Archives for the 'Privacy and Government Surveillance' Category
Does This Really Surprise Anyone?
According to ABC News:
Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.
It’s a simple formula: Lack of oversight produces abuses. Members of Congress may scurry around and declare outrage, but the responsibility is their own as much as anyone else’s.
Age Verification Debate Continues; Schools Now at Center of Discussion
This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year. ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.
Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (e.g., filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies. In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakley of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identity-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.” [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn't require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]
On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification. Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this. I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet's Chris Soghoian had a brutal assessment of this week's proposals on his "Surveillance State" blog.]
In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front. I will argue:
- There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
- First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
- Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined. But how do we establish a clear link between parents and kids? And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
- It remains very unclear how either of those two verification methods would make children safer online. Indeed, they could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
- It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well as increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.
Continue reading if you are interested in the details.
Good CBN Story on Surveillance Cameras
Yours truly shows up in a good story on surveillance cameras on the Christian Broadcasting Network today. Watching the whole thing, I was impressed by the sophistication of the host, who observed in the discussion segment: “We’re giving up so much privacy in order to obtain the illusion of security.”
Go to Jail for Online Anonymity: The End of Internet Freedom?
Forget net neutrality and the growing Googleplex. The real threat to Internet freedom comes from plain old criminal law.
In three weeks’ time, Missouri housewife Lori Drew will face trial for entering false personal details when she signed up for a MySpace account. Her indictment alone, whether or not she is convicted, should frighten anyone who’s ever filled out a form online.
The case, which captured the tabloid media when it broke last year, turns on unusual facts. Drew, posting as a teenage boy, created the MySpace account to probe why a neighbor’s daughter, Megan Meier, had broken off a friendship with her own daughter. She gave a few others access to the account, and things quickly spiraled out of control. Before long, “Josh Evans” (the fictional teen) and Meier were an online couple, and soon after that, they were hurling insults at one another on public message boards.
Meier, already suffering from depression, was devastated by Josh’s turnabout. A final private message from the Evans account–“The world would be a better place without you”–pushed her over the edge. Twenty minutes after receiving it, Meier hanged herself in her closet.
Even though she was not responsible for the worst of the messages (according to a prosecutor who investigated the case but declined to file charges), Lori Drew misled an emotionally troubled youth, and that was surely wrong.
But it’s more problematic to say that it’s a crime.
The theory of the prosecutor behind this case would make all Internet users criminals.
Palin Hackers Face Jail Time
From triumph to terror—that’s the likely emotional rollercoaster of the denizens of the “/b” message board on the 4chan website who hacked into Gov. Sarah Palin’s email account earlier this week. The toasts of the left-leaning Internet on Tuesday, by this morning they knew themselves to be in the crosshairs of the FBI and Secret Service.
Next stop: jail. That’s the law, and it’s a fair punishment for digital breaking and entering.
According to British tech tabloid The Register, the hackers accessed Palin’s Yahoo account by way of a proxy, relaying all traffic through it to cloak their identities. The proxy’s owner promises to make his log data available to authorities, and it’s probably only a matter of time before that leads to living, breathing (nervous, sweating?) people.
The most likely charge is hacking. Federal law prohibits virtual trespassing for the purposes of stealing information. So cracking the password to a governor’s email account and perusing her messages is a clear violation. The punishment: criminal fines and imprisonment of up to 5 years.
Throw in a few conspiracy offenses—according to reports, a slew of “/b-tards” were in on the act—and the prison term could double.
No, going after a major party’s vice presidential candidate was not smart: Police and prosecutors put extra effort into famous crimes.
As for the media publishing Palin’s emails and family photos, shame on them, but it’s not against the law. In Bartnicki v. Vopper, the Supreme Court held that they have a First Amendment right to publish materials of public importance, even if illegally obtained, so long as the media doing the publishing committed no wrong itself.
But just because it’s legal doesn’t mean it’s right. No one deserves to have their private correspondence stolen (not, as per the AP, “leaked”) and posted online for the world to see. It speaks to Palin’s classiness that nothing objectionable—not even a cuss—has come to light. Too bad that the press and online gossip-mongers don’t share that trait and take the material down.
Lost Laptop Follies, Part 8: ATF Loses Laptops… and Guns!
