Oakland, Seattle See Push for Citywide Privacy Policies, End of Mass Surveillance

By the time the project begun in 2009 was discovered in 2013, Phase I was operational, EFF said last year. DAC had integrated “Port [of Oakland] security cameras and an intrusion detection system with City of Oakland traffic cameras, city geographic information system (GIS) mapping, and a gun shot detector called ShotSpotter,” it said. Phase II would have aggregated additional data sources such as social media, facial and gait-walking recognition and license plate scanners. Residents were able to stop Phase II implementation. The City Council voted March 4, 2014, to restrict the DAC to just the port, and to remove the citywide ShotSpotter maps and city traffic cameras from the system to ensure the DAC would affect just the port.

It’s a qualified victory, EFF activist Nadia Kayyali said. Because the process was so flawed, concerns remain, and the comments made on the development of the privacy policy reflect that, she said. The City Council said if the surveillance capabilities of the DAC are to expand, or if the information will be shared, the council must approve those decisions, and also voted to create an ad-hoc privacy policy committee that includes members from the American Civil Liberties Union, EFF and Oakland Privacy Working Group.

The nine- to 10-member committee has met twice a month since May and is working on a privacy policy that would govern the DAC, said DAC Privacy and Data Retention Committee Ad-Hoc Privacy Policy Committee Chairman Brian Hofer, a member of the Oakland Privacy Working Group. The DAC has been dark and will remain dark until the privacy policy is approved, Hofer said. A privacy policy proposal was presented to the Public Safety Committee Feb. 10. While the group approved the proposal in concept, it decided more “cleanup” needed to be done after the public comment period closed, Hofer said. The next release of the privacy policy is expected April 21, he said. The privacy policy framework includes transparency, independent internal and external audits, annual reporting requirements, and penalties and liabilities for misuses, Hofer said.

“Public feedback and activism can really make a difference,” Kayyali said, saying the city has seen a “huge turnaround” since a couple of residents found out about the DAC. “Even if people didn’t completely shut it down,” what Oakland residents did with the DAC is a success story, Kayyali said. “It’s a big political issue,” Hofer said. “There’s a lot of movement nationwide in 2015 to protect privacy,” he said. “The success in Oakland is going to be encouraging for other municipalities,” including fellow California cities Berkeley and Santa Clara, which are looking to use Oakland’s privacy policy as a template, Hofer said.

First of a Kind

Oakland has a “friendly rivalry” with Seattle, which is working on its own citywide privacy policy, Hofer said.

Seattle has seen several privacy incidents in the past two years, said ACLU Washington state chapter Technology and Liberty Director Jared Friend. The Seattle Police Department bought surveillance drones without obtaining authorization from the City Council or seeking public comment, and installed surveillance cameras along the waterfront without authorization or public comment, said Friend, who's also on the advisory board for Seattle’s privacy initiative. There was such an uproar, particularly about the police department’s use of drones, that the department sold the drones, Friend said. DHS donated funds to roll out initiatives such as tracking people with Wi-Fi hot spots as they walked around the city, Friend said. Because there was no oversight, the project has been put on hold indefinitely, he said.

Given the number of incidents of privacy and surveillance concerns in Seattle, Mayor Ed Murray decided to undertake a privacy initiative and created an advisory board with members from civil liberties groups, city stakeholders and attorneys, to have a “high-level” chat about privacy, Friend said. “Technology is constantly changing, and protecting the privacy of those who interact with the city is of utmost importance,” Murray said last month in a news release. He said the city “collects personal information in many City processes, such as paying a utility bill or in the form of video from our public safety departments.” Murray said it’s “critical that we strike the right balance between protecting individual privacy and the public’s need for a transparent and open local government.” Murray's pointed us to the press release and had no additional comment.

Nothing tangible came out of the Privacy Advisory Committee, but the goal is to create a chief privacy officer who will be tasked to work with departments and stakeholders to ensure privacy is part of the conversation, Friend said. The task force and citywide privacy policy is thought to be the first of its kind in the U.S., he said. Similar programs are in effect in Canada and Europe, but not in the U.S. -- at least not for a city the size of Seattle, he said. Everyone agrees it’s a good thing -- there hasn’t been any outright opposition, he said.

Proposed privacy principles for the city include keeping personal information private, data minimization, giving residents a choice about how their information is used, implementing data security measures, following federal and state laws when it comes to disclosing data, and answering public disclosure requests, Murray’s office said last month.

Americans generally are more privacy-aware than in the past, said Covington & Burling attorney Kurt Wimmer, chairman of the Privacy and Information Security Committee of the American Bar Association’s Antitrust Section. Before connecting to a network, the user should find out what that network's privacy policies are, Wimmer said. The FTC is pushing industry in the direction of writing privacy policies in plain English and making them easier to understand, Wimmer said, since people are reading them now.