Articles by Braden Cox

Braden Cox formerly wrote for the TLF.


Data Privacy Day is January 28. And as Steve DelBianco writes at the NetChoice blog, now is an opportune time for it as Congress, the Commerce Department, and the Federal Trade Commission each have proposed new rights and rules for data privacy.

To appreciate Data Privacy Day you must first ignore the Euro-babble description of what is Data Privacy Day (“an international celebration of the dignity of the individual expressed through personal information”) and take it for what it really is: a prodding for Internet users to take a critical look at how they share and communicate information online.

Importantly, this is not a day for governments, but for users. As Steve writes, “the role for government should be in areas where users and business cannot act alone, including law enforcement, international data flows, and pre-empting a patchwork of state laws. Government should use is powers to pursue online fraud and criminal misuse of data, not to create rules that narrowly prescribe what and how data should be used.”

Also, check out the tech-friendly quotes from Obama’s State of the Union in Steve’s post.

Here at TLF, our privacy discussions often center around such concepts as expectations of privacy, notice and choice, opt-in/out, and the like. These are all important and legitimate of course, but the privacy issue that seems to make news more than any other is Google Spy-Fi, and the defiant attitude Google has against governments. And this has me worried.

Not that I think governments necessarily need to regulate privacy, or that Google’s data collection from unsecured hotspots was even illegal. I’m thinking much more practically. People are concerned about privacy, governments are investigating Google to see what data it really collected, and Google seems to be cherry-picking the kinds of information it provides to different authorities. And in this defiant game of chicken, it’s the rest of the industry that’s the bacon – and I’m afraid we’re all slowly being fried.

There’s an old adage among practitioners of non-violent resistance that “an eye for an eye” retaliation leaves everyone blind. With yesterday’s news that authorities raided Google’s Korean office and found massive amounts of personal data, I’m wondering when—not if—bad behavior from the industry leader will result in a black eye for all online companies.

Korea’s National Police Agency claims to have found hundreds of thousands of emails, instant messages and other personal data” on Google’s hard drives. This is the latest finding similar to a string of other countries like Germany, Canada, Germany, France and the UK.

If it were all just foreign, that would be one thing. Continue reading →

Recent media attention has resurrected the notion that criminal background checks for online dating sites are helpful and should even be required by law. Sunday’s front page article in the New York Times described how companies selling background checks can “unmask Mr. or Ms. Wrong.” And today’s Good Morning America featured a segment called “Online Dating: Are you Flirting with a Felon?”

I was interviewed by both the Times and Good Morning America to say that these background checks are superficial, create a false sense of security, and that government should never mandate these for online dating sites. First of all, I should say that I’m personally involved in this issue. I met my wife on Match.com. We didn’t screen each other, at least not for a criminal past. I remember doing a simple search on her screen name however, and for a while thinking she could be someone who she wasn’t, though.

But for fun, I did a postmortem background check on myself, just to see what my now wife would have seen. First, I went to Intelius and spent $58 (warning: there’s a constant barrage of confusing upsells) to see criminal, civil judgment, property, name, telephone and social networking data. The result: nothing harmful thankfully! But also nothing particularly helpful, either. And the report included a family member that isn’t, and left out my brother that is. Then I went to MyMatchChecker and ordered the basic level screening (the two most expansive products–“Getting Serious” and “All About Me”–require social security numbers, which I doubt most people will not learn about the other until they actually get married). The site made it easy to not include all relevant info, and I didn’t, so there’s a delay on my check. But let’s assume it’s all good too (ahem).

So would my wife have used the absence of a negative history to assume I was a good person? Well, she shouldn’t have. Although these criminal screenings can help in some situations, they still have some serious shortcomings. They result in false negatives when criminal records don’t appear or may not include felony arrests that were plead down to misdemeanors.

