NCL urges regulators to investigate auto makers’ data collection practices

March 27, 2024

Media contact: National Consumers League – Melody Merin, melodym@nclnet.org, 202-207-2831

Washington, DC – Today, the National Consumers League sent a letter to the Federal Trade Commission urging oversight of vehicle manufacturers’ collection of consumer data. Modern cars can collect a range of information on drivers, including the locations they visit, their exact weight, and their texts and call records. Consumers are often unaware of this data collection and are even more surprised when insurance companies utilize this surveillance to increase drivers’ premiums. As digitally connected vehicles become more commonplace, the risks they pose to consumer privacy will only become greater—absent mandatory safeguards.

The full letter can be found here.

###

About the National Consumers League (NCL)

The National Consumers League, founded in 1899, is America’s pioneer consumer organization.  Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad.  For more information, visit nclnet.org.

NCL urges FTC to use rulemaking to protect consumers’ data rights 

November 22, 2022

Media contact: National Consumers League – Katie Brown, katie@nclnet.org, 202-823-8442

WASHINGTON, D.C. – The National Consumers League (NCL) this week filed comments in support of a Federal Trade Commission (FTC) regulation to protect Americans’ data privacy. In its comments, NCL urged the FTC to ensure that consumers have the rights to data confidentiality, access, deletion, portability, and ethical use. Such safeguards are critical for stemming the torrent of privacy abuses that Americans have suffered in the digital age—perpetrated by both corporate and governmental entities. 

“Given our dependency on the internet to conduct our daily lives, the fact that we have gone this long without federal privacy protections is profoundly disappointing. The FTC is doing critical work in initiating this rulemaking process,” said John Breyault, NCL Vice President of Public Policy, Telecommunications and Fraud. “Consumers should not be at risk of identity theft, financial loss, or other privacy intrusions simply by having an internet connection.” 

The League urged the Commission to give special consideration to sensitive data types, such as location and genetic information, as well as students’ data utilized by educational technology companies. 

“With the proliferation of ed-tech, classrooms have become another area of vulnerability regarding privacy. This follows students when they take their school-issued devices and software home with them,” said Eden Iscil, NCL Public Policy Associate. “Ed-tech is a particularly worrying sector as students typically have no choice but to use the technology mandated by their institution, regardless of its insecurity.”

NCL has made fighting for consumers’ privacy a priority. Earlier this year, the League released a slate of proposed genetic privacy rights for policymakers to implement. Additionally, the organization is in its seventh year of publishing the #DataInsecurity Digest, a semi-weekly newsletter containing policy analysis and news coverage related to digital privacy. 

NCL’s full comments to the FTC can be read here. 


NCL launches campaign to warn Americans about Chinese government’s collection of U.S. consumers’ genetic data 

September 7, 2022

Media contact: National Consumers League – Katie Brown, katie@nclnet.org, (202) 207-2832 

WASHINGTON, D.C. – The National Consumers League (NCL) today announced it is launching a national campaign – www.protectmypatientdata.com – to warn Americans of the threat posed by the Chinese government’s collection of U.S. healthcare and genomic information. The campaign will target consumers, healthcare leaders, and lawmakers and will highlight the privacy and national security risks resulting from this bulk collection of data.

According to a February 2021 report from the U.S. National Counterintelligence and Security Center (NCSC), the Chinese government has made the collection of American healthcare information a top strategic priority and has gained access to large datasets in the U.S. and around the world through both illegal and legal means. This includes partnering with prominent research and healthcare entities in the U.S. to provide them with genomic sequencing services, allowing them to gain access to Americans’ health records.

On June 3, 2021 President Biden signed an Executive Order to further “address the threat of Chinese surveillance technology firms that contribute – both inside and outside China – to the surveillance of religious or ethnic minorities or otherwise facilitate repression and serious human rights abuses.”

“Genetic data remains one of the most sensitive and least protected types of personal information and yet the consequences of it falling into the wrong hands are profound,” said Sally Greenberg, executive director of NCL. “Authoritarian governments have already used genomic data to potentially surveil and control their own citizens and to conduct unsanctioned scientific research. That is why NCL is sounding the alarm and urging consumers and healthcare providers to be more diligent than ever when sharing personal healthcare information with third parties, particularly those funded or operated by the Chinese government.”

NCL has a long history of calling for consumer protections in the genetic testing industry. In February 2019, NCL issued a statement calling for investigation of direct-to-consumer genetic testing services like FamilyTreeDNA in the wake of reports that these services were sharing genetic data with law enforcement agencies.

