State legislation to require obscenity filters on internet-connected devices “would create an unconstitutional and draconian Internet censorship and taxation regime in Missouri,” the Electronic Frontier Foundation said in a Wednesday letter to House Speaker Todd Richardson (R) and bill sponsor state Rep. Jim Neely (R). HB-2422 and bills like it in about 15 other states would require manufacturers to include filters on cellphones, TVs, gaming consoles and other devices blocking obscene content, including revenge pornography and prostitution and human trafficking websites. Under HB-2422, violators could be subject to imprisonment of less than one year or a fine of $500 per prohibited piece of content. Users seeking to remove blocking software would have to ask the manufacturer, sign an acknowledgement of risk and pay $20. “Although its supporters claim the bill would protect women, children, and vulnerable communities, in truth the bill would limit residents’ freedom of speech, allow the government to intrude into their private lives, restrict control of devices owned by consumers, and levy a disproportionate tax on consumer electronics,” EFF said. Last year, versions of the bill failed in Alabama, Florida, Georgia, Indiana, Louisiana, New Jersey, North Dakota, Oklahoma, South Carolina, Texas and Wyoming, EFF said. This year, similar bills are in play in Hawaii, Illinois, Indiana, Iowa, Kansas, Maryland, Mississippi, Missouri, New Mexico, New Jersey, New York, Rhode Island, South Carolina, Tennessee, Virginia, West Virginia and Wyoming, EFF blogged.
Ranking member Frank Pallone, N.J., and eight other House Commerce Committee Democrats sought a briefing Wednesday from fitness app firm Strava about why it included data from locations of U.S. military bases and other government facilities around the world in a publicly available global “heat map” of users' movements. Reports said earlier this week Strava used GPS tracking data from Fitbit and similar devices in the map, which showed areas of user activity between 2015 and September. U.S. facilities in Iraq, Syria and other countries with military conflicts are highly noticeable amid otherwise low activity, a direct contrast to high activity in the U.S. and Europe. “The increasing popularity of fitness trackers and other wearable technology has raised serious questions about the types of data they collect and share and the degree to which consumers control their own personal information,” the lawmakers wrote CEO James Quarles. “The data these devices collect reveals users' precise locations, daily activities, and health information.” The firm “made no attempt to secure information, and instead published location information on the Internet for anyone to see,” the lawmakers said. The Democrats sought information in the briefing on Strava's privacy and data security policies and whether the company plans to alter those policies. Strava didn't comment.
Verizon General Counsel Craig Silliman urged Congress Wednesday to “modernize” the 1986 Stored Communications Act amid two Supreme Court cases and other “important questions and policy matters about applying the outdated law to new technologies.” The court is considering Stored Communications Act implications in the U.S. v. Carpenter Fourth Amendment cellsite location case (see 1711290043) and U.S. v. Microsoft, the “Microsoft Ireland” case challenging a U.S. government warrant demanding emails stored in a server based in Ireland (see 1801190047). “Congress needs to address” outdated provisions in the law, Silliman blogged. “When the Stored Communications Act was written 32 years ago we did not entrust so many and varied types of sensitive data with scores of technology companies. And we did not contemplate that those companies would have reason to store so much of that data half-way around the world.” He highlighted the Electronic Communications Privacy Act Modernization Act (S-1657) and the International Communications Privacy Act (S-1671) as vehicles for revamping the statute. “Neither bill is perfect; with so many important interests at stake, perfection is likely impossible,” Silliman said.
Electronic toymaker VTech agreed to pay $650,000 to settle FTC charges it violated children’s privacy rules, the agency announced Monday. VTech’s “Kid Connect” app collected information on “hundreds of thousands” of children without parental notification, the FTC said, saying the case is the first children’s privacy case involving internet-connected toys. VTech failed to use “reasonable and appropriate” measures to safeguard the collection of information, the FTC said. VTech was among several makers of smart toys flagged for criticism in a Senate Commerce Committee minority staff report released in December (see 1612140041) that urged toymakers to build security measures into products at the outset of production. VTech didn't comment. The settlement also requires VTech to implement a data security system and make it available to independent audits for the next 20 years. “There’s not a consistent practice over time of companies making sure they are always staying one step ahead of the hackers,” said FTC Consumer Protection Bureau acting Director Tom Pahl during a call with reporters. The settlement will ensure “that kind of program they develop is in place and works.” The VTech case “sends a message to parents,” who “should read a company’s privacy practices, make sure that companies get their permission to collect their children’s information and be aware of their other rights,” Pahl said. VTech CEO Allan Wong said the company "is pleased to settle this two-year-old investigation by the FTC" and has instituted new security protocols to protect customer data and comply with FTC notice and consent requirements.
