The WSJ ran a front page, above-the-fold headline screaming that Facebook has had a privacy breach. But as Steve DelBianco discusses over at the NetChoice blog, today’s WSJ “breach” is all smoke and no fire.
The WSJ is saying that some of Facebook’s applications are accidentally sharing the public username on my Facebook page, in violation of the company’s privacy policy. This story was nothing like a breach where my credit card numbers or sensitive personal information was leaked or hacked. A closer look at the issue indicates that there is far m
ore smoke than fire in the WSJ piece.
Moreover, the WSJ should step-back from using tabloid-style headings to attract eyeballs (and advertising revenue) to their research and writing. The breathless headline is clearly meant to feed the privacy beast that is increasingly in danger of doing far more harm than good.
While details are still forthcoming, it appears that the issue at hand involves external actions between application developers and advertising companies. Facebook has stepped-up and is holding third parties accountable to existing privacy requirements.
(Second in a series.)
The Register quotes security guru Bruce Schneier saying: “Facebook is the worst [privacy] offender – not because it’s evil but because its market is selling user data to its commercial partners.”
Facebook’s business model is to guide advertisements on its site toward users based on their interests as revealed by data about them. It is not to sell data about users. Selling data about users would undercut its advertising business.
It’s easy to misspeak in extemporaneous comments, and
The Register is not your most careful media outlet. But we’ve almost got enough data points to show a consistent practice of misrepresentation on Bruce Schneier’s part. Perhaps that should be actionable as an unfair or deceptive practice under section five of the FTC Act.
If I ever had any hope of “keeping up” with developments in the regulation of information technology—or even the nine specific areas I explored in The Laws of Disruption—that hope was lost long ago. The last few months I haven’t even been able to keep up just sorting the piles of printouts of stories I’ve “clipped” from just a few key sources, including The New York Times, The Wall Street Journal, CNET News.com and The Washington Post.
I’ve just gone through a big pile of clippings that cover April-July. A few highlights: In May, YouTube surpassed 2 billion daily hits. Today, Facebook announced it has more than 500,000,000 members. Researchers last week demonstrated technology that draws device power from radio waves.
Continue reading →
Sen. Amy Klobuchar just released a letter to Facebook demanding the site require “a prominent safety button or link on the profile pages of users under the age of 18″—akin to the so-called “panic button” app launched earlier this week by the UK’s Child Exploitation & Online Protection Centre (CEOP). She doesn’t seem to realize that this app is available to all Facebook users, not just those in the UK. But her focus on empowerment tools and education is admirable, and it’s certainly a fair question to ask what sites like Facebook and MySpace are doing in these areas.
Unfortunately, Klobuchar’s letter also engages in blatant fear-mongering:
Recent research has shown that one in four American teenagers have been victims of a cyber predator. And when teens experience abusive behavior online, only ten percent discuss it with their parents and even fewer report the misconduct to law enforcement. It’s clear that teenagers need to know how to respond to a cyber attack and I believe we need stronger reporting mechanisms to keep our kids safe.
Klobuchar doesn’t actually
cite anything, so it’s not clear what research she’s relying on. The 25% statistic is particularly incendiary, suggesting a nationwide cyber-predation crisis—perhaps leading the public to believe 8 or 9 million teens have been lured into sexual encounters offline. Perhaps the Senator considers every cyber-bully a cyber predator—which might get to the 25% number. But there are two serious problem with that moral equivalence.
First, to equate child predation with peer bullying is to engage in a dangerous game of defining deviancy down. Predation and bullying are
radically different things. The first (sexual abuse) is a clear and heinous crime that can lead to long-term psychological damage. The second might be a crime in certain circumstances, but generally not. And it is even less likely to be a crime when it occurs among young peers, which research shows constitutes the vast majority of cases. As Adam Thierer and I noted in our Congressional testimony last year, there are legitimate concerns about cyberbullying, but it’s something best dealt with by parents and schools rather than prosecutors (like Klobuchar in her pre-Senate career).
