privacy
- EFF on Privacy
- Wikipedia, particularly good for the history of privacy law in the U.S.
- Prof. Daniel Solove: The Chaos of U.S. Privacy Law
- Michael McFarland, SJ: Privacy and the Law
Facebook is not free
If you use Facebook, this article is a must-read. It’s now common knowledge Facebook is always watching and analyzing how you use the service. But the breadth and depth of the company’s participation in the data brokering economy is staggering. The worst part? You literally signed up for it.
Facebook obviously doesn’t charge its users money, but the mere act of creating a profile affirmatively grants the company total access and usage rights over everything you do on the site. It even shares its data about you with data brokerage firms whose business model is monetizing you.
This is all stuff I have personally known and accepted for a long time, but as the ability to easily aggregate dossiers on anyone and everyone increases, it’s more important than ever to educate yourself and those you care about. Facebook is not free, and in fact it’s worth asking whether the price most people pay by clicking a harmless-looking “I agree” button is really worth it.
Facebook COO Sandberg apologizes for emotional contagion experiment
R. Jai Krishna, reporting on the reaction of Facebook Chief Operating Officer Sheryl Sandberg to the outcry over the company’s experiment on the emotions of nearly 700,000 unwitting users:
“We take privacy and security at Facebook really seriously because that is something that allows people to share” opinions and emotions, Sandberg said.
The telling part about Sandberg’s reaction is that those who take privacy and security seriously don’t have to say it very often, if at all.
Avoid Facebook's all-seeing eye
Violet Blue, reporting at ZDNet:
Facebook also announced Thursday it will begin tracking its users’ browsing and activities on websites and apps outside Facebook, starting within a few weeks
Her article is full of great advice for people who want to minimize Facebook’s tracking ability across desktop and mobile browsers. Be sure to have a look if the recent changes freak you out.
Internet Privacy and What Happens When You Try to Opt Out
Janet Vertesi tried to hide her pregnancy from the internet:
The myth that users will “vote with their feet” is simply wrong if opting out comes at such a high price. With social, financial and even potentially legal repercussions involved, the barriers for exit are high. This leaves users and consumers with no real choice nor a voice to express our concerns.
It’s a fascinating article.
Moves, contradicting previous statement, may share user data with Facebook under new privacy policy

First, when fitness tracking app Moves was acquired by Facebook in April, it said:
For those of you that use the Moves app – the Moves experience will continue to operate as a standalone app, and there are no plans to change that or commingle data with Facebook.
CNET reported almost identical language from Facebook:
A spokesperson for Facebook confirmed the plans to keep the Moves app standalone and not commingle its data
Today, in an updated privacy policy, Moves said:
We may share information, including personally identifying information, with our Affiliates (companies that are part of our corporate groups of companies, including but not limited to Facebook) to help provide, understand, and improve our Services.
I suppose the updated policy doesn’t technically contradict the statements by Moves and Facebook because it’s feasible there were no plans at that time to commingle data with Facebook. But my initial reaction was incredulity.
After all, the Wall Street Journal reported Moves had been downloaded 4 million times. Surely Mark Zuckerberg acquired Moves primarily for its ever-growing trove of user activity data. Why else?
But none of the coverage questioned the initial statements, and I figured the companies wouldn’t say it so plainly if it wasn’t true. So I decided to wait and see.
Well, I’ve waited and seen. The lesson here is that it is wiser to pay attention only to what a company does, not what it says. If it looks like a data grab and smells like a data grab, it’s probably a data grab. Even if, especially if, someone tells you it isn’t a data grab.
Facebook deals in data, whether its hundreds of millions of users know it or care about it or not. And Moves would be stupid not to take the money and, more importantly, the resources Facebook can bring to bear on improving the app. So a data grab isn’t a surprise. Perhaps the “no commingling” language was an elegant public relations play meant to minimize privacy concerns in the press. That would seem to have worked: as of this article’s publication I couldn’t find a single story on the change.
