The report recommendations are not rules or regulations, and its contents do little to concretely signal new enforcement direction. Still, the report is a helpful indicator of agency thinking in general, and of the agency's increased interest in mobile privacy issues.

Distilled, the agency wants mobile app firms to provide:

• Clear, simple privacy policies;
• Complete and accurate disclosures of how information will be used, including just-in-time notice where appropriate; and
• Options for end-user control over the access to and use of private information

Just-in-time notice is notice offered to users immediately before the app accesses sensitive data. For example, users of Apple's iPhone may be familiar with the warning that appears when an app or website is attempting to use the phone's geolocation capabilities:

This is an instance of "just-in-time" notice.

The report's recommendations with respect to "just-in-time" notice are complicated, however, by its recommendation to increased policing by app platforms. Platforms -- the agency's word for app store operators associated with classes of mobile devices -- are in a privileged position to understand the functionality of the apps being offered in their respective app stores. Platforms can typically tell, for example, what parts of the mobile device an app will potentially be accessing. Based on this privileged knowledge, the staff report recommends that platforms develop and offer "platform-level" privacy disclosures that give app-store consumers the ability to understand the privacy-profile of a given app. This capability could be combined with other features such as, for example, allowing consumers access to app privacy policies in advance of downloading and installing a particular app on their mobile device. Platforms could also provide services that compared app privacy policies with the platform's own privileged knowledge about the app.

If recommended platform-level privacy measures like these are put in place, however, then the staff report suggests that "it is important that these app-level disclosures not repeat the platform-level disclosures." Here, the FTC discourages some forms of just-in-time disclosure as duplicative:

For example, an app should be able to rely on the platform's disclosure that geolocation data will be collected by the app . . . and need not repeat the same disclosure and consent process. If the app developer decides to share that geolocation data with a third party, the app developer should provide a just-in-time disclosure and obtain affirmative consent from users for that data sharing.

The agency report also supports "do not track" initiatives that would allow users to restrict ad networks from building targeted consumer profiles of particular users.

Operators in the mobile app development space should keep in mind the overarching emphasis of the staff report on the point of view of the end-user: does he know how his data is being treated? Can he find out easily? Does he have convenient control over that data's use?

Mr. Leibowitz stated that the agency believed Path had “unlawfully collected personal information” by crawling users’ mobile address books as part of a feature meant to identify friends within the users’ social network. The FTC identified the lack of affirmative consent from the app user as its primary concern in bringing the enforcement action, and advised social networking app makers to obtain affirmative “just-in-time, opt-in” consent before accessing a user's contacts. The agency explained that “just-in-time” notice is notice offered to the user when the user is likeliest to notice and appreciate it.

Mr. Leibowitz stated that Path’s action had affected about three thousand children aged twelve and under.

Emphasizing its increased interest in mobile privacy, the FTC simultaneously announced the release of a staff report, Mobile Privacy Disclosures: Building Trust Through Transparency. Commenting on the report, Mr. Leibowtiz offered three overarching suggestions for developers operating in the mobile app space: "Say what you'll do, don't mislead, and safeguard the data."

GLBA Privacy Notices

The Eliminate Privacy Notice Confusion Act, H.R. 5817 passed the House by voice vote on December 12. As amended, the bill would remove the Gramm-Leach-Bliley annual privacy notice requirement of a financial institution if it has not, in any way, changed its privacy notice or procedures. After Rep. Ed Markey (D-MA) and others opposed a provision in the original bill that exempted State-licensed financial institutions subject to consumer privacy laws. The amended bill is substantially the same as the legislation that passed the House by voice vote in April 2010 and is supported by the Independent Community Bankers of America, the Credit Union National Association, the American Bankers Association, the National Association of Federal Credit Unions, and the Consumer Bankers Association, among others. As with its predecessor, however, the Senate is unlikely to take up H.R. 5817 in the little time remaining before year-end.

