingly popular way for hospitals, pharmacies, labs, and emergency room physicians to share patient information. HIEs can exchange records across one hospital, across multiple hospitals in a region, or across a whole state. If your health information is being shared through an HIE, your lab test results, medications, medical history, or other clinical information related to your health care may be included in the sharing. See more about HIEs and our California HIE Map here.
WPF Senior Projects Manager Marianne Fitzpatrick will be participating at the ID Ecosystem's Plenary meeting this week. Of top concern at the plenary will be a new ID theft use case that requires substantive discussion regarding privacy checks and balances. For more information, see NSTIC's page on the National Strategy for Trusted Identities in Cyberspace. Also see the ID Ecosystem Steering Group page for documents and meeting dates.
WPF Executive Director Pam Dixon will be speaking at the Federal Trade Commission Tuesday on the issue of Senior ID theft, and specifically, about medical forms of the crime. Dixon, who wrote the first report on medical ID theft and coined the term for the crime, will be presenting new research at the panel.
Related: Medical ID theft page
In the May/June 2013 issue of Foreign Policy Magazine, Pam Dixon writes about the privacy issues related to India's national biometric ID card. In the piece, Mission Creep, Dixon discusses how government-issued biometric ID cards that serve as national ID cards and as the basis for employment and financial transactions create profound civil liberties and privacy challenges that are neither easily nor well constrained by government policy.
Read the article
Related: WPF's India video series:
Children and Privacy: India Series
Medical Privacy in India: India Series
Privacy by Obscurity: India Series
Thoughts on Privacy in India: India Series
Reimagining Privacy in a Digital Era: Privacy Series
In comments filed with the FAA, the World Privacy Forum urged the agency to establish a robust privacy committee to focus on drone privacy and to clarify the applicability of the Privacy Act of 1974 to UAS test site operators. WPF also requested the FAA conduct mandatory Privacy Impact Assessments and provide a FIPS-compliant privacy notice. "We have offered our comments to the FAA with the acknowledgement that everyone has much to learn in the area of commercial drone privacy. Our suggestions to the FAA seek to increase general knowledge about drones and their effect on privacy," said Pam Dixon.
Read the comments (PDF)
Pam Dixon is speaking on a panel on privacy and trust at Marketing Science Institute in Boston. The panel, led by John Deighton of the Harvard Business School, includes experts from EPIC, the DAA, and CBS.
Pam Dixon is a visiting scholar at Portland's PNCA. She is scheduled to speak with students in a round of interdisciplinary classes, and she will also be giving a public keynote at 7 pm in Swigert Commons. Her public lecture is on Modern Privacy.
Pam Dixon speaks to Los Angeles County social workers and financial abuse support teams today to share WPF's wealth of information about medical identity theft and how this crime impacts seniors. WISE and Healthy Aging is hosting this important meeting.
World Privacy Forum Executive Director Pam Dixon will present WPF's research and India privacy videos at the FTC - IAPP Global Privacy Conference workshop Wednesday, March 7. The session, Global Perspectives on Consumer Privacy, is the first session of its kind at IAPP or the FTC focused on privacy in developing economies. WPF has researched privacy extensively in India, and has documented a number of key privacy issues in a video series. So far, 5 videos in the series have been released. All of the videos were shot on location in India and feature Pam Dixon, with videographer Blake Hamilton. These videos offer a rare and early glimpse into privacy interactions and issues in India. WPF will be releasing one more video on biometric ID cards in India.
See the WPF India Privacy Series:
Children and Privacy: India Series
Medical Privacy in India: India Series
Privacy by Obscurity: India Series
Thoughts on Privacy in India: India Series
Reimagining Privacy in a Digital Era: Privacy Series
WPF is participating in the ID Ecosystem meetings as a consumer privacy representative. Senior Projects Manager Marianne Fitzpatrick is taking the lead on this project, and is working on general privacy and financial privacy areas. The next meeting of the ID Ecosystem is Tuesday March 5. The ID Ecosystem meetings are open to the public. The meetings are important, as this process will set the stage regarding how online identities are managed. For more information, see NSTIC's page on the National Strategy for Trusted Identities in Cyberspace. Also see the ID Ecosystem Steering Group page for documents and meeting dates.
Related: Pam Dixon's Congressional testimony on consumer expectation of privacy online.