Zuckerberg’s recently stated intent to grow via the acquisition and development of discrete apps and services raises another interesting issue. To quit Facebook, it may not be enough anymore to, well, quit Facebook. If I closed my Facebook account today, the company could still gather data about me for as long as I use Moves. Facebook has a growing list of acquisitions under its belt, so that concern is likely to increase with time.
This example of corporate self-contradiction is a good reminder: Always assume your data is a valuable and transferable commodity in the eyes and on the servers of the apps and services you use. Some people are deterred by that fact, while others are not. There is no right or wrong answer, just a continuum of personal comfort and preference.
While I wish the companies had been more forthright from the beginning, I won’t stop using Moves. I have personally always been relatively open in sharing data in exchange for convenience and utility. But that doesn’t mean I’m not alarmed by the increasing difficulty of using the internet and related apps and services for those who disagree with my position on openness.
Share your perspective via email at joe@joeross.me, on Twitter or in the comments.
Heartbleed: When no encryption is better than bad encryption
Alex Hern reports for The Guardian this disturbing fact about the recently disclosed OpenSSL bug, now two years old and pervasive:
servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all.
How? The bug allows access even to information the encryption wasn’t protecting.
DHS wants to track license plates
ICE spokeswoman Gillian Christensen, on the license plate tracking system recently proposed by the Department of Homeland Security:
It is important to note that this database would be run by a commercial enterprise, and the data would be collected and stored by the commercial enterprise, not the government.
Because the government never compels commercial enterprises to give it data.
Ever.
Facebook scans messages for ad targeting
I know this is an unpopular stance, but if you operate on any assumption other than that this happens all the time on myriad services you use, you’re a crazy unrealistic person lacking in the minimum amount of cynicism (read: realism) required to use the modern internet in a fully-informed manner.
While I don’t have time these days to do the digging someone should do on this, it strikes me as very likely we all gave Facebook permission to skim all of our content for ad-related and any other purposes when we signed up.
Digital privacy almost always comes with an asterisk these days, and that’s not going to change any time soon.
Judges are, and aren't, competent to rule on intelligence issues
Lots to parse on this one, although it looks like a new chapter in the “Surveillance Wars” Edward Snowden started with his leaks.
Two choice quotes really stood out to me in this article, though, especially because they are in sequence:
Gen. Michael Hayden, former director of both NSA and the Central Intelligence Agency, said […] judges “are not really in a good position to judge the merits of intelligence collection programs.”
That’s funny, because the very next paragraph cites consistent judicial approval of the program as a defense to its continued use:
An Obama administration official said that on 35 occasions in the past, 15 separate judges assigned to the secretive Foreign Intelligence Surveillance court had declared bulk communications of telephone metadata lawful.
Which one is it? Well, as usual with the law, it’s probably both. Judges are human too, despite what some litigators may say, and their job is to decide.
Whether that decision is sufficiently informed in every case is up for debate, but if the former head of the NSA and the CIA doesn’t think judges are well-equipped to render decisions on intelligence collection programs, it’s curious the Obama administration would rely on that judgment in defending the collection programs.
Perhaps the Foreign Intelligence Surveillance Act (FISA) should be amended to mandate an intelligence background for all judges appointed to the Foreign Intelligence Surveillance panel.
As it stands now, the Chief Justice of the Supreme Court can quite literally appoint whomever he wants to the FISA court, whether they have any experience in intelligence or not.
How intelligent is that?
NSA responds to “erroneous” data collection reports (full text)
The National Security Agency, in a mass email to press Oct. 31, presumably responding to a recent Washington Post report on the agency’s direct data monitoring of companies like Google and Yahoo, goes all third-person self-referential on us:
What NSA does is collect the communications of targets of foreign intelligence value, irrespective of the provider that carries them. U.S. service provider communications make use of the same information super highways as a variety of other commercial service providers. NSA must understand and take that into account in order to eliminate information that is not related to foreign intelligence.