On August 29, 2022, MGI Americas, an affiliate of Chinese genome research giant BGI, re-entered the U.S. next-generation sequencing market, having been previously barred from selling its genome sequencing machines in America. BGI is closely affiliated with the Chinese Communist Party (CCP) and People’s Liberation Army (PLA) and the data it collects has no legal protection against disclosure to the Chinese government.

A recent Reuters investigation found that BGI had scraped the DNA data of pregnant women from its pre-natal test kits and added them to the China National GeneBank, which it manages for the Chinese government. BGI has also been implicated in the repression of the Uighur minority in Xinjiang, for which two of its entities were sanctioned by the U.S. Department of Commerce.

NCL is urging providers and researchers to be cognizant of the risks of partnering with BGI and other Chinese healthcare companies, whose collection of data could be used to advance the country’s precision medicine industry and for more nefarious purposes, including the potential surveillance, exploitation, and manipulation of American citizens. NCL recently published a Genetic Privacy Bill of Rights and released a Policy Framework detailing steps that Congress, the Biden Administration, and industry can take to protect these consumer rights.

In addition to the education campaign, NCL will also embark on a series of initiatives to protect consumers:

  • Working with Members of Congress to create and implement new protections for genetic data, such as the Protecting Americans’ Data from Foreign Surveillance Act, introduced by Sen. Wyden (D-OR), Sen. Whitehouse (D-RI), Sen. Rubio (R-FL), Sen. Lummis (R-WY), and Sen. Hagerty (R-TN).
  • Engaging with the Biden Administration as they develop a potential Executive Order aimed at increasing protections for sensitive personal information, like genetic data.
  • Participating in the Federal Trade Commission’s (FTC) rulemaking process regarding privacy and data protection, to ensure that genetic data is also protected.
  • Educating health care research institutions and major health care associations about the unique risks posed by a lack of safeguards for genetic testing, and what they can do to increase protections.

 


National Consumers League urges Congress to strengthen Bipartisan Privacy Bill

June 17, 2022

Media contact: National Consumers League – Katie Brown, katie@nclnet.org, (202) 207-2832 

WASHINGTON, D.C. – The National Consumers League is encouraged by the bipartisan, bicameral American Data Privacy and Protection Act (“ADPPA”), a long-overdue step to protect the privacy and security of consumers’ personal information. However, there remain some concerns that must be addressed to ensure that the bill provides basic consumer remedies for failure to comply with the rules of the road and preserve the best aspects of the privacy laws that are already in place in the states.

“The lack of a comprehensive data protection law has left Americans at the mercy of criminal hackers who are making billions of dollars stealing consumers’ personal data,” said NCL Executive Director Sally Greenberg. “At the same time, many companies have built their business models on the collection of sensitive data that exacerbates existing inequities in our economy.”

NCL has long pushed for stronger protections for consumer data. In 2011, NCL supported a bill to regulate the use of sensitive location data. In the wake of the Target data breach in 2013, NCL launched the #DataInsecurity Project to raise awareness about how the lack of data security standards increases the risks to consumers of identity fraud and other scams. Most recently, NCL released a genetic privacy reform roadmap detailing actions Congress, the Biden administration and industry could take to protect consumers’ genetic data.

NCL shares the concerns about the ADPPA raised by privacy and consumer advocates. Importantly, we believe that the bill’s private right of action provisions should be strengthened and a prohibition on mandatory binding arbitration clauses should be included in the legislation.

In addition, NCL supports allowing states with strong privacy and data security laws to preserve those provisions where they provide additional consumer protections.  NCL also supports preserving the Federal Communication Commission’s role in regulating the privacy practices of common carriers. Given the bill’s proposal to expand the role of the Federal Trade Commission in protecting consumer data, Congress must ensure that the FTC has the resources it needs to be effective in that role.

“We applaud members of Congress for putting forward a bipartisan bill to provide comprehensive privacy and security protections,” said John Breyault, NCL’s Vice President of Public Policy, Telecommunications and Fraud. “Compromises by all sides in this debate have led us to this moment. There is much promise in this legislation, but key consumer protections need to be addressed before the bill moves forward.”


How consumers must respond to the security threat inside nearly every computer

Nearly two years ago, researchers revealed flaws in the chips of virtually every computer made since the mid-1990s. The flaws—primarily found in Intel’s chips—create a vulnerability that can be exploited to give hackers unauthorized access to privileged information.

Since the initial exploits were first exposed, new versions have continued to be discovered—the most recent of which was found this past November. While software “fixes” have been released, they tend to reduce the speed and performance of computers—as much as 40 percent, according to some reports. In addition, since the flaw is hardware-based, the “fix” is only good until the next exploit is discovered.