Pam Dixon spoke at the Southwestern Law School Privacy Conference on the topic of reputational privacy Friday the 22nd along with Neville Johnson and Paul Tweed. Dixon highlighted three key consumer situations WPF assisted with recently, discussing the employment challenges consumers faced when harmful material was available online during the job search process.
Related: WPF's job search privacy page
The World Privacy Forum attended the NTIA Multistakeholder meeting as one of the drafters of the code of conduct being considered by the NTIA Multistakeholder process. WPF and the other drafters are accepting comments from all stakeholders in preparation of the next iteration of the draft. Current drafts, including redline drafts, are available on the NTIA website.
Pam Dixon participated as a discussant and contributor to the Arizona School of Law's private workshop on the topic of the future of privacy. Key areas of discussion included the European Union's Right to be Forgotten proposal, consent and health privacy, and Do Not Track.
This Thursday, Pam Dixon will be presenting the consumer privacy perspective for a DMA Webinar on data innovation. While marketers are interested in innovating to use consumer data, consumers have real privacy concerns that need to be addressed. Dixon will present some of the key implications. More information about the event is here.
WPF's Pam Dixon will speak on privacy gaps at Silicon Valley's Churchill Club Wednesday, January 23 in San Francisco. The panel is part of International Privacy Day activities and will be moderated by Chris Kelley, Former Chief Privacy Officer of Facebook. More event information is available at http://www.churchillclub.org/LandingPage.aspx.
WPF participated in the January 17th meeting of the NTIA Multistakeholder Process. The jointly crafted code WPF, ACLU, Mobile App Alliance, and Consumer Action created was again discussed and edited. A growing consensus is moving toward the joint code. The next meeting is January 31, 2013.
Pam Dixon spoke at a CES panel on privacy issues in facial recognition technologies as part of the Leaders in Technology program at CES. The panel was moderated by Tony Romm of Politico and included FTC Commissioner Maureen Ohlhausen and Harley Geiger, legislative counsel for Representative Zoe Lofgren. Dixon spoke on the need for increased work on consumer options in a "sensor rich environment where there is no option to opt out by walking out." Referenced in the panel was WPF's report on digital signage and facial recognition, The One-Way Mirror Society.
Read the One Way Mirror Society.
During our research in India, we captured our experiences in video along the way. This video focuses on children's privacy from a global perspective. We were in south India conducting interviews on privacy, and had the opportunity to talk with these children about privacy. We came away with some surprising results. Our first video, Reimagining Privacy in a Digital Era, and the second video on children's privacy are viewable on computers and mobile devices. Watch the video here:
World Privacy Forum: Children and Privacy, India 2012 from World Privacy Forum's Video Channel.
The WPF co-presented a jointly conceived and written consumer mobile transparency proposal with the Application Developers Alliance, the ACLU, and Consumer Action on Friday, Nov. 30. All four groups were on hand to present the idea of moving forward with simple, clear, direct transparency guidelines for consumers in the mobile app space. "This document and the accompanying screenshots are just a beginning, but it is a beginning I can get behind," said Pam Dixon, who was in Washington to make the presentation to the stakeholders and the NTIA. "Mobile transparency is crucial to consumers, especially as we continue to shift more and more toward smartphone and app use." This is one of the first instances of a co-self-regulatory process that has been successful in generating a document that privacy, civil liberties, industry, and consumer groups have jointly created and agreed on.
NTIA process information
The World Privacy Forum has spent time in India studying several key privacy issues of profound importance. We have done on-the-ground research regarding the national biometric identification card system being deployed in India; it is called the Aadhaar card, or the Total ID. This biometric project is the largest known biometric deployment in the world to date. We have also been researching additional core WPF issues, such as electronic health record privacy. In a series of five videos, we outline and share the key privacy issues we have been looking at in India, and offer a first-seen peek into a world that is not often seen or experienced in Western policy circles.
This video is the first in the series, and it outlines how privacy today must be reimagined, in India, and in the US.
Watch the video:
World Privacy Forum Re-Imagining Privacy in a Digital Era from World Privacy Forum's video channel.
WPF's Pam Dixon will be speaking at the 2013 International CES as part of the Leaders in Technology program. "I am honored to be part of CES' Leaders in Technology Program," said Dixon, who will be speaking on January 9, 2013 about the policy issues of facial recognition technology, particularly those relating to consumer privacy.
