Privacy, Security & Government Surveillance

The world does not owe targeted advertising networks a business model, so I am agnostic about Microsoft’s decision to ship Internet Explorer 10 with “Do-Not-Track” enabled by default. Ryan Singel has a good write-up on Threat Level that covers many dimensions of the issue.

Decisions like this are never driven by a single motivation, but I’m interested in the likelihood that Microsoft made this choice hoping to drive a dagger into Google’s business model. To the extent it did, it’s a nice illustration of how competition among companies can serve consumers’ privacy preferences. There is some demand for privacy, though less than most regulatory types believe. Microsoft saw an angle to get some pro-privacy PR, improve consumers’ privacy by a small margin, and hamstring a competitor. You go, girl. Er, Microsoft.

Now, consumers aren’t falling over themselves for protection from the benign practice of tracking for the purpose of delivering targeted ads. I suspect that counter-punches from ad networks and Google will send the Do Not Track header into the dustbin of privacy history right along with P3P. The idea of putting a signal into the header that says “please do not track” is clumsy, to put it charitably.

If you want to avoid tracking, you can do that already. Use Tracking Protection Lists.

May 2012
TECHNOLOGY AND LIBERTY DIRECTOR
(Full-time)

The ACLU of Washington (ACLU-WA) seeks a self-motivated public policy advocate to lead its work to protect civil liberties in the face of society’s increasingly advanced technologies. The ACLU-WA’s staff of 30 employees and numerous volunteers work in a fast-paced, friendly and professional office in downtown Seattle.

This seems like a logical follow-up to Berin Szoka’s previous post about technology, social activism, and government power. ReasonTV has produced this important short clip on “Cops Vs. Cameras: The Killing of Kelly Thomas & The Power of New Media.” It documents how the combined power of citizen journalism, social media, and surveillance video can ensure that our police authorities are held accountable for their actions. In this particular case, it can hopefully win some justice for Kelly Thomas, the homeless Fullerton, California man who was brutally beaten to death by police officers on the night of July 5, 2011.

There is live video from the horrific beating here, but I caution you it is not for the faint of heart. Watching the last moments of a man’s life slip away from repeated blows to the head while he begs for his life and calls out for his father is, well, stomach-turning. But imagine if this video and the other citizen videos that were taken that night had not existed. As the ReasonTV clip notes, the Fullerton police department basically ignored requests for more information about the case until Kelly’s father (who was a former police officer himself) took cell photos of his son’s beaten face in the hospital and released them to the public. Then the citizen videos of the beating were posted on YouTube and went viral. And then, finally, mainstream media started paying attention. And now the surveillance video from a nearby street camera has been released after citizens and activists demanded it.

This morning I spoke at a U.S. Chamber of Commerce event on “Responsible Data Uses: Benefits to Consumers, Businesses and the Economy.” In preparing for the event, I dusted off some old working notes for speeches I had delivered at other events about privacy policy and “big data” and expanded them a bit to account for recent policy developments. For what it’s worth, I figured I would post those notes here.  (I apologize about the informality but I never write out my speeches, I just work from bullet points.)

—————–

Benefits of “Big Data”

  • “big data” has numerous micro- and macroeconomic benefits
  • Micro benefits:
    • data aggregation of all varieties has powerful social and economic benefits that are sometimes invisible to consumers and citizens but are nonetheless enjoyed by them
    • big data can positively impact the 3 key micro variables – quality, quantity & price – and benefit consumers / citizens in the process
  • Macro benefits:
    • Data is the lifeblood of the information economy and it has an increasing bearing on the global competitiveness of companies and countries
    • In the old days, when we talked about comparative and competitive advantage, the focus was on natural resources, labor, and capital.
    • Today, we increasingly talk about another variable: information
    • Data is increasingly one of the most important resources that can benefit economic growth, innovation, and the competitive advantage of firms and nations.

