The U.S. government should investigate TikTok’s parent ByteDance and its acquisition of Music.ly, Open Markets Institute said Thursday, citing national security threats. OMI responded to Senate Minority Leader Chuck Schumer, D-N.Y., and Sen. Tom Cotton, R-Ark., asking U.S. intelligence officials to investigate the Chinese company TikTok. More than 110 million Americans downloaded the app this past year, said Schumer and Cotton. “At best, TikTok is a direct source for the Chinese to harvest American user data; at worst, TikTok is an opportunity for the Chinese Communist Party to use algorithms to manipulate Americans to push an authoritarian agenda,” OMI wrote, asking the Committee on Foreign Investment in the U.S. to open a review. TikTok said it's not influenced or controlled by the Chinese government: "We remain committed to providing a safe and expressive app experience for our community."
The European Commission sees "good progress" with Privacy Shield after three years, said European Justice, Consumers and Gender Equality Commissioner Vera Jourova Wednesday. The EC's third review of the trans-Atlantic personal data transfer system found the U.S. followed last year's recommendations, and that about 5,000 companies participate, she said. After EC urging, the U.S. appointed a permanent ombudsman to ensure Europeans' complaints about national security are properly resolved; the Department of Commerce is more attentive to exercising oversight; and the FTC stepped up investigations. PS became a "good tool of digital diplomacy" that spurs dialogue, with several U.S. states and the federal government now talking about data protection legislation, Jourova said. The report noted several issues with practical implementation, and recommended Commerce shorten various periods granted companies to complete recertification, and develop tools for detecting false claims of participation from companies that never applied for certification, and that the FTC prioritize finding ways to share meaningful information about ongoing investigations with the EC and EU data protection authorities. "Privacy Shield remains a successful instrument for the protection of European citizens' data and an essential tool for the safe transfer of commercial data between the two largest trading partners," said Computer & Communications Industry Association European Senior Manager Alexandre Roure. The pact is working but in jeopardy, said Center for Data Innovation Senior Policy Analyst Eline Chivot. The European Court of Justice hasn't ruled whether European citizens' personal data can be transferred to the U.S., a decision expected early next year. This positive review shows the "landmark initiative continues to be a reliable and stable mechanism" for smooth, secure data flows, said Information Technology Industry Council Vice President-Europe Guido Lobrano.
Berkeley, California, can’t use facial recognition technology after the City Council unanimously adopted a law Tuesday evening stopping the city from acquiring, retaining, requesting, accessing or using any facial recognition technology or information obtained from such tech. The vote had no “impact on any existing or planned staff operations,” the city’s spokesperson emailed Wednesday. “City staff have never sought the use of facial recognition software, nor do we have any in place. Under our existing surveillance ordinance, City staff would have had to go to the City Council for explicit permission to purchase and use surveillance technologies, including facial recognition software.” Berkeley is the fourth U.S. city to pass such a ban, Fight for the Future said Wednesday. “The epidemic spread of facial recognition is a human rights crisis,” said Fight for the Future Deputy Director Evan Greer, “but we still have a chance to draw a line in the sand.”
California Gov. Gavin Newsom (D) signed seven privacy bills Friday to tweak the California Consumer Privacy Act (CCPA). Newsom vetoed some other bills on California LifeLine and broadband. Separately, in a decision issued Monday, the Public Utilities Commission denied rehearing, sought by Lifeline providers (see 1810030005), of a decision to shorten the LifeLine benefit portability freeze for transferring voices services to 24 hours from 60 days. The bills that are now law made minor revisions, with neither businesses nor consumer privacy groups getting everything they wanted, though businesses particularly applauded AB-25 and AB-1355 to exempt employer-employee and business-to-business relationships for one year (see 1910100042). Newsom also signed AB-874 to exclude publicly available information from the definition of personal information; AB-1130 on data breach notification requirements; AB-1146 to exempt vehicle data such as ownership information shared between a dealer and automobile manufacturer in anticipation of a repair; AB-1202 to require data brokers to register with the California attorney general; and AB-1564 to remove a requirement that companies list a phone number for opt-out requests. CCPA takes effect Jan. 1, with enforcement to begin July 1 following a rulemaking by the attorney general that opened last week (see 1910100042). The governor vetoed SB-704, which would have revamped state LifeLine rules (see 1907110008). The bill is premature because LifeLine was recently expanded by two new pilot programs, Newsom wrote Sunday. “While this bill may increase access to the LifeLine program, this bill has the potential to more than double the size and cost of the program and should be addressed through the budget.” Newsom last week vetoed AB-1212 to include telecom as a type of infrastructure in funding priority lists at state transportation and water resources departments; and AB-417 to add rural economic development, including expanding broadband, to California Department of Food and Agriculture responsibilities.