More on CES Leaders in Technology program
WPF was quoted in a NYT article on patient biometric identification systems, notably, palm vein readers. The idea is that patients will be uniquely identified to prevent fraud and other misidentifications. However, in cases of medical ID theft, biometric identification can go terribly awry, and can actually create a lot of problems for victims. WPF has written about palm vein scanners and other uses of ID technology in our Red Flag and best practices documents.
See the NYT piece | Read WPF's best practices for health care providers | Related: A Patient's Guide to HIPAA
The World Privacy Forum has filed comments with the US Federal Trade Commission, sending the FTC documentation that a credit bureau was selling information about consumers who had paid their mortgages 30, 60, or 90 days late. WPF made the filing in response to FTC's request for comments regarding its recent enforcement action against Equifax. The FTC's complaint against Equifax showed that for a period of two years, Equifax sold the names of consumers who were late on their mortgages to businesses that used that information to market financially damaging and in some cases fraudulent products and services to these consumers. WPF is concerned that lists of consumers who are late on their mortgages are still being sold, and has requested additional information from the FTC regarding this matter.
Read the WPF letter to the FTC | Related: FTC information regarding case
Today Pam Dixon spoke at the California Consumer Affairs conference on a panel led by California Department of Justice's JoAnne McNabb, outlining key trends in consumer privacy. Focusing on mobile privacy, Dixon noted that privacy trends were moving very quickly in the mobile environment. "Privacy on mobile apps has become a major focus for consumers," noted Dixon. "We need to ensure that consumers can use their smartphones with full confidence and no privacy surprises."
The American Academy of Neurology has published an excellent article distilling Executive Director Pam Dixon's newest tips on medical identity theft. Pam Dixon discovered medical identity theft as a crime in 2006. Her subsequent research and well-known 2006 report was the first published research on the issue. The AAN article is available in full online for the next few weeks, and is free.
American Academy of Neurology - Medical ID Theft | WPF medical ID theft page with tips, map, reports
Each year, the US Department of Justice is required to submit a report to the US President disclosing how individual patient health information has been used for certain law enforcement investigations. This requirement comes from an Executive Order signed in 2000, To Protect the Privacy of Protected Health Information in Oversight Investigations. The Order states:
"On an annual basis, the Department of Justice, in consultation with the Department of Health and Human Services, shall provide to the President of the United States a report that includes the following information:
(i) the number of requests made to the Deputy Attorney General for authorization to use protected health information discovered during health oversight activities in a non-health oversight, unrelated investigation;
(ii) the number of requests that were granted as applied for, granted as modified, or denied;
(iii) the agencies that made the applications, and the number of requests made by each agency;
(iv) the uses for which the protected health information was authorized."
The World Privacy Forum has requested a copy of this report. This is our second request for the information. A copy of our full request is here, and gives additional background information about why this report is important for patient privacy.
Read the WPF Request | See the Executive Order
The slide deck from the Future of Privacy Forum and World Privacy Forum's Mobile App Ecosystem webinar is available for download. As soon as the audio is available, we will be posting the full presentation. Our thanks to FPF and all of the presenters for a terrific webinar.
Download the Webinar slide deck
Join us for a Webinar on September 13. Space is limited. Reserve your Webinar seat now at:
Participants in the NTIA Multistakeholder Process working to create a code of conduct for App Transparency have expressed strong interest in holding technical briefings that would provide information about app data flows and business models.
To help provide a better understanding and transparency of the workings of the app ecosystem, the Future of Privacy Forum and World Privacy Forum have arranged a briefing to provide the consumer advocacy, business and policy stakeholders with an overview of how and why apps access consumer data and how data may be used for both functional and commercial purposes.
Pam Dixon, Executive Director, World Privacy Forum
Jules Polonetsky, Director and Co-Chair, Future of Privacy Forum
Nathan Good, PhD, Chief Scientist at Good Research
Ron Soffer, Independent App Developer, former app developer for WebMD
Adam Towvim & Matt Tengler, VP of Business Development & Product Director at Jumptap
Lia Sheena, Legal & Policy Fellow at the Future of Privacy Forum
Title: Future of Privacy Forum & World Privacy Forum: Mobile App Ecosystem Webinar
Date: Thursday, September 13, 2012
Time: 4:00 PM - 5:45 PM EDT
After registering you will receive a confirmation email containing information about joining the Webinar.