Privacy Concerns

  • of course, “big data” also raises big privacy concerns for many groups and individuals
  • this has led to calls for regulatory action and virtually all levels of government – federal, state, local, and international – are considering expanded controls on data collection and aggregation


Andrew Orlowski of The Register (U.K.) recently posted a very interesting essay making the case for treating online copyright and privacy as essentially the same problem in need of the same solution: increased property rights. In his essay (“‘Don’t break the internet’: How an idiot’s slogan stole your privacy”), he argues that, “The absence of permissions on our personal data and the absence of permissions on digital copyright objects are two sides of the same coin. Economically and legally they’re an absence of property rights – and an insistence on preserving the internet as a childlike, utopian world, where nobody owns anything, or ever turns a request down. But as we’ve seen, you can build things like libraries with permissions too – and create new markets.” He argues that “no matter what law you pass, it won’t work unless there’s ownership attached to data, and you, as the individual, are the ultimate owner. From the basis of ownership, we can then agree what kind of rights are associated with the data – eg, the right to exclude people from it, the right to sell it or exchange it – and then build a permission-based world on top of that.”

And so, he concludes, we should set aside concerns about Internet regulation and information control and get down to the business of engineering solutions that would help us property-tize both intangible creations and intangible facts about ourselves to better shield our intellectual creations and our privacy in the information age. He builds on the thoughts of Mark Bide, a tech consultant:

For Bide, privacy and content markets are just technical challenges that need to be addressed intelligently. “You can take two views,” he told me. “One is that every piece of information flowing around a network is a good thing, and we should know everything about everybody, and have no constraints on access to it all.” People who believe this, he added, tend to be inflexible – there is no half-way house. “The alternative view is that we can take the technology to make privacy and intellectual property work on the network. The function of copyright is to allow creators and people who invest in creation to define how it can be used. That’s the purpose of it.” “So which way do we want to do it?” he asks. “Do we want to throw up our hands and do nothing? The workings of a civilised society need both privacy and creator’s rights.” But this is a new way of thinking about things: it will be met with cognitive dissonance. Copyright activists who fight property rights on the internet and have never seen a copyright law they like, generally do like their privacy. They want to preserve it, and will support laws that do. But to succeed, they’ll need to argue for stronger property rights. They have yet to realise that their opponents in the copyright wars have been arguing for those too, for years. Both sides of the copyright “fight” actually need the same thing. This is odd, I said to Bide. How can he account for this irony? “Ah,” says Bide. “Privacy and copyright are two things nobody cares about unless it’s their own privacy, and their own copyright.”

These are important insights that get at a fundamental truth that all too many people ignore today: At root, most information control efforts are related and solutions for one problem can often be used to address others. But there’s another insight that Orlowski ignores: Whether we are discussing copyright, privacy, online speech and child safety, or cybersecurity, all these efforts to control the free flow of digitized bits over decentralized global networks will be increasingly complex, costly, and riddled with myriad unintended consequences. Importantly, that is true whether you seek to control information flows through top-down administrative regulation or by assigning and enforcing property rights in intellectual creations or private information.

Let me elaborate a bit (and I apologize for the rambling mess of rant that follows).


Yesterday on TechCrunch, Josh Constine posted an interesting essay about how some in the press were “Selling Digital Fear” on the privacy front. His specific target was The Wall Street Journal, which has been running an ongoing investigation of online privacy issues with a particular focus on online apps. Much of the reporting in their “What They Know” series has been valuable in that it has helped shine light on some data collection practices and privacy concerns that deserve more scrutiny. But as Constine notes, sometimes the articles in the WSJ series lack sufficient context, fail to discuss trade-offs, or do not identify any concrete harm or risk to users. In other words, some of it is just simple fear-mongering. Constine argues:

Reality has yet to stop media outlets from yelling about privacy, and because the WSJ writers were on assignment, they wrote the “Selling You On Facebook” hit piece despite thin findings. These kinds of articles can make mainstream users so worried about the worst-case scenario of what could happen to their data, they don’t see the value they get in exchange for it. “Selling You On Facebook” does bring up the important topic of how apps can utilize personal data granted to them by their users, but it overstates the risks. Yes, the business models of Facebook and the apps on its platform depend on your personal information, but so do the services they provide. That means each user needs to decide what information to grant to who, and Facebook has spent years making the terms of this value exchange as clear as possible.

