Privacy, Security & Government Surveillance

Debates about online privacy often seem to assume relatively homogeneous privacy preferences among Internet users.  But the reality is that users vary widely, with many people demonstrating that they just don’t care who sees what they do, post or say online.   Attitudes vary from application to application, of course, but that’s precisely the point:  While many reflexively talk about the “importance of privacy” as if a monolith of users held a single opinion, no clear consensus exists for all users, all applications and all situations.  

If a picture is worth a thousand words, this picture makes the point brilliantly—showing:

locations where [Flickr] users are more likely to post their photos as “public,” which is the default setting, in green. Places where Flickr users are more likely to put privacy controls on their photos show up in red.

Of course, geography is just one dimension across which users may vary in their attitudes about privacy, but the map makes the basic point about variation very well.  Seeing what users actually do in real life says a lot more about their preferences than merely polling them about what they think they care about in the abstract—as my colleagues Solveig Singleton and Jim Harper argued brilliantly in their 2001 paper With A Grain of Salt: What Consumer Privacy Surveys Don’t Tell Us (SSRN).

Yesterday, after my Criminal Law class, I went to a lunch talk sponsored by the Stanford Biolaw and Health Policy Society about “abandoned” DNA – that is, DNA traces that people leave all over the place. It was given by Prof. Elizabeth Joh, visiting Stanford Law this year from UC Davis Law. She focused on her recent law review article on the subject.

Joh’s basic argument was that DNA is fundamentally different than the other detritus we abandon on a regular basis. She contended that, though we might not have an expectation that the soda bottle we tossed into the public trash can won’t be seen by anyone, we have an expectation that it won’t be mined for our saliva and the genetic information it contains. Joh even argued that DNA traces are fundamentally different from fingerprints, since fingerprints can only identify us, but cannot give investigators a view into fundamentals about who we are (including our health risks).

Joh contrasted her view, which focuses on privacy, from what she called the “old” trespass view. Under that perspective, what was wrong about an FBI agent slipping into your house to implant bugs was not that the government could now listen into everything you say in your home, but rather the property violation involved in breaking in. Similarly, under the trespass view, a cop could not run a cotton swab on the inside of your mouth to collect DNA (without a warrant) because it would violate your property in yourself, not because it would reveal your genetic information to the government. But the trespass view would have no problem with the government picking up that soda bottle out of the trash and collecting your DNA from it, to match you to a crime.

From the Columbus Dispatch:

Information on [Joe “the Plumber”] Wurzelbacher was accessed by accounts assigned to the office of Ohio Attorney General Nancy H. Rogers, the Cuyahoga County Child Support Enforcement Agency and the Toledo Police Department.

The security of information about you in government databases is contingent on you keeping your head down.

Twitter Terror

October 27, 2008

I was amused to read that a draft Army intelligence report identified micro-blogging service Twitter as a potential tool for terrorists. On the other hand, it’s regrettable that this terrorism mania persists to foster this kind of report and media attention. There’s no distinct terror threat from Twitter. (Do check out the send-up of an Osama Bin Laden Twitter feed by clicking on the image.)

Sure, it’s possible that terrorists could use Twitter, just like it’s possible with any communications medium. Twitter is right up there with telephones, pen and paper, email, SMS, and smoke signals as a potential tool for terrorism. Each of these media has different properties which make them more or less susceptible to use for wrongdoing — and more or less protective of legitimate privacy for the law-abiding.

Like most common digital communications, Twitter is a pretty weak medium for planning bad things. Copies of every post are distributed far and wide — and all “Tweets” are housed pretty much permanently by a single organization.

If you want to get caught doing something wrong, use Twitter to plan it.

Online and IT privacy is a ripe issue for President Obama’s or McCain’s administration. It often takes a confluence of concerns and momentum to elevate an issue to the national forefront, and with privacy we have concerns related to targeted ads, ID theft, government snooping, electronic health records, and to be blunt — Google. There will be pressure for policymakers to enact a “comprehensive privacy policy” — but what does that mean?

I heard that question raised last week. Last Friday the Technology Policy Institute held an event that featured Peter Swire, Obama’s privacy/security advisor, and Orson Swindle, McCain’s privacy/security advisor.

