Tag: privacy

What They Know Is Interesting—-But What Are You Going to Do About It?

The Wall Street Journal has stirred up a discussion of online privacy with its “What They Know” series of reports. These reports reveal again the existence and some workings of the information economy behind the Internet and World Wide Web. (All that content didn’t put itself there, y’know!)

The discussion centers around “tracking” of web users, particularly through the use of “cookies.” Cookies are little text files that web sites offer your browser when you visit. If your browser accepts the cookie, it will share the content of the text file back with that domain when you visit it a second time.

Often cookies have distinct strings of characters in them, so the site can recognize you. Sites use cookies to customize your experience. If you voted on a poll, for example, a cookie will cause the site to tell you how you voted. Cookies enable the “shopping cart” function in online stores.

Advertising networks use cookies to gather information about web surfers. Ads are embedded on the main sites people visit, just like the video above and the Amazon Kindle widget in the column on the right. They’re served by different servers than most of the content on the page. Embedded content acts as a sort of  ”third party” to the main transaction between web surfers and the sites they visit. Embedded content can offer cookies just like main sites do—they’re known as “third-party cookies.” 

A network that has ads on a lot of sites will recognize a browser (and by inference the person using it) when it goes to different web sites, enabling the ad network to get a sense of that person’s interests. Been on a site dealing with SUVs? You just might see an SUV ad as you continue to surf.

This is important to note: Most web sites and ad networks do not “sell” information about their users. In targeted online advertising, the business model is to sell space to advertisers—giving them access to people (“eyeballs”) based on their demographics and interests. It is not to sell individuals’ personal and contact info. Doing the latter would undercut the advertising business model and the profitability of the web sites carrying the advertising.

Some people don’t like this tracking. I think some feel it undignified to be a mere object of impersonal commerce (see Seger, Bob). Some worry that data about their interests will be used to discriminate wrongly against them, or to exclude them from information and opportunities they should enjoy. Excess customization of the web experience may stratify society, some believe. Tied to real identities, this data could fall into the hands of government and be used wrongly. These are all legitimate concerns, and I share some of them more, and some less, than others.

One I understand but dislike is the offense some people take at cookies for their “surreptitious” use. How many decades must cookies be integral to web browsing, and how many waves of public debate must their be about cookies before they lose their surreptitious cast? Cookies are just as surreptitious as photons and sound waves, which silently and invisibly carry data about you to anyone in the vicinity. We’d all be in a pretty tough spot without them.

Though cookies—and debate about their privacy consequences—have been around for a long time, many people don’t know even the basics I laid out above. They also don’t know that cookies are within the control of every web user.

As I testified to the Senate Commerce Committee last week, In the major browsers (Firefox and Internet Explorer), one must simply go to the “Tools” pull-down menu, select “Options,” then click on the “Privacy” tab to customize one’s cookie settings. In Firefox, one can decline to accept all third-party cookies, neutering the cookie-based data collection done by ad networks. In Internet Explorer, one can block all cookies, block all third-party cookies, or even choose to be prompted each time a cookie is offered.

Yes, new technologies make cookie control an imperfect protection against tracking, but that does not excuse consumers from the responsibility to exercise privacy self-help that will get at the bulk of the problem.

Some legislators, privacy advocates, and technologists want very badly to protect consumers, but much of what is called ”consumer protection” actually functions as an invitation for consumers to cede personal responsibility. People rise or fall to meet expectations, and consumer advocates who assume incompetence on the part of the public may have a hand in producing it, making consumers worse off. 

If a central authority such as Congress or the Federal Trade Commission were to decide for consumers how to deal with cookies, it would generalize wrongly about many, if not most, individuals’ interests, giving them the wrong mix of privacy and interactivity, for example. And it would leave consumers unprotected from threats beyond their jurisdiction (i.e. web tracking by sites outside the United States). Education is the hard way, and it is the only way, to get consumers’ privacy interests balanced with their other interests.

