Debates about online privacy often seem to assume relatively homogeneous privacy preferences among Internet users. But the reality is that users vary widely, with many people demonstrating that they just don’t care who sees what they do, post or say online. Attitudes vary from application to application, of course, but that’s precisely the point: While many reflexively talk about the “importance of privacy” as if a monolith of users held a single opinion, no clear consensus exists for all users, all applications and all situations.
If a picture is worth a thousand words, this picture makes the point brilliantly—showing:
locations where [Flickr] users are more likely to post their photos as “public,” which is the default setting, in green. Places where Flickr users are more likely to put privacy controls on their photos show up in red.
Of course, geography is just one dimension across which users may vary in their attitudes about privacy, but the map makes the basic point about variation very well. Seeing what users
actually do in real life says a lot more about their preferences than merely polling them about what they think they care about in the abstract—as my colleagues Solveig Singleton and Jim Harper argued brilliantly in their 2001 paper With A Grain of Salt: What Consumer Privacy Surveys Don’t Tell Us (SSRN).
From the Columbus Dispatch:
Information on [Joe “the Plumber”] Wurzelbacher was accessed by accounts assigned to the office of Ohio Attorney General Nancy H. Rogers, the Cuyahoga County Child Support Enforcement Agency and the Toledo Police Department.
The security of information about you in government databases is contingent on you keeping your head down.
The Progress & Freedom Foundation has just launched the new Center for Internet Freedom. CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights. We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment. Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.
Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows:
- Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
- Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
- Protecting online speech and expression both in the U.S. and abroad;
- Defending Section 230 immunity for Internet intermediaries;
- Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
- Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.
Online and IT privacy is a ripe issue for President Obama’s or McCain’s administration. It often takes a confluence of concerns and momentum to elevate an issue to the national forefront, and with privacy we have concerns related to targeted ads, ID theft, government snooping, electronic health records, and to be blunt — Google. There will be pressure for policymakers to enact a “comprehensive privacy policy” — but what does that mean?
I heard that question raised last week. Last Friday the Technology Policy Institute held an event that featured Peter Swire, Obama’s privacy/security advisor, and Orson Swindle, McCain’s privacy/security advisor.
Swindle downplayed the notion of “comprehensive” privacy, because the need for privacy is contextual. Sometimes you’ll want more, other times less. If Congress were to enact privacy legislation back in 2000, when concerns over “cookies” were raging, it would have stunted the growth of the Internet and new business models. What we have now isn’t perfect, he stressed, but regulation is even more imperfect.
Swire ducked the question about whether Obama would favor “comprehensive” privacy legislation. Obama has been silent on the issue, he said. He did discuss what he called “market failure” that occurs when new technologies pose new risks. He brought up electronic health records as an example…shouldn’t government help protect people’s medical information?
Swindle said that the FTC is in a perfect position to respond to the privacy challenges posed by new technology. Swire said that the FTC is necessary but not sufficient to get the job done.
My two cents, which I wrote in my recent paper on cyber security: Continue reading →
Earlier this year, I mentioned an outstanding book that John Palfrey of the Berkman Center for Internet & Society at Harvard Law School co-edited entitled Access Denied: The Practice and Policy of Global Internet Filtering. It’s an excellent resource for anyone studying the methods governments are (unfortunately) using to stifle online expression across the globe. It’s one of the most important technology policy books of the year.
Well, it looks like John Palfrey will have a second title on this year’s “Best Tech Books” list. I’ve just finished his new book with his Berkman Center colleague Urs Gasser, Born Digital: Understanding the First Generation of Digital Natives, and it is definitely worthy of your attention. In my book review posted today on the City Journal’s website, I argue that “Palfrey and Gasser’s fine early history of this generation serves as a starting point for any conversation about how to mentor the children of the Web.” It’s a comprehensive and very even-handed discussion about a variety of concerns or Internet pathologies, including: online safety, personal privacy, copyright piracy, offensive content, classroom learning, and much more.