Location Privacy

The Senate Judiciary Committee approved the Location Privacy Protection Act of 2012, S. 1223, on December 13. Sponsored by Sen. Al Franken (D-MN), the bill would require mobile device (phones, tablets, car GPS) service providers to get prior consent from customers before collecting their geolocation information or sharing it with third parties. It also includes provisions designed to prevent so-called “cyberstalking”: Service providers that fall into one of the bill’s exceptions (to help a parent locate a child, provide emergency services, protect customers from fraud, etc.) must nonetheless notify the individual about the tracking and how to revoke consent. Further, the bill makes it a crime to intentionally operate a stalking application and provides for a study of the use of geolocation data in violence against women. The bill is enforceable by DOJ, state AGs, and a private right of action via a minimum of $2,500 in damages, plus punitives, and preempts only contrary, not stronger, state laws.

Despite passing committee with minimal opposition and having the support of “nearly every national domestic violence and consumer group in the country," Ranking Member Chuck Grassley (R-IA) and senior Democrat Chuck Schumer (NY) both expressed reservations about the bill’s potential negative impact on hi-tech, signaling further changes are likely before the bill would advance in the Senate. Grassley, citing a letter from the Interactive Advertising Bureau, also asked for a future hearing on technical aspects of the bill’s notice and consent requirements. Franken acknowledged the bill would not advance further this year, but expressed hope that the bill could make it through the Senate in 2013.

Of interest to the broader legal community, during committee consideration of the bill, Sen. Grassley offered an amendment to require state attorneys general pursuing ANY court action under federal law, including enforcement of S. 1223, to notify the court if they hired private counsel to represent the state, cite their authority to do so, and reveal the terms of any such agreement. Grassley said he’s troubled by firms hired on a contingent fee basis to enforce federal law. The amendment failed 8-9 on a party-line vote.

Video Privacy Protection Act

On December 18, by voice vote, the House passed a bill, H.R. 6671 “to clarify that a video tape service provider may obtain a consumer's informed, written consent on an ongoing basis and that consent may be obtained through the Internet.” In other words, the House passed the so-called “Netflix bill” to modernize the 1988 Video Privacy Protection Act to facilitate sharing one’s viewing information online. The bill included the enhanced video privacy protections from Senate Judiciary Committee Chairman Patrick Leahy’s (D-VT) version of the legislation (H.R. 2471), approved by the Committee in November, but excluded his provisions strengthening the Electronic Communications Privacy Act dealing with government access to communications. The former provision requires renewing consent to share video-viewing information every two years and a "clear and conspicuous" option to withdraw consent at any time. The latter would require the government to obtain a search warrant anytime it seeks individuals’ electronic communications such as email, regardless of how old they are, though notice to the individual could be delayed almost indefinitely in consecutive six month increments if it would jeopardize an investigation, endanger someone’s life, etc. Late yesterday, the Senate passed the House bill by unanimous consent and the President is expected to sign it into law. Judge Robert Bork, whose circumstances inspired the VPPA when a weekly newspaper in Washington, DC published his video rental history, passed away on December 19.

Identity Theft

Yesterday, the House considered the Medicare Identity Theft Prevention Act, H.R. 1509, which would simply eliminate the display (or coding or embedding) of Social Security numbers on Medicare cards within the next two years. It is expected to pass the House any day now with overwhelming bipartisan support. The Senate, however, has yet to act on similar legislation introduced by Richard Durbin (D-IL).

CFPB & Privileged Documents

Last but not least, the President is expected to sign into law any day now H.R. 4014, which clarifies that sharing attorney-client privileged information with the Consumer Financial Protection Bureau does not waive the privilege and potentially open up financial institutions to third-party subpoenas. Current law already preserves the confidentiality of information that financial institutions provide to most regulators, but Congress failed to make that explicit in the Dodd-Frank Wall Street Reform and Consumer Protection Act that created the CFPB.