At the time of the discovery of one of the “worst CPU bugs ever found,” there was significant alarm expressed in the news as well as across the cybersecurity community. Since that time, public attention has waned. Unfortunately, the problem has only grown worse. And while there has been considerable discussion of the impact these flaws have on businesses, the impact on consumers has been somewhat overlooked.

That’s why NCL’s #DataInsecurity Project recently released a paper detailing the threat that these bugs, with scary names like Meltdown, Spectre, and Zombieload, pose to consumers, their data, and the performance of their computers.

Every organization or individual running a server or computer with affected hardware should take action to protect themselves. Unfortunately, consumers are less likely to know what to do or have the resources to do it, leaving them more exposed.

For example, consumers are more likely to be running older or outdated software. Consumers are also likely to keep their computers much longer than a business, making their hardware older as well. The way these flaws work, older hardware generally sees a greater slowdown when the security patches are applied. 

Additionally, the small businesses that consumers interact with may also be running “legacy” hardware or software. These businesses may not be able to afford the high cost of additional servers to offset the speed loss from the patches or of entirely replacing old systems. This difficult choice for small businesses could mean that some decide against applying patches – with potentially severe consequences for consumers’ data security.  

Google has taken preemptive steps to protect consumers, but it also warned that as a result of these security measures, “some users may notice slower performance with some apps and games.” Apple, conversely, has offered software patches but left other security measures as an “opt-in” for consumers.  

So, while consumers may not face the same type of risk as businesses, they do face a lot of challenges when it comes to addressing these exploits. Consumers already live in a heightened threat environment, filled with phishing emails and computer viruses. They shouldn’t have to choose between the security of their data and the performance of their computers.

To learn more about these issues and the best way to protect yourself, you can find NCL’s white paper here.

NCL calls for investigation of direct-to-consumer genetic testing industry in the wake of FamilyTreeDNA revelations

February 27, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC – Reports that DNA testing services like FamilyTreeDNA are sharing genetic data with law enforcement agencies should prompt regulators and Congress to consider new rules to protect consumers from abuses by the direct-to-consumer (DTC) DNA testing industry, said the National Consumers League (NCL) today. The reports about FamilyTreeDNA come on the heels of other revelations about lax data security and the potential for misinformation stemming from consumers’ use of DTC genetic testing kits.

“Our genetic information is literally the code for who we are,” said NCL Executive Director Sally Greenberg. “The value of genetic data to law enforcement must be weighed against the significant potential for harm from misuse of such data. Our DNA data is tremendously sensitive, and extreme care must be taken to ensure that it is not used in unexpected ways or, even worse, misused to harm consumers. Unfortunately, the DTC genetic testing industry has exploded without effective oversight, leaving consumers at the mercy of companies whose primary goal may be monetizing this valuable data, not respecting their users’ privacy.”

Specifically, NCL urges policymakers to take common-sense steps to better protect consumers’ genetic data, including:

  • The Federal Trade Commission should immediately broaden its existing investigations of DTC DNA testing services to determine whether FamilyTreeDNA and similar services have engaged in unfair or deceptive trade practices by sharing genetic data with law enforcement without adequate notice and consent by users;
  • DTC DNA testing websites should collectively pledge to obtain affirmative opt-in consent from current and new users prior to allowing law enforcement agencies access to users’ genetic data without appropriate legal process; and
  • Congress should convene hearings to examine how widespread abuses of consumer privacy by the DTC DNA testing industry are and what, if any, new consumer protection regulations are needed to address the potential for consumer harm in this rapidly growing industry.

For more information about the National Consumers League’s work on privacy issues and data security, visit https://fraud.org/data-breach-epidemic/.


What broadband privacy? – National Consumers League

When you ask consumers about the kind of information that they’d like to keep private, location data is usually near the top of the list. That’s why Motherboard’s recent investigation into cell phone companies’ location data sharing services is so troubling.

In the sting, Motherboard reporters paid a bounty hunter $300 to locate a phone. The bounty hunter was able to find the phone without any hacking tools. Instead, he used real-time location data originally sourced from the phone’s wireless carrier.

Additional reporting revealed that approximately 250 bounty hunters and related companies had access to AT&T, T-Mobile, and Sprint customer location data. To put this in perspective, one bail bond firm admitted to utilizing phone location services at least 18,000 times, and other companies used the services thousands or tens of thousands of times.

