Privacy, Security & Government Surveillance

My colleague Jim Harper and I have been having a friendly internal argument about Internet privacy regulation that strikes me as having potential implications for other contexts, so I thought I might as well pick it up here in case it’s of interest to anyone else. Unsurprisingly, neither of us is particularly sanguine about elaborate regulatory schemes—and I’m sympathetic to the general tenor of his recent post on the topic. But unlike Jim, as I recently wrote here, I can think of two rules that might be appropriate: A notice requirement that says third-party trackers must provide a link to an ordinary-language explanation of what information is being collected, and for what purpose, combined with a clear rule making those stated privacy policies enforceable in court. Jim regards this as paternalistic meddling with online markets; I regard it as establishing the conditions for the smooth functioning of a market. What do those differences come down to?

First, a question of expectations. Jim thinks it’s unreasonable for people to expect any privacy in information they “release” publicly—and when he’s talking about messages posted to public fora or Facebook pages, that’s certainly right. But it’s not always right, and as we navigate the Internet our computers can be coaxed into “releasing” information in ways that are far from transparent to the ordinary user. Consider this analogy. You go to the mall to buy some jeans; you’re out in public and clearly in plain view of many other people—most of whom, in this day and age, are probably carrying cameras built into their cell phones. You can hardly complain about being observed, and possibly caught on camera, as you make your way to the store. But what about when you make your way to the changing room at The Gap to try on those jeans? If the management has placed an unobtrusive camera behind a mirror to catch shoplifters, can the law require that the store post a sign informing you that you’re being taped in a location and context where—even though it’s someone else’s property—most people would expect privacy? Current U.S. law does, and really it’s just one special case of the law laying down default rules to stabilize expectations. I think Jim sees the reasonable expectation in the online context as “everything is potentially monitored and archived all the time, unless you’ve explicitly been warned otherwise.” Empirically, this is not what most people expect—though they might begin to as a result of a notice requirement.

The Federal Trade Commission (FTC) has just announced it will be hosting:

“a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data.” Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation. The roundtable discussions will consider the risks and benefits of information collection and use in online and offline contexts, consumer expectations surrounding various information management practices, and the adequacy of existing legal and self-regulatory regimes to address privacy interests.

The first of these roundtables will be held on December 7, 2009 at the FTC Conference Center in Washington, D.C. Additional information can be found here.

I’m sure my colleague Berin Szoka will have much more to say about this in coming days and weeks — and I very much hope the FTC will invite him in to testify — but, for now, I just want to reiterate the three key challenges we have been posing again and again and again and again in all our work on this subject:

  1. Identify the harm or market failure that requires government intervention.
  2. Prove that there is no less restrictive alternative to regulation.
  3. Explain how the benefits of regulation outweigh its costs.

I hope those issues are front and center at these workshops and we get some firm answers because the dangers of breaking the very few Internet business models that actually work is a very steep price to pay for the conjectural harms bandied about by some privacy zealots.

Thanks to Adam for the kind introduction; for folks to whom I’m unfamiliar, my Ars Technica archive has the bulk of my tech writing over the past year and change, though plenty of it is straight reporting now well past its expiration date.  It’s been suggested that for openers, I crosspost last week’s Cato @ Liberty thumbsucker on behavioral advertising regulation, which riffs on some of the commentary here, but in the interest of avoiding redundancy, I’ll just do the digest version and let the curious click through. Since they say the first day in lockup, you should pick a fight with the biggest mofo in the yard, I’ll excerpt the part where I disagree with Berin a bit:

First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this.  But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too — but normal people don’t.  And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices.  Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies — except this turns out to impose a significant economic cost in itself.

I still end up rejecting most of the proposed arguments for regulation, though a couple of the suggested rules (notice requirement, liquidated damages for intentional breach of stated privacy policy) struck me as more defensible, if not especially urgent.

That aside, I want to get down to the more important business of suggesting a TLF theme song: The Magnetic Fields’ sardonic “Technical (You’re So)” (whence the title of this post),  in which wordsmith/crooner Stephin Merritt delivers such lines as: “There are no papers on you /  The laws don’t cover what you do / You and your think-tank entourage / Are all counterculture demigods” and “You’re a Libertarian / The death of the left was you / You look like Herbert Von Karajan / You live underneath the zoo.”  Sure, they’re meant as mockery when Merritt sings them, but then, “queer” used to be a pejorative too. Reappropriation, baby.