Read the rest of the statement:
STATEMENT
Oct. 31, 2013
Recent press articles on NSA’s collection operations conducted under Executive Order 12333 have misstated facts, mischaracterized NSA’s activities, and drawn erroneous inferences about those operations. NSA conducts all of its activities in accordance with applicable laws, regulations, and policies – and assertions to the contrary do a grave disservice to the nation, its allies and partners, and the men and women who make up the National Security Agency.
All NSA intelligence activities start with a validated foreign intelligence requirement, initiated by one or more Executive Branch intelligence consumers, and are run through a process managed by the Office of the Director of National Intelligence. When those requirements are received by NSA, analysts look at the Information Need and determine the best way to satisfy it. That process involves identifying the foreign entities that have the information, researching how they communicate, and determining how best to access those communications in order to get the foreign intelligence information. The analysts identify selectors – e-mail addresses and phone numbers are examples – that help isolate the communications of the foreign entity and task those to collection systems. In those cases where there are not specific selectors available, the analysts will use metadata, similar to the address on the outside of an envelope, to attempt to develop selectors for their targets. Once they have them, they task the selectors to the collection systems in order to get access to the content, similar to the letter inside the envelope.
The collection systems target communications links that contain the selectors, or are to and from areas likely to contain the selectors, of foreign intelligence interest. Seventy years ago, the communications links were shortwave radio transmissions between two points on the globe. Today’s communications flow over technologies like satellite links, microwave towers, and fiber optic cables. Terrorists, weapons proliferators, and other valid foreign intelligence targets make use of commercial infrastructure and services. When a validated foreign intelligence target uses one of those means to send or receive their communications, we work to find, collect, and report on the communication. Our focus is on targeting the communications of those targets, not on collecting and exploiting a class of communications or services that would sweep up communications that are not of bona fide foreign intelligence interest to us.
What NSA does is collect the communications of targets of foreign intelligence value, irrespective of the provider that carries them. U.S. service provider communications make use of the same information super highways as a variety of other commercial service providers. NSA must understand and take that into account in order to eliminate information that is not related to foreign intelligence.
NSA works with a number of partners and allies in meeting its foreign-intelligence mission goals, and in every case those operations comply with U.S. law and with the applicable laws under which those partners and allies operate. A key part of the protections that are provided to both U.S. persons and citizens of other countries is the requirement that information be in support of a valid foreign intelligence requirement, and the Attorney General-approved minimization procedures. These limitations protect the privacy of all people and, in particular, to any incidentally acquired communications of U.S. persons. The protections are applied when selectors are tasked to the collection system; when the collection itself occurs; when the collected data are being processed, evaluated, analyzed, and put into a database; and when any reporting of the foreign intelligence is being done. In addition, NSA is very motivated and actively works to remove as much extraneous data as early in the process as possible – to include data of innocent foreign citizens.
—NSA Public Affairs Office
States cite lack of federal progress in pursuit of privacy reform
Special interest groups oppose federal privacy reform to prevent onerous new regulations.
But this effort must, at some point, become counterproductive.
A multitude of state-specific privacy frameworks that, by (federal) law, can’t operate between states, must, at some point, become at least as onerous as new federal regulations.
Google "zealously" private about mystery barge
I thought this was interesting but not really worth mentioning here, until the Coast Guard visited, apparently, as USA Today reports, under a presumably Google-imposed gag order.
I’m an avid Google user, incredibly open on the internet, and something of an apologist for the utility of systems that know a ton about me. But I still think it’s rich that, as Michael Winters writes in the article, Google “is zealously guarding its privacy” around the barge.
So rich.
UPDATE: It’s a party barge. No, seriously.
One Google, two different privacy rulings
Stanford researcher Jonathan Mayer, in an email to the Wall Street Journal’s Elizabeth Dwoskin and Rolfe Winkler:
Courts are doing pretzel twists to slot modern electronic privacy issues into antiquated statutory schemes. Congress badly needs to update the nation’s privacy laws; we can’t leave the courts with so little guidance and expect consistent results.
The inconsistent application of the law across states suggests the issue may be ripe for appeal on both fronts, and may be on a long journey to the Supreme Court. The Delaware court saw no harm in Google’s circumvention of browser-based privacy settings and thus no cause of action.
