Hello all, and happy Thursday!
The concept of “privacy by design” isn’t new—the term was coined way back in the mid-nineties, but it’s only since privacy by design was enshrined in the GDPR that it’s really come to the fore. One of the stories in our newsletter this week really highlights the importance and challenge of privacy by design, I think.
According to Reuters reporting, Tesla workers were able to access videos from Tesla owners’ cars and often shared them around the office. These were recordings of accidents, people caught in embarrassing situations—even (allegedly) of the inside of Elon Musk’s garage. One former employee said, “The people who buy the car, I don't think they know that their privacy is, like, not respected … We could see them doing laundry and really intimate things. We could see their kids.”
Technically, Tesla employees aren’t supposed to be accessing video data for anything other than the analytics and development purposes described in their privacy policy. But the issue is that they can, not whether they are or are not allowed.
If a Tesla employee feels like it, there may not be much to stop them from sharing recordings from individuals’ cars. Teslas collect a significant amount of data by design—an example is Tesla’s Sentry Mode, in which external cameras remain on to detect potential threats and which has been described as a “privacy violation on wheels.”
Ultimately, no amount of policy and procedure can truly protect personal information. The only surefire way to protect personal information is to not have to collect it in the first place—which can be achieved by adhering to privacy-by-design and data minimization principles.
Best,
Arlo
Indiana poised to add to U.S. state privacy law patchwork
The Indiana House recently voted unanimously to grant final passage to Senate Bill 5—Indiana’s proposed comprehensive data privacy law—to the state Senate. The Indiana Senate has already voted unanimously to approve the bill, and will now vote on concurrence (considered a formality) before the bill lands on Governor Eric Holcomb’s desk for signature or veto.
'Operation Cookie Monster': International police action seizes dark web market
In a multinational crackdown dubbed "Operation Cookie Monster," UK authorities seized a massive dark web marketplace. They estimated that the service hosted about 80 million credentials and digital fingerprints stolen from more than 2 million people.
Special report: Tesla workers shared sensitive images recorded by customer cars
Between 2019 and 2022, groups of Tesla employees privately shared highly invasive videos and images recorded by customers’ car cameras, according to interviews by Reuters with nine former employees. Although Tesla’s privacy notice claims that any recordings are anonymous and cannot be linked to individuals or their vehicles, several former employees indicated they could identify the locations where recordings were made.
Oops: Samsung employees leaked confidential data to ChatGPT
Mere weeks after lifting a ban on the use of ChatGPT, Samsung discovered that multiple employees had shared proprietary code and meeting transcripts with the AI chatbot. Unless users explicitly choose to opt out of data collection, OpenAI retains all data submitted to ChatGPT in an effort to improve its AI models. In part due to these leaks, Samsung is developing its own AI model.
IAPP GPS 2023: FTC's Bedoya sheds light on generative AI regulation
During the International Association of Privacy Professionals’ (IAPP’s) Global Privacy Summit conference this year, U.S. Federal Trade Commissioner Alvaro Bedoya asserted that there is no need for further regulation to address the privacy concerns related to AI. "The reality is AI is regulated (in the U.S.). Unfair and deceptive trade practices laws apply to AI," Bedoya said.
The U.S. deserves stronger spyware protections than Biden’s executive order
U.S. President Joe Biden has signed an executive order that limits U.S. government agencies from using commercially available spyware—but the Electronic Frontier Foundation argues that this does not prevent government use of spyware in the U.S.
Osano Blog: The Iowa Consumer Data Protection Act (ICDPA): The basics
Now that Iowa has joined the five other U.S. states with data privacy laws, what do businesses need to do to get compliant? Fortunately, the Iowa Consumer Data Protection Act appears to be more business friendly than most other laws, but that doesn’t mean compliance is automatic or easy. Read our blog to learn more.