Second, a series of official taskforces have concluded that the cyberpredator technopanic is vastly overblown. Continue reading →
Working in any field of public policy is a bit like living in a haunted house: You spend most of your day dodging bogeymen, ghosts, phantasms, phantoms and specters of imagined harms, frauds, invasions and various conspiracies supposedly perpetrated by evil companies against helpless consumers, justice, God, Gaia, small woodland creatures and every sort of underserved, disadvantaged and/or underprivileged group of man, animal, vegetable and mineral imaginable.
But Internet policy—particularly online privacy—tends to be haunted by such groundless imaginings far more than most other areas of policy, largely because it manifests itself in ways that are far more real and immediate to ordinary users. For example, as outraged as any of us might feel about the Gulf oil spill, how many of us have the slightest clue what’s really involved (beyond what we’ve learned watching TV anchors stumble through a vocabulary they don’t understand)?
By contrast, huge numbers of Americans have daily interaction with web services like those provided by Google, Microsoft, Yahoo, Twitter and Facebook. That doesn’t mean we necessarily
understand how these technologies work. Indeed, quite the contrary! As Arthur C. Clark said, “Any sufficiently advanced technology is indistinguishable from magic.” But we often think we know how these technological marvels work, and certainly sound much more informed when we spout off (pun intended) about these things than, say, “top kills” on the bottom of the ocean floor. In short, we know just enough web services to be dangerous when we ground strong policy positions in our unsophisticated understanding of how things really work online.
There are few better examples of this than the constantly repeated bugaboo that “Facebook sells your data to advertisers!” Or “Facebook only wants you to share more information with more people for advertising purposes!” These myths bear no relation to how advertising on social networking sites actually works, as Facebook CEO Sheryl Sandberg explains beautifully in a short tutorial video. Here’s the key portion: Continue reading →
Not surprisingly, FCC Commissioners voted 3 to 2 today to open a Notice of Inquiry on changing the classification of broadband Internet access from an “information service” under Title I of the Communications Act to “telecommunications” under Title II. (Title II was written for telephone service, and most of its provisions pre-date the breakup of the former AT&T monopoly.) The story has been widely reported, including posts from The Washington Post, CNET, Computerworld, and The Hill.
As CNET’s Marguerite Reardon counts it, at least 282 members of Congress have already asked the FCC not to proceed with this strategy, including 74 Democrats.
I have written extensively about why a Title II regime is a very bad idea, even before the FCC began hinting it would make this attempt. I’ve argued that the move is on extremely shaky legal grounds, usurps the authority of Congress in ways that challenge fundamental Constitutional principles of agency law, would cause serious harm to the Internet’s vibrant ecosystem, and would undermine the Commission’s worthy goals in implementing the National Broadband Plan. No need to repeat any of these arguments here. Reclassification is wrong on the facts, and wrong on the law. Continue reading →
I was interviewed yesterday for the local Fox affiliate on Cal. SB 1411, which criminalizes online impersonations (or “e-personation”) under certain circumstances.
On paper, of course, this sounds like a fine idea. As Palo Alto State Senator Joe Simitian, the bill’s sponsor, put it, “The Internet makes many things easier. One of those, unfortunately, is pretending to be someone else. When that happens with the intent of causing harm, folks need a law they can turn to.”
Or do they?
The Problem with New Laws for New Technology
SB1411 would make a great exam question of short paper assignment for an information law course. It’s short, is loaded with good intentions, and on first blush looks perfectly reasonable—just extending existing harassment, intimidation and fraud laws to the modern context of online activity. Unfortunately, a careful read reveals all sorts of potential problems and unintended consequences.
Continue reading →
I participated last week in a Techdirt webinar titled, “What IT needs to know about Law.” (You can read Dennis Yang’s summary here, or follow his link to watch the full one-hour discussion. Free registration required.)