Data Breach Reporting for DOD Contractors

Today, the Senate is expected to approve the Conference Report on the FY 2013 NDAA, one of the most important annual bills considered in Congress and the culmination of several months’ work. The Conference Report reflects a compromise between the House and Senate versions of the legislation and contains an entire Subtitle IX.D on “Cyberspace-Related Matters.” In addition to authorizing funds and setting policy parameters for cybersecurity planning and system development, the bill contains a provision directing DOD to establish a breach reporting mechanism for contractors. Section 941 of the legislation directs the Secretary of Defense to establish, within 90 days of enactment, procedures for “cleared defense contractors” to “rapidly” report successful penetrations of certain “networks and information systems” that meet criteria to be developed by the Secretary and other senior DOD officials. The procedures must include a mechanism for limited DOD access to contractor equipment and information for forensic analysis and must prohibit disclosure of non-DOD information outside the Department. The language is reportedly less onerous than provisions opposed by some business groups in the original Senate-passed bill. The House passed the Conference Report yesterday 315-107, so Senate passage will clear the legislation for the President’s signature. A broad overview of the NDAA is available on Armed Services Committee Chairman Levin’s website.

The much-anticipated Leveson Inquiry on the Culture, Practices and Ethics of the Press (“Leveson Report” or “Report”) was released on November 29, 2012.  The inquiry leading to the Report was initiated as a response to ongoing reports and allegations of systemic phone hacking by the English media.

The 16-month inquiry by Lord Justice Brian Leveson sought evidence from many, including victims and law makers, current and former prime ministers, all leading to the recommendations in the Report.  The leviathan tome – nearly 2,000 pages in length – censures the culture of the media in the United Kingdom for faults including its “tendency . . . vigorously to resist or dismiss complainants,” difficulties in securing an appropriate apology or correction, disregard for accuracy, failure of compliance, and—not least of which—an environment that allowed phone hacking to exist.  Its calls for the end of the current state of self-regulation of the print media by the Press Complaints Commission (PCC) and for independent oversight is a top-level take-away from its findings.  As of December 11^th, it is being reported that the replacement to the PCC’s commissioner will be in place in early 2013.

Soon after the issuance of the Report, another story has emerged and seen increased attention, the Report’s potential effect on data protection laws.  Lawyers as well as politicians and journalists alike share concerns that the proposed reforms could chill investigative journalism.  In addition, some of the proposed reforms would have broader effects beyond the media’s gathering and use of personal data.  Overall, the changes seek to significantly strengthen the power of the Information Commissioner’s Office (ICO), particularly in its relation to the press, while narrowing exceptions for the press.  In fuller detail, there are at least five significant changes affecting data protection laws called for in the Leveson Report, and a host of recommendations to the ICO.  The report seeks to: 

• Narrow an exemption to the UK’s Data Protection Act 1998 (DPA) specific to journalistic use from one where data processing is allowed with a “view to” publication, to one where processing is “necessary” for publication. It would remove language granting special weight to freedom of expression when a data controller considers whether the publication is in the public interest, and it would change the consideration whether compliance with the DPA is incompatible with the purpose of journalism from a subjective belief (the reasonable belief of the data controller) to an objective belief that the likely interference with privacy is outweighed by the public interest in publication.

It also seeks to narrow the set of requirements from which the use is exempted.  For example, the data subject’s “right of access” would not be part of the exemption.  The Leveson Report is careful to clarify that the proposal to remove the right of subject access from the exemption is not meant to affect the protection of journalists’ sources.  However, there does not appear to be any attempt to provide a mechanism to discern when data that is subject to an access request relates to the source, which may present a challenge.  The further concern is that such requests could be used to disrupt a journalist’s investigation or obtain information before publication.

• Clarify that the DPA Provides Compensation for ‘Pure Distress’ In Addition to Pecuniary Loss.
• Repeal Certain Procedures That Relate to Journalism and Instead Grant More Power to the Information Commissioner.  The Report hints that the DPA could be amended to give the power to the Information Commissioner (IC) to decide whether publication is acceptable when there are challenges under the DPA.
   
