Privacy, Security & Government Surveillance

Yesterday fellow TLFers Jim Harper and Berin Szoka joined me for an episode of the Surprisingly Free Conversations podcast in which we discussed the buzz around Google Buzz. You can listen to it here. You might also want to check out our other recent episodes, which include:

Check them all out and subscribe at the podcast page.

Since some of my cobloggers have taken to using the phrase “Privacy Paternalists” to describe some advocates of privacy regulation, I want to suggest a distinction growing out of the discussion on Berin’s Google Buzz post below.

I think that it’s clear there is such a thing as a “privacy paternalist”—and there are not a few among folks I consider allies on other issues.  They’re the ones who are convinced that anyone who values privacy less highly than they do must be confused or irrational. A genuine privacy paternalist will say that even if almost everyone understands that Amazon keeps track of their purchases to make useful recommendations, this collection must be prohibited because they’re not thinking clearly about what this really means and may someday regret it.

There’s actually a variant on this view that I won’t go into at length, but which I don’t think should be classed as strictly paternalist.  Call this the “Prisoner’s Dilemma” view of privacy.  On this account, there are systemic consequences to information sharing, such that we each get some benefit from participating in certain systems of disclosure, but would all be better off if nobody did.  The merits of that kind of argument probably need to be taken up case-by-case, but whatever else might be wrong with it, the form of the argument is not really paternalistic, since the claim is that (most) individuals have a system-level preference that runs contrary to their preference for disclosure within the existing system.

The objections to Buzz, however, don’t really look like this. The claim is not that people’s foolish choices to disclose should be overridden for their own protection. The claim, rather, is that the system is designed in a way that makes it too easy to disclose information without choosing to do so in any meaningful way. Now, if I can log into your private database as user “J’ OR T=T”, you probably need to learn to set up SQL better.  But it is not terribly persuasive of me to argue that criticism of my breach is “paternalistic,” since after all you made your database accessible online to anyone who entered that login. It is substantially more persuasive if I have logged in as “guest” because you had enabled anonymous logins in the hope that only your friends would use them. On the Internet, the difference between protecting information from a user’s own (perhaps ill-advised) disclosure and protecting it from exploitation by an attacker ultimately, in practice, comes down to expectations. (The same is true in the physical world, though settled expectations make this less salient: Preventing me from getting into the boxing ring is paternalism; declaring the park a “boxing ring” by means of a Post-It note at the entrance is a pretext for assault.)

I’m a big fan of CNET’s “Buzz Out Loud” podcast and often enjoy co-host Molly Wood’s occasional “Molly Rant” but I’m disappointed to see her jumping on the Google-bashing bandwagon with her latest rant: “Google Buzz: Privacy nightmare.” Instead of appreciating the “privacy by design” features of Buzz, she seems to be rushing to privacy paternalism—just as I feared many would when I blogged about the Buzz launch.

Molly’s primary complaint, repeated several times, is that “you automatically follow everyone in your Gmail contact list, and that information is publicly available in your profile, by default, to everyone who visits your profile.” Actually, while Buzz does automatically follow some users in your contact list, it does so only for the ones you chat with most using Gmail (which I believe means only other Gmail users). After that, Buzz simply tells you when other users follow you, and makes it easy to follow them.

So what’s the big deal? Molly’s concern, shared by a number of other bloggers, is that, before a user can start Buzzing, they have to set up Google Profile (another Google product launched last August, which typically appears on the bottom of the first page of Google search results for that name) and the default setting for Google profiles is to “Display the list of people I’m following and people following me.” In this respect, your Google Profile is a lot like your Facebook profile, except that users can decide to hide their followers/followees on their Google profile. (On Facebook, that information is part of the limited bucket of “publicly available information” and can’t be hidden by the user from their profile, but users can opt-out of having their profile accessible at all through search engines or Facebook search.)

There are essentially three ways of dealing with this concern about inadvertent sharing of sensitive contacts:

If you have a mobile phone, that’s the upshot of an argument being put forward by the government in a case being argued before the Third Circuit Court of Appeals tomorrow. The case is called In the Matter of the Application of the United States of America For An Order Directing A Provider of Electronic Communication Service To Disclose Records to the Government.

Declan McCullagh reports:

In that case, the Obama administration has argued that Americans enjoy no “reasonable expectation of privacy” in their—or at least their cell phones’—whereabouts. U.S. Department of Justice lawyers say that “a customer’s Fourth Amendment rights are not violated when the phone company reveals to the government its own records” that show where a mobile device placed and received calls.