The key message of
The Laws of Disruption is that IT and other executives need to know a great deal about law—and more all the time. And Techdirt does an admirable job of reporting the latest breakdowns between innovation and regulation on a daily basis. So I was happy to participate.
Legally-Defensible Security
Not surprisingly, there were far too many topics to cover in a single seminar, so we decided to focus narrowly on just one: potential legal liability when data security is breached, whether through negligence (lost laptop) or the criminal act of a third party (hacking attacks). We were fortunate to have as the main presenter David Navetta, founding partner with The Information Law Group, who had recently written an excellent article on what he calls “legally-defensible security” practices.
Continue reading →
Companies often promote consistent and reliable customer experiences. KLM touts itself as “the reliable airline” while Michelin touts its dependability “because so much is riding on your tires.” And now we have Yahoo, who announced that it will be increasing the social networking functionality in Yahoo Mail. Yahoo has the ability to promote consistency in determining user defaults for sharing information.
But social networking is a product much different than most – it is participatory. Passengers can’t fly airplanes and drivers don’t design tire tread, but social networking users control what and with whom they share information.
So what happens when a social networking service changes functionality or adds new features? How does a company be consistent in carrying-over a user’s preference from the prior version to the new one? What assumptions should it make on user privacy preferences for new features?
These considerations matter whenever an online service tries to increase its social networking functionality. Last week, Facebook unveiled new privacy controls, and we blogged that it was a welcome response to clear-up confusion. In the coming weeks Yahoo will change how status updates work in Yahoo Mail. Michael Arrington’s TechCrunch article describes it well:
[C]urrently to see status updates for others in Yahoo Mail, you have to have a mutual follow, meaning both people have agreed to be “friends.” You can then see that user’s Yahoo status updates as well as updates on third party services that they have added to their Yahoo profile as well. In the new version there will no longer be a requirement for a mutual follow. So, like on Twitter, users can follow whomever they choose. This isn’t actually a dramatic change for Yahoo, since users can follow others in this way already on Yahoo Messenger.
Like Google and Facebook before it, Yahoo is adding features to make its service more “social.” And because of the scrutiny over the changes by Google and Facebook, Yahoo seems to be going out of its way to assure users that they can rely and depend on Yahoo. According to the Yahoo Corporate Blog: Continue reading →
Many of my free market friends have been making the case that government action is unnecessary to address the privacy trouble in which Facebook has recently found itself. I agree with them completely. The reason is that I believe that the given choice, individuals acting in the market will act to discipline unscrupulous or stupid companies. This is precisely what we’ve begun to see happen to Facebook.
It therefore bothers me when folks go beyond mere defense of free market to pretending that corporations can do no wrong. Facebook, for example, has committed a terrible breach of trust against its users, and it should pay the price. Still, on the NetChoice blog, Steve DelBianco writes this about Facebook’s new privacy options:
Facebook is making these moves partly to placate a handful of professional privacy critics, as we described on our post this week. But as with most moves made in reaction to critics, there’s a chance Facebook might have moved too far.
As part of this change, Facebook is making it trivial for users to stop applications and websites from knowing anything about you. If lots of users select this option, I’m afraid it could restrict Facebook’s use of targeted advertising (those ads on the right side of your Facebook pages) and their new instant personalization program. Here’s why we should all be concerned if everyone opts-out of sharing anything:
First, we’ll still see ads, only they won’t be so relevant[.] … Second, and far more concerning, is the effect on Facebook’s ad revenue[.]
I’m not a “professional privacy critic,” yet I know I’ll never trust Facebook with any of my data ever again. I hear the same sentiment from many of my friends, acquaintances, and other regular folks I follow online. Sometimes, companies react because they made a dumb mistake (or perhaps in this case a repeated one that makes one wonder whether it’s a mistake at all), not only in response to privacy advocates. I know Steve’s saying Facebook’s only
partly reacting to critics, but I believe that any such fraction is very small. Continue reading →
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.