And so the series continues. The Washington Post reports that the Department of Justice has just released “a scathing report” finding that over a 5-year period the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) “lost dozens of weapons and hundreds of laptops that contained sensitive information.” The DOJ’s Inspector General Glenn A. Fine found that 418 laptop computers and 76 weapons were lost. According to the report:
Yesterday’s report showed that ATF, a much smaller agency than the FBI, had lost proportionately many more firearms and laptops. “It is especially troubling that ATF’s rate of loss for weapons was nearly double that of the FBI and [Drug Enforcement Administration], and that ATF did not even know whether most of its lost, stolen, or missing laptop computers contained sensitive or classified information,” Fine wrote. [...]
Many of the missing laptops contained sensitive or classified material, according to the report. ATF began installing encryption software only in May 2007. ATF did not know what information was on 398 of the 418 lost or stolen laptops. The report called the lack of such knowledge a “significant deficiency.” Of the 20 missing laptops for which information was available, ATF indicated that seven — 35 percent — held sensitive information. One missing laptop, for example, held “300-500 names with dates of birth and Social Security numbers of targets of criminal investigations, including their bank records with financial transactions.” Another held “employee evaluations, including Social Security numbers and other [personal information].” Neither laptop was encrypted.
The findings regarding lost weapons were equally troubling, if not a bit humorous:
Tech-related Lolcats
I love the lolcats. (Or perhaps I should say, Iz Luvz Da Lolcats.) Here are a couple of my favorite tech-related cats from recent months:

Still Cloudy on Cloud Computing: A Matrix to Guide the Coming Policy Debates
Adam Marcus, our exceptionally tech-savvy new research assistant at PFF, has published his first piece at the PFF blog, which I reprint here for your edification.
Today Google’s DC office hosted an interesting panel on cloud computing. What was missing was a good definition of what “cloud computing” actually is.
While Wikipedia has its own broad definition of cloud computing, many think of cloud computing more narrowly as strictly web-based services for which clients need nothing but a web browser. But that definition doesn’t cover things like Skype and SETI@home. And just because PFF has implemented Outlook Web Access so we can access the Exchange server via the Web, doesn’t necessarily mean we’ve implemented what most people might think of as “cloud computing.” Yet these are all variations on a common theme, which leads me to propose my own basic definition: any client/server system that operates over the Internet.
To understand the potential policy and legal issues raised by cloud computing so-defined, one must break down the discussion into a 4-part grid. One axis is divided into private data (e.g., email) and public data (e.g., photo sharing). The other axis is divided into data hosted on a single server or centralized server farm and data hosted on multiple computers in a dynamic peer-to-peer network (e.g., BitTorrent file sharing).
| Examples | User Data is Public | User Data is Private |
| --- | --- | --- |
| Centralized Server(s) | Blogs, discussion boards, Flickr | Web-based email servers, Windows Terminal Services |
| Peer-to-Peer | BitTorrent, FreeNet (article) | Skype, Wuala |
Why Google won’t do evil
In response to Adam and Berin’s excellent introduction to their Googlephobia series, invaluable TLF commenter Richard Bennett succinctly sums up the rap on Google.
There’s no denying that Google has the capacity to do some pretty heinous things with all the sensitive data stored on its servers. But the relevant question isn’t whether Google could do evil, but whether it realistically will. What incentive is there for Google to do anything but keep private data as secure as humanly possible? Sure, Google could earn a nice chunk of change if it were to sell user search queries to the highest bidder. But why would Google put its entire business on the line for a comparatively insignificant short-term gain?
A major privacy breach is Google’s nightmare scenario. If anything happened to cause users to lose trust in Google, they’d go someplace else for email and search. Advertisers would follow suit, causing Google’s stock price to plummet. Google might never be able to recover from a severe privacy fiasco. Obviously, Google is well aware of its vulnerabilities on privacy, which is why Google has incredibly strong safeguards to ensure that sensitive data can’t be uncovered by a rogue product manager with an itchy trigger finger.
Then there’s the liability issue. The multi-billion dollar lawsuits that would ensue were Google to suffer a data breach or an internal leak would deal a serious financial blow to the company, especially because Google’s privacy policy is more than just a comforting statement—it’s legally binding.
U.N. Attacks Internet Anonymity - VeriSign Lending a Hand?
Declan McCullagh has done some great reporting this morning on an ITU plan to trace the source of all Internet communications. Meaning: no more anonymous speech online.
The U.S. National Security Agency is also participating in the “IP Traceback” drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.
