A coalition of civil society groups filed an amicus brief last week in a suit that involves the government preventing Facebook from notifying some users that their information is being sought, possibly in connection with the Jan. 20 presidential inauguration protests, blogged the Electronic Frontier Foundation Wednesday. The EFF-led coalition also includes Access Now, the Center for Democracy & Technology and New America’s Open Technology Institute. EFF staff attorneys Nate Cardozo and Andrew Crocker blogged that the case is sealed but Facebook is fighting several gag orders for search warrants for user content. They said Facebook petitioned the D.C. Court of Appeals -- after it lost a challenge in D.C. Superior Court -- to open the proceeding to amicus briefs "and to reveal that Facebook argues that 'neither the government’s investigation nor its interest in Facebook user information' is a secret." (A search of the case in the court's online system was unsuccessful.) Cardozo and Crocker speculated the warrants are related to the presidential inauguration day protests when D.C. police "arrested hundreds of protestors, charging many with felony rioting." More than 200 people were arrested and indicted on felony rioting charges in protests during the day, according to media reports. Cardozo and Crocker wrote that in late January some defendants had received a notice from Facebook that law enforcement had subpoenaed their noncontent account information. The gag orders, said EFF, infringe on the First Amendment and invade Facebook users' rights "to speak and associate anonymously on a matter of public interest" and be given notice and the opportunity to challenge the warrants. "As we point out in our brief, if the government’s investigation into the Facebook accounts is already known, there’s no way that a gag can prevent any harm flowing from notifying the users and allowing them to challenge the search warrants," wrote Cardozo and Crocker.
Oral argument for the case is scheduled for September even though the case is sealed, they added. A Facebook spokesman emailed there "are important First Amendment concerns with this case, including the government’s refusal to let us notify three people of broad requests for their account information in connection with public events." He said the company appreciates the support of companies and civil society organizations "in arguing for people’s constitutional rights to learn about and challenge these search warrants."
The Center for Digital Democracy is urging the EU-U.S. Privacy Shield be suspended because Europeans' personal information isn't being adequately protected. "EU citizens and consumers who deal with companies enrolled in the Privacy Shield program confront a serious erosion of their data protection and privacy rights," wrote CDD Executive Director Jeff Chester in a Wednesday letter to Bruno Gencarelli, head of the European Commission's Data Protection Unit. Gencarelli formally requested feedback from CDD and other nongovernmental organizations as the agreement approaches its first review in September (see 1704200034). Chester wrote that EU data protection authorities should suspend the program "in light of its lack of any policies, rules, or enforcement that would provide [meaningful] adequacy or equivalency" and U.S. companies should operate under the general data protection regulation that will take effect next year. Chester said there's "no effective legal framework" protecting consumer privacy in the U.S. and that Privacy Shield allows "far-reaching data use practices" with key EU policies being ignored. He added self-certification is "both inadequate and dangerous" and the program's website is full of "typos, broken links, and sloppy data entry" suggesting a "disregard for its operations." There were 2,274 organizations enrolled in the program as of Wednesday, according to the Privacy Shield website.
The U.K.'s Royal Free NHS Foundation Trust "failed to comply" with the nation's data protection law when it provided personal data of about 1.6 million patients to Google, said the Information Commissioner's Office, the country's data protection watchdog, in a Monday news release. "Our investigation found a number of shortcomings in the way patient records were shared for this trial. Patients would not have reasonably expected their information to have been used in this way, and the Trust could and should have been far more transparent with patients as to what was happening," said Information Commissioner Elizabeth Denham. The ICO asked the trust, or hospital network, to make changes to comply with the law. The data shared was part of a "trial to test an alert, diagnosis and detection system for acute kidney injury," the release said. In 2016, the trust forged a five-year deal with Google DeepMind, an artificial intelligence unit, to develop an app for better detection. The trust said in a statement it fully cooperated with the ICO investigation that began more than a year ago and welcomes guidance on how patient data can be processed to test new technology. "We are now doing much more to keep our patients informed about how their data is used," it added. Google didn't comment. ICO said the data protection law isn't a hindrance to innovation but "it does need to be considered wherever people's data is being used."
A federal judge granted Facebook's motion to dismiss a class-action lawsuit that alleged the company violated people's privacy by tracking their browsing activity on third-party websites. Judge Edward Davila of the District Court for the Northern District of California said in Friday's decision (in Pacer) the plaintiffs lacked standing and failed to state a claim. In the case, which dates from 2012 and previously was dismissed before a second amended complaint was filed, several plaintiffs alleged Facebook used "like" buttons in third-party websites to track their private internet browsing history. "Plaintiffs allege that Facebook’s cookies enable it to uniquely identify users and correlate their identities with their browsing activity, even when users are logged out of Facebook," wrote Davila. He said in the second amended complaint the plaintiffs alleged Facebook's actions violated the Wiretap Act, the Stored Communications Act and the California Invasion of Privacy Act (CIPA), among other statutes. Under the Wiretap Act and CIPA, Davila said, plaintiffs alleged Facebook intercepted their communications through acquisition of URL data. But he said Facebook doesn't intercept communications because a user's web browser automatically sends information to Facebook and the third-party website. Davila said the second amended complaint contains "no new facts that establish economic harm or loss" and therefore lacks standing. A Facebook spokeswoman said the company was pleased with the ruling. Plaintiffs' lawyers didn't comment.
