The Hill reports that the bi-partisan congressional Privacy Caucus sent an open letter to Google CEO Larry Page asking for clarification on Glass and the myriad of privacy issues it presents. The letter contains many of the same talking points that groups like Stop the Cyborgs have brought up in the past, but it seems to at least be giving Google the benefit of the doubt in this case.

Here’s some of the more interesting questions that many of us, including myself, would want answered:

“What proactive steps is Google taking to protect the privacy of non-users when Google Glass is in us? Are product lifecycle guidelines and frameworks, such as Privacy by Design, being implemented in connection with its product design and commercialization? For example, if a Google Glass customer/user decides to resell or to dispose of their Google Glas product, would there be any product capabilities incorporated into the device to ensure that one’s personal information remains private and secure?”

“In Google’s privacy policy, it states that the company “may reject requests that are unreasonably repetitive, require disproportionate technical effort … risk the privacy of others, or would be extremely impractical.” Please provide examples of when Google would reject requests on Google Glass that would risk the privacy of others? Would Google place limits on the technology and what type of information it can reveal about another person? If so, please explain. If not, why not?”

“Given Google Glass’ sensory and processing capabilities, has Google considered making any additions or refinements to its privacy policy? If so, please explain. If not, why not?”

There are a total of eight questions, but the above three are by far the most important. The last question is especially interesting as Google has run into complaints and threats of regulation when it changes its privacy policy. Even if Google were to change its privacy policy to reflect the the privacy implications of Glass, it’s a given that somebody would find something to complain about.

In addition to questions about its privacy policy, the Privacy Caucus drags the 3-year-old street view Wi-Fi data collection scandal into the spotlight yet again. They want to know if Google will be doing anything to prevent Glass from unintentionally collecting data. It’s somewhat of a moot point because Glass and the street view cars are very different. Even if Google Glass could store data from unprotected Wi-Fi sources, the paltry 16GB of onboard storage ensures that it wouldn’t be able to collect very much.

As for Google’s response to all of this, a spokesperson for the company told The Hill that Google is “thinking very carefully how [it] design[s] Glass because new technology always raises new issues.”

That’s about all we can ask for at the moment. It will be interesting, however, to see if Page actually responds to the letter. During his closing remarks at Google I/O on Wednesday, he raised concerns that the law wasn’t keeping pace with technology. Would he argue that privacy laws aren’t keeping up with what Google is trying to achieve with Glass?

The Hill reports that Attorney General Eric Holder told the House Judiciary Committee that the Justice Department would be in support of legislation that requires law enforcement to obtain a warrant before accessing email. His support gives a major boost to those who want to update the ECPA – a decades old bill that allows law enforcement to obtain emails without a warrant as long as said email is more than 180 days old.

Of course, Holder did have some reservations. He said that any update to the ECPA should include exemptions for “certain very limited circumstances.” For example, he said that law enforcement agencies shouldn’t have to obtain a warrant for civil investigations.

It was encouraging, however, to hear that Holder is in support of “the general notion of having a warrant to obtain the content of communications.” It’s only slightly less encouraging to think that his idea of exemptions may cut our large swaths of the bill, thus making it less effective.

If the Justice Department truly is in favor of updating the ECPA, it will be interesting to see which one it comes out in favor of. Many hope that it would support Rep. Zoe Lofgren’s bill – The Online Communications and Protection Act. It’s a far reaching bill that not only requires a warrant before accessing email and other online communications, but also requires a warrant when accessing any geolocation data from mobile device carriers.

Lofgren’s bill may be too far reaching for the Justice Department though. It may instead opt to back something like the ECPA Amendments Act of 2013, a bill from Sen. Patrick Leahy that only requires law enforcement to obtain a warrant when accessing email. It says nothing about geolocation data.

Regardless, the Justice Department’s support may not even be enough to pass anything this soon. Both the House and the Senate are wrangling with other issues at the moment, and it looks like ECPA reform has been put on the back burner yet again.

Do you think Google Glass should be banned? Let us know in the comments.