But perhaps this is a government vs. corporate passion play, with government as the privacy defender (… oh, nevermind). One article in the WSJ series has interacted with lasting anti-Microsoft sentiment to produce interpretations that business interests are working to undercut consumer privacy. Engineers working on a new version of Microsoft’s Internet Explorer browser thought they might set certain defaults to protect privacy better, but they were overruled when the business segments at Microsoft learned of the plan. Privacy “sabotage,” the Electronic Frontier Foundation called it. And a Wired news story says Microsoft “crippled” online privacy protections.

But if the engineers’ plan had won the day, an equal opposite reaction would have resulted when Microsoft “sabotaged” web interactivity and the advertising business model, “crippling” consumer access to free content. The new version of Microsoft’s browser maintained the status quo in cookie functionality, as does Google’s Chrome browser and Firefox, a product of non-profit privacy “saboteur” the Mozilla Foundation. The “business attacks privacy” story doesn’t wash.

This is not to say that businesses don’t want personal information—they do, so they can provide maximal service to their customers. But they are struggling to figure out how to serve all dimensions of consumer interest including the internally inconsistent consumer demand for privacy along with free content, custom web experiences, convenience, and so on.

Only one thing is certain here: Nobody knows how this is supposed to come out. Cookies and other tracking technologies will create legitimate concerns that weigh against the benefits they provide. Browser defaults may converge on something more privacy protective. (Apple’s Safari browser rejects third-party cookies unless users tell it to do otherwise.) Browser plug-ins will augment consumers’ power to control cookies and other tracking technologies. Consumers will get better accustomed to the information economy, and they will choose more articulately how they fit into it. 

What matters is that the conversation should continue. If you’ve read this far, you’re better equipped to participate in it, and to take responsibility for your own privacy.

Do so.

Compare and Contrast

Fourth Amendment:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Supreme Court (Katz v. U.S.):

“[S]earches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment—subject only to a few specifically established and well delineated exceptions.”

Washington Post:

“The Obama administration is seeking to make it easier for the FBI to compel companies to turn over records of an individual’s Internet activity without a court order if agents deem the information relevant to a terrorism or intelligence investigation.”

The Information Economy Stops Evolving Today

That would be the message if a bill introduced in Congress this week were to pass. H.R. 5777 is the “Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” or the “BEST PRACTICES Act.” If acronyms were a basis for judging legislation, it should be widely hailed as a masterwork.

But its substance is concerning, to say the least. The bill’s scope is massive: Just about every person or business that systematically collects information would be subject to a new federal regulatory regime governing information practices. By systematic, I mean: If you get a lot of emails or run a website that collects IP addresses (and they all do), you’re governed by the bill.

There’s one exception to that: The bill specifically exempts the government. What chutzpah our government has to point the finger at us while its sprawling administrative data collection and surveillance infrastructure spiral out of control.

Reviewing the bill, I found it interesting to consider what you get when you take a variety of today’s information “best practices” and put them into law. Basically, you freeze in place how things work today. You radically simplify and channel all kinds of information practices that would otherwise multiply and variegate.

I spoke about this yesterday with CNet News’ Declan McCullagh:

Harper says it reminds him of James C. Scott’s book, “Seeing Like A State.” Governments and big corporations “radically simplify what they oversee to make it governable,” he said. “In things like forestry and agriculture, this has had devastating environmental effects because ecosystems don’t function when you eliminate the thousands of ‘illegible’ relationships and interactions. This is Seeing Like a State for the information economy.”

Give people remedies when they’re harmed by information practices, and then leave well enough alone. There’s no place for a list of “must-do’s” and “can’t-do’s” that choke our nascent information economy—especially not coming from a government that doesn’t practice what it preaches.

Stop ‘n’ Frisk Databases

Via Adam Serwer, New York governor David A. Paterson is expected to sign a bill today doing away with data collection on people the police stop and question, but who have done nothing wrong.

The Transportation Security Adminstration’s “SPOT” program—recently the subject of a scathing Government Accountability Office critique—does similar data collection about innocent people.

From late May 2004 through August 2008, “behavior detection officers” referred 152,000 travelers to secondary inspection at airports. Of those, TSA agents referred 14,000 people to law enforcement, which resulted in approximately 1,100 arrests. None had links to terrorism or any threat to aviation.