• Permit Imprisonment for Up to Two Years.  The Report calls for allowing terms of imprisonment of up to two years for offenses of unlawful obtaining of personal data.  The amendment would be applicable generally and not simply to the press.  Leveson sees this amendment as a response to the thriving black market in personal data.  This amendment was initially halted by lobbying by the press arguing that it would hamstring their ability to conduct investigations.  Leveson stresses that a high regard for public interest defenses to this kind of offense should alleviate the concerns of journalists.  The Report seeks to bring into force another amendment for such an enhanced defense for public interest journalism.
   
• Extend the Prosecution Power of the Information Commissioner’s Office.  The Report recommends extending the prosecution powers of the IC to include any breach of the data protection principles outlined in the DPA.  It advocates for a new duty for the ICO to consult with prosecutors and reconstituting the ICO with a board of commissioners rather than one IC.  The concern here relates to the increased power in the hands of an entire board, which could have an effect on efficiency and independence, particularly where required to consult with prosecutors.

The Report also makes recommendations to the Information Commissioner in  its Executive Summary.  Among these recommendations, the Report suggests that the ICO take immediate steps to publish policies on its functions as well as guidelines and advice for the press to observe in the process of personal data and for individuals on their rights in relation to the use by the press of their data.  It also suggests that the ICO update Parliament on the effectiveness of new measures in its annual report to Parliament, adopt guidelines published in September 2012 for prosecutors on assessing the ‘public interest’ in cases affecting the media, and engage with the police to prepare a long-term strategy in relation to alleged media crime with a view to inclusion of the ICO where appropriate.

Last week the FTC held a workshop with a broad range of stakeholders to examine “comprehensive” data collection about consumers' online activities. The day-long program covered familiar territory – don’t demonize/regulate particular technologies such as cookies; the benefits of data collection and free online services supported by targeted advertising versus the risk to intellectual privacy, loss of consumer bargaining power, potential i.d. theft and potential government intrusion; the merits of long-form privacy disclosures; whether companies should compete on the level of privacy protection they offer; the need to protect innovation and the internet economy; etc. At least one panelist took issue with the notion of the “comprehensive” label, saying it’s “a real lot of data,” but far from everything. This seemed to be the crux of the issue – should there be limits or prohibitions on the comprehensive collection and use of data on consumer behavior across the web? No consensus was reached on this point and it’s not clear what the FTC's next step will be. One thing is certain: These issues will vex regulators, legislators, businesses, and consumers well into 2013 and beyond.

Attorney General Harris announced first ever legal action taken under the California Online Privacy Protection Act (“CalOPPA”), claiming Delta violated the statute by failing to conspicuously post a privacy policy accessible through the App within thirty (30) days of notification of noncompliance.  CalOPPA “requires commercial operators of websites and online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy.”

Lest companies take comfort that their website privacy policies can keep them out of trouble with respect to mobile applications, the complaint against Delta claims that its website privacy policy (i) does not mention the App (ii) is not reasonably accessible to consumers of the App and (iii) does not disclose several types of personal information that the App collects but the website does not.  Drawing inferences from these allegations, it is unlikely that companies can satisfy CalOPPA’s mobile application privacy requirements through a website privacy policy.

Meaningful penalties can attach to violations of CalOPPA, as Attorney General Harris’ suit seeks to enjoin Delta from distributing the App without a privacy policy that accurately describes all types of personal information collected, and also seeks fines of up to $2,500 for each violation.

The Attorney General’s announcement additionally notes that “if developers do not comply with their stated privacy policies, they can be prosecuted under California’s Unfair Competition Law and/or False Advertising Law."

California is ramping up efforts to enforce privacy laws, in particular with the creation of a Privacy Enforcement and Protection Unit earlier this year that will enforce laws related to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.  A proactive approach to privacy practices by businesses with a national presence is likely to mitigate litigation risk in California (and otherwise).

To that end, agreements entered into earlier this year with the California Attorney General, first by Amazon.com, Apple, Google and three other tech giants, and then by Facebook, appear to have served the companies well in steering clear of trouble in California, a state acting as a leader in protection of consumer privacy.