TechDirt reports that a new We The People petition submitted on May 3, a man from Seattle, Washington is requesting that the government “Ban Google Glass from use in the USA until clear limitations are placed to prevent indecent public surveillance.” As the title suggets, those who have signed are scared of the privacy implications:

Google Glass is a new twist on technology which hasn’t had clearly stated limits on the locations in US communities where it can and cannot be used. In order to protect our communities we need limitations to prevent indecent public surveillance of our friends, children, and families.

It is hard to prevent it because the hardware gives no notification that it is recording an individual at any given time.

Aside from the admittedly weak (only 34 signatures in a week) petition, a group called Stop the Cyborgs has sprung up in recent months in protest of Google Glass. It’s not like they hate Google or Glass though. They also don’t want a ban. Instead, the group argues that they just want consumers to think about what they buy and the implications of technology:

As for its specific beef with Google Glass, the group lists a number of problems it has with the technology:

Their concerns may be legitimate as hackers with early access to Glass say its relatively easy to turn the device into a surveillance tool. The obvious first thought is that people can use Glass to spy on others, but the real threat is that hackers could use Glass to spy on the person wearing them. Jay Freeman explains:

Once the attacker has root on your Glass, they have much more power than if they had access to your phone or even your computer: they have control over a camera and a microphone that are attached to your head. A bugged Glass doesn’t just watch your every move: it watches everything you are looking at (intentionally or furtively) and hears everything you do. The only thing it doesn’t know are your thoughts.

The obvious problem, of course, is that you might be using it in fairly private situations. Yesterday, Robert Scoble demonstrated on his Google+ feed that it survived being in the shower with him. Thankfully (for him, and possibly for us), this extreme dedication to around-the-clock usage of Glass also protects him from malicious attacks: good luck getting even a minute alone with his hardware ;P.

However, a more subtle issue is that, in a way, it also hacks into every device you interact with. It knows all your passwords, for example, as it can watch you type them. It even manages to monitor your usage of otherwise safe, old-fashioned technology: it watches you enter door codes, it takes pictures of your keys, and it records what you write using a pen and paper. Nothing is safe once your Glass has been hacked.

Do you think fears of Google Glass are overblown? Or do you think hackers could wreak havoc on those who choose to wear Glass? Let us know in the comments.

I think most can agree that hardware like Glass shouldn’t be allowed in certain places. It’s totally reasonable to ban its use at bars, strip clubs and other places that respect client confidentiality. It should also probably be banned from the workplace or other locations that handle sensitive data.

That being said, the consumer version of Glass is at least a year away. That gives Google and developers enough time to ensure that Glass respects privacy while potentially ushering in a new era of wearable computing.

Despite all of the fear circulating around Google Glass, you probably won’t have to worry about people abusing the technology. Those who use Glass will either be too busy taking selfies in the shower or being punched in the face.

Is Google Glass a revolution in wearable computing? Or is it a surveillance nightmare? Let us know in the comments.

“For some time now, the reddit privacy policy has been a bit of legal boilerplate. While it did its job, it does not give a clear picture on how we actually approach user privacy. I’m happy to announce that this is changing. The reddit privacy policy has been rewritten from the ground-up. This new policy is a clear and direct description of how we handle your data on reddit, and the steps we take to ensure your privacy.”

The new policy will go into effect on May 15th.

The main difference (other the clarity) in reddit’s new privacy policy, as opposed to the older policy, is that this one is more specific to reddit. The previous privacy policy was overbroad, having been written by Conde Nast (who owns reddit).

“The old policy was written very broad. It was a generic one written by Conde Nast. This was written specifically to apply to reddit. The goal was to be clear and specific. Especially about data retention. Some things were added like reddit Gold and specific information about the new advertising providers,” says legal strategist Lauren Gelman, who helped write the new policy.

For one, the new policy expresses exactly what information reddit collects from its users. One new additon involves posts and comments, and how long they stay accessible (hint: forever):

The posts and comments you make on reddit are not private, even if made to a subreddit not readily accessible to the public. This means that, by default, they are not deleted from our servers– ever– and will still be accessible after your account is deleted. However, we only save the most recent version of comments and posts, so your previous edits, once overwritten, are no longer available.