Required: Windows® 7, Vista, XP or 2003 Server
Required: Mac OS® X 10.5 or newer
Required: iPhone®/iPad®/Android™ smartphone or tablet
The World Privacy Forum attended the NTIA meeting yesterday in Washington, DC to discuss mobile app privacy. We remain optimistic about working with all stakeholders to arrive at positive solutions for consumer privacy concerns. We reiterate that the NTIA process offers a real -- and unique -- opportunity to dialogue with multiple stakeholders from industry, privacy, consumer, and civil liberties perspectives. WPF supports this open public dialogue.
Our focus for the next NTIA meeting is to provide a draft with concrete suggestions that will allow a more detailed conversation about substantive mobile app transparency and privacy issues. We are working with an array of stakeholders on this draft and will present it next week with the hope that a meaningful conversation about substantive ideas will take place. WPF believes that a robust discussion of ideas is positive; in our experience, in a competition of ideas, the good ideas tend to win over the bad ones. But that can only happen when stakeholders are actively engaged in exchanging ideas about specifics.
In our first blog post about the NTIA process, we wrote that it is time for the dialogue between privacy stakeholders and industry stakeholders to mature and move away from a win/lose dynamic and move toward a more effective and mature challenge/response dynamic. We reiterate the importance of this. WPF remains optimistic about this process, and we are ready to discuss substantive matters relating to mobile app consumer privacy. The next meeting is August 29; meeting details are available here.
The California State Senate unanimously approved a law that, if signed by the Governor, will provide greater privacy for students. If the measure is signed into law, educational providers may not force students to disclose their social media passwords and logon information. This law also prohibits the practice of "shoulder surfing": educational providers would not be able to force students to log on to social media profiles so the provider could view the profile. Governor Brown has vetoed privacy laws in the past; September 30 is the deadline for his signature on this law. The text of the law is available here (SB 1349).
WPF filed comments today on an initiative being undertaken by the state of California to "harmonize" California's stronger state privacy laws with the national US health privacy regulations, HIPAA. Our analysis of California's proposal is that it is deeply flawed and is designed to weaken state level privacy protections for California patients. WPF also has procedural concerns about the proposal; it was crafted without a participatory public process, and the presence of consumer and patient representatives in this process was below de minimis standards. CalOHII, the office that released the harmonization proposal, plans to turn its proposal into legislation for the state. WPF opposes this plan unless the proposal is substantially improved. Our comments, jointly filed with EFF and others, are available here.
Read the comments. | Press release: California, Don't Weaken Californian's Health Privacy Laws
California Attorney General Kamala Harris has created a new privacy protection and enforcement unit. The unit will be housed in the Department of Justice and will focus on protecting consumer and individual privacy through civil prosecution of state and federal privacy laws, a news release said. "The Privacy Unit’s mission to enforce and protect privacy is broad. It will enforce laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches. By combining the various privacy functions of the Department of Justice into a single enforcement and education unit with privacy expertise, California will be better equipped to enforce state privacy laws and protect citizens’ privacy rights." Joanne McNabb, who ran the now de-funded California Office of Privacy Protection, will serve as director of privacy education and policy for the unit. See the full press release.
WPF Essay, by Executive Director Pam Dixon
For decades, privacy advocates have been loath to engage in the self-regulatory process, and with good reason. Self-regulation in the privacy sector has a grimy history, replete with spectacular failures. Also, most past privacy self-regulatory processes have been controlled by industry participants with the largest stake in the outcome, with advocates either left entirely out of the process, or brought in after the fact. To date this process has been a fairly polite public policy version of the Hatfields and the McCoys, where not much gets done in the public interest, and the dialogue is polarized to the point where there are only winners or losers.
It's time for this debate to mature into something better. From industry participants to privacy advocates to consumers, we need to find a better outcome. I believe that in order to do this, we must do three things. We must put the consumer first, focus on what is important, and assign appropriate responsibilities across the hierarchy of privacy chokepoints. For mobile app privacy, the topic that has been chosen for the multistakeholder process, that means starting with the wireless carriers, and moving on through the chain to publishers, app portals, and developers.