These kinds of abuses are exactly what NCL and other public interest groups were worried about when we supported the Federal Communications Commission’s (FCC) 2016 broadband privacy rules. Those common-sense rules would have prohibited Internet service providers (ISPs) from sharing consumers’ location data and other types of sensitive information without their consent. In particular, NCL filed comments urging the FCC to create strong data security rules for ISPs.

When the FCC adopted its broadband privacy rules in October 2016, it was a victory for privacy and data security advocates. Unfortunately, those rules would be short-lived, thanks to Congress’ decision to use the Congressional Review Act (CRA) to overturn the rules in March 2017. By using the CRA to overturn the broadband privacy rules, Congress effectively precluded the FCC from ever passing “substantially similar” rules in the future.

The Motherboard investigation has not only sparked multiple calls for a more detailed investigation but also confirmed two important things: that ISPs have been irresponsible with consumers’ data and that broadband privacy rules are still needed.

House Energy & Commerce Committee Chairman Frank Pallone (D-NJ) wrote FCC Chairman Ajit Pai, asking him to provide an emergency briefing explaining what the FCC has done to address the broadband privacy issue. Incredibly, Chairman Pai declined. FCC Commissioner Geoffrey Starks commented on the recent findings saying, “the for-profit location data industry has flourished in the shadows without any government oversight.” Additionally, Motherboard’s revelations prompted calls from senators and FCC commissioners to investigate the cell phone companies’ data sharing practices. While investigations are a good start, real consumer privacy protections can only come through legislation. If you don’t think that cell phone companies should be allowed to sell your personal information without your permission, now is the time to call your Congressional representatives and tell them you want real broadband privacy protections.

Rubio’s bill is an empty promise – National Consumers League

Last month, Sen. Marco Rubio (R-FL) joined the growing list of Members of Congress, advocacy groups, and industry players who have released privacy bills. Rubio’s bill, the American Data Dissemination Act (ADD Act), exists primarily to relieve Congress of the January 20, 2020 deadline when the California Consumer Privacy Act (CCPA) takes effect. Absent action by Congress, the CCPA, the subject of a furious lobbying campaign to weaken it, will become the strongest consumer privacy law in the United States less than a year from now.

To say that privacy advocates are skeptical of the Rubio bill is an understatement. For starters, the bill makes no mention of stringent enforcement, heightened transparency, or timely notification of violations. Other bills from Senators Wyden (D-OR) and Schatz (D-HI), however, implement sensible provisions. These include defining sensitive information and requiring the Federal Trade Commission (FTC) to establish a Bureau of Technology, which would give the FTC more resources to investigate companies. However, Rubio’s bill maintains one stark difference: state preemption. Rubio has made it clear that his bill would preempt state privacy bills like California’s in favor of a federal privacy standard.

In comparison to the CCPA’s strict provisions, such as enforced rulemaking authority and timely notifications to consumers, Rubio’s bill would only give the FTC authority to craft privacy rules if Congress is unable to do so after more than two years of debate.

Rubio justifies this prolonged timeline by suggesting that Congress needs more time to make informed decisions to protect consumers and promote innovation. Rubio claims this approach is sensible because it ensures a non-partisan approach from the experts who are informed on the best course of action.

In reality, Rubio’s bill is a poor option for consumers and companies. For starters, the bill would only allow the FTC to craft privacy rules based on the guidelines in the Privacy Act of 1974. While the Privacy Act may have been timely back in 1974, it is hopelessly antiquated and unable to account for modern technological advancements. The Rubio bill fails to address issues like data minimization or data security standards and fails to broadly define personal information.

Ultimately, the Rubio bill exists to address industry concerns about a “patchwork of privacy bills.” It fails to add any substantive new consumer protections, despite the voluminous evidence that such protections are needed. Rather, the Senator suggests that in order to create a comprehensive data privacy bill, Congress needs more time—time which consumers, in this day of record-setting data breaches and privacy threats, simply do not have.

Carpenter v. United States: Impacts on privacy legislation – National Consumers League

The U.S. Supreme Court decision last week in Carpenter v. United States will shape the relationship consumers have with their wireless devices and the services they use every day for years to come. In a 5-4 decision, the Court held that by obtaining cell-site records, the U.S. government performed a search. By doing so without a warrant, this search was judged unconstitutional, violating petitioner Timothy Carpenter’s Fourth Amendment rights and reversing two previous decisions.

In the case, the FBI had requested records as part of an investigation into several Detroit-area armed robberies, and those records included details about call dates, times, and approximate locations. Carpenter asked that the cell phone evidence be suppressed because it was obtained in a search without a warrant.   

You’re thinking, “And? I’m not accused of armed robbery,” but it’s bigger than Timothy Carpenter. The Carpenter decision affects all of us, and in essence redefines government searches in a digital age.