Reddit clarifies that if you truly want a comment gone for good, it’s best to simply edit it.

Another involves IP addresses:

reddit stores the IP addresses associated with specific posts, comments, and private messages for 90 days after they are made or sent.

On a site like reddit, privacy is paramount. Just spend any time on there, and you’ll see what I mean. If you want to read the (incredibly readable) new privacy policy, check here.

The methodology is simple enough. The EFF looks at 18 prominent tech companies including Facebook, Twitter, Google, Yahoo, Apple, and Amazon, and judges them based on 6 different categories (up from 4 last year). It then awards stars to the companies if their actions in those categories are on the side of protecting user rights.

This year, Twitter and ISP Sonic.net were the only two companies to receive full 6-star ratings from the EFF. Last year, they were the top two performers in the report, scoring a 3.5 and 4 star rating, respectively.

Here are the 6 categories that the EFF looks at for their report:

1. Does the company require a warrant for content of communications?
2. Does the company tell users about government data requests?
3. Does the company publish transparency reports?
4. Does the company publish law enforcement guidelines?
5. Does the company fight for users’ privacy rights in court?
6. Does the company fight for users’ privacy in Congress?

Verizon and Myspace received zero stars, while Apple, AT&T, and Yahoo received 1 star. On the flip side, Dropbox, Google, LinkedIn, and Spideroak got nearly perfect marks, coming in with 5 stars out of 6.

Readers of this year’s annual privacy and transparency report should be heartened, as we are, by the improvements major online service providers made over the last year. While there remains room for improvement in areas such as the policies of location service providers and cellphone providers like AT&T and Verizon, certain practices – like publishing law enforcement guidelines and regular transparency reports – are becoming standard industry practice for Internet companies.

And we are seeing a growing, powerful movement that comprises civil liberties groups as well as major online service providers to clarify outdated privacy laws so that there is no question government agents need a court-ordered warrant before accessing sensitive location data, email content, and documents stored in the cloud.

Remember: you entrust most of these companies with almost everything in your digital life – photos, personal info, location, financial info. It’s important to know exactly where each stands in terms of protecting that info against prying eyes. The EFF warns that the absence of a star doesn’t necessarily mean that the company is thwarting user rights in that category – it simply may mean that they haven’t been given the chance to defend user rights in that arena. Here’s the EFF’s full star report:

And with that, Airbnb announces a move that is likely to ruffle the feathers of some users, while engendering a more serious trust in the service in others. Today, the online service that connects travelers with location renters all across the world is unveiling a heightened verification process which they call Airbnb Verified ID. It will force users to match their online IDs (via Airbnb accounts, Facebook, or LinkedIn) with their offline identities, verifiable with a government-issued ID or some sort of official questionnaire.

“Verified ID provides a connection between the online and offline spaces. Airbnb users can earn a “Verified ID” badge on their profile by providing their online identity (via existing Airbnb reviews, LinkedIn, or Facebook) and matching it to offline ID documentation, such as confirming personal information or scanning a photo ID. The name provided by both channels must match for verification to succeed,” says Wagle.

Airbnb is dipping its toes into the new verification, only requiring a random 25% of users to get verified. Users who wish to make last-minute bookings will also be asked to verify their identities. That percentage is likely to increase quickly, as Airbnb says that their end goal is to make all users have a verified ID.

Of course, you may be forced into verifying your account if you want to book certain locations. Hosts can now require that guests are verified.

At Airbnb, hosts can set reservation requirements that they feel comfortable with. Some may choose to only invite guests into their homes who have verified their IDs. If you would like to book with a host who requires their guests to verify their IDs, we’ll prompt you to do so in order to complete the booking process. Any host who requests their guests to verify their ID must also get verified.

If you want to verify your account, you can start the process here. Or, you can simply wait for Airbnb to require it. If Airbnb asks you to do so during a booking, you’ll have 12 hours to complete the process.