And these sort of criminal screenings are not very inclusive–at all. Continue reading →

Earlier today the Commerce Department’s Internet Policy Task Force issued its expected privacy report. Commerce waded into shark-filled privacy waters and produced a report that overall is thoughtful, comprehensive and has lots of meat for strengthening the nation’s privacy framework. Of course, we have our quibbles too. On first read, here’s what I like and what concerns me:

Like:

  • “Dynamic policies”. The report appropriately proposes what it calls “dynamic policies.” We agree that technology and information flows are constantly changing, so a privacy policy regulatory framework should not be static, nor should it be proscriptive.
  • Privacy Policy Office. Because it would be located within Commerce, the office would be a vital advocate for online companies doing business overseas. It could help outreach with European regulators and coordinate certification procedures to enable cross-border data flows.
  • Transparency through purpose specification and use limitation (NOT collection limitation and data minimization). The report proposes consumer assurances principles that would require data collectors to specify all the reasons for collecting personal information and then specify limits on the use of that information. This is a flexible approach compared to proscriptive regulations limiting data collection and requiring data minimization.
  • Encourage Global Interoperability. In our comments, NetChoice advocated strongly for international privacy reciprocation, and where appropriate, harmonization.
  • ECPA Review. We like how the report calls for a review of the Electronic Communications Privacy Act (ECPA). The law is outdated and doesn’t do a good job of clarifying the roles of online companies when responding to law enforcement requests.

Concerns: Continue reading →

At today’s FCC “Generation Mobile” forum — chock-full of online safety experts, company reps, Jane Lynch of the TV show Glee, and even Chairman Genachowski himself — it was the kids that made the show about mobile technology worthwhile. On a panel about generation mobile, here are a few of the statements we heard from high school kids:

  1. “Don’t just take the phone away.”
  2. “When parents snoop too much, it’s a privacy invasion.”
  3. “We’ll listen more if you present us with concrete evidence for behavioral restrictions.”

These are the kinds of arguments tech policy advocates make, only we would have said them in our unique brand of policy speak:

  1. Don’t regulate the technology, regulate bad behavior.
  2. Privacy is important and governments/companies must respect the privacy interests of their citizens/customers.
  3. Policymakers should collect sufficient data and analysis before introducing new legislation

Policy geek speak aside, here are some interesting facts we heard about teen use of mobile technology: Continue reading →

“The do-not-track system could put an end to the technological ‘arms race’ between tracking companies and people who seek not to be monitored.” – David Vladeck, FTC

David Vladeck is right. The Do Not Track system would put an end to the technological “arms race” – but that’s not a good thing. Instead, its the nuclear option that will halt ongoing industry innovation and consumer welfare.

This has been unofficial privacy week in Washington, DC. Wednesday saw the release of the FTC’s privacy report. Yesterday was the House Commerce Committee hearing; phrased in the form of a question, the tile of the hearing was a bit presumptuous: “Do-Not-Track Legislation: Is Now the Right Time?” And today, NetChoice responds with why the answer to that question should be No.

Do Not Track is a Blunt Response, Not an Informed Choice

The FTC’s report calls for a “uniform and comprehensive” way for consumers to decide whether they want their activities tracked. The Commission points to a Do Not Track system consisting of browser settings that would be respected by web tracking services. A user could select one setting in Firefox, for example, to opt out of all tracking online. The FTC wrongly calls this “universal choice.”

Really, it’s a universal response. It’s a single response to an overly-simplified set of choices we encounter on the web. This single response means that tracking for the purpose of tailored advertising is either “on” or “off.” There is no middle setting. But it is the “middle” where we want consumers to be. The middle setting would represent an educated setting where consumers understand the tradeoffs of interest-based advertising – in return for tracking your preferences and using them to target ads to you, you get free content/services. But an on/off switch is too blunt and not, err, targeted enough. There is no incentive for consumers to learn about the positives, they’ll only fear the worst-case scenarios and will opt-out. In return they’ll also opt-out of the benefits.  [more on the “middle” below]. Continue reading →

Rob Pegoraro’s article in yesterday’s Washington Post is a worthy read, if only because it puts into context what is and isn’t a privacy breach.

Recently, there’s been a lot of noise–started by a Wall St Journal article–about a supposed privacy breach by Facebook surrounding the misuse of user data by applications installed on the user’s page. But as Pegoraro relates, this information was all public anyway, much like a phone book displays your identity. Here’s what he says is the difference between what is and isn’t a breach:

Privacy breach: Exposes private information you tried to keep confidential, in ways that risk the loss of money or security or otherwise fairly earn the adjective ‘Orwellian.’”