Think of your relationship with your cell phone. According to Pew, 95 percent of Americans now own one. The same study found that for one in five of us, our smartphone is our sole source of Internet service. We carry them to work, to school, to our homes, and to meet up with friends. They go with us to our meetings, appointments, and vacations. They are a key vector through which we’re understood. Part of that is an unprecedented ability to locate us. When 95 percent of us are moving and communicating with our phones, and when 20 percent of us are using them as our only personal Internet connection, government access to when and where we use cell phones becomes an inroad to very intimate surveillance.

The FBI obtained records defined by the Court as “personal location information maintained by a third party” under the Stored Communications Act (SCA). SCA compels service providers to hand over records of electronically stored communications to government, without a warrant requirement, provided there is evidence for the information’s relevance to an ongoing investigation. Last week’s decision sets a new standard for expectations of digital privacy at a time when consumers and government are grappling with how to think about our lives online using documents drafted by the nation’s founders.

NCL has previously stated that consumer privacy is an integral part of the data economy, and we advocate for robust consumer protections in this space to encourage safe and secure use of online services. We applaud the Court’s decision and see it as an important step in the fight to safeguard consumers’ data in the United States and beyond.

Rebecca Kielty is spending the summer with John Breyault’s team, working on consumer privacy issues as NCL’s 2018 Google Public Policy Fellow. Rebecca received her B.A. from the University of South Florida Saint Petersburg and her M.A. from Georgetown University.

The promise and peril of always-on ad filtering – National Consumers League

Last year, we examined whether the growth of ad blocking was partly a logical response to consumers’ desire to reduce their data security risk. The catalyst for that blog post was Google’s announcement that it intended to include ad filtering-by-default in its Chrome browser, the most popular browser on the market. Earlier this year, that promise became a reality as Google rolled out an update to Chrome that included the ad filtering function.

Much of the online discussion around this move has centered on whether Google’s move, while laudable for pushing for less-annoying ads, should be viewed as a way for Google to give its advertising business an unfair leg up. That conversation is one that needs to happen to ensure that Google doesn’t abuse its market position as both the leading browser maker and the Web’s dominant advertising platform. However, it’s also important to consider whether and how consumers’ data security could benefit from this move. In this blog posting, I take a look at some of the data security benefits that could flow from the growth of always-on ad filtering.

First, however, we must acknowledge that the Coalition for Better Ads (whose Better Ads Standard serves as the basis for Chrome’s ad filtering tool) had limited goals. One reason for this may be that the Coalition didn’t include any consumer organization representatives as it developed its standard, who would have probably pushed for a broader scope. While removing annoying ads is certainly a plus for consumers, this limited scope means Chrome’s ad filter won’t address many of the reasons that consumers have increasingly embraced third-party ad blockers. As our colleagues at the Electronic Frontier Foundation recently noted:

This industry membership explains the limited horizon of the group, which ignores the non-format factors that annoy and drive users to install content blockers. While people are alienated by aggressive ad formats, the problem has other dimensions. Whether it’s the use of ads as a vector for malware, the consumption of mobile data plans by bloated ads, or the monitoring of user behavior through tracking technologies, users have a lot of reasons to take action and defend themselves.

Given this limited scope, what data security benefits can Chrome’s ad filtering provide to consumers? For one, filtering out annoying ads can help reduce consumers’ data security risk. When we first looked at this issue, we noted studies by UC Berkeley and UC Santa Barbara (supported by Google) and security firm Namogoo showing that tens of millions of browsers visiting popular websites were infected with malware and spyware.

Second, by having a default ad filtering function built into Chrome, consumers’ need to install a third-party ad blocker can be reduced. While plenty of consumers install ad blockers for legitimate privacy reasons, scammers have found a lucrative side business in creating fake ad blocking software. For example, five fake ad blockers on the Chrome Web Store were downloaded more than 20 million times before the company shut them down this April.

Finally, as the impact of ad filtering on Chrome takes hold throughout the digital ecosystem, there will be pressure on other browser makers to improve their own technology to better protect consumers from ad-based malware. For example, in March, Mozilla announced that they will be rolling out ad filtering on their Firefox browser this fall. It seems likely that if consumers vote with their mouse clicks and choose more secure browsers, we’ll see other browser makers implement this technology as well.

Going forward, we will be monitoring whether default ad filtering on Chrome and other browsers has a demonstrable impact on browser infection rates. Ultimately, regardless of their browser choice, the goal should be for consumers to have a reasonable level of protection against browser-based malware attacks.