A coalition of 65 civil liberties, legal, privacy and tech organizations and experts urged state election officials not to turn over voters' personal data to the presidential commission that's investigating President Donald Trump's unsupported claim of massive voter fraud. In a Monday letter to the National Association of State Secretaries (NASS), the coalition led by the Electronic Privacy Information Center said it "strongly" opposes the Presidential Advisory Commission on Election Integrity's request, which some officials like Virginia Gov. Terry McAuliffe (D) said last week is an effort to "commit large-scale voter suppression." The commission is seeking names, addresses, dates of birth, party affiliation and the last four digits of Social Security numbers. "This is sensitive, personal information that individuals are often required to provide to be eligible to vote. There is no indication how the information will be used, who will have access to it, or what safeguards will be established," the letter said. The coalition said the commission also failed to conduct and publish a privacy impact assessment as required by law before collecting personal data. Last week, the Congressional Black Caucus in a letter also urged NASS members not to comply. Media reports say more than half the states are refusing to comply.
The FTC said Broadcom agreed to create a firewall to remedy agency concerns that the company's proposed $5.9 billion buy of Brocade Communications Systems, a networking products maker, would otherwise be anti-competitive. The concerns arose "because of Broadcom’s current access to the confidential business information of Brocade’s major competitor, Cisco Systems, Inc., that could be used to restrain competition or slow innovation in the worldwide market for fibre channel switches," said an FTC release Monday. It said Brocade and Cisco are the only two competitors in the global market for fiber channel switches, and Broadcom supplies both companies with application specific integrated circuits to make them. Such switches are part of networks that transfer data between servers and storage arrays in data centers, the release said. By owning Brocade, Broadcom could use Cisco's competitively sensitive confidential information "to unilaterally exercise market power or to coordinate action among Brocade and Cisco, increasing the likelihood that customers would pay higher prices for fibre channel switches, or that innovation would be lessened," said the FTC. Commissioners voted 2-0 to issue a complaint and accept the proposed consent decree subject to public comment through Aug. 2, and final action thereafter.
An international network of consumer protection agencies in more than 60 countries, including the FTC in the U.S., unveiled an updated website to help identify and respond to cross-border consumer issues, said the commission in a Friday news release. The International Consumer Protection and Enforcement Network's updated site, which includes a mobile version, provides information to help consumers avoid scams, safely shop online and file a complaint in cross-border disputes. ICPEN's update also helps member agencies securely share intelligence on emerging fraudulent, deceptive and unfair commercial practices, the release said. More updates are expected over the next year, it added.
Eighty-three individuals and international organizations, including Access Now, the Electronic Frontier Foundation, R Street Institute and TechFreedom, are urging the "Five Eyes" -- an intelligence alliance comprised of Australia, Canada, New Zealand, the U.K. and the U.S. -- to facilitate strong encryption development and usage. The alliance's ministers and attorneys general met earlier last week, and issued a joint communique saying "encryption can severely undermine public safety efforts by impeding lawful access to the content of communications during investigations into serious crimes, including terrorism." They wanted to discuss "shared solutions" with communications and technology companies "while upholding cybersecurity and individual rights and freedoms," the communique said. But, in a Friday letter to officials, including U.S. Homeland Security Secretary John Kelly, the coalition favoring strong encryption said the alliance's proposal threatened such communications tools. The letter said engineering back doors or other "deliberate weaknesses into commercially available encryption software ... [is] both shortsighted and counterproductive." The coalition said "encryption does far more good than harm."
In response to the WannaCry ransomware that affected hundreds of thousands of computers worldwide last month (see 1705180032 and 1705160038), House and Senate lawmakers proposed bipartisan legislation that would establish baseline, voluntary cyber hygiene best practices that would be publicly accessible online. In a joint news release, Reps. Susan Brooks, R-Ind., and Anna Eshoo, D-Calif., and Sens. Orrin Hatch, R-Utah, and Ed Markey, D-Mass., said the Promoting Good Cyber Hygiene Act would direct the Department of Homeland Security, the FTC and the National Institute of Standards and Technology to create those standards and consider measures such as multifactor authentication and data loss prevention. Eshoo said experts suggested 90 percent of successful cyberattacks are due to system administrators "overlooking" cyber hygiene and security management. She said the attacks cost the U.S. economy "half a trillion dollars annually" in identity theft, exposed financial data and other things.
French data protection authority CNIL said Microsoft is complying with the country's data protection law, after the DPA lodged a formal notice last year that the company excessively collected personal data, tracked users' web browsing without their consent and failed to provide security and confidentiality of the collected user data. In a Thursday news release, CNIL said Microsoft's "response led [it] to consider that violations had ceased" and the company has implemented several measures to comply with the July 2016 notice, which said more than 10 million users of Windows 10 were affected. The DPA said Microsoft "has nearly reduced by half the volume of collected data within the 'basic' level of its telemetry service which is capable of identifying the system’s functional issues and solving them." Microsoft informs users about how it tracks them for customized advertising and gives them a choice of whether to activate or deactivate this service, CNIL said. The company also strengthened user authentication to access online services, the agency said. CNIL said it gave Microsoft until January to comply with the French Data Protection Act. A Microsoft spokeswoman said the company is "committed to protecting our customers’ privacy and putting them in control of their information." Microsoft appreciates the DPA's "decision and will continue to provide clear privacy choices and easy-to-use tools in Windows 10," she said.