Amazon came under scrutiny again for privacy issues for artificial intelligence data gathering. Bloomberg reported Thursday that dozens of Amazon workers based in India and Romania review select video clips captured by Amazon’s Cloud Cam, and the clips are used to train AI algorithms to distinguish between real threats and false alarms. It said at one point, on a typical day, some Amazon auditors were each annotating about 150 video recordings, which were typically 20 to 30 seconds long. Snippets for review came from employee tests and from Cloud Cam owners who submit clips to troubleshoot issues such as inaccurate notifications and video quality. Bloomberg said Amazon’s Cloud Cam user terms don’t spell out explicitly that human beings are training the algorithms behind the motion detection software and that some clips have included activity “homeowners are unlikely to want shared, including rare instances of people having sex.” Although Amazon has tight security policies -- employees in India aren’t allowed to use their mobile phones -- "that hasn’t stopped other employees from passing footage to non-team members," the article said. An Amazon spokesperson emailed Thursday the company takes privacy seriously and puts Cloud Cam customers “in control of their video clips. Only customers can view their clips, and they can delete them at any time by visiting the Manage My Content and Devices page.” Customers can share a specific clip using the feedback option in the Cloud Cam app to help improve the service, she said. “When a customer chooses to share a clip, it may get annotated and used for supervised learning to improve the accuracy of Cloud Cam’s computer vision systems. For example, supervised learning helps Cloud Cam better distinguish different types of motion so we can provide more accurate alerts to customers.” A FAQ on Amazon’s customer service page detailing who can view Cloud Cam clips, says: “Only you or people you have shared your account information with can view your clips, unless you choose to submit a clip to us directly for troubleshooting. Customers can also choose to share clips via email or social media.”
Senate Commerce Committee ranking member Maria Cantwell, D-Wash., pressed the FTC Thursday for details about its Facebook privacy settlement, asking if the company’s release from liability was unprecedented. Her letter noted that although the commission's July 24 public statement suggested other deals have included similar releases from liability, it didn’t cite a prior FTC settlement releasing a defendant from unknown claims or releasing individuals not named in the complaint.
The House Commerce Committee's top Republican and TechNet raised alarm over an economic analysis of California Consumer Privacy Act costs. But the Berkeley Economic Advising and Research (BEAR) says costs “present a notable, but hardly insurmountable challenge." BEAR prepared the Aug. 15 report for the California attorney general (see 1909200030). Commerce Committee ranking member Greg Walden (R) Wednesday said the study highlighted the need for a federal privacy bill. TechNet Executive Director-California Courtney Jensen said Tuesday this shows CCPA "will not only cost billions for businesses to comply with, but small businesses and start-ups are likely to face higher compliance costs." The report estimated initial compliance costs at about $55 billion, about 1.8 percent of California gross state product in 2018, and estimated direct compliance costs $467 million-$16.5 billion over the next decade. CCPA “will have consistently positive net costs for the state economy, but the magnitude of these costs is negligible from a macroeconomic perspective.” That doesn’t count “considerable” benefits to protected consumers. Firms operating within California may have a competitive disadvantage to those operating only outside the state, but it’s small, the document said. “Previous legislation that was unique to California has in turn set national standards as firms find it easier to adopt California’s requirements to all products and services rather than provide differentiated services.” There’s “likely limited direct competition between firms that would be subject to the regulation and those that would not,” it said. The new law could “provide a future competitive advantage for affected firms that are required to come into CCPA compliance now by creating additional barriers to entry for future competitors considering entering into the California market,” it said. “If the CCPA is a precursor for future privacy regulations at the additional state or federal level, then firms already in compliance with the CCPA will have a competitive advantage.”
Local, state and federal officials should end Amazon partnerships that allow police to use the company’s Ring doorbell products, more than 30 advocates wrote Tuesday. Fight for the Future, Color of Change and Project on Government Oversight signed. Amazon Ring data shows at least 500 partnerships between the company and cities, which the groups wrote threaten privacy, civil liberties and democracy because of lack of oversight. Police can use face scanning technology to profile individuals and invade the privacy of their homes, the groups wrote. Claims that the partnerships pose privacy and civil liberties risks are “inaccurate,” emailed an Amazon spokesperson. “Ring’s mission is to help make neighborhoods safer,” the spokesperson said, citing design that keeps users in control of their privacy.
ITTA continues to raise concerns with the FCC about how employees could be harmed if the Universal Service Administrative Co. requires they share personally identifiable information for a Lifeline representative accountability database, said a filing posted Monday in docket 17-287. "Union agreements may not allow for company employees' PII to be subject to disclosure requirements outside of the company, and companies may be subject to liability for any ramifications in the event of a data breach involving personal information their employees were required to furnish in the course of their employment." ITTA President Genny Morelli and representatives from CenturyLink, Consolidated Communications and Blackfoot met Wednesday with an aide to Commissioner Jessica Rosenworcel.