What interests me is that the information you can collect via someone’s browsing behavior with a cookie is probably similar to the information you can collect by scanning their email, the action at issue in the North Carolina case, in which the judge denied Google’s motion to dismiss the suit.
Thus, it’s the difference in the method of collection, even where the subject of collection is the same, that may be triggering the proliferation of multiple interpretations of privacy law.
Of course, it’s worth noting that the wiretap law refers specifically to communication interception, which applies directly to email. While browsing history can tell a great deal about someone, it’s not, strictly speaking, a mode of communication, so plaintiffs probably need to rely more on the common law.
I wish I had more time to sink my teeth into the issue, but I’ll have to settle for sharing a few useful links on privacy law for those interested in learning more:
Welcome to Google Island
If you follow one link from my blog this week, make it the one above. It’s well-written and disturbingly possible-seeming.
U.S. directs agents to cover up program used to investigate Americans
John Shiffman and Kristina Cooke, reporting for Reuters Washington bureau:
The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial.
This goes well beyond spying. This is, I would argue, exactly why people object to such domestic spying.
The logic is that those with nothing to hide have nothing to fear. However, the “Special Operations Division” probably isn’t infallible, since, well, no one is, and that means that you may have nothing to hide, and think you have nothing to fear, and be completely wrong.
Innocent people may have been convicted as a result of what appear on their face to be unconstitutional, extrajudicial practices.
Those arguing that the price for protection from terrorists and other would-be evil doers is letting the National Security Agency have a peek at our Gmail will have a much more difficult time making the same case for falsifying an evidence trail.
The defense was often held in the dark and, apparently, at least in some cases, investigators misled both the prosecution and judicial evidentiary discretion.
Oh, and as a cherry on top, here’s a gem from near the end of the Reuters story:
A DEA spokesman declined to comment on the unit’s annual budget. A recent LinkedIn posting on the personal page of a senior SOD official estimated it to be $125 million.
The monitoring of internet communications for sensitive information, it would seem, goes both ways.
German railroad mulling anti-graffiti drones
With US authorities pushing for easier backdoors into electronic communications systems, a network of anti-graffiti drones looks like a good front for general state-wide surveillance. The German privacy ethic runs deep, but it may provide an interesting model for US authorities to consider in the long-term.
Obama May Back F.B.I. Plan to Wiretap Web Users
Charlie Savage of The New York Times:
the new proposal focuses on strengthening wiretap orders issued by judges. Currently, such orders instruct recipients to provide technical assistance to law enforcement agencies, leaving wiggle room for companies to say they tried but could not make the technology work. Under the new proposal, providers could be ordered to comply, and judges could impose fines if they did not.
Concerns that this would prompt similar measures from repressive governments abroad are not overblown. If we expect foreign companies to submit to these procedures, their governments will expect US companies to do the same. I’m surprised this article doesn’t mention anything about what the Obama administration’s diplomats and international law folks think about all of this.
China is very serious about cyberespionage
Google apologists like myself often answer concerns that the search-and-advertising giant can scan your email with something like “yes, but they’re doing it with robots and scrubbing it clean of all identifying information.”
China, however, is not so concerned with your privacy or its own image. In fact, monitoring otherwise-harmless civilians probably proves valuable to the renegade nation by illustrating the best means of tricking US netizens into installing backdoor viruses on their systems.
The most important point this article makes, in my view, is that China is playing the long game on cyberespionage efforts. As David Feith reports in the Wall Street Journal piece linked to above:
The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”
They’re not going to take down any infrastructure any time soon, but if and when they want to, their current efforts will probably go a long way to helping them learn how to do it.
This stuff is not just a headline: it’s been happening for some time, is still happening, and is likely only to increase. Mr. Feith’s article at the Journal is well worth reading.
Actually, it's not our data at all
It may illustrate your shopping habits and your life events, but the data about what you do online and with customer loyalty cards effectively belongs to the companies that sell it. And it makes them a lot of money.
Don’t forget that.