It’s particularly interesting to note the role of VeriSign in developing this surveillance capability for the ‘net. McCullagh quotes Tony Rutkowski of VeriSign stepping up to defend the plan. Rutkowski published a summary of the plan in May.
Great reporting by McCullagh. Not a great thing for VeriSign to be doing.
Googlephobia: Part 5 - Google at Ten & Its Competition
By Berin Szoka & Adam Thierer
As we noted in our intro to this series, Google’s tenth anniversary has passed with Googlephobia reaching new heights of hysteria.
But is Google really too big and dangerous, or are people just too lazy to find other alternatives to each of the wonderful services that Google offers? If one is truly paranoid about the firm’s supposed dominance, it doesn’t take much effort to live a Google-free life. To prove it, we set out to find alternatives to each of the services that Google provides. After a while, we got a little tired of compiling alternatives in each category and just provided links for the additional choices at your disposal. It’s tough to see what the fuss is about with the cornucopia of choices at our disposal. If you don’t like Google, then just don’t use it or any of its services. The choice is yours.
In each case, we’ve listed Google first, even though Google may not be the market leader (e.g., Google’s relatively unknown social network Orkut).
Search Engines
- Microsoft Live Search
- Yahoo!
- Ask.com
- AltaVista
- Cuil
- others: en.wikipedia.org/wiki/List_of_search_engines
Googlephobia: The Series
By Berin Szoka & Adam Thierer
With Google celebrating its 10th anniversary this week, many panicky pundits are using the occasion to claim that Google has become the Great “Satan” of the Internet. Nick Carr wonders what the future holds for “The OmniGoogle.” The normally level-headed Mike Malone worries that Google is “turning into Big Brother.” And Washington Post’s Rob Dubbin says that he can’t escape Google’s “tentacles,” even for just 24 hours. Meanwhile, speculation abounds that the Justice Department is preparing a major antitrust lawsuit against Google concerning its advertising partnership with Yahoo! or perhaps even a broader suit concerning Google’s “dominance” of online advertising generally.
Carr quotes Google co-founder Sergey Brin’s now-famous 2003 interview:
I think people tend to exaggerate Google’s significance in both directions. Some say Google is God. Others say Google is Satan. But if they think Google is too powerful, remember that with search engines, unlike other companies, all it takes is a single click to go to another search engine. People come to Google because they choose to. We don’t trick them.
In the last five years, Google has become far more than just a search engine. As Google’s suite of complementary products continues to grow, so too does the specter of Google as an all-knowing and therefore all-powerful economic colossus. Yet Google isn’t even close to being the sort of nefarious monopolist out to destroy user privacy at every turn, as some seem to imply—if not exclaim. Indeed, in our view, the Net is overall a far better place because of the existence of Google and the many free services it provides consumers.
Our point is not that Google should be immune from criticism. Indeed, healthy criticism of corporate actions plays a vital role in the free market by disciplining corporate policies and behavior—often thus providing an effective alternative to government regulation. This is particularly important in the area of consumer privacy protection, as demonstrated by Google’s quick response to public concern about its Chrome EULA.
Privacy Solutions Series: Part 2 - Adblock Plus
By Adam Thierer & Berin Szoka
The goal of our “Privacy Solution Series,” as we noted in the first installment, is to detail the many “technologies of evasion” (i.e., user-empowerment or user “self-help” tools) that allow web surfers to better protect their privacy online—and especially to defeat tracking for online behavioral advertising purposes. These tools and methods form an important part of a layered approach that, in our view, provides an effective alternative to government-mandated regulation of online privacy.
In this second installment in this series, we will highlight Adblock Plus (ABP), a free downloadable extension for the Firefox web browser (as well as for the Flock browser, though we focus on the Firefox version here).
Purpose: The primary purpose of Adblock Plus is to block online ads from being downloaded and displayed on a user’s screen as they browse the Web. In a broad sense, this functionality might be considered a “privacy” tool by those who consider it an intrusion upon, or violation of, their “privacy” to be “subjected” to seeing advertisements as they browse the web. But if one thinks of privacy in terms of what others know about you, Adblocking is not so much about “privacy” as about user annoyance (measured in terms of distracting images cluttering webpages or simply in terms of long download times for webpages). In this sense, ABP may not qualify as a “technology of evasion,” strictly speaking. But, as explained below the fold, ABP does allow its users to “evade” some forms of online tracking by blocking the receipt of some, but not all, tracking cookies.
Cost: Like almost all other Firefox add-ons, both the ABP extensions and the filter subscriptions on which it relies (as described below) are free.