The data TSA collects “when observed behaviors exceed certain thresholds”—that is, when a traveler garners TSA suspicion—includes:

  • first, middle, and last names
  • aliases and nicknames
  • home and business addresses and phone numbers
  • employer information
  • identification numbers such as Social Security Number, drivers license number or passport number
  • date and place of birth
  • languages spoken
  • nationality
  • age
  • sex
  • race
  • height and weight
  • eye color
  • hair color, style and length
  • facial hair, scars, tattoos and piercings, clothing (including colors and patterns) and eyewear
  • purpose for travel and contact information
  • photographs of any prohibited items, associated carry-on bags, and boarding documents
  • identifying information for traveling companion.

Busting the Myth that Web Sites ‘Sell Your Data’

On TLF, Berin Szoka comes up just shy of ranting, but it’s a good rant against the myth that Web sites like Facebook sell or give your data to advertisers.

In targeted online advertising, the business model is generally to sell advertisers access to people based on their demographics. It is not to sell individuals’ personal and contact info. Doing the latter would undercut the advertising business model and the profitability of the web sites carrying the advertising.

I did some myth-busting of my own last year when the Wall Street Journal published erroneous information about a health-interest site called RealAge.com, which does not give or sell visitors’ data to drug companies.

Understanding how technologies and business models work is job one for crafting good public policies, but as I noted yesterday

“Privacy” v. Justice: Wiretapping Case Update

Anthony Graber, the Maryland motorcyclist being prosecuted on state felony wiretapping charges for recording his traffic stop and posting the video on YouTube, is the subject of an article in today’s Washington Post. I have said (again and again) that this is a misreading of the Maryland wiretapping statute, which is not supposed provide grounds for prosecution where there is no “reasonable expectation of privacy.”

Graber was on the side of the highway, and the police officer asserting this expansive reading of the wiretap statute while making an arrest at the Preakness was in the middle of a large crowd. There is no reasonable expectation of privacy in either of those places. The Post article provides the other side of the argument:

The attention the Graber case is receiving has surprised Harford prosecutor Joseph I. Cassilly, who said his office has prosecuted similar cases before, including one within the past year against the passenger of a car that was stopped during a drug investigation who started taping officers with a cellphone camera. Cassilly said he didn’t know the status of the case because the prosecutor handling it has been out sick.

“The question is: Is a police officer permitted to have a private conversation as part of their duty in responding to calls, or is everything a police officer does subject to being audio recorded?” Cassilly said.

Cassilly thinks officers should be able to consider their on-duty conversations to be private.

I disagree. The injustice of the Maryland wiretap law was demonstrated earlier this week when Rep. Bob Etheridge assaulted a student who asked him a question while recording the encounter. The students were lucky that they were in the District of Columbia.

If the scuffle had been in Maryland, Etheridge could have been prosecuted for misdemeanor assault (this remains true for D.C., but I am not aware of any charges that have been made). In contrast, the students would have been on the hook for a felony violation of the wiretap law for recording the event, another violation for posting the event on the internet, and an additional charge for possession of the device used to intercept the conversation. I’m not agreeing with that reading of the law, but that’s the interpretation being used to prosecute Anthony Graber.

Whatever your views on privacy are, that’s not justice.

Event Data Recorders: They’re Not Just for Safety

In my recent testimony before the House Commerce Committee on a proposal to require event data recorders in all new cars sold in the United States, I pointed out that the mandate would go far beyond what is needed to ensure safety. Indeed, the cost of EDRs raises the prices of new cars, marginally reducing the pool of used cars and keeping lower income drivers in older used cars which are less safe.

The demand for EDRs in all cars, collecting and transmitting data about all crashes, suggests that something more than statistically relevant safety data is what advocates of this mandate want. I put a finer point on these issues today in answers to questions propounded to me after the hearing.

The proposed EDR mandate includes controls on the use of EDR information, a nominal protection for privacy, but the EDR mandate “sets the stage for migration away from consumer privacy toward serving the goals of government and industry related not only to safety but also to general law enforcement, taxation, and surveillance.”