NOT a privacy breach: Information about you that is already made public to users of a website, including the “basic parameters of people’s accounts:  their name, picture, gender and networks….”

The point is that we shouldn’t conflate the use (or misuse) of public information with the breach of private information. Doing so elevates a lesser offense at the expense of something that is much more serious.

But as much as I like the article, I also have a few quibbles. Pegoraro says that if users are still offended by Facebook, they should blame the site for its default settings and switch to a competitor. And while losing customers is the ultimate penalty for any business, he misses the point in a couple of ways. First, we want to encourage innovation in social media and information sharing, which means companies need the freedom to set and change default settings (I’ve blogged on this before). Second, instead of switching sites users can just adjust their privacy settings! This simple, less drastic measure wasn’t even mentioned.

A federal judge sided with privacy over taxes yesterday, signaling a victory for consumers in North Carolina. Now we’re waiting to see if this also means victory for consumers and online companies that sell into Colorado.

A U.S. District Court in Seattle blocked North Carolina’s Department of Revenue from compelling Amazon to reveal the names and addresses of its customers so that North Carolina could go after them for not paying use taxes on purchases where they did not pay sales tax.

The North Carolina DOR had been auditing Amazon’s 2003-2010 sales into the state and had asked for “all information for all sales to customers with a North Carolina shipping address.” Amazon provided detailed information about the purchases, but the DOR demanded information about the customers making the purchases. Amazon balked and filed suit, and the ACLU even intervened to support Amazon. And they won.

The court was clear that states cannot compel companies to disclose the purchasing behavior of its citizens:

The First Amendment protects a buyer form having the expressive content of her purchase of books, music and audiovisual materials disclosed to the government. The fear of government tracking and censoring one’s reading, listening and viewing choices chills the exercise of First Amendment rights.

What does this have to do with Colorado? Everything and more.

Continue reading →

Today I testified at a hearing by Massachusetts Attorney General Martha Coakley on commercial sexual exploitation and the Internet. When I first learned about it, I feared the worst: time to demonize the Internet. After all, the hearing announcement openly targeted Craigslist and websites generally. But this was not the case at all—as we heard, NGOs, law enforcement, and industry all have roles to play.

Instead of Internet-bashing, the hearing was a constructive dialogue. We learned why children are forced into prostitution and how classified ads on the Internet can promote this illegal activity. I was there to learn how we can help.

Commercial sexual exploitation is big business. Over 100,000 women are in the illegal sex trade. Often these women are actually teenage girls, vulnerable and with no place to go. Their lives are run by pimps, they cater to “johns,” and their lives are a living hell – except that these women become so desensitized that they eventually have no life at all.

These child prostitutes show up in advertisements for “escort services” or “adult services.” Traditionally, these ads were in the yellow pages. Now they exist on the Internet, and these listings can often be graphic. But it’s hard to tell whether these ads involve women against their will or underage girls. That’s why there are folks who would like to see all these ads disappear. And they’ll blame Internet classifieds—indeed, one witness called sites like Craigslist and Backpage “electronic pimps.”

Unfortunately, there are those that think it is better to force the shut down of the adult services section of these sites. But as we heard from danah boyd of Microsoft and a fellow at the Harvard Berkman Center, merely shutting down the listed supply of adult services is superficial. Continue reading →

The WSJ ran a front page, above-the-fold headline screaming that Facebook has had a privacy breach. But as Steve DelBianco discusses over at the NetChoice blog, today’s WSJ “breach” is all smoke and no fire.

The WSJ is saying that some of Facebook’s applications are accidentally sharing the public username on my Facebook page, in violation of the company’s privacy policy.  This story was nothing like a breach where my credit card numbers or sensitive personal information was leaked or hacked. A closer look at the issue indicates that there is far mSmoke alarm in a smoky roomore smoke than fire in the WSJ piece.

Moreover, the WSJ should step-back from using tabloid-style headings to attract eyeballs (and advertising revenue) to their research and writing.  The breathless headline is clearly meant to feed the privacy beast that is increasingly in danger of doing far more harm than good.

While details are still forthcoming, it appears that the issue at hand involves external actions between application developers and advertising companies. Facebook has stepped-up and is holding third parties accountable to existing privacy requirements.