“While sensationalizing the dangers of online privacy sure drives page views and ad revenue,” Constine also noted, “it also impedes innovation and harms the business of honest software developers.” These trade-offs are important because, to the extent policymakers get more interested in pursuing privacy regulations based on these fears, they could force higher prices or less innovation upon us with very little benefit in exchange.

Of course, the press generating hypothetical fears or greatly inflating dangers is nothing new. We have seen it happen many times in the past and it can be seen at work in many other fields today (online child safety is a good example). In my recent 80-page paper on “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” I discussed how and why the press and other players inflate threats and sell fear. Here’s a passage from my paper: Continue reading →

The Federal Trade Commission (FTC) has just released its final privacy framework proposal, “Protecting Consumer Privacy in an Era of Rapid Change.” The agency released a draft report with the same title back in late 2010 and then asked for comments. [Here were my comments to the agency.] The FTC’s final report comes just a month after the Obama Administration released its 50-page privacy framework, Consumer Data Privacy in a Networked World, which included a privacy “bill of rights.” That report was primarily driven by the Department of Commerce. [I penned a Forbes column about that report the day it was released.]  The new FTC report is fairly consistent with the earlier Commerce Department report.  Here are some of the key themes or recommendations from the final FTC report:

  • rooted in a set of baseline privacy principles with a strong push for “privacy by design,” more consumer choice, and better transparency.
  • along with Dept of Commerce, the agency will work with industry to develop privacy codes of conduct and then give them teeth with possibility of FTC enforcement.
  • pushes for industry to pursue voluntary “Do Not Track” mechanism, which to the agency apparently means “do not collect” any info.
  • calls on Congress to pass data security legislation and legislation “to provide greater transparency for, and control over, the practices of information brokers.” Also, “to further increase transparency, the Commission calls on data brokers that compile data for marketing purposes to explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”
  • the agency will host a workshop later this year to discuss privacy within “large platform providers.” The report notes: “To the extent that large platforms, such as Internet Service Providers, operating systems, browsers, and social media, seek to comprehensively track consumers’ online activities, it raises heightened privacy concerns.”
  • the agency is also stepping up oversight on mobile privacy issues.
  • the agency says it “generally supports the exploration of efforts to develop additional mechanisms, such as the ‘eraser button’ for social media,” but stops short of saying it should be mandated at this time.

Some of my initial random thoughts about the FTC report: Continue reading →

The Federal Trade Commission issued a report today calling on companies “to adopt best privacy practices.” In related news, most people support airline safety… The report also “recommends that Congress consider enacting general privacy legislation, data security and breach notification legislation, and data broker legislation.”

This is regulatory cheerleading of the same kind our government’s all-purpose trade regulator put out a dozen years ago. In May of 2000, the FTC issued a report finding “that legislation is necessary to ensure further implementation of fair information practices online” and recommending a framework for such legislation. Congress did not act on that, and things are humming along today without top-down regulation of information practices on the Internet.

By “humming along,” I don’t mean that all privacy problems have been solved. (And they certainly wouldn’t have been solved if Congress had passed a law saying they should be.) “Humming along” means that ongoing push-and-pull among companies and consumers is defining the information practices that best serve consumers in all their needs, including privacy.

Congress won’t be enacting legislation this year, and there doesn’t seem to be any groundswell for new regulation in the next Congress, though President Obama’s reelection would leave him unencumbered by future elections and so inclined to indulge the pro-regulatory fantasies of his supporters.

The folks who want regulation of the Internet in the name of privacy should explain how they will do better than Congress did with credit reporting. In forty years of regulating credit bureaus, Congress has not come up with a system that satisfies consumer advocates’ demands. I detail that government failure in my recent Cato Policy Analysis, “Reputation under Regulation: The Fair Credit Reporting Act at 40 and Lessons for the Internet Privacy Debate.”

I was astounded to see the misstatements and misapplication of math in a recent Atlantic blog post called “How Much Is Your Data Worth? Mmm, Somewhere Between Half a Cent and $1,200.”

For his back-of-envelope calculations about the value of personal data, Alexis Madrigal writes, “User profiles — slices of our digital selves — are sold in large chunks, i.e. at least 10,000 in a batch. On the high end, they go for $0.005 per profile, according to advertising-industry sources.”

