Mattel’s Wi-Fi-connected Hello Barbie doll shows the limits of privacy, said Meg Leta Jones, assistant professor at Georgetown University, at a Microsoft discussion Wednesday. “Barbie doesn’t have a screen, there’s nothing to click on,” Jones said: There is no way to see what the privacy policy is. If you ask the doll, she refers a user to a separate booklet, Jones said. “Who would have that booklet?” The Hello Barbie doll Jones brought with her belongs to a friend, she said. The doll is part of the “internet of other peoples’ things,” Jones said. But Jones said this raises the question of how much information someone could get from the doll if it falls into someone else’s hands. Everything said to Hello Barbie theoretically can be shared with other uses, Jones said. “Hello Barbie cannot keep a secret, no matter what she tells you,” she said. “The bigger question for this room is whether that’s a problem, whether it’s a privacy problem and what do we do about those types of problems.” States are taking a lead role in privacy cases, said Danielle Citron, a University of Maryland Law School professor. State attorneys general brought some of the first privacy cases, she said. State AGs since the 1990s have been “establishing norms that federal agencies have built upon and sharpening norms that are set by the feds,” she said. Early actions were based on the legal theory that “it’s an unfair and deceptive practice not to have a privacy policy,” Citron said. “At the time the FTC was arguing … self-regulation is just fine.”

Login user data stolen from social networking site Myspace was made available in an online hacker forum, parent company Time said in a news release Tuesday. The company said the social networking site's technical security team found out about the breach "shortly before the Memorial Day weekend," but it didn't indicate how many users were affected. The breach was attributed to Russian cyberhacker "Peace," who has links to attacks on LinkedIn and Tumblr, a Myspace blog post said. Time said the stolen data "is limited to a portion of Myspace usernames, passwords and email addresses, from the old Myspace platform" before June 11, 2013, when it was relaunched with stronger account security measures. But Time said none of its other subscriber information or media assets were compromised. It said Myspace is now notifying all affected users, has invalidated their passwords, is monitoring for suspicious activity and is working with law enforcement officials on the investigation.

Sixty-eight civil society groups, companies and trade associations are urging the Senate Judiciary Committee to pass a bill that would update the Electronic Communications Privacy Act. It would essentially strengthen protection for email communications like requiring government law enforcement agencies to get a warrant in all investigations, a higher standard than ECPA now requires. The organizations, including Amazon, the Electronic Frontier Foundation and U.S. Chamber of Commerce, sent a letter Tuesday to Chairman Chuck Grassley, R-Iowa, and ranking member Pat Leahy, D-Vt., indicating support for the Email Privacy Act (HR-699), which the House approved 419-0 in late April (see 1604270067). The Senate panel is to mark up its version called ECPA Amendments Act (S-356) at a Thursday hearing. HR-699 doesn't have all the changes they wanted such as requiring the government to notify targets of investigations when a warrant is served, but the groups said "it represents a carefully negotiated compromise which preserves existing exceptions to the warrant requirement, provides a new ability for civil agencies to obtain access to previously public commercial content, and maintains the government’s ability to preserve records and obtain emails from employees of corporations." They urged the panel to pass the bill without any amendments that would weaken it.

Protesting the length and complexity of mobile app terms and conditions, Norway's consumer protection agency will have politicians, data protection officials, international students and others reading aloud policies of Angry Birds, Facebook, Netflix, Skype, Snapchat, Tinder, Twitter and two dozen more companies -- all told 250,000 words that will take 24 hours to utter during a live stream Friday. "The current state of terms and conditions for digital services is bordering on the absurd," said Digital Policy Director Finn Myrstad at the Norwegian Consumer Council, or Forbrukerrådet. The agency said the collective length of app terms and conditions found on an "average" mobile phone is longer than the New Testament. "Their scope, length and complexity mean it is virtually impossible to make good and informed decisions." He said consumers are at a disadvantage since companies can "unilaterally" amend policies to track, store and sell user content. Advocates want standards for how terms, conditions and privacy statements are written and presented, he said. Haida Tajik, chair of the Norwegian Parliament's justice committee, and Norwegian Data Protection Commissioner Bjørn Erik Thon will be among the numerous speakers during the Web stream.

NTIA will host a June 15 meeting for participants trying to hammer out a best practices document for the commercial use of facial recognition technology, said a notice in Friday's Federal Register. The process, which began more than two years ago, has been controversial, with several privacy and consumer protection advocates walking out last summer. They have said that any resulting voluntary code of conduct wouldn't provide adequate protections for the public. The remaining, mostly industry participants have inched closer to producing a document. Stakeholders met in late March in an NTIA-hosted meeting and then a subset group was developing a document that is expected to be discussed at the June meeting (see 1603290023). The 1-5 p.m. meeting, which is open to the public, will be held in the American Institute of Architects boardroom, 1735 New York Ave. NW.

Fitbit and the Center for Democracy and Technology released a report providing guidance to help other wearable manufacturers develop privacy practices for user data and ethical internal research and development procedures. CDT Deputy Director-Privacy and Data Michelle De Mooy, the report's co-author, said in a Wednesday news release that the data produced through wearable devices usually fall "outside of existing health privacy laws." While some companies such as Fitbit provide "clear and comprehensive privacy policies" in response to user concerns about data use and sharing, the report said "there is a dearth of guidance ... on appropriate and effective ways to protect consumers' health data." The report said sales of wearables are expected to grow to 172 million units in 2018, from 29 million units in 2014. Among the recommendations, the report says companies should preserve the "dignity" for both employees who offer personal data for experiments and users whose data are used throughout the R&D process. It also said companies should build "a culture of data stewardship" to help implement and sustain "privacy-aware and ethical internal research practices."

