My letter to the NTIA concerning the Administration’s Approach to Consumer Privacy

The deadline for submitting comments on the National Telecommunications and Information Administration’s (NTIA) proposed approach for federal privacy law was extended recently to November 9, 2018.

Here’s what I submitted to the NTIA this morning. It’s not too late for you to do the same.

Re: Docket 180821780-8780-01
Federal Register Vol. 83, No. 187, p. 48600 – 48603
Developing the Administration’s Approach to Consumer Privacy

To Whom It May Concern:

Thank you for providing the opportunity to comment on the Administration’s proposed approach to consumer privacy. I have a few concerns I wish to raise.

1. Concerning Section I.B(4) – the Self-Regulatory Approach Proposed

It is not completely clear whether the approach detailed in the RFC would lead to federal law governing the collection, storage, use and sharing of consumer information, or merely to voluntary guidelines. Since the RFC cited both the NIST “voluntary risk-based Privacy Framework” as well as the self-regulatory Fair Information Practice Principles (FIPP), one could conclude that the NTIA is proposing a voluntary approach. This is important and should be clarified.

Assuming a voluntary approach is being proposed, the Administration should re-review the findings of the FTC “Privacy Online” report to Congress in June of 1998. The FTC concluded, with respect to FIPP, that:

To date, industry has had only limited success in implementing fair information practices and adopting self-regulatory regimes with respect to the online collection, use, and dissemination of personal information.

It is out of the limited success of these self-regulatory regimes that laws like the Children’s Online Privacy Protection Act of 1998 came to be and, more recently, that individual states have enacted non-voluntary regulations like the California Consumer Privacy Act of 2018.

It is noteworthy that although FIPP recommends that consumers be given notice of information practices before any personal information is collected from them, it wasn’t until the enactment of the EU’s General Data Protection Regulation in 2018 that such notices were added to the online sites of many U.S. based businesses.

Therefore, it is not clear that proposing voluntary principles would be any more effective than past attempts at leaving the tech industry to regulate itself with respect to user privacy. Nor is it clear that this would further consumer trust, which, as the RFC states, “is at the core of the United States’ privacy policy formation”, and about which the NTIA itself concluded, twenty years after the FTC “Privacy Online” report, that “Most Americans Continue to Have Privacy and Security Concerns, NTIA Survey Finds” (NTIA Blog, August 2018).

2. Concerning Section I.B(1) – Regulatory Harmonization

This section seems to suggest that the Administration will be seeking to preempt the privacy regulations enacted independently in states like California and Vermont with voluntary principles. This is important and should be clarified.

Although the RFC makes a valid point about the added burden incurred by businesses to respect the various regulations in each of the states in which they do business, preempting state regulations with federal voluntary principles will undermine the trust that is just beginning to be re-built between consumers and businesses in states with new privacy regulations on the books.

If the Administration is to craft preemptive law, it would be better for it to be a non-voluntary regulatory framework that leverages some or all of the requirements of California Consumer Privacy Act of 2018 and the Vermont Data Broker Law of 2018.

Similarly, it is not clear whether the “Risk Management” outcome (Section I.A(6)) is intended to preempt states’ data breach disclosure laws. If so, then a non-voluntary regulatory framework (with the state laws informing a minimum) is far more likely to be effective at increasing consumer trust than stripping states’ breach notification protections.

3. Response to Section II.G – “Are there… any outcomes or high-level goals in this document that would be detrimental to achieving the goal of achieving U.S. leadership?”

Although the outcomes enumerated in section I.B of the RFC (e.g. transparency, control, minimization, security, access and correction, etc.) laudably mirror recently enacted privacy regulation abroad and within, I believe relying on voluntary principles being adopted by industry and preempting state law would, instead, directly undermine the goal of achieving U.S. leadership in online privacy.

Thank you for taking these concerns into consideration.

Sincerely,

Allen Snook
WordPress Core Contributor for Privacy
26 years professional experience in engineering, software development and management
Alumni, Virginia Polytechnic Institute and State University, BSEE

Profile Picture Privacy Controls WordPress Plugin Now Available

I wrote this plugin a few months back, use it on all my sites, and finally got around to uploading it to the WordPress.org plugins repository this morning.

The plugin increases your users’ privacy by hiding Profile Pictures (Gravatars) from logged out users (and bots) visiting your site.

It also allows individual registered users on the site to choose whether or not they have a Gravatar displayed for them in their User Profile settings.

Why is this important? Primarily because the “hash” that Gravatar uses to retrieve and display your picture can be used to find other places on the web where you have provided comments or posts and could even be used to reveal your email address in some cases – here’s a good in-depth article by Wordfence on the risks.

Profile Picture Privacy Controls is available in the WordPress.org plugin repository here. You can also find the source code on GitHub.
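As an added illustration of the technique (this is not the plugin’s own source), here is how WordPress lets a plugin suppress the Gravatar lookup: the `pre_get_avatar_data` filter runs before core computes the Gravatar URL, so returning a locally hosted image means the email hash never reaches the page. The `ppc_hide_gravatar` user-meta key and the `images/default-avatar.png` file are assumptions for this example.

```php
<?php
/**
 * Added example, not the Profile Picture Privacy Controls plugin's own code.
 * Assumes a hypothetical user-meta key 'ppc_hide_gravatar' that a user sets
 * from their profile, and a fallback image shipped in the plugin folder.
 */

// Runs before core builds the Gravatar URL. Returning $args with 'url' set
// short-circuits the lookup, so the MD5 email hash is never emitted.
add_filter( 'pre_get_avatar_data', 'ppc_filter_avatar_data', 10, 2 );

function ppc_filter_avatar_data( $args, $id_or_email ) {
    // Logged-out visitors (and crawlers) always get the neutral local image.
    if ( ! is_user_logged_in() ) {
        return ppc_local_avatar( $args );
    }

    // Logged-in viewers still respect each registered user's own opt-out.
    $user_id = ppc_user_id_from( $id_or_email );
    if ( $user_id && get_user_meta( $user_id, 'ppc_hide_gravatar', true ) ) {
        return ppc_local_avatar( $args );
    }

    return $args; // Fall through to the normal Gravatar lookup.
}

// Resolve whatever get_avatar() was called with to a user ID, or 0 when it
// is not a registered user (e.g. a guest commenter identified only by email).
function ppc_user_id_from( $id_or_email ) {
    if ( is_numeric( $id_or_email ) ) {
        return (int) $id_or_email;
    }
    if ( $id_or_email instanceof WP_User ) {
        return $id_or_email->ID;
    }
    if ( $id_or_email instanceof WP_Comment ) {
        return (int) $id_or_email->user_id;
    }
    if ( is_string( $id_or_email ) && is_email( $id_or_email ) ) {
        $user = get_user_by( 'email', $id_or_email );
        return $user ? $user->ID : 0;
    }
    return 0;
}

function ppc_local_avatar( $args ) {
    // images/default-avatar.png is an assumed file shipped with the plugin.
    $args['url']          = plugins_url( 'images/default-avatar.png', __FILE__ );
    $args['found_avatar'] = false;
    return $args;
}
```

Because the filter returns before core reaches Gravatar, the page source for a logged-out visitor contains only the local image URL, which you can confirm by viewing the rendered HTML of a comment thread while logged out.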

As Goes the Drone Industry, So Also Goes the Web

From Drone Hobbyists Angered By Congress Ending the Aerial Wild West:

But it will also significantly change the ground rules for users of products that have grown enormously popular, generating a following among fiercely independent purchasers who want to fly with limited or no restrictions.

Replace “purchasers” with website owners and “fly” with “have a web presence” and you’ll get my drift.

US NTIA Privacy Request for Comments

Today, the United States Department of Commerce National Telecommunications and Information Administration (NTIA) invited the public to comment on the Trump administration’s proposed approach to federal privacy policy.

This is a unique opportunity for privacy professionals to weigh in on the policies and laws that affect many of us and our work, not just in the United States of America, but worldwide.

Tick, tock! Comments are open until October 26, 2018.

A complete copy of the proposal is available from the Federal Register at https://www.ntia.doc.gov/files/ntia/publications/fr-rfc-consumer-privacy-09262018.pdf and more information is available on the NTIA website at https://www.ntia.doc.gov/federal-register-notice/2018/request-comments-developing-administration-s-approach-consumer-privacy

MIT has a great article on commenting on pending legislation here: http://mitcommlab.mit.edu/broad/commkit/public-comment-on-pending-legislation/

I’ll post my comments here in a follow on post once I assemble them.

From the Blockchain to Creating a Privacy Compliance Culture

I recently had the pleasure of attending the 1st Annual Innovation and Technology Law Symposium held by Seattle University’s School of Law. It was a one-day series of moderated panels on Innovation and Regulation in Blockchain and Financial Tech (FinTech). Panelists included faculty from the school as well as experts from Microsoft, from the Washington State Department of Financial Institutions, and a few startups too.

Although the discussion was captivating throughout, the most intriguing part of the conference was the final panel on regulatory sandboxes. This ended up having direct parallels to the privacy regulations I’m most interested in and working on each day — especially when Youssef Sneifer of Microsoft Payments remarked that it was no small feat to acclimate the software developers in his part of Microsoft to the realities of working in a regulated environment – something that most software developers don’t have experience with. And he’s not alone in this remark!

Although I’ve worked in regulated industries for most of my career, first with CE/UL/FCC certification for satellite communications hardware and later under laws like HIPAA while developing software for medical devices, his point really struck me, because most of the web and app developers tackling the changes needed for privacy laws like the GDPR have little to no experience working in a regulated environment. They are more likely to have been told to “move fast and break things”, and that’s just not the way things work with radio or healthcare – and now it is no longer the way when working with people’s personal data either.

So I asked, how does one help create a culture of compliance where there formerly was little or no regulation or enforcement, like in the case of privacy? Youssef replied that it had to start at the top, that the leadership had to set the tone that compliance was a top priority, was non-negotiable and that developers and managers were responsible to understand the requirements of the law and make it happen. Lucinda Fazio, the sole regulator on the panel, added that, when a regulator sees that regulatory compliance is being reinforced in the company, the regulator reacts differently if/when that company makes a misstep. Aaron Gregory of Remitly added that ultimately it becomes about trust and ideally becomes part of your brand – becomes a fundamental for your employees.

Later, another attendee mentioned that he agreed with Youssef but that you especially needed to get the sales team on-board too for compliance culture to catch. Shortly after that a third attendee stopped me in the hallway and mentioned the importance of finding the distinct “whys” (they’ll be different) for different groups or individuals throughout the organization – why regulatory compliance should matter to them, whether financial law or privacy law or what have you.

I think they were all right – you need a strong privacy mandate from the top down AND you need sales and marketing to see regulatory compliance as something marketable and not just an encumbrance AND you need to find the whys for the software developers and other roles in your company to begin to make compliance – financial, privacy, or what have you – part of a company’s culture. And that’s the challenge for all of us working on the web and on apps now – in a post GDPR world – helping to get those cultures started and flourishing in our companies.

Twitter: Nice, Granular Privacy Controls

When I signed into Twitter today, they informed me of “Important Updates” – which take effect on May 25, 2018 (coincidentally the same day the GDPR takes effect, though the GDPR is not mentioned).

Instead of the lovely bold “Got It” button, I went for the “Review settings” link below it in fine print:

I was surprised how much was enabled:

But not anymore!

Props to Twitter for 1) notifying me of the changes when I log in, 2) providing a link to review the settings (even though it was tiny, it was there) and 3) making it easy for me (even as a non EU resident) to opt-out of individual uses of my personal data. You’ve set an example for others to follow.

April is WordPress Plugin Privacy Audit Month

With less than 45 days until the game-changing EU GDPR law takes effect, it is a good time for WordPress administrators to do a privacy review of the plugins they have installed on their site. This information will help you create or update a privacy policy for your site – a must have for any modern web presence.

Administrators are well advised to first deactivate any plugins they no longer need – a good security practice in itself. But don’t delete them right away! If you suspect a plugin might have collected personal data, you’ll want to contact the developer and make sure that deleting their plugin will also clean up any personal data it collected.

Next, administrators should review the privacy policy for each plugin. Most plugins haven’t written these – privacy by design is a new concern for many software developers – so you will probably have to contact each developer and ask them directly. Here are the questions you’ll want answered:

  • What data the plugin collects from site users and visitors
  • What the plugin does with the data and why the data is collected
  • What third parties the plugin shares the data with
  • Where the plugin stores the data (both on the site itself and on any cloud-based resource) and how access to the data is protected
  • How long the plugin retains the data
  • What options administrators and users have about data collection and use
  • How the administrator or users can access, update or delete the data the plugin collects
  • Assurance that, when the plugin is deleted, it also cleans up any data it collected

Happy Spring Cleaning and Privacy Policy writing!

WordPress Plugin Data Deletion and the GDPR

With the GDPR deadline looming, it is an excellent time for WordPress plugin developers to finish adding or updating that often skipped, often neglected plugin uninstall code – you know, the “clean-up” code that deletes options and meta data and tables that the plugin added to the site?

This is an especially good time to do this if your plugin handles personal data in any way. Why? To give assurance to the administrators that install your plugin that, if they delete that plugin from their site, they are no longer responsible for including in their privacy policy (or, heaven forbid, disclosing in the event of a breach) what data, especially personal data, was collected (or exposed) by your plugin.

Here’s the Plugin Handbook page you’re looking for: https://developer.wordpress.org/plugins/the-basics/uninstall-methods/
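To make the clean-up concrete, here is an added example of the `uninstall.php` approach from that Handbook page (this is not any particular plugin’s code); every option, meta key, table and hook name in it is hypothetical, and the point is that each place personal data could have been written gets a matching delete.

```php
<?php
/**
 * uninstall.php: added example, not code from any particular plugin.
 * WordPress runs this file only when an administrator deletes the plugin
 * from the Plugins screen. All option, meta and table names are hypothetical.
 */

// Bail out if the file is loaded any other way (direct request, include).
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}

global $wpdb;

// 1. Site-wide settings stored with add_option()/update_option().
delete_option( 'example_plugin_settings' );
delete_option( 'example_plugin_db_version' );

// 2. Per-user preferences and any cached personal data kept as user meta.
//    delete_metadata() with $delete_all = true removes the key for every user.
delete_metadata( 'user', 0, 'example_plugin_prefs', '', true );
delete_metadata( 'user', 0, 'example_plugin_last_ip', '', true );

// 3. Per-post and per-comment meta the plugin added.
delete_metadata( 'post', 0, '_example_plugin_tracking', '', true );
delete_metadata( 'comment', 0, '_example_plugin_geo', '', true );

// 4. Custom tables holding personal data (e.g. a visitor log). The name is
//    built from the trusted prefix, not from user input, so no prepare() here.
$table = $wpdb->prefix . 'example_plugin_visitors';
$wpdb->query( "DROP TABLE IF EXISTS {$table}" );

// 5. Transients and scheduled events that may still reference the data.
delete_transient( 'example_plugin_report_cache' );
wp_clear_scheduled_hook( 'example_plugin_daily_purge' );

// Multisite: repeat the option clean-up for every site in the network.
if ( is_multisite() ) {
    foreach ( get_sites( array( 'fields' => 'ids' ) ) as $site_id ) {
        switch_to_blog( $site_id );
        delete_option( 'example_plugin_settings' );
        delete_option( 'example_plugin_db_version' );
        restore_current_blog();
    }
}
```

A quick check after deleting the plugin on a test site is to search the `wp_options`, `wp_usermeta`, `wp_postmeta` and `wp_commentmeta` tables for the plugin’s key prefix and confirm nothing comes back.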

Tick tock. The GDPR takes effect on May 25, 2018.

There are, of course, other aspects of the GDPR that apply to the way plugins handle personal data or expose site visitors to data collection by 3rd parties, and solutions to those are coming in WordPress core (see below), but this area (data clean-up on plugin deletion) is one area that developers can attend to now if they haven’t already.

Interested in joining me in helping to make the world’s top CMS more privacy oriented and GDPR ready? Come join the privacy party at https://make.wordpress.org/core/tag/gdpr-compliance/