The government can maintain this position because of the retrograde “third party doctrine.” That doctrine arose from a pair of cases in the early 1970s in which the Supreme Court found no Fourth Amendment problems when the government required service providers to maintain records about their customers, and later required those service providers to hand the records over to the government.

I wrote about these cases, and the courts’ misunderstanding of privacy since 1967’s Katz decision, in an American University Law Review article titled “Reforming Fourth Amendment Privacy Doctrine”:

These holdings were never right, but they grow more wrong with each step forward in modern, connected living. Incredibly deep reservoirs of information are constantly collected by third-party service providers today. Cellular telephone networks pinpoint customers’ locations throughout the day through the movement of their phones. Internet service providers maintain copies of huge swaths of the information that crosses their networks, tied to customer identifiers. Search engines maintain logs of searches that can be correlated to specific computers and usually the individuals that use them. Payment systems record each instance of commerce, and the time and place it occurred. The totality of these records are very, very revealing of people’s lives. They are a window onto each individual’s spiritual nature, feelings, and intellect. They reflect each American’s beliefs, thoughts, emotions, and sensations. They ought to be protected, as they are the modern iteration of our “papers and effects.”

This is a case to watch, as it will help determine whether or not your digital life is an open book to government investigators.

I’ve written before about my dislike of “the cloud.”

The term implies that there aren’t specific actors doing specific things with data, which will tend to weaken people’s impression that they have rights and obligations when using or providing cloud services. We’re talking privacy problems.

When “cloud” services fail, the results can be widespread and significant. Think of cloud computing as a sibling of security monoculture.

TechDirt’s indefatigable Mike Masnick reminds us of this with a tweet today about hiccups in Google Calendar that may have prevented him getting on a conference call. He’s written once or twice about the cloud in terms of legal/discovery issues, privacy issues, and business/regulatory hurdles.

Remote computing is not going away, but it’s a fad that should fade over time. I think I hit the right notes in an earlier post where I said:

There will always be a place for remote storage and services—indeed, they will remain an important part of the mix—but I think that everyone should ultimately have their own storage and servers. (Hey, we did it with PCs! Why not?) Our thoroughly distributed computing, storage, and processing infrastructure should be backed up to—well, not the cloud—to specific, identifiable, legally liable and responsible service providers.

Today’s Online Safety Technical Working Group (OSTWG) meeting included some heated debate about whether online intermediaries should be doing more to assist law enforcement to help track down child predators and those producing and distributing child pornography. (It’s not clear whether or when NTIA will actually put the archived video or a transcript online at this point).

Most interesting was the third panel of the day (agenda), which devolved into a shouting match as Dr. Frank Kardasz (resume) of the Arizona Internet Crimes Against Children (ICAC) Task Force basically accused Internet intermediaries of being willing accomplices in crimes of sexual abuse against children—and suggested that they could be charged as co-defendants in child porn prosecutions. A few industry folks in the room expressed their outrage at such slander. A retired law enforcement officer perhaps put it best when he said that he had never dealt with an ISP that didn’t sincerely want to help law enforcement stop this monstrous crime.

Apart from those pyrotechnics, and a superb morning presentation by the Pew Internet Project’s Amanda Lenhart about “Social Media & Young Adults,” the most interesting part of the day concerned data retention mandates. Even as a debate rages in Washington about how much collection and use of online data should be permitted, Dr. Kardasz suggested online service providers should be required to hold user data for 5 years. A number of attendees noted the staggering costs of such a mandate given the sheer volume of information shared every day by users, especially for startups for whom building monitoring and compliance infrastructure can be a significant barrier to entry. Of course, practical objections are always answered with practical counter-solutions—in this case, several attendees asked why we couldn’t just provide tax incentives or stimulus money to defray such costs. One attendee joked that we’d have to devote the entire state of Montana just to house all the necessary server farms.

But the strongest objection came from John Morris of the Center for Democracy & Technology, who rightly noted that no amount of government subsidies for data retention could prevent leakage of sensitive private data. For this reason and because of the basic civil liberties at stake whenever the government has access to large pools of data about its citizens, Morris argued that we need to strike a balance between how we protect children & the values of free society. Dave McClure of the US Internet Industry Association (USIIA) seconded this point powerfully: If such vast data is retained, it will be abused.

Then the riposte from advocates of data retention mandates: Aren’t online intermediaries already retaining huge amounts of consumer information? If they can do that, why can’t they retain the data we need to track down child predators and child porn distributors?