The federal government has several educational, enforcement and legislative efforts to protect people from the use of "surreptitious" smartphone tracking apps, but the GAO said in a report Monday that some stakeholders "differed" over whether current laws against stalking should be strengthened in response to the use of such apps. In analyzing 40 tracking apps and their websites' marketing language, GAO said a majority of these apps are marketed to parents and employers to monitor their children and employees. But it said about one-third of the websites reviewed market their apps as surreptitious, meaning they track individuals without their knowledge or consent. In interviews with academics, domestic violence groups and privacy advocates, GAO said many were concerned about the applicability of current federal laws in the manufacture, sale and use of such apps, the limited enforcement of such laws, and the need for more education about the apps. But others differed. "Some industry stakeholders were concerned that legislative actions could be overly broad and harm legitimate uses of tracking apps," GAO said. "However, stakeholders generally agreed that location data can be highly personal information and are deserving of privacy protections." GAO didn't make any recommendations in the report.

Most sharing or gig economy companies such as Airbnb, FlipKey and TaskRabbit aren't meeting industry best practices for privacy and transparency, specifically about government requests for access to user data, the Electronic Frontier Foundation said in a report released Thursday. Such companies amass people's personal data about purchases and whereabouts, but also collect the content of communications and geolocation data from people's cellphones, said EFF Activism Director Rainey Reitman in a news release. "But are these companies respecting their users’ rights when the government comes knocking? For much of the gig economy, the answer is no," she said. EFF analyzed 10 companies, but only Lyft and Uber received credit in all six categories "for their transparency around government access requests, commitments to protecting Fourth Amendment rights in relation to user communications and location data, advocacy on the federal level for user privacy, and commitment to providing users with notice about law enforcement requests," the report said. FlipKey earned credit in four categories, while Airbnb and Instacart each got credit in three. The remaining companies didn't get any credit. Over the past six years, EFF has published annual overviews of public policies and practices of major tech and communications companies about law enforcement requests, which have improved over the years. It was the first year looking at gig economy companies. EFF Deputy Executive Director Kurt Opsahl said it takes time for industries to adopt best practices. "Internet companies care deeply about user privacy and government access to user data, which is why the Internet industry has been vocal in our support for [Electronic Communications Privacy Act] reform legislation, the USA Freedom Act, and strong encryption," emailed a spokesman for the Internet Association. Its members include Airbnb, Lyft and Uber, its website said.

Always-on mic-enabled devices have unique privacy implications as compared with those that are manually or speech-activated, the Future of Privacy Forum and Ernst & Young said in a new paper released Thursday. The paper said it is inaccurate to label all such devices with speech recognition or mic-enabled features as being always on. Manually activated devices just require a user to press a button or flip a switch to record and transmit audio to a voice-to-text translation service, the paper said. Speech-activated devices like iPhone 6S or Microsoft Cortana stay in an "inert state of passive processing" and require a "wake phrase" to turn on. These devices are "not really 'listening' to its environment" but use the mic as another sensor. But always-on devices -- such as security cameras, baby monitors, the wristband Kapture or wearable camera OrCam -- "evoke different privacy concerns" from the other two categories, the paper said. Such devices "call for notice and consent frameworks in sync with the more extensive data collection that they enable," it added. The paper also discussed how some laws consider a "voice print" as a biometric or personal record with restrictions on usage. Another issue in the paper focused on consent from parties to be recorded. The paper also described emerging privacy issues such as devices transmitting and storing data in the cloud and user ability to disable functions or recognize when devices are recording. “Our expectations will evolve more quickly in some areas than others, and so the manufacturers of devices that are introducing microphones for the first time -- like televisions and toys -- should go the extra distance to provide additional transparency and in many cases greater levels of control and choice,” FPF Legal and Policy Fellow Stacey Gray said in a news release.

Global government requests to Facebook for user account data rose to 46,763 during the second half of 2015, up from 41,214 requests in the first half of last year, Chris Sonderby, the company deputy general counsel, said in a Thursday news release. He said that the number of items restricted for violating local law rose to 55,827 items during the second half of 2015, up from 20,568 during the first half of last year. "Restricted content in this [second] half is almost entirely due to one photo related to the November 2015 terrorist attacks in Paris," he said. "The photo was alleged to violate French laws related to protecting human dignity." Access was restricted to more than 32,000 copies of the photo in France alone in response to a legal request from the government there, he added. In the U.S., there were a total of 19,235 government requests -- including court orders, emergency disclosures, search warrants, subpoenas and others -- for 30,041 user accounts during the second half of 2015, Facebook's report said. The social media company had fewer than 500 total national security letter requests for fewer than 500 user accounts during this period -- same as the first-half period. By law, Facebook can provide national security data only in ranges and had to delay releasing data on Foreign Intelligence Surveillance Act requests, the company said in the report. Sonderby wrote that the company doesn't provide "back doors" or direct access to users' data. Facebook reviews each request "for legal sufficiency" and if it "appears to be deficient or overly broad, we push back hard and will fight in court, if necessary," he added.