Airbnb has to know that this is a bold move. For some users, this will be a deal breaker. That’s unavoidable from Airbnb’s perspective. But there are few online services other the Airbnb where this sort of thing makes sense. I mean, people are hosting and booking homes and apartments with strangers. For a company that has had its share of negative press regarding poor user experiences, this is definitely a strong move to show that they’re all about trust and legitimacy.

Although CISPA as a whole saw bipartisan support, one last-minute amendement that looked to curtail a worrisome practice by employers was shot down on party lines.

Colorado Democrat Ed Perlmutter attempted to tack on a provision to CISPA that would make it illegal for employers to require prospective employees to hand over their social media passwords as a condition of acquiring or keeping a job.

Has an employer even demanded one of your social media passwords as a condition of being hired or keeping your job? What was your reaction? Let us know in the comments.

The proposal was voted down 224-189, with Republicans in the majority.

“People have an expectation of privacy when using social media like Facebook and Twitter. They have an expectation that their right to free speech and religion will be respected when they use social media outlets. No American should have to provide their confidential personal passwords as a condition of employment. Both users of social media and those who correspond share the expectation of privacy in their personal communications. Employers essentially can act as imposters and assume the identity of an employee and continually access, monitor and even manipulate an employee’s personal social activities and opinions. That’s simply a step too far,” said Perlmutter.

This isn’t the first time that Perlmutter has introduced this sort of legislation. Last year, the same employee password protection language was rejected in the House.

Last year, the practice of employers demanding the Facebook passwords of prospective employees became a hot topic. Both state legislatures and the U.S. Congress introduced measures to counteract the rising trend. One particular bill, the Password Protection Act of 2012, was introduced in both the House and the Senate, but went nowhere.

That bill was introduced by Democratic Senator Richard Blumenthal. Before the bill was presented, back in May of 2012, he, along with Senator Chuck Schumer (D-NY) sent a letter to both the Department of Justice and the U.S. Equal Employment Opportunity Commission asking them to “launch a federal investigation into a disturbing new trend.”

Soon after that letter was sent, a motion called “Mind Your Own Business on Passwords” failed in Congress. It would have made the employee password issue one monitored by the Federal Communication Commission. They would have had the right to declare the practice illegal.

So, the Password Protection Act of 2012 moved forward. The language made it a crime that any employer “for the purposes of employing, promoting, or terminating employment, compels or coerces any person to authorize access, such as by providing a password or similar information through which a computer may be accessed.”

But it died, and has been referred back to committee.

The Password Protection Act of 2012 isn’t the only federal bill proposed to deal with the issue. Say hello to SNOPA, or the Social Networking Online Protection Act. It aims to do what the PPA tried to do, but with even clearer languge:

To prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website.

It’s been introduced, and referred to committee. No movement yet.

On the flip side, some states have had success in passing bans on the practice. First, the state of Maryland enacted a law banning password snooping. And this year, laws in both California and Illinois went into effect.

“It’s not déjà vu — this is the same amendment I introduced twice last year, so people have had plenty of time to study and discuss it. It has bipartisan support. It wouldn’t kill the underlying cyber-security bill; it wouldn’t send it back to committee. It merely safeguards an individuals’ personal privacy as they use their own personal social media accounts,” said Perlmutter of his CISPA add-on.

It’s important to note that Perlmutter did in fact vote yes on CISPA.

But despite those claims, the provision was crushed. If the past year is any indication, password protection legislation must be tackled at the state level, as it’s the only place that its been able to see any sort of success.

Do you think that we need a federal law banning the practice of password snooping by employers? Do you think that it’s better left to the states? Or, do you see no reason for any such legislation on any level? Let us know in the comments.

Millennials, defined as those aged 18-34, were found to be more willing to allow companies track them or access their personal information compared to those 35 and older. Millennials were also found to be more receptive to the idea of targeted advertising, and were much more active on social media. All of this, though, is predicated on receiving some benefit for the lack of privacy.

“Millennials think differently when it comes to online privacy,” said Elaine Coleman, managing director of media and emerging technologies for Bovitz, the research firm that conducted the survey in conjunction with USC. “It’s not that they don’t care about it – rather they perceive social media as an exchange or an economy of ideas, where sharing involves participating in smart ways.”