This latest crackdown will come as no surprise to privacy practitioners: As the press release reminds folks, in February, Harris engaged seven leading mobile and social app platforms which agreed to privacy principles that allow consumers the opportunity to review an app’s privacy policy in a consistent location in the platform store before the app is downloaded. In July, Harris announced the creation of the Privacy Enforcement and Protection Unit within her Department to focus on civil prosecution of state and federal privacy laws. Earlier this month, Harris used social media to tip off one company about problems: http://twitter.com/CalAGHarris. As the only state to require privacy policies for mobile applications in addition to websites, and with the NTIA-led multi-stakeholder discussions on a mobile app privacy code of conduct going nowhere fast, California is positioned to exert considerable influence in the app privacy space for the foreseeable future.

Markey’s Mobile Device Privacy Act, H.R. 6377, would apply to:

• Sellers of mobile devices
• Providers of commercial mobile service and mobile data service
• Manufacturers of mobile devices and operating systems
• Website or other online service operators (i.e. app developers)

“Monitoring software” is defined as “software that has the capability to monitor the usage of a mobile device or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.” “Usage” is not further defined and thus would encompass everything from taking photos to checking football scores, regardless of the type of activity monitored or information collected. Disclosure to the consumer includes detail on information collection, transmission, usage, sharing (identity of any person with whom info will be shared), security, and how to revoke consent.

Two caveats are provided: (1) FTC has discretion to exempt from disclosure (other than security policies and procedures) use of monitoring software “for a particular purpose…consistent with the reasonable expectations of consumers.” (2) FTC may deem compliance with other federal information security laws as satisfying the security policies and procedures requirements.

Recipients of information from monitoring software also have to file their agreements governing receipt with the FTC or FCC. Both agencies would share enforcement responsibilities, supplemented by state AGs and private rights of action, with penalties for the latter of at least $1,000 per violation, trebled for willful or knowing violations.

While Markey’s press release references “personal information,” the bill contains no such distinction and thus covers all manner of analytics or anonymized information that may have little or no privacy implications. The required disclosures also apply to anything that is “capable” of being collected and transmitted, not information that is actually collected and transmitted. Without doubt, this is a broad bill and as might be expected, it has not been warmly received by groups such as the Software & Information Industry Alliance, which would rather see the NTIA-led stakeholder collaboration on developing codes of conduct for mobile transparency continue despite contention and directional drift in those talks.

With Congress set to adjourn later this week until a post-election lame duck session in November focused on impending budget cuts and expiring tax cuts, Markey’s bill isn’t heading anywhere soon. This is no doubt welcome news to the “nascent” app industry, a bright spot in the economy, as touted at a House hearing last week, the upshot of which was that Congress should tread carefully vis-à-vis regulation, but act boldly to promote infrastructure development: make more spectrum available, promote broadband adoption, and facilitate capital formation - both financial and human.

The Joint Statement resulted from the AG’s collaborative review of mobile application compliance with the California Online Privacy Protection Act (“Act”) and the AG’s opinion that the Act “requires mobile applications that collect personal data from California consumers to conspicuously post a privacy policy.” The Joint Statement does not impose legal obligations, rather, is an effort between the Mobile App Market Companies and the AG to increase transparency and control over personal data in the mobile marketplace “without unduly burdening innovative mobile platforms and application developers.”

The Joint Statement generally sets forth the following:

• Where applicable law requires, a software application (“App”) collecting personal data must conspicuously post a privacy policy presenting clear and complete information regarding how personal data is collected, used and shared;
• Mobile App Market Companies will include either (a) an optional data field for a hyperlink to the App’s privacy policy or a statement describing the privacy practices or (b) an optional data field for the text of the App’s privacy policy or a statement describing the App’s information collection practices;
• Mobile App Market Companies will maintain a means for users to report App’s that do not comply with applicable terms of service and/or laws;
• Mobile App Market Companies will maintain a process for responding to reported instances of non-compliance with applicable terms of service and/or laws (without limiting law enforcement/regulatory rights to pursue actions); and
• Mobile App Market Companies will continue to work with the AG to develop best practices for mobile privacy in general and model mobile privacy policies in particular, and, within six months, will convene to evaluate privacy and education regarding mobile Apps.