Congress is unlikely to pass "meaningful" privacy or data breach legislation in a midterm election year, blogged Davis Wright. States may revive efforts to pass online privacy laws targeting ISPs as some attorneys general challenge the FCC's order eliminating net neutrality rules (see 1712210034), the firm said. Updates to state data breach notification laws also could be expected in 2018, it said, and the outlook for security is grim as the firm sees data breach and ransomware threats likely to grow, putting pressure on legal and IT departments to develop coordinated defense strategies. Palo Alto Networks warned that the dangers of hackers skillfully manipulating data rather than just stealing it "are only just becoming clear," in a blog. Widespread denial-of-service attacks to block access to systems are fairly commonplace now, but the new -- and harder to manage -- threats come when intruders penetrate a system and modify data to cause reputational damage, invalidate data or steal for financial gain, said Palo Alto security expert Sean Duca. Every organization needs to inspect and verify who is accessing data and applications, said Duca. "Based on recent events, it’s foreseeable that someone will come looking for your information, but it’s up to you to manage the risk," he said.
Privacy concerns about the growing use of biometric scanning in U.S. international airports prompted Sens. Ed Markey, D-Mass., and Mike Lee, R-Utah, to question Department of Homeland Security Secretary Kirstjen Nielsen about the program’s legal basis in a letter sent Thursday. The letter asked DHS to stop expanding the program, now used in nine U.S. international airports, until the agency shows Congress “its explicit statutory authority” to use the technology on U.S. citizens. A Georgetown Law Center on Privacy and Technology report released Thursday said “neither Congress nor DHS has ever justified the need for the program,” which may violate federal law because Congress hasn't explicitly authorized border collection of biometrics on Americans using facial recognition technology. DHS hasn't been transparent about the program, nor has it conducted the required rulemaking, said Harrison Rudolph, associate, Georgetown Law Center on Privacy and Technology. "Without enforceable rules, DHS' airport face scanning program may seriously threaten Americans' privacy. That is unacceptable," Rudolph said. DHS told us U.S. Customs and Border Protection, which operates the scanners, “takes its privacy obligations seriously,” and makes clear that U.S. citizens are “not required” to permit the scans. Signage at the scanning sites explains that alternative ID procedures are available.
Anyone who’s concerned and doesn’t want to be scanned “need only let a CBP officer or airline gate agent know and their documents will be reviewed to ensure they are the true bearer of the passport that is being presented,” a CBP official said, saying the agency is working on procedures that are “least disruptive for the travel industry while also effectively enhancing border security.” Using facial recognition at airports is an even broader privacy risk due to the lack of regulation and potential for rapid expansion of the technology, said Jeramie Scott, director, Electronic Privacy Information Center's domestic surveillance project, which sued CBP for details on the scanning program and urges it be suspended until privacy risks are better understood.
Internet-connected toys and smartwatches continue to pose privacy concerns the FTC should address, consumer and privacy groups told the agency Monday. The My Friend Cayla and i-Que Intelligent Robot toys are of particular concern, said the Consumer Federation of America, one of several groups that asked the FTC to look into the threat in October (see 1710180021). The FTC said Monday it received the letter but had no further comment. Several major retailers have stopped selling the products "with the exception of Amazon," the groups said, though Walmart's website Monday displayed a listing for a reduced-price version of the doll. Amazon didn't comment. The Cayla doll is listed in U.S. Public Interest Research Group's 2017 Trouble in Toyland list. “Connected toys raise serious privacy concerns,” said Marc Rotenberg, president of Electronic Privacy Information Center. “Kids should play with their toys and their friends, and not with surveillance devices dressed as dolls.”
Consumer Watchdog's claims, culled from patent applications, that Google Home smart devices have “troubling” legal and ethical privacy implications (see 1712130011) “are unfounded,” said Google in a Friday statement. “All devices that come with the Google Assistant, including Google Home, are designed with user privacy in mind,” Google said: “For Google Home, we only store voice queries after a physical trigger or after recognizing a hotword trigger like ‘Ok Google’ or ‘Hey Google.’”
Consumers enjoy using IoT devices but few understand or trust how their data is being managed, said a Cisco survey of 3,000 consumers released Tuesday. Despite suspicions about data security, most consumers said they aren't willing to disconnect from IoT devices, the survey said.
Facebook is being asked for assurances its new Messenger Kids app protects children’s privacy and security (see 1712040064), in a letter to CEO Mark Zuckerberg by Senate Democrats Ed Markey, Mass., and Richard Blumenthal, Conn. They ask by Jan. 4 whether Facebook will continue its promise of an advertising-free service; identify information shared with vendors and service providers; describe the app's security protections; and summarize the extent of consultation with child development experts in designing the app. Facebook said it received the letter and pointed to its blog describing consultations with parents in developing the app and an ongoing $1 million research project examining tech’s long-term impact on children.