At today’s FTC “Exploring Privacy” roundtable event at Berkeley Law School, we heard a lunchtime address from Daniel J. Weitzner, Associate Administrator for Policy, National Telecommunications and Information Administration (NTIA) at the Department of Commerce. Below is a brief summary of his remarks. (Berin Szoka and I have been live-tweeting the event at @AdamThierer and @BerinSzoka). You can view all our tweets here.

  • Obama Administration is looking at nexus between privacy & innovation
  • Success of Internet has depended upon creative use of information
  • Predictability and certainty are important for both consumers and companies on this front
  • Believes we CAN have both innovation and privacy protection; but there will be some tensions
  • Challenge of the 3rd decade of Internet policymaking = to get together set of policies to bring security to Net while preserving freedom
  • Does domestic & global patchwork of #privacy policies hurt or help innovation?
  • Need to take a hard look at the traditional notice & choice framework
  • Rules for COLLECTION or USE of data is key question
  • Concepts of “accountability” … to what or whom?
  • a Notice of Inquiry coming from NTIA about privacy to help shape privacy policy for Obama Admin

I’m attending the FTC’s 2nd “Exploring Privacy” roundtable event, which is taking place at the University of California-Berkeley School of Law. Here’s the agenda. (I’ll be live Tweeting @AdamThierer). FTC Commissioner Pamela Jones Harbour & FTC Bureau of Consumer Protection Director David Vladeck kicked things off. Here’s a quick summary of their remarks:

  • Data collection has vast opportunities but drawbacks also
  • “non-price dimensions” of privacy important
  • Talking about recent Facebook privacy changes
  • Privacy is not “over” as McNealy once said; recent public outcry about Facebook changes make that clear
  • “delicate balance” between data collection and consumer control
  • Concerned about privacy in the mobile environment
  • “Apple could do more to require baseline level of privacy disclosures”; others could set such defaults too
  • Similar fears about privacy in the cloud; difficult for consumers to define privacy expectation in the cloud; fear of lock-in concerns
  • Wants more data portability
  • Concerned that anonymization doesn’t work well enough; perhaps our faith in current technologies is misplaced
  • Must address the question of privacy by design sooner rather than later


Berin Szoka and I will be in Berkeley, CA tomorrow attending the FTC’s 2nd “Exploring Privacy” roundtable event. The event will take place at the University of California-Berkeley School of Law. Here’s the agenda and speaker bios. The event will be webcast for those who cannot make it. But for those of you who are going, make sure to come say hi to Berin and me. We were thinking about trying to get a group together afterward to grab a beer somewhere nearby.

Incidentally, Berin and I testified at the FTC’s first Exploring Privacy workshop, which took place on December 7th. You can find webcasts of the panels here, and here are Berin’s comments and my summary of what we had to say that day.

Like Braden, I also filed comments on the FCC’s inquiry—written by CDT—about what, if anything, the FCC should say about online privacy in the National Broadband Plan Congress assigned the agency to write in the (so-called) “Recovery Act” last year. My comments are available here and are embedded below. Over 20 parties filed comments, available here. My argument in brief is as follows:

  • To the extent consumer anxiety about online privacy is, as many claim, actually discouraging some Americans from fully utilizing broadband, the FCC could indeed recommend that Congress take action on online privacy—even though the FCC has no jurisdiction to regulate online privacy itself (beyond the limited CPNI rules it has already imposed on the communications services it licenses).
  • But when Congress charged the FCC with drafting a plan for promoting broadband adoption, it set specific goals: The FCC may only recommend that Congress enact policies the agency concludes on the basis of real data will, on net, help achieve “affordability” and “maximum utilization” of broadband.
  • The quality and quantity of online services depends on the ability of service providers to collect and use data about web browsing habits to analyze site use, personalize content, tailor advertising, and measure its effectiveness.
  • So imposing additional regulations on the private sector comes with real costs to users and it’s far from clear that such regulations would, on the whole, promote broadband adoption.
  • The Commission simply doesn’t have the data to evaluate this trade-off, nor the time to collect it (as the FTC is trying to do), since the National Broadband Plan is due to Congress in a matter of weeks.
  • But no such trade-offs exist with regards to government access to consumer data, which creates far more demonstrable and serious consumer harms. So the Commission should limit its legislative recommendations on privacy to endorsing enhanced limitations on government access, such as CDT has proposed.
  • The Commission should be particularly wary of opinion polls as evidence of consumer expectations because they cannot tell us about the trade-offs inherent in the real world.