Though the social benefit of most social media is clear, even more tangible benefits still don’t seem to entice those over 35 as much as they do Millennials. One question, for example, asked whether a survey respondent would reveal their location to a company in exchange for coupons to nearby businesses. 56% of Millennials would share their location, but only 42% of older respondents said they would.

“Online privacy is dead – Millennials understand that, while older users have not adapted,” said Jeffrey Cole, director of the USC Annenberg Center for the Digital Future. “Millennials recognize that giving up some of their privacy online can provide benefits to them. This demonstrates a major shift in online behavior – there’s no going back.”

(Infographic courtesy the USC Annenberg Center for the Digital Future)

(via BGR)

US News reports that the Senate has decided not to take up CISPA. In short, CISPA is dead. The bill that would have given companies full legal immunity when sharing your personal information with the government will have its remains scattered on the winds of history yet again.

It seems that CISPA’s death can be largely attributed to two factors. For one, Sen. Jay Rockefeller, chairman of the Committee on Commerce, Science and Transportation, came out against CISPA saying it lacked privacy protections. Rockefeller holds considerable sway in the Senate, and his committee would have had a lot of say over CISPA. Secondly, President Obama’s veto threat most likely played a major role in the Senate’s rejection of CISPA.

We can relax now that CISPA is dead, right? Unfortunately, the answer is a little unclear at this point. An unnamed representative on Rockefeller’s committee says that “issues and key provisions” of CISPA will be divvied up and made into separate bills. In other words, CISPA will be broken up into smaller, separate bills in the Senate. The problem with this approach is that some of the less vile, but still damaging, provisions of CISPA can make it through as they won’t be attached to the really bad stuff.

Of course, there’s always the possibility that the Senate will craft a handful of bills that narrowly target the areas not covered by President Obama’s cybersecurity executive order without sacrificing civil liberties. It would certainly be nice, but the Senate’s past attempts at writing cybersecurity legislation certainly don’t inspire confidence.

Either way, we won’t be seeing any cybersecurity legislation out of the Senate for a while. The unnamed representative says the Senate currently has its hands full with a number of other bills that take priority over cybersecurity, including the controversial Marketplace Fairness Act.

Last week, Sen. Patrick Leahy said that the Senate Judiciary Committee would be marking up an update to the Electronic Communications Privacy Act. The decades old bill allows law enforcement to obtain emails without a warrant as long as said email is 180 days old.

The Hill reports that both the Senate and the House will be taking up their respective email privacy bills today. The Senate Judiciary Committee will be taking a look at Leahy’s bill – S. 607 – that simply requires the police to obtain a warrant when accessing any electronic communication, including email.

In the original announcement of the mark up, Leahy said that ECPA must be updated to counter concerns over the “growing and unwelcome intrusions into our private lives in cyberspace.” Those concerns certainly came to a head earlier this month when documents obtained by the ACLU revealed that the IRS told its agents that they could obtain emails without a warrant. The agency also said that “Internet users do not have a reasonable expectation of privacy.”

Since then, IRS Commissioner Steven Miller said that his agency always obtains a warrant before searching emails. Miller also said that his agency never snoops through email during civil investigations. It wasn’t exactly reassuring, but an updated ECPA would ensure that the IRS, or any government agency for that matter, would never be able to obtain emails without a warrant.

It should be noted that the House will be making a mockery of itself this week by discussing an update to the ECPA after passing CISPA. The House Judiciary Committee will be discussing whether or not the ECPA should be updated to require that law enforcement obtain a warrant before accessing geolocation data. The irony here is that CISPA, in its current form, would allow mobile carriers to share geolocation data with the government without a warrant. Even if the carrier was found in violation of an updated ECPA, it would enjoy full legal immunity under CISPA.

Even so, we’ll continue to follow both discussions and keep you up to date on any changes. The Senate seems to have made an updated ECPA a priority so we may see a final vote as early as next week. That is, of course, if the Senate doesn’t run into any problems with its current controversial bill – the Marketplace Fairness Act.