Tech company data protection policies will be discussed at a House Communications and Consumer Protection joint subcommittee hearing Nov. 29, 10 a.m., 2123 Rayburn. The hearing, fulfilling a promise House Commerce Chairman Greg Walden, R-Ore., made in a Medium post, will examine how use of algorithms affects consumer privacy and choice with online content. Witnesses include Jeremy Grant, managing director, Venable; Troy Hunt, information security author, Pluralsight; and Ed Mierzwinski, consumer program director, U.S. Public Interest Research Group.
The FTC won't punish websites and online services for not obtaining parental consent before collecting the audio file of a child's voice when used solely to replace written words, as long as the information is held for a short time and only for that purpose, said a policy enforcement statement released Monday. The updated policy approved 2-0 applies to the Children’s Online Privacy Protection Act (COPPA) rule that requires certain operators of commercial websites or online services to obtain parental consent before collecting personal information from children under 13. The new policy doesn't apply when an operator requests information via voice that would otherwise be considered personal information, such as a name. An operator still must provide clear notice of its collection and use of audio files and its deletion policy in its privacy policy. The company may not make any other use of the audio file before it's destroyed and the policy doesn't affect other COPPA compliance requirements.
Companies should develop effective, secure and "responsible" encryption, which means giving law enforcement access to such data on consumer devices, said Deputy Attorney General Rod Rosenstein in prepared remarks Tuesday at the U.S. Naval Academy. He said engaging with major U.S. tech companies hasn't worked, but those companies have accommodated foreign governments. "Responsible encryption can protect privacy and promote security without forfeiting access for legitimate law enforcement needs supported by judicial approval," said Rosenstein, adding the companies won't develop it if left up to themselves. He previously has spoken about encryption (see 1706160029), including a Wednesday speech about the problem of "warrant-proof encryption," at the Cambridge Cyber Summit in Boston. At the Naval Academy, he again warned about "growing dark," a term often used by then-FBI Director James Comey to describe law enforcement's inability to access encrypted data needed during criminal investigations (see 1705030055, 1608150061 and 1603040023). The deputy AG said responsible encryption is "achievable ... examples include central management of security keys and operating system updates; the scanning of content, like your emails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop." Those functions aren't referred to as a back door, but often marketed and sought by many users, he said. The proposal that providers retain an ability to ensure that "evidence of crime can be accessed when appropriate," isn't unprecedented, he said, and every company doesn't have to implement the same technology, whether it's a chip, algorithm or key management technique or escrow. Rosenstein said there's "no constitutional right to sell warrant-proof encryption."
Legislators left little doubt Congress believed violation of the Video Privacy Protection Act would be a concrete injury, as it created a statutory damages provision that is triggered by VPPA violations, the Electronic Privacy Information Center said in an amicus brief backing a plaintiff suing ESPN over treatment of his Roku device viewing data. Judges Susan Graber, Mary Murguia and Morgan Christen of the 9th U.S. Circuit Court of Appeals Friday approved (in Pacer) EPIC's request for leave to file the brief, saying the plaintiff has standing under Spokeo to sue ESPN, which the network disputes (see 1709250050). EPIC's docket 15-35449 brief (in Pacer) said a VPPA disclosure provision violation is a per se concrete injury, and any court that demands a plaintiff prove harm atop the concrete injury Congress deemed actionable is substituting its own judgment.
The FTC scheduled a Dec. 12 workshop on injuries to consumers when their information is misused, as expected (see 1709190040), said a Friday news release. The workshop will address how to characterize and measure such harms, their prevalence, and the factors businesses and consumers should consider in collection and use of information that could risk consumer injuries. The agency seeks comment by Oct. 27. The event starts at 9 a.m. at 400 7th St. SW.
Google received nearly 49,000 government requests globally for user data involving more than 83,000 accounts for the first half of 2017, it reported Thursday. Richard Salgado, director-law enforcement and information security, blogged that the information includes requests for user data in criminal case and national security matters. In the first six months of 2016, Google received nearly 45,000 requests globally for data involving more than 76,700 accounts. In the U.S., Google received more than 16,800 requests -- including subpoenas, search warrants, court orders and emergency disclosures -- for user data from more than 33,700 accounts in the first six months of 2017. In the year-ago period, the company got nearly 13,700 requests about more than 27,200 U.S. accounts.