Also, rhyming “Libertarian” with “Von Karajan” is the greatest act of poetry in music since Sting paired “He starts to shake and cough” with “the old man in / that book by Nabokov.” Fact.

Google today unveiled the Data Liberation Front, a team of engineers in Chicago dedicated to ensuring that Google build “liberated products”—ones that have “built in features that make it easy (and free) to remove your data from the product in the event that you’d like to take it elsewhere.” We’ve spent a lot of time here warning about the dangers of Googlephobia, but now that Google has brazenly appropriated the TLF’s unique mock-Communist iconography, we’re starting to think that Jeff Chester and Scott Cleland may be right: Maybe Google really is trying to take over the world!

So we regret to announce our filing of a lawsuit in the Twelfth Circuit Court of Appeals to challenge Google’s infringement of our mark. We demand 50% of the $0.00 Google earns every time they “allow” users to port their application data out of Google to a competitor’s services! We will, of course, dedicate these royalties to the important project of educating and empowering users about how they can determine their own destiny online.

But seriously… We heartily agree with our Data Liberation Front comrades that users should be fully empowered to switch from one service to another online. This kind of competition is clearly the best protection for consumers in the Digital Age. Making switching easy should assuage not just antitrust concerns, but also concerns about how much privacy or security each web service offers to its users, no matter how big its market share: If you don’t like what a service offers, just take your data and leave! Who needs the government micro-managing the Internet when users have that kind of control?

Viva la (Technology) Revolution!

P.S. In case you haven’t seen it the Monty Python video we’re all riffing on:


Finally, the courts are starting to take notice of the growing ease with which we all share information online: “Twenty-somethings have a much-reduced sense of personal privacy,” as an NYU law professor put it. Unfortunately, this slow realization of the utterly obvious is happening in the narrow area of legal ethics: Courts are punishing young lawyers who say unkind things about the court on social networking sites or say something inconsistent with what they’ve told the court. It’s a must-read for all young lawyers!

I really appreciate the venture capitalists (VCs) in Silicon Valley subsidizing my soapbox at Twitter.  Seriously, it is an absolutely awesome platform for getting a message out to the masses.  But at some point I worry that the gravy train will come to an end and that users will have to start picking up part of the tab.  After all, will those VCs continue to subsidize Twitter if it never turns a profit?  According to the Wikipedia entry about Twitter:

In total, Twitter has raised over US$57 million from venture capitalists. The exact amounts of funding have not been publicly released. Twitter’s first round of funding was for an undisclosed amount that is rumored to have been between $1 million and $5 million. Its B round of funding in 2008 was for $22 million and its C round of funding in 2009 was for $35 million from Institutional Venture Partners and Benchmark Capital along with an undisclosed amount from other investors including Union Square Ventures and Spark Capital. Twitter is backed by Union Square Ventures, Digital Garage, Spark Capital, and Bezos Expeditions.

Again, thank you VCs! But, like them, I do wonder when and how Twitter will bring in some cash. Is there a “freemium” model that could work? Perhaps. “Pro” or corporate accounts have been rumored to be in the works. Getting someone else to pick up the tab that way might bring in enough cash for Twitter to allow the free ride to continue for the rest of us. But what about advertising? It’s been the “mother’s milk” of most online media and platforms for some time now, and Twitter seems perfectly suited to insert a few banner ads or contextual ads here and there. It could be happening sooner than you think. Austin Modine of The Register notes in a new piece, “Twitter ‘Leaves Door Open’ for Targeted Ads,” that:

There is no better security for data than not collecting it in the first place. And when data is no longer needed, the best security for it is to destroy it.

That’s why I was surprised to see a request from the chairman and ranking member of the House Homeland Security Committee asking the Transportation Security Administration to preserve data that is scheduled for destruction.

Chairman Bennie Thompson (D-MS) attended and spoke at the first meeting of the DHS Privacy Committee four years ago. I have regarded him as a champion of privacy since then. But he and Rep. Peter King (R-NY) want biometric data collected for the defunct Registered Traveler program preserved on the chance that Registered Traveler is revived. This is an inappropriate request.