In connection with the Joint Statement, the AG released a Mobile Applications and Mobile Privacy Fact Sheet which referenced a Wall Street Journal report stating “45 of the top 101 Apps did not provide privacy policies either inside the application or on the application developer’s website” despite 56 of the Apps transmitting unique identification information to third parties without consumer consent.

Although the Joint Statement isn’t legally binding, and applies only to California, mobile application providers should strategically reevaluate the transparency of their personal information collection practices and privacy policies since (a) conspicuous links to privacy policies at the time of purchase/installation may be interpreted as an affirmative obligation under the laws of other States and (b) CA (and its robust tech community) often serve as a thought leader providing legislation other states choose to implement.

• Rapid technological change is prompting an evolution in traditional notions of privacy.  While the law – state, federal, EU – is evolving much more slowly, changes are underway and regulators and legislators need (and want) to hear from stakeholders;
• No one wants to stifle technology and the new economy jobs it creates, but many current privacy disclosures and practices (or the lack thereof) risk making the “privacy bargain” (personal information in return for free content/services) so one-sided that prescriptive regulation becomes inevitable; 
• Companies lacking a robust compliance program governing collection, protection and use of personal information (be they customers, employees, vendors, or others) may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines.

The huge attendance at this year’s summit by a wide range of companies, technical professionals, and inside and outside counsel from all over the world reflects the growing importance of these issues.  Following are highlights from some of the conference panels I attended featuring the FTC:

Collection Versus Use

Regulation of data collection versus data usage was a central theme at a panel that had hoped to discuss the FTC’s final version of its 2010 framework for protecting consumer privacy (still no word on when the final report will be issued).  Disagreeing with a fellow panelist from George Washington University who said the FTC should simply focus on how collected consumer data is used, FTC Commissioner Julie Brill expressed serious concerns about the “unmitigated collection” of consumer data for all manner of purposes that then exists in perpetuity.  Referencing a recent New York Times article about the ability to predict whether someone is pregnant out of “relatively innocuous information,” Brill said she is most concerned about vast amounts of information being collected and then used to compile profiles of consumers.  Brill urged companies not to think about privacy just in terms of compliance but to think about it as “risk management” at the corporate executive level, pointing out that the more information a company collects the greater the potential liability if it is breached.  Brill also emphasized the collection versus usage theme in the context of “do-not-track” proposals being developed by industry, saying it is very important that do-not-track address both the collection and use of consumer information; to ignore the collection element would only yield a “do-not-target” mechanism, which is not what the FTC called for in its preliminary framework. 

Liability and Proactivity

Brill also said that failure to have a “privacy by design” program in place would not be automatic grounds for a violation of Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” Brill said that the FTC looks at companies’ practices and processes when evaluating a potential privacy-related enforcement action, insisting over her co-panelist that such actions are not subject to strict liability.  Nonetheless, Brill encouraged companies to be forward-thinking, saying that standards in the realm of privacy and data security have evolved and the reasonable steps a company is expected to take will become more comprehensive in the future.  Similarly, Brill encouraged privacy professionals to help their clients realize that privacy and data security issues are not going away; ignore a problem and you’ll end up sitting across from the FTC in an enforcement action.  Finally, Brill also warned that many data brokers do not even realize that they come under the Fair Credit Reporting Act.

COPPA and Mobile Privacy

The FTC is continuing to review its rules with respect to children’s growing use of mobile devices and online services.  Referring to the “long tail” in the app industry and the fact that so many apps lack privacy policies as found in FTC’s February report, Commissioner Brill said she wanted to get the message out that the Children’s Online Privacy Protection Act applies to mobile device applications.  Brill described COPPA, which requires parental consent for collection and use of children’s personal information, as an appropriate “speed bump” for particular types of users, while private sector panelists characterized COPPA as more of an obstacle to the possibilities created by new online and mobile platforms that requires fine tuning.  The issue of how to treat teens, currently not covered by COPPA, was also discussed.  Brill could not comment on specifics due to the review underway, but thinks that teens require some sort of special protection and said some commenters believe COPPA should be extended up to age 18.

