Is This Thing On? Decoding Audacity’s Privacy Update

Changes in the data-collection policy for a hugely popular audio editing app are highlighting old and new tensions in digital trustworthiness, and how open-source software can offer solutions. A Familiar Tune: The Vague Privacy Policy Audacity has been a touchstone for open-source editing software for years. Since its first open-source release in 2000, the app has garnered over 100 million downloads, giving rise to vibrant online communities of users. To understand the implications of Audacity’s July 2 update and its widespread backlash, it’s crucial to keep in mind the app’s open-source community. Diving into Audacity’s Privacy Updates Let’s look at two explicit changes in Audacity’s policy and their impact for software users and broader regulations. First, the July 2 update …

Meet The Colorado Privacy Act: An Intro To CPA Compliance

Colorado joins the ranks of California and Virginia in passing comprehensive consumer privacy legislation. Here’s how the latest privacy law stacks up to other frameworks, and what it could teach us about the future of American privacy regulation. Privacy Protections for the Centennial State On July 7, Colorado’s governor signed the Colorado Privacy Act (CPA) into law, which codifies data privacy rights for the state’s almost 6 million residents. The CPA takes effect on July 1, 2023. Looking at a national scale, the CPA is grounded in the general business obligations and user provisions articulated in recent legislation from California and Virginia. However, its additions are significant and could shape expectations for other jurisdictions’ privacy legislation in the future. Here …

See A Dark Pattern, Defeat A Dark Pattern

I first learned about dark UX patterns when I worked at Blizzard Entertainment, where our UX team fought endlessly to thwart any experiences that could be remotely perceived as dark patterns, since they are so prevalent in the games industry. Using some of those learnings as my foundation, I led an interactive session on UX dark patterns at The Rise of Privacy Tech’s Virtual Summit in June alongside my colleague Simon, the Director of Design here at Ethyca. I’ll take you through the highlights here, but to see a recording of the session (with all the audience engagement!), check out their YouTube channel here in the coming weeks! Meet Dark Patterns In 2010, UX researcher Dr. Harry Brignull coined the …

Data Erasure In Distributed Systems

Encoding Respect My talk at this year’s Privacy Engineering Practice and Respect (PEPR) conference came on the heels of the Colorado House voting to pass the state’s comprehensive privacy legislation. This regulatory news sums up one of my talk’s main points for engineers: users are looking for respectful systems, where respect is built into the processes that handle their data. Building respectful systems is both the right thing to do and—increasingly—the approach demanded by regulations worldwide. For folks who could not attend PEPR, or those who want to revisit my talk, I’ve written up a couple of highlights on modern data erasure in distributed systems. Key Take-Away #1: Personal data is never just a matter of deleting a single row. …

Big Tech As Its Own Privacy Regulator, Part 2: For Kids

On policy and product fronts, children’s privacy is taking the national stage. In understanding the market and legal forces at work, a striking vision for general consumer privacy comes into focus. Think of the Children! For all of the complex challenges of data privacy (see: the increasingly maze-like state of EU-US data transfers), some topics seem much more intuitive to wrap my brain around, like children’s privacy protections. In recent weeks, a bipartisan proposal for revamped children’s privacy protections has come to the US Senate, shortly after 44 states’ attorneys general issued a letter urging Facebook to stop development of its new Instagram for Kids, citing–among other vital concerns–threats to children’s privacy protections. As I previously wrote, in the absence …

Implementing Two-Factor Authentication In DSARs And Beyond

Strong password practices are essential for keeping your company’s and users’ data safe, in processing DSARs and in your general business practices. However, passwords are just one part of the equation. For next-level protection, here’s the 411 on 2FA: two-factor authentication. The Basics of Two-Factor Authentication Two-factor authentication, sometimes called multi-factor authentication, is exactly what it sounds like. It is a two-step process to verify that someone is who they say they are. In addition to a password, two-factor authentication requires additional information from the user. For instance, a user might have a unique code sent to their email or to an app on their phone. The user then inputs this code as part of the log-in process. Two-factor authentication …

Your Guide To The May 2021 Ruling On Facebook’s EU-US Data Transfers

The Schrems saga, going eight years strong, is only getting more consequential for data transfers. Here’s a recap of the latest ruling out of Ireland. Setting the Stage, Raising the Stakes The widening disparity in data protections between the EU and the US is spelling trouble for Facebook, and potentially for US businesses of all sizes. Late last week, the Irish High Court dismissed Facebook’s attempt to block Irish authorities from investigating their EU-US data transfers. The ruling does not halt the transfers overnight, but it is a consequential development in an ongoing story eight years in the making. To make sense of the latest ruling, I have done my best to distill eight years and seven court cases into …

What Florida And Washington Are Teaching Us About Privacy Legislation

Last week, two of the most prominent privacy bills in the country died, in large part over a debate about a private right of action. Here’s a rundown of the ongoing disagreement and how it could shape the trajectory of US privacy. Taking Stock of State-Level Privacy Bills Ever since March 2020, our collective sense of time has had its tenuous moments, to say the least. Working from home and not holding in-person events to mark special occasions, some days seem to fly by while others float in place. But time is indeed moving along; just look at how the privacy landscape has evolved. A little over two months ago, I was giving a summary of the growing number of …

Global Comparison Of DSARs And Data Subject Requests

Data subject access requests (DSARs) and data subject requests (DSRs) are among the most prominent user-facing aspects of modern privacy regulations. Effectively fulfilling users’ requests in accordance with global regulations is one of the most visible ways you can earn users’ trust. Defining DSARs and DSRs DSARs and DSRs are related terms, sometimes used interchangeably, to describe requests that end-users can make regarding their privacy rights. DSRs refer to users’ requests to access, erase, or correct their data according to the relevant regulation, such as the EU’s General Data Protection Regulation (GDPR). DSARs specifically refer to access requests. In other words, DSRs form an umbrella category that includes DSARs as well as other requests. This article is a guide on …

Why Data Erasure Actually Might Not Leave A Blank Cell

Erasure requests are a key component of privacy regulations worldwide. To meet the growing requirements, teams must be able to effectively erase a requesting user’s data. That erasure actually might not leave a blank cell in the database, and that’s a good thing. Data Erasure, Explained The EU’s General Data Protection Regulation (GDPR) has set the global standard for privacy, including in the rights it grants to users. Among them, a right to erasure: a user can request that a company remove all personal data they hold on them. In recent years, this right to erasure – sometimes called “right to delete” or “right to be forgotten” – has cropped up in privacy regulations worldwide, from Virginia’s CDPA to Brazil’s …