The dollar value isn’t crazy—a CPM rate of about five cents is on the low end—but he has got the nature of the transaction precisely wrong. Advertisers place ads with content providers like Facebook, Google, and ad networks. The latter direct those ads to their visitors, trying to get ads to the people the advertiser wants to reach. They do not sell the information they use to guess at what interests consumers—consumers’ profiles, to whatever extent they exist.

If content providers sold data about their visitors to advertisers, this would undercut their own role in the advertising business. There wouldn’t be a second sale to make. And doing so would require a radical re-engineering of targeted advertising, which is largely cookie-based. The purchaser of the profile wouldn’t know how to find the subject of the profile in order to deliver an ad.

Madrigal repeats several times that “profiles” are “sold.” It’s a highly misleading characterization, creating the impression that dossiers of information about people are circulating the Internet on a strange black market. On the contrary, profiles are held—not sold—by content providers and advertising networks. There are privacy concerns enough with that business model. We don’t need it mis-described.

I probably would have let this pass. Madrigal isn’t the first to get the advertising business model wrong. (And he hasn’t repeated the error that I know of.) But then comes the bad math.

Writes Madrigal:

[L]et’s not forget the rest of the Internet advertising ecosystem either, which the Internet Advertising Bureau says supported $300 billion in economic activity last year. That’s more than $1,200 per Internet user and much of the online advertising industry’s success is predicated on the use of this kind of targeting data.

Personal information is one input into part of online advertising. It makes no sense to assign all the value from the entire ecosystem to that one input. The auto industry is about a $400 billion industry, and there are about 250 million car tires sold in the U.S. each year. This does not mean that tires are worth over $2,000 each.

The idea, evidently, is to make the case that consumers are losing a lot in the advertising ecosystem today. That may or may not be true. I’d like to see it shown in the success of a company like Personal or others in the Personal Data Ecosystem, which could re-jigger the personal-data > free-content bargain. But I don’t think that misstating how advertising works and exploding the value of personal data is a good way to make the case for change.

After the NSA’s aggressive pursuit of a greater role in civilian cybersecurity, and last week’s statement by Sen. John McCain criticizing the Lieberman-Collins bill for not including a role for the agency, some feared that the new G.O.P. cybersecurity bill would allow the military agency to gather information about U.S. citizens on U.S. soil. So, it’s refreshing to see that the bill introduced today–the SECURE IT Act of 2012–does not include NSA monitoring of Internet traffic, which would have been very troubling from a civil liberties perspective.

In fact, this new alternative goes further on privacy than the Lieberman-Collins bill. It limits the type of information ISPs and other critical infrastructure providers can share with law enforcement. Without such limits, “information sharing” could become a back door for government surveillance. With these limits in place, information sharing is certainly preferable to the more regulatory route taken by the Lieberman-Collins bill.

It seems to me that despite Sen. McCain’s stated preference for an NSA role, the G.O.P. alternative is looking to address the over-breadth of the Lieberman-Collins bill without introducing any new complications. The SECURE IT bill is also more in line with the approach taken by the House, so it would make reaching consensus easier.

I’ll be posting more here as I learn about the bill.

UPDATE 12:06 PM: A copy of the bill is now available. Find it after the break.

UPDATE 2:55 PM: Having now had an opportunity to take a look at the bill and not just the summary, it does appear it includes a hole through which the NSA may be able to drive a freight train. While NSA monitoring of civilian networks is not mandated, information that is shared by private entities with federal cybersecurity centers “may be disclosed to and used by”

any Federal agency or department, component, officer, employee, or agent of the Federal government for a cybersecurity purpose, a national security purpose, or in order to prevent, investigate, or prosecute any of the offenses listed in section 2516 of title 18, United States Code …

That last bit limits law enforcement’s use of shared cyber threat information to serious crimes, but the highlighted bit potentially allows sharing with the NSA or any other agency, civilian or military, for any “national security” reasons. That is troublingly broad and a blemish on this otherwise non-regulatory bill.

Information sharing with the NSA might be fine as long as it is not mandatory and the shared information is used only for cyber security purposes.

Cross posted from JerryBrito.com
