It is estimated that some 80 million Americans and more than one billion people use TikTok. It is well known that TikTok has a direct connection to the Chinese Communist Party, which is a foreign adversary of the U.S. This week, South Dakota Governor Kristi Noem signed an executive order banning all state workers or contractors from accessing TikTok’s website or app on any state-owned or leased devices. According to Governor Noem, “South Dakota will have no part in the intelligence gathering operations of the Chinese Communist Party.”

Other governors may wish to take note of this bold, yet necessary, move. U.S. federal agencies, including the State Department, Department of Defense, the Transportation Security Administration (TSA), Department of Homeland Security, the U.S. military, and the Pentagon have already banned federal workers from using TikTok. The reason: national security. Yes folks, the use of TikTok and voluntarily allowing the Chinese Communist Party unfettered access to all content in TikTok is a matter of national security.

Commissioner Brendan Carr of the Federal Communications Commission feels strongly that the Committee on Foreign Investment in the United States (CFIUS) should ban TikTok for American users due to national and cybersecurity concerns. According to Carr, he has little confidence in TikTok’s ability to properly handle U.S. users’ data, stating that TikTok is “a sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data” with a direct connection to the Chinese Communist Party. He has asked Google and Apple to remove TikTok from their app stores. Users I have spoken with do not seem to care about national security or that they are endangering national security while they have fun with the app. We need to collectively understand and heed the warnings of our government, and understand the impact, however unintentional or ignorant, that our actions have on national security. Let’s not wait for the government to ban the use of TikTok; let’s collectively do the right thing: delete the app and stop using the website.

The holiday season is here again, and many university students will return in January sporting a brand-new drone. Drones have come a long way from the unwieldy radio-controlled (RC) copters of the past. Modern drones can operate across several miles with great precision carrying mounted cameras, microphones, and other sensors. However, federal and state regulators have not established a robust and uniform regulatory framework for drone operation, leaving smaller jurisdictions, including colleges and universities, to fill the gaps.

The Federal Aviation Administration (FAA) regulates commercial and recreational aircraft, so universities may wonder why their campuses need to get involved. The FAA sets the floor for drone regulation, but many smaller localities have issued stricter rules. The FAA’s jurisdiction, for example, does not extend to drone-mounted cameras, so educational institutions need to address drone-enabled voyeurs with supplemental regulations.

Educational institutions may also be interested in preparing students for a career in drone operations. The FAA partners with educational institutions via its UAS Collegiate Training Initiative to provide this type of instruction and connect students and universities with training materials, industry and government contacts, and other educational resources. This program prepares students for safe, legal, and responsible careers in the field. An institution planning to take advantage of this program must have the infrastructure to support safe and practical instruction.

University drone policies should adequately address the three types of operators flying drones on college campuses: commercial, recreational, and educational or classroom/research operators. To do so, universities may want to consider vesting drone policy and enforcement responsibility in a single position.

Universities may employ commercial drone operators to film at sporting events and graduation ceremonies, complete land surveys, and inspect buildings and other structures for damage, to name just a few applications. Accordingly, they may want to consider the processes for requesting a license to operate a commercial drone on campus and whether the university should require standard terms around indemnity and limitation of liability. An effective commercial drone policy should also answer questions such as: What is the process for requesting a commercial drone permit? Where and when is the drone permitted to fly? Are student organizations allowed to contract commercial drone operators, or do all requests need to come from university staff? Who needs to be notified if a commercial drone is used on campus, particularly near sensitive locations such as residential halls?

Along with safety considerations, it is possible that some drone use could violate certain legal obligations. For example, are students allowed to fly recreational drones over stadiums during sporting events, or could this violate an exclusivity clause with a film crew using a drone for aerial shots? If a university decides to permit recreational drone operation, it should consider where and when these activities are permitted to occur.

Additionally, drone policies should require compliance with FAA regulations for recreational operators. The FAA requires all recreational drone operators to pass an aviation safety certification called The Recreational UAS Safety Test, or TRUST, and recreational operators must register their drones with the FAA Drone Zone, too. Currently, the FAA does not require recreational drones to have Remote ID capabilities. (Remote ID is a signal that commercial drones broadcast to identify ownership and share telemetric data with other drones to avoid collisions.) However, the FAA will begin requiring this technology in recreational drones on September 16, 2023, so universities should update their drone policies accordingly.

Even if an institution is not a member of the UAS Collegiate Training Initiative, it may still want to establish a policy for drone use in classrooms and research settings. Consider the permitting process for educational drones – should the process be different than recreational permitting? Does the university provide drones for classroom use? Are students allowed to use personal drones for classroom activities? Could the operation of a drone pose safety issues on campus? How do you mitigate those risks and restrict the use of drones without hindering legitimate use? Every campus is unique, so each college or university should draft drone policies that meet its specific needs. Urban campuses may face different local regulations than rural campuses; technical and research universities may need to test-fly prototype devices; film schools may want to provide the necessary instruction in drone camera operation. Now is the time to create these policies and infrastructure to allow for safe and educational use of drones on your campus.

On November 28, 2022, the Department of Health and Human Services (HHS) issued a proposed rule to modify the confidentiality protections of Substance Use Disorder (SUD) patient treatment records under 42 CFR Part 2 (Part 2) to implement statutory amendments passed under Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (42 U.S.C. 290dd-2). Comments are being accepted for 60 days from the date of publication.

HHS indicates in the proposed rule that the current confidentiality provisions under Part 2 (which applies only to SUD treatment records as defined in that Part) differ from those of HIPAA and create “dual obligations and compliance challenges” for HIPAA covered entities that maintain both protected health information (PHI) and Part 2 records and, therefore, are responsible for both sets of rules, as well as potential informational barriers for treating providers. The proposed changes aim to align the requirements of Part 2 with the HIPAA Privacy Rule to provide greater care coordination so that treatment and recovery supports for SUD are more accessible for patients with SUD challenges.

Key proposed changes align the use and disclosure of Part 2 treatment records with the HIPAA requirements, as follows:

  • Disclosure: A single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations (TPO) of Part 2 records. In addition, revised rules regarding the permitted re-disclosure of Part 2 records consistent with the HIPAA Privacy Rule, subject to certain exceptions.
  • Patient Rights: New patient rights to obtain an accounting of disclosures and to request restrictions on certain disclosures of Part 2 records, and related updates to the HIPAA Privacy Rule Notice of Privacy Practices requirements concerning patient rights and uses and disclosures of Part 2 records. The changes also provide for expanded prohibitions on the use and disclosure of Part 2 records in certain legal proceedings, as well as establishing a process for patients to make complaints for Part 2 violations.
  • Enforcement: New HHS enforcement authority, including the imposition of civil monetary penalties for violations of Part 2.
  • Breach Notification: Updated breach notification requirements to HHS and affected patients.

The proposed compliance date is 24 months following publication of the final rule, thereby providing enough lead time for entities to comply. We will continue to monitor changes to Part 2 resulting from any final rule issued by HHS.

This post is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting health information privacy and HIPAA related topics, we invite you to subscribe to the blog. This post was co-authored by Yelena Greenberg and Danielle Tangorre.

I continue to marvel at how many Americans are using TikTok but are oblivious to the fact that they are being duped by one of our foreign adversaries—the Chinese Communist Party. Folks, listen to and heed the warnings of both state and federal governments on the dangers that the use of TikTok poses to national security. Think about your country instead of yourself and stop using TikTok. It’s a matter of national security.

I am not an alarmist by nature, but the increased mention of TikTok in day-to-day conversations is very concerning, considering the overwhelming warnings about how the Chinese Communist Party is collecting information on Americans. The way to visualize it is to imagine there is a member of the Chinese Communist Party on your shoulder looking at everything you do, tracking your location, accessing your personal and health information and that of your children and other members of your family. We wouldn’t like it if our own government were surveilling us like that. Why are we comfortable with a foreign adversary doing it?

You don’t have to listen to me—just scroll through the articles below—from both sides of the media aisle (this is actually a bipartisan issue)—and get on the collective wagon to voluntarily ban TikTok on a national basis. We can all do this together to spare the government from having to ban us from harming ourselves or our national security.

The saga started in 2020, when President Trump attempted to ban TikTok in the U.S. with an executive order citing national security concerns. TikTok then pivoted to potentially selling its U.S. business to an American company. That strategy fizzled.

President Biden revoked Trump’s order, but started an investigation into security threats posed by TikTok. FCC Commissioner Brendan Carr asked Apple and Google to remove TikTok from their app stores.

Commissioner Carr wants TikTok to be banned for all U.S. users, citing concerns over how TikTok is handling the massive amounts of data it gathers from U.S. users and lingering doubts “that it’s not finding its way back into the hands of the [Chinese Communist Party].”

FBI Director Christopher Wray has testified before the Homeland Security Committee of the U.S. House of Representatives that the FBI has ‘national security concerns’ about the use of TikTok by American users. Wray testified that his concerns include “the possibility that the Chinese government could use it to control data collection on millions of users or control the recommendation algorithm, which could be used for influence operations if they so chose, or to control software on millions of devices, which gives it an opportunity to potentially technically compromise personal devices.”

U.S. federal agencies including the State Department, Department of Defense, the Transportation Security Administration, Department of Homeland Security, the U.S. military and the Pentagon have already banned federal workers from using TikTok.

State governors also are getting into the action to ban the use of TikTok by state workers. The Governor of South Dakota issued an executive order this week banning state workers and contractors from using the app or accessing TikTok’s website from state-issued devices. Enough is enough. Let’s start a grassroots movement to ban the use of TikTok on our own. I urge you to join the movement.

The Health Care Sector Cybersecurity Coordination Center (IC3) recently released an Analyst’s Note to health care organizations providing information on a new variant of ransomware called Venus (also known as GOODGAME).

According to IC3, the threat actors “are known to target publicly exposed Remote Desktop Services to encrypt Windows devices.” The ransomware then “will attempt to terminate 39 processes associated with database servers and Microsoft Office applications,” will “delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention,” encrypts files using AES and RSA algorithms, and appends the ‘.venus’ extension and a ‘goodgamer’ filemarker.
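The behaviours listed in the Analyst’s Note are the kind of signals a defender can look for before encryption completes. The script below is an example added to this post, not code from the note or from any vendor: it runs a handful of behavioural rules over constructed, hypothetical endpoint log lines and reports which stages of the chain (exposed RDP logon, shadow-copy deletion, event-log clearing, DEP disabled, mass process termination, the ‘.venus’ rename) are present. The log format is assumed, and the specific command lines it matches (vssadmin, wevtutil, bcdedit) are assumed as the common ways those behaviours are carried out; the note does not say which commands Venus itself uses.

```python
"""Behavioural detector for the stages described in the Venus/GOODGAME note.

Example code added to this post. The pipe-delimited log format, the sample
lines and the command-line patterns are constructed assumptions, not telemetry
or indicators taken from the Analyst's Note.
"""
import re
from collections import Counter

# Constructed sample telemetry in an assumed "<source>|k=v|k=v" format.
SAMPLE_EVENTS = [
    "auth|event=rdp_logon|src_ip=203.0.113.7|user=svc_backup|result=success",
    "proc|event=process_terminate|image=sqlservr.exe|by=updater.exe",
    "proc|event=process_terminate|image=winword.exe|by=updater.exe",
    "proc|event=process_create|cmdline=vssadmin delete shadows /all /quiet",
    "proc|event=process_create|cmdline=wevtutil cl Security",
    "proc|event=process_create|cmdline=bcdedit /set {current} nx AlwaysOff",
    "file|event=rename|path=C:\\Finance\\Q3.xlsx|new_path=C:\\Finance\\Q3.xlsx.venus",
    "file|event=rename|path=C:\\Users\\a\\notes.txt|new_path=C:\\Users\\a\\notes.txt.bak",
    "proc|event=process_create|cmdline=notepad.exe C:\\readme.txt",
]

# One regex per stage; each maps to a behaviour the note describes.
RULES = {
    # RDP logon whose source is not an RFC 1918 address: "publicly exposed RDP"
    "external_rdp_logon": re.compile(
        r"event=rdp_logon\|src_ip=(?!10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)"),
    "shadow_copy_deletion": re.compile(
        r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil\s+cl\b", re.I),
    "dep_disabled": re.compile(r"\bbcdedit\b.*\bnx\s+AlwaysOff", re.I),
    # the '.venus' extension the note attributes to encrypted files
    "venus_extension": re.compile(r"new_path=[^|]*\.venus(\||$)", re.I),
}


def parse(line):
    """Split one log line into its source and a dict of key=value fields."""
    source, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    fields["_source"] = source
    return fields


def scan(lines, terminate_threshold=39):
    """Return {rule_name: [matching lines]} for every stage seen in `lines`.

    Mass termination is counted per terminating process; the default threshold
    of 39 mirrors the number of processes the note says Venus targets, and a
    lower value makes the rule fire earlier at the cost of noise.
    """
    hits = {name: [] for name in RULES}
    terminations = Counter()
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits[name].append(line)
        fields = parse(line)
        if fields.get("event") == "process_terminate":
            terminations[fields.get("by", "?")] += 1
    hits["mass_process_termination"] = [
        f"{proc}: {n} terminations"
        for proc, n in terminations.items() if n >= terminate_threshold
    ]
    return {name: lines for name, lines in hits.items() if lines}


def verdict(hits):
    """A '.venus' rename alone is high confidence; otherwise require two stages."""
    return "venus_extension" in hits or len(hits) >= 2


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for name, evidence in found.items():
        print(f"[{name}] {len(evidence)} event(s)")
    print("ransomware-like activity:", verdict(found))
```

Run stand-alone it reports five stages on the constructed sample; lowering `terminate_threshold` would also surface the two terminations attributed to `updater.exe`. In a real deployment the shadow-copy and event-log rules are the ones worth alerting on immediately, since they precede encryption and are rarely legitimate outside scheduled maintenance.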

According to reporting from the Verge and the Markup, several popular e-filing providers have been transmitting sensitive financial information to Meta through Meta Pixel. Meta Pixel is a free advertising analytics service offered by Meta that, similar to cookie files and other persistent user identifiers, collects personalized data about how the users interact with content across the Internet. The Meta Pixel service allows Meta to tailor advertising profiles for users regardless of whether they have a Facebook account.

According to the report, using the Meta Pixel code, several popular e-filing sites collected information such as users’ filing status, their adjusted gross income, and the amount of their refund, then sent that information back to Meta’s servers. Meta’s terms of service prohibit the use of Meta Pixel code to collect sensitive information, and the code on the e-filing sites appeared to be misconfigured or left to default settings in many cases.

Businesses that are considering partnering with an outside analytics provider may wish to carefully inventory what data can be collected and where it will be sent. Privacy laws such as the California Privacy Rights Act could expose a business to Attorney General investigations, fines, and private lawsuits for mishandling sensitive information. While use of these technologies is often free, the legal liability might not be.
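One concrete way to do that inventory is to capture the browser’s outbound requests from a test session and check which third-party analytics hosts receive fields that should never leave the first-party domain. The script below is an example added to this post, not code from the Verge or Markup reports or from Meta: it runs over constructed request records in an assumed HAR-like shape, treats a configurable list of hosts as third-party analytics endpoints, and flags sensitive parameter names (including ones wrapped in a `cd[...]` custom-data key, an assumed shape for pixel-style query strings). The host names and field names are assumptions chosen to match the reporting above.

```python
"""Audit captured web requests for sensitive fields sent to analytics hosts.

Example code added to this post. The request records, host list and field
names are constructed assumptions; adjust them to the application under review.
"""
import re
from urllib.parse import parse_qs, urlparse

# Assumed: hosts that are third-party analytics/advertising endpoints.
THIRD_PARTY_ANALYTICS = {"www.facebook.com", "analytics.example"}

# Assumed: parameter names that constitute sensitive financial/personal data.
SENSITIVE_KEYS = {"filing_status", "adjusted_gross_income", "agi",
                  "refund_amount", "ssn", "date_of_birth"}

# Constructed capture of requests issued during a test filing session.
CAPTURED_REQUESTS = [
    {"url": "https://www.facebook.com/tr?id=123&ev=PageView"
            "&cd[filing_status]=married&cd[refund_amount]=1450",
     "initiator": "pixel.js"},
    {"url": "https://www.facebook.com/tr?id=123&ev=PageView",
     "initiator": "pixel.js"},
    {"url": "https://efile.example/api/return?step=3&agi=52000",
     "initiator": "app.js", "body": {"filing_status": "married"}},
]


def normalise_key(key):
    """Map 'cd[filing_status]' -> 'filing_status'; leave plain keys as-is."""
    m = re.search(r"\[(\w+)\]$", key)
    return (m.group(1) if m else key).lower()


def sensitive_keys_in(params):
    """Return the set of sensitive parameter names present in `params`."""
    return {normalise_key(k) for k in params} & SENSITIVE_KEYS


def find_leaks(requests, third_parties=THIRD_PARTY_ANALYTICS):
    """List every request that sends a sensitive field to a third-party host.

    First-party requests are ignored: the point of the audit is data leaving
    the business's own domain, not the business handling its own data.
    """
    findings = []
    for req in requests:
        u = urlparse(req["url"])
        if u.hostname not in third_parties:
            continue
        params = dict(parse_qs(u.query))
        params.update(req.get("body") or {})   # include POST bodies if captured
        keys = sensitive_keys_in(params)
        if keys:
            findings.append({"host": u.hostname,
                             "initiator": req.get("initiator"),
                             "keys": sorted(keys)})
    return findings


if __name__ == "__main__":
    for f in find_leaks(CAPTURED_REQUESTS):
        print(f"{f['initiator']} -> {f['host']}: {', '.join(f['keys'])}")
```

On the constructed capture the only finding is the pixel call carrying `filing_status` and `refund_amount`; the first-party request with `agi` in it is deliberately not reported. Running a check like this against a staging build, before each release, is a cheap way to catch the “left at default settings” configuration the report describes.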

Starting December 1, Facebook reportedly will remove several biographic details from user profiles, including “Religious views,” “Political views,” “Interested in” (indicating the user’s sexual orientation), and “Address.” Many state privacy laws, including California’s Privacy Rights Act, restrict how businesses can collect and use these types of sensitive personal information. Facebook has not confirmed why it is removing these biographical details or whether it will delete this information or simply remove it from public profiles.

The French data privacy authority (DPA) announced that it will fine Discord, Inc. 800,000 euros under the General Data Protection Regulation (GDPR). Discord is a social messaging platform popular with gamers, technology enthusiasts, and the LGBTQ+ community.

The alleged GDPR breaches include failure to establish a written information security policy and data retention schedule, failure to require secure account passwords, and failure to conduct regular data protection assessments. The regulators specifically called out the Discord app’s unusual practice of staying active in the background, keeping the user active on voice chat after the user has clicked the “close” button.

The DPA noted in its findings that Discord cooperated with its investigation and has taken steps to remediate the alleged violations.

This week, a lawsuit was filed in the U.S. District Court of Massachusetts against the Commonwealth of Massachusetts for its use of a COVID-19 contact-tracing app for residents’ mobile phones. However, very few residents voluntarily downloaded the app. The solution? The lawsuit alleges that Massachusetts caused the app to be downloaded to certain residents’ mobile devices without consent or knowledge. The complaint alleges that “on June 15, 2021, [the Massachusetts Department of Public Health (DPH)] worked with [a third party application developer] to secretly install the Contact Tracing App onto over one million Android mobile devices located in Massachusetts without the device owners’ knowledge or permission.” The complaint further alleges that “[w]hen some Android device owners discovered and subsequently deleted the App, DPH would re-install it onto their devices. The App causes an Android mobile device to constantly connect and exchange information with other nearby devices via Bluetooth and creates a record of such other connections. If a user opts in and reports being infected with COVID-19, an exposure notification is sent to other individuals on the infected user’s connection record.”

The complaint also alleges that the app collected information about the user’s travel, social interactions and internet usage. The app was installed as a “settings feature” instead of an “applications file” in order to remain unnoticed.

The lawsuit alleges violations of the Fourth and Fifth Amendments to the U.S. Constitution, Articles XIV and X of the Massachusetts Declaration of Rights, and the Computer Fraud and Abuse Act. The class seeks an injunction against continued use of the spyware and an order requiring the DPH to remove the spyware from users’ mobile devices. The class also seeks to recover attorneys’ fees and $1 for symbolic damages.

The City Council of Chula Vista, California (in the San Diego metropolitan area), announced a new policy governing how city law enforcement can use technology, intended to protect residents with respect to data collected by surveillance equipment. The policy was developed by a city task force after the police department began using Automated License Plate Readers in 2020 and is now taking effect. This new policy also directly affects Chula Vista’s signature drone program. The goal of the policy is to require any kind of technology that city officials and law enforcement intend to use to be reviewed by the task force, which will then determine the impact the technology will have on the public, on city systems, and on resident privacy.

The task force consists of technology experts, financial auditors, public safety professionals, and government transparency activists. To streamline the review, all technology will fall under one of the following categories: general technology, which includes emails and cellphones; sensitive technology, such as drones and traffic signal cameras; and surveillance technology, such as the license plate readers. The highest level of oversight will apply to surveillance technology.

If the technology and its use are approved by the task force, the city manager would be required to report at least once every two years about how the technology has been used, any adverse impacts, and the status of the data collected. The goal is to keep government officials accountable. So, where does that leave drones? Well, they will be subject to this policy (as noted above), but the policy does allow the City Manager or the City Council to waive certain elements of the policy “in the event of exigent circumstances or other circumstances that make compliance impossible or infeasible.” It is likely that other policies and task forces like this one in Chula Vista will continue to pop up as city residents question the scope and oversight of surveillance using new technologies, including drones, by government entities.