Swindle downplayed the notion of “comprehensive” privacy, because the need for privacy is contextual. Sometimes you’ll want more, other times less. If Congress were to enact privacy legislation back in 2000, when concerns over “cookies” were raging, it would have stunted the growth of the Internet and new business models. What we have now isn’t perfect, he stressed, but regulation is even more imperfect.

Swire ducked the question about whether Obama would favor “comprehensive” privacy legislation. Obama has been silent on the issue, he said. He did discuss what he called “market failure” that occurs when new technologies pose new risks. He brought up electronic health records as an example…shouldn’t government help protect people’s medical information?

Swindle said that the FTC is in a perfect position to respond to the privacy challenges posed by new technology. Swire said that the FTC is necessary but not sufficient to get the job done.

My two cents, which I wrote in my recent paper on cyber security:

According to ABC News:

Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.

It’s a simple formula: Lack of oversight produces abuses. Members of Congress may scurry around and declare outrage, but the responsibility is their own as much as anyone else’s.

This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year.  ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.

Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies. In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakley of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identity-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.” [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]

On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification.  Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this.  I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]

In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front.  I will argue:

  • There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
  • First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
  • Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined.  But how do we establish a clear link between parents and kids?  And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
  • It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
  • It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well as increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.

Continue reading if you are interested in the details.

Yours truly shows up in a good story on surveillance cameras on the Christian Broadcasting Network today. Watching the whole thing, I was impressed by the sophistication of the host, who observed in the discussion segment: “We’re giving up so much privacy in order to obtain the illusion of security.”

Forget net neutrality and the growing Googleplex. The real threat to Internet freedom comes from plain old criminal law.

In three weeks time, Missouri housewife Lori Drew will face trial for entering false personal details when she signed up for a MySpace account. Her indictment alone, whether or not she is convicted, should frighten anyone who’s ever filled out a form online.

The case, which captured the tabloid media when it broke last year, turns on unusual facts. Drew, posting as a teenage boy, created the MySpace account to probe why a neighbor’s daughter, Megan Meier, had broken off a friendship with her own daughter. She gave a few others access to the account, and things quickly spiraled out of control. Before long, “Josh Evans” (the fictional teen) and Meier were an online couple, and soon after that, they were hurling insults at one another on public message boards.

Meier, already suffering from depression, was devastated by Josh’s turnabout. A final private message from the Evans account–“The world would be a better place without you”–pushed her over the edge. Twenty minutes after receiving it, Meier hung herself in her closet.

Even though she was not responsible for the worst of the messages (according to a prosecutor who investigated the case but declined to file charges), Lori Drew misled an emotionally troubled youth, and that was surely wrong.

But it’s more problematic to say that it’s a crime.

The theory of the prosecutor behind this case would make all Internet users criminals.

From triumph to terror—that’s the likely emotional rollercoaster of the denizens of the “/b” message board on the 4chan website who hacked into Gov. Sarah Palin’s email account earlier this week. The toasts of the left-leaning Internet on Tuesday, by this morning they knew themselves to be in the crosshairs of the FBI and Secret Service.

Next stop: jail. That’s the law, and it’s a fair punishment for digital breaking and entering.

According to British tech tabloid The Register, the hackers accessed Palin’s Yahoo account by way of a proxy, relaying all traffic through it to cloak their identities. The proxy’s owner promises to make his log data available to authorities, and it’s probably only a matter of time before that leads to living, breathing (nervous, sweating?) people.

The most likely charge is hacking. Federal law prohibits virtual trespassing for the purposes of stealing information. So cracking the password to a governor’s email account and perusing her messages is a clear violation. The punishment: criminal fines and imprisonment of up to 5 years.

Throw in a few conspiracy offenses—according to reports, a slew of “/b-tards” were in on the act—and the prison term could double.

No, going after a major party’s vice presidential candidate was not smart: Police and prosecutors put extra effort into famous crimes.

As for the media publishing Palin’s emails and family photos, shame on them, but it’s not against the law. In Bartnicki v. Vopper, the Supreme Court held that they have a First Amendment right to publish materials of public importance, even if illegally obtained, so long as the media doing the publishing committed no wrong itself.

But just because it’s legal doesn’t mean it’s right. No one deserves to have their private correspondence stolen (not, as per the AP, “leaked”) and posted online for the world to see. It speaks to Palin’s classiness that nothing objectionable—not even a cuss—has come to light. Too bad that the press and online gossip-mongers don’t share that trait and take the material down.