In a separate panel, Christopher Olsen, assistant director of privacy and identity protection in the FTC's Bureau of Consumer Protection, similarly warned that companies need to do a better job providing information about their mobile apps’ data collection; that the same privacy and security principles apply in the mobile and non-mobile environments.  The FTC undertakes its own inspections of mobile apps, testing developers’ claims, in addition to considering consumer and NGO complaints and congressional concerns.  With all the different players involved in the mobile device space – from app developers to telecom carriers to add networks to device manufacturers – contract provisions play a large role in how information is collected and used.  Olsen stressed that compliance with such provisions – making sure someone is actually monitoring – will be an important issue going forward.

Finally, the FTC will hold a mobile payments workshop on April 26 and a “Public Workshop to Explore Advertising Disclosures in Online and Mobile Media” on May 30.  The latter will inform FTC’s thinking on updating guidance to businesses about disclosures in online advertising.

The article examines the prosecution and conviction of Raj Rajaratnam, Galleon Group's co-founder, for insider trading -- a significant conviction due to the novel use of wiretap evidence to bring the crime to life before the jury. New and Malek explore the history of wiretapping, limitations on the use of wiretaps and the effects that prosecutors' newly aggressive use of wiretaps will have on the practices of the financial services sector.

"The government's recordings have ensnared not just traders and financiers but also officers and directors of public companies, lawyers, and consultants. As a result," the authors explain, "Wall Street may now be wondering 'is law enforcement listening?' whenever they pick up the phone, as U.S. Attorney Preet Bharara warned in announcing the arrest of Mr. Rajaratnam."

Wiretaps and Financial Crimes

Historically, law enforcement has used wiretaps to assist in investigations of narcotics trafficking and organized crime. "Nevertheless, the Galleon case reflects a recent coordinated effort by law enforcement to use electronic surveillance and 'organized crime' style approaches more frequently in white collar cases."

Limitations

New and Malek examine the limitations and conditions of wiretap use. "The government can only seek a wiretap if there is probable cause to believe that a predicate offense is being committed, and a court may suppress a wiretap if the application fails to meet this standard or for government misconduct. The number of crimes that may be investigated using wiretaps has expanded over time, but still does not include securities fraud."

Implications

"The authors analyze electronic surveillance in the Galleon case, and what this will mean for corporate America going forward. Although electronic surveillance of the financial sector may not become routine, its dramatic use in the Galleon and expert networking investigations has highlighted the need for effective and comprehensive compliance programs to identify and address questionable practices before they become widespread. With the government having publicly declared its policy of aggressively pursuing cases of financial fraud, companies are well-advised to take this opportunity to review and update their internal policies and procedures currently in place, to retrain their employees on best practices, and establish a culture in which employees seek advice on actions that may be close to the line.... Compliance officers and IROs [investment relations officers] who seize this opportunity stand a greater chance of preventing or detecting early even an inadvertent improper disclosure of material nonpublic information, which not only protects the company and its insiders from criminal prosecution, but also benefits the investing public."

The study, Big data: The next frontier for innovation, competition, and productivity, is a 156-page effort that looks at the proliferation of large datasets and finds that data can create “significant value for the world economy.”  The source of data include customer transactions, networked sensors and actuators (the so-called “Internet of Things”), social media sites, smartphones, PCs, and laptops.  And after identifying the techniques and technologies used capture and analyze big data, the study concludes that “[a]nalyzing large data sets—so called big data—will become a key basis of competition, underpinning new waves of productivity growth, innovation, and consumer surplus as long as the right policies and enablers are in place.”