Anyone who submits data to the government should recognize the risk that it will be preserved longer than promised and put to new uses. There were merits to the Clear system within Registered Traveler. I wrote about them in my book and testified about them in 2005. One of the serious demerits is that Registered Traveler created stores of biometric data that politicians are now trying to control.

Interesting piece from Jeff Jarvis about “Google Bigotry,” or his belief that “media people are going after Google’s success for no good reason other than their own jealousy.”  Jarvis argues that reporters penning hard-nosed stories about Google are, in reality, just a bunch of envious cry-babies:

newspaper people will use their last drops of ink to complain about Google’s success and try to blame it for their own failures rather than changing their own businesses. … It’s not just that they dislike the competition – and they do, for it is a new experience for too many of them. If they were smart, they’d use Google to get more audience and make more money but they don’t know how to (or rather, they’d prefer not to change). No, the problem is that Google represents change and a new world they’ve refused to understand.

Well, yes and no.  I don’t believe that every story penned about Google by a mainstream media reporter is rooted in envy, and certainly not the one that Jarvis alludes to as prompting him to pen this piece.  Jarvis apparently received an inquiry from a French journalist at Le Monde asking for comment about “an article about Google facing a rising tide of discontent concerning privacy and monopoly.”  That doesn’t necessarily sound like an unreasonable journalistic inquiry to me. So, I’m not sure it’s fair to accuse every journalist who calls with a hard-nosed question about privacy and antitrust as being guilty of “Google bigotry.”

That being said, some journalists are likely feeling a bit miffed about Google’s recent success, thinking it comes at their expense, and, therefore, their envy might be prompting some of them to pen attack stories on the company. I think Jarvis is on stronger ground, however, in asserting that most privacy and antitrust complaints about Google are unfounded, and also based on envy. Indeed, Berin Szoka and I have been cataloging the complaints that we believe are driven by an irrational form of corporate envy we call “Googlephobia.” And in prior years we saw a similar form of Microsoft-bashing at work that we still have with us today. That’s why I think Jarvis is on to something when he notes that Google-bashing represents a broader sociological phenomenon:

WordPress has experienced a major security vulnerability, with a worm making its way around the ‘Net, attacking earlier versions of WordPress. Fortunately, because of the hard work of the WordPress open source community, the current (2.8.4) and most recent (2.8.3) versions are immune. Yet as with any program, some users haven’t upgraded. In the case of WordPress (which we use at the TLF), upgrading can be difficult for sites that rely on plug-ins that aren’t always updated quickly when a new version of WordPress is released.

While my heart goes out to my fellow WordPress bloggers who may have experienced an attack, I’m just glad that, for once, the message isn’t that somehow we need the government to protect us all from cyber-catastrophes, but, instead, a little good-old-fashioned digital self-help! From the WordPress Blog:

WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.

As with parental controls and privacy, protecting your security online begins at home. Government can help to educate and promote empowerment solutions, and industry certainly has a role to play in both, and communities like WordPress can offer invaluable support, but at the end of the day, only you can protect yourself online!

September 8 — this Tuesday — is the deadline for filing objections against the Google Book Settlement. A number of trade associations, corporations, authors, and advocacy groups have weighed in, including the Electronic Frontier Foundation and the American Civil Liberties Union. They argue that approving the Google Book Settlement in its current form, without explicitly spelling out data collection practices, would endanger user privacy. EFF and ACLU have threatened to file an objection to the Settlement unless Google commits to a stringent privacy policy for Google Book Search.

I think the privacy risks posed by Google Book Search are being blown out of proportion, as I explained in the Examiner Opinion Zone last month. While EFF and others have raised some legitimate fears about the possibility of government getting its hands on Google Book Search user data, these privacy concerns are not unique to Google Book Search, nor are they legitimate grounds for the court to reject the Google Book Settlement.

In a letter I submitted yesterday as an amicus curiae brief to U.S. District Judge Denny Chin, who is presiding over the Google Books case, I argue that privacy concerns should not determine the court’s evaluation of the Settlement:

Competitive Enterprise Institute Letter