Popularity / Adoption: While there are a wide variety of ad-blocking tools available, Adblock Plus is far and away the leader. ABP has proven enormously popular since its release in November 2005 as the successor to Adblock, which was first developed in 2002 and reached over 10,000,000 downloads before being abandoned by its developer and even today garners nearly 40,000 downloads a week. This history of Adblock provides further details.
ABP was named one of the 100 best products of 2007 by PC World magazine and is now the #1 most downloaded add-on for Firefox with over 500,000 weekly downloads, up significantly from just a few months ago. In a blog post last month, ABP creator Wladimir Palant estimated that “no more than 5% of Firefox users have Adblock Plus installed,” but that percentage is bound to grow larger as more people discover Adblock. As one indicator of ABP’s popularity, the number of Google searches for “Adblock” has nearly eclipsed the number of searches for “identity theft,” which seems like a far more serious concern than having to look at web ads.
Privacy Solutions Series: Part 1 - Introduction
By Adam Thierer & Berin Szoka
Whatever ordinary Americans actually think about online privacy, it remains a hot topic inside the Beltway. While much of that amorphous concern focuses on government surveillance and government access to information about web users, many in Washington have focused on targeted online advertising by private companies as a dire threat to Americans’ privacy — and called for prophylactic government regulation of an industry that is expected to more than double in size to $50.3 billion in 2011 from $21.7 billion last year.
In 1998, when targeted advertising was in its infancy, the FTC proposed four principles as the basis for self-regulation of online data collection: notice, choice, access & security. In 2000, the Commission declared that too few online advertisers adhered to these principles and therefore recommended that Congress mandate their application in legislation that would allow the FTC to issue binding regulations. Subsequent legislative proposals (indexed by CDT by Congress here along with other privacy bills) have languished in Congress ever since. During this time self-regulation of data collection (e.g., the National Advertising Initiative) has matured, the industry has flourished without any clear harm to users and the FTC has returned to its original support for self-regulation over legislation or regulatory mandates.
But over the last year, the advocates of regulation have succeeded in painting a nightmarish picture of all-invasive snooping by online advertisers using more sophisticated techniques of collecting data for targeted advertising. The Federal Trade Commission (FTC) has responded cautiously by proposing voluntary self-regulatory guidelines intended to address these concerns, because the agency recognizes that this growing revenue stream is funding the explosion of “free” (to the user) online content and services that so many Americans now take for granted, and that more sophisticated targeting produces ads that are more relevant to consumers (and therefore also more profitable to advertisers).
Market Forces At Work: The PR Backlash Against Google Chrome’s EULA
Most debates–from privacy to net neutrality–about consumer protection in Internet policy come down to the following increasingly-cliched exchange:
1. Advocate of Regulation: “The government must intervene to protect users against Companies who want to [___________] by writing new laws or regulations!”
2. Regulatory Skeptic: “Why don’t we rely on the FTC’s enforcement of End User License Agreements (EULAs), privacy policies and other terms of service (TOS) under existing law? If companies spell out their policies clearly and then are required to stick to them, those policies will become part of competition: Companies will compete for consumers by offering attractive policies the same way they compete for consumers by offering attractive products & prices.”
3. Advocate of Regulation: “That doesn’t work because nobody actually reads all that legalese! They’re impossibly dense for non-lawyers, so companies always make such agreements as broad as possible to allow them to do whatever they damn well please–and bury all the really scary provisions.”
And yet… within 12 hours of releasing its new Chrome Browser, Google removed a clause from the Chrome EULA that essentially would have given Google the right to do whatever it liked with all content posted by users anywhere online using Chrome. If this incident demonstrates anything, it’s that there are significant “market forces” at work to restrain companies from writing agreements & policies that allow them to screw consumers. Indeed, it beautifully demonstrates why the Regulatory Skeptic ultimately wins this debate with one final response:
4. Regulatory Skeptic: “It doesn’t matter if 99%+ of users never read a EULA or TOS. No matter how hard companies might try to bury some ominous provision, the relatively small number of consumer protection watchdogs who do read such provisions protect everyone else by calling attention to true areas of concern. Not every blogger who complains about something he doesn’t like in a EULA is going to make Slashdot, but overall, provisions that cross a certain line will get public attention and most companies will bend over backwards to avoid bad PR. So, the market does work to protect consumers without the need for further government regulation.”