The study cites examples of companies that have effectively used big data to create economic value through increased productivity and customer loyalty, including Tesco’s use of customer loyalty card data, Wal-Mart’s use of vendor-managed data to optimize its supply chain, and Amazon’s use of customer data to make “you may also like” recommendations.  McKinsey looked at five domains—health care, retailing, the public sector, manufacturing, and personal location data.  From this research, the study identified five ways to leverage big data: (1) Making big data more accessible in a timely manner; (2) Using data and experimentation to expose variability and improve performance; (3) Segmenting populations to customize actions; (4) Replacing and supporting human decision-making with automated algorithms; and (5) Innovating new business models, products, and services.

For the healthcare industry, after making certain assumptions (e.g. necessary IT investment, analytical capabilities, privacy protections, and economic incentives), the study predicts that in ten years there will be an opportunity to capture $300 billion annually in new value, “with two-thirds of that in the form of reductions to national health care expenditure.”  In the public sector, the study projects that the EU could use “big data levers” to increase productivity and efficiency that would result in administrative cost savings of up to $446 billion.  In retail, “pioneers” are projected to have the ability to reduce operating margins by up to 60%.  Similarly, the manufacturing sector could use big data to reduce costs and increase innovation.  Lastly, the study projects that use of geolocation data will create $100 billion in revenue to service providers over the next ten years and as much as $700 billion in annual value to customers.  

In response to skeptics who suggest that the economic benefit of big data is still wishful thinking and that productivity gains driven by data analytics has peaked, the authors of the study suggest that economic statistics will not show productivity gains for a few years, similar to the delay in measuring the productivity gains from the use of computers. 

On May 10, 2011, the Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law held a hearing entitled "Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy."  Witnesses from Google and Apple were “grilled on over their so-called "Locationgate" problems.”

On May 13, 2011, Representatives Markey and Barton introduced the “Do Not Track Kids Act of 2011,” which would amend the Children’s Online Privacy Protection Act of 1998 (COPPA).  Key provisions of the bill would expand COPPA to cover mobile applications and unique device identifiers (e.g. IP addresses), establish new privacy rules for minors under 18, prohibit targeted marketing to minors, and require express consent from parents or teens prior to the collection of geolocation information.

On May 17, 2011, Senator Patrick Leahy introduced a bill (ECPA Amendments Act of 2011) proposing amendments to Title II of the Electronic Communications Privacy Act (ECPA), which is known as the Stored Communications Act (SCA).  Two provisions related to geolocation data would require the government to obtain express owner consent or a warrant prior to accessing “geolocation information” directly from an “electronic communications device” or indirectly from a service provider except in emergencies.   Also on May 17, the FCC announced that it was seeking public comments on location based services.

The European Union’s Article 29 Working Party released an opinion on May 18, 2011, which held that geolocation data is personal information governed by the EU Data Protective Directive.  The opinion also set forth a list of best practices for obtaining user consent to collect geolocation data.

 On May 19, 2011, the Senate Subcommittee on Consumer Protection, Product Safety and Insurance held a hearing on consumer privacy and protection in the mobile marketplace following recent concerns that companies are secretly collecting geolocation data.  During the hearing, witnesses from Facebook, Apple, and Google  were again grilled regarding privacy policies and practices for mobile apps.  Senator Kerry pressed the witnesses from Facebook, Apple, and Google to support his Commercial Privacy Bill of Rights Act and Senator Rockefeller did the same for his Do Not Track bill.  David Vladeck also testified that the FTC is “looking for good enforcement targets” as it investigates mobile privacy, including violations of COPPA.  The FTC is  also seeking public comments on its enforcement of COPPA.

Following the Senate hearing, the Center for Democracy & Technology and the Future of Privacy Forum released a statement in response to the Senate hearing, announcing that they are working with mobile app stakeholders to develop best practices and privacy principles for mobile devices.  The statement identified six fundamental user privacy issues that it would address: (1) having a privacy policy for every mobile app; (2) providing users with meaningful choice regarding collection, disclosure, and use; (3) minimizing data that is collected; (4) having appropriate data security; (5) educating users about data that is collected; and (6) incorporating privacy by design.