The Broadband Internet Technical Advisory Group launched a review of technical aspects of internet data collection and privacy, with a report expected early next year. In a Wednesday news release, BITAG, an advisory group of engineers and technologists, said the report will try to explain collection practices, such as types of data collected, where and how it takes place and what it's used for. The report will show the varied collection and use practices among ISPs, edge providers, advertising networks, app developers, equipment manufacturers and others and the tools and methods they apply, BITAG said.
CompTIA raised privacy and security concerns about bills in Massachusetts, Tennessee and other states that would require electronics manufacturers to share information about hardware with product owners and repair shops. Massachusetts SB-96, in the Joint Consumer Protection Committee, would require manufacturers to “make available to independent repair facilities or owners of products manufactured by the manufacturer the same diagnostic and repair information, including repair technical updates, diagnostic software, service access passwords, updates and corrections to firmware, and related documentation, free of charge and in the same manner the manufacturer makes available to its authorized repair providers.” That could make consumers vulnerable to hacking, CompTIA said in a Tuesday news release. “The last thing a person wants is for a bad actor to get access to their personal information because a family, friend or co-worker compromised their devices by allowing an unauthorized repair shop to tinker,” said Liz Hyman, executive vice president-policy advocacy.
A "coherent framework" with a single regulator to oversee and consistently apply privacy practices across the internet, including advertising networks, apps, browsers, devices, ISPs, operating systems and social media platforms, is needed, blogged Jeff Brueggeman, AT&T vice president-global public policy. Such privacy policies and protections "should be based on the sensitivity of the data from the consumer’s perspective, not the technology or company," he said. Federal and state legislation (see 1709180032 and 1709200053) will lead to a fragmented approach and only confuse consumers and hinder innovation and competition, he said Monday. He added that it's "simply false" that ISPs have more visibility into consumers' browsing activity than Facebook, Google and others, mainly because encryption increasingly is used. The digital ad market is expected to grow to $83 billion revenue, a 16 percent hike, this year. Whether the FCC or FTC should be the sole cop on the beat is still a matter of debate, he said. He noted Congress "wisely repealed" FCC ISP privacy rules (see 1704050037).
Using a cellsite simulator without a warrant violated Fourth Amendment rights of a criminal, said the D.C. Court of Appeals last week. Judge Corinne Beckwith's opinion -- concurred in part by Judge Michael Farrell and dissented from by Judge Phyllis Thompson -- reversed Prince Jones' convictions, saying the evidence admitted at trial obtained from the unlawful search "was not harmless beyond a reasonable doubt." The Electronic Frontier Foundation blogged Thursday that the majority decision should be "yet another warning to law enforcement that new technologies do not mean investigators can bypass the Constitution." D.C. police used a cellsite simulator -- popularly known as a StingRay -- to find and arrest Jones at a parked car although it was unclear whether the device pinpointed the unique identifier of his cellphone or one he allegedly robbed from a victim. Jones sought to suppress the evidence, but the trial court denied his motion. "The trial court agreed with the government's argument that regardless of whether there had been a Fourth Amendment violation, the inevitable-discovery doctrine rendered the exclusionary rule inapplicable," wrote Beckwith, meaning police would have located Jones with the device using either Jones' or the victim's phone. Beckwith said a cellsite simulator can expose a cellphone user's "intimate personal information," can be used to track and, more importantly, locate a person, and can exploit a security vulnerability. Use "invaded a reasonable expectation of privacy and was thus a search," she said. Farrell said a recent case said government acquisition of cellsite location information from a provider isn't a search under the Fourth Amendment (see 1708140064 and 1706050006), but in this case, direct government surveillance of a cellphone is a search with a cellsite simulator that intercepts such location data. 
Thompson believes people have a reasonable expectation of privacy in location information like in their home, but this case didn't involve a home, no long-term tracking, no physical intrusion or trespass and no search of a cellphone. Neither DOJ nor the Public Defender Service commented Friday.