A fourth item would also be helpful -- and that is to reform the self-regulatory process itself. Because previous efforts have lacked any meaningful tension or dialogue between industry interests and consumer and privacy interests, the resulting policies have typically been imbalanced. To cure this, bringing in the right amounts of tension and robust dialogue will go far. With the Department of Commerce convening the multistakeholder process, there is at least an outside chance that there will be some form of dialogue between industry and privacy stakeholders. That's a start. The next step will be to bring a meaningful tension to the proceedings. That means that instead of the Hatfield-McCoy model where everyone withdraws to their well-worn positions, something more along the lines of a challenge-response, challenge-response, and repeat until the parties have all given up some ground model takes its place.
In the environmental sector, industry interests realized after several decades that the environmental activists were not going to go away. Industry wisely began to shift its approach in that sector, and now, a significant green transformation has occurred. While there are some notable irresponsible actors and terrible incidents such as the BP oil spill, many more companies are environmentally responsible now, with some even leading the charge. The dialogue changed, and it changed for the better. It is possible. Whether or not the multistakeholder process will achieve something more mature than has been realized in the past is an unknown. I am viewing it as a possible first step in moving to a more mature approach to the very real consumer privacy concerns today, but to achieve that all stakeholders will need to at least agree to one thing, and that is, to put the consumer first. There will be many points of disagreement among stakeholders, but perhaps, just perhaps, we can find this one point of agreement of putting the consumer first, and then moving millimeter by millimeter from there.
-Pam Dixon, Mysore India
July 11, 2012
Press Release: Put the Consumer First
A recent item about drones in the GWU CyberSecurity Policy Newsletter revealed that drones can be hacked via spoofing the drone GPS systems. Government drones in US airspace are poised to become a privacy issue of increasing concern. Here is an excerpt from the newsletter, which is available here.
"A group of researchers at the University of Texas at Austin Radionavigation Laboratory recently succeeded in hijacking a drone by spoofing the global positioning system (GPS) on board the aircraft. With just around $1,000 in parts, the team took control of an unmanned aerial vehicle owned by the college, all in front of the US Department of Homeland Security. Domestic drones are already being used by the DHS and other governmental agencies, and several small-time law enforcement groups have accumulated UAVs of their own as they await clearance from the Federal Aviation Administration, Reuters reports. Indeed, by 2020 there may be tens of thousands of drones diving and dipping through US airspace. With that futuristic reality only a few years away, this action suggests that the FAA may have their work cut out for them if they think it’s as easy as just approving domestic use anytime soon." CyberSecurity Policy News, July 2, 2012.
Mobile app privacy is the topic of the multistakeholder process to be undertaken this week under the direction of the US Department of Commerce. Over the weekend, a NYT article revealed that mobile carriers received more than 1.3 million requests by law enforcement for mobile data, including requests for text messages. This article is a focusing event. It is a reminder that in mobile privacy we need to put the consumer first, focus on what is important, and apply responsibility for privacy and transparency throughout the hierarchy of mobile players, from carriers to platforms to app stores to publishers to developers. It is unclear yet what segments of the hierarchy require what amounts of the burden, but what is clear is that carriers will certainly need to do a lot. It is also clear that the idea of just an icon on a screen to communicate the idea of mobile privacy to consumers is a band-aid approach at best when faced with the truth of where some of the real risks are for consumers.
Multistakeholder meeting info | NYT article on mobile privacy issues
FTC - IAPP Workshop on Privacy in Developing Countries, March 3, 2013, Washington DC. Panel.
Biederman Institute Online Privacy Conference, Southwestern Law School, Los Angeles, Feb. 22, 2013. California. Program committee, panelist.
ASU Law School Privacy Conference, Phoenix, Feb. 1, 2013. Conference participant/discussant.
Churchill Club, San Francisco, The Privacy Gap, January 23, 2013, panel.
CES, Facial Recognition, Jan. 9, 2013, Las Vegas, Panel discussion.
WPF India Privacy Forum, July 2012, Mysore, India.
Privacy Summit, June 5, Los Angeles, June 6 San Diego. WPF will be speaking.
FTC Hearing on Mobile Disclosures, March 30, 2012, Washington, DC. WPF will be on a panel.
Medical ID Theft training, Denver Health Medical Center, April 11, 2012, Denver, Colorado.
2012 International Consumer Electronics Show, Las Vegas. Jan. 10.
FTC Hearing on Facial Recognition, Dec. 8, 2011, Washington, DC.
Consumer Dialogue, Nov. 2, 2011, New York City.
Congressional Testimony: Pam Dixon, October 13, 2011.