My
City Journal review is down below, but in coming weeks I will be posting some additional thoughts about some specific things in the book worthy of more attention (including a few things I disagreed with). Overall, I’d say Born Digital is a close runner-up in the race for “Tech Book of the Year,” closely trailing Jonathan Zittrain’s Future of the Internet and How to Stop It (which I have reviewed multiple times) and Nick Carr’s The Big Switch. But I found far more to agree with in Born Digital than I did in those two books. Highly recommended.
Continue reading →
This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year. ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.
Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are
most interested in having the ISTTF evaluate age verification / online verification technologies. In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.” [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]
On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification. Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this. I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]
In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front. I will argue:
- There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
- First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
- Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined. But how do we establish a clear link between parents and kids? And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
- It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
- It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.
Continue reading if you are interested in the details.
Continue reading →
By Berin Szoka & Adam Thierer
Progress Snapshot 4.19 (PDF)
Since the fall of 2008, a debate has raged in Washington over “targeted online advertising,” an ominous-sounding shorthand for the customization of Internet ads to match the interests of users. Not only are these ads more relevant and therefore less annoying to Internet users than untargeted ads, they are more cost-effective to advertisers and more profitable to websites that sell ad space. While such “smarter” online advertising scares some—prompting comparisons to a corporate “Big Brother” spying on Internet users—it is also expected to fuel the rapid growth of Internet advertising revenues from $21.7 billion in 2007 to $50.3 billion in 2011-an annual growth rate of more than 24%. Since this growing revenue stream ultimately funds the free content and services that Internet users increasingly take for granted, policymakers should think very carefully about what’s really best for consumers before rushing to regulate an industry that has thrived for over a decade under a layered approach that combines technological “self-help” by privacy-wary consumers, consumer education, industry self-regulation, existing state privacy tort laws, and Federal Trade Commission (FTC) enforcement of corporate privacy policies.
In an upcoming PFF
Special Report, we will address the many technical, economic, and legal aspects of this complicated policy issue-especially the possibility that regulation may unintentionally thwart market responses to the growing phenomenon of users blocking online ads.
We will also issue a three-part challenge to those who call for regulation of online advertising practices:
- Identify the harm or market failure that requires government intervention.
- Prove that there is no less restrictive alternative to regulation.
- Explain how the benefits of regulation outweigh its costs.
Continue reading →
Forget net neutrality and the growing Googleplex. The real threat to Internet freedom comes from plain old criminal law.
In three weeks time, Missouri housewife Lori Drew will face trial for entering false personal details when she signed up for a MySpace account. Her indictment alone, whether or not she is convicted, should frighten anyone who’s ever filled out a form online.
The case, which captured the tabloid media when it broke last year, turns on unusual facts. Drew, posting as a teenage boy, created the MySpace account to probe why a neighbor’s daughter, Megan Meier, had broken off a friendship with her own daughter. She gave a few others access to the account, and things quickly spiraled out of control. Before long, “Josh Evans” (the fictional teen) and Meier were an online couple, and soon after that, they were hurling insults at one another on public message boards.
Meier, already suffering from depression, was devastated by Josh’s turnabout. A final private message from the Evans account–“The world would be a better place without you”–pushed her over the edge. Twenty minutes after receiving it, Meier hung herself in her closet.
Even though she was not responsible for the worst of the messages (according to a prosecutor who investigated the case but declined to file charged), Lori Drew mislead an emotionally troubled youth, and that was surely wrong.
But it’s more problematic to say that it’s a crime.
The theory of the prosecutor behind this case would make all Internet users criminals. Continue reading →
The introduction below was originally written by Berin Szoka, but now that I (Adam Marcus) am a full-fledged TLF member, I have taken authorship.
Adam Marcus, our exceptionally tech-savvy new research assistant at PFF, has published his first piece
at the PFF blog, which I reprint here for your edification.
Today Google’s DC office hosted an interesting panel on cloud computing. What was missing was a good definition of what “cloud computing” actually is.
While Wikipedia has its own broad definition of cloud computing, many think of cloud computing more narrowly as strictly web-based for which clients need nothing but a web browser. But that definition doesn’t cover things like Skype and SETI@home. And just because PFF has implemented Outlook Web Access so we can access the Exchange server via the Web, doesn’t necessarily mean we’ve implemented what most people might think of as “cloud computing.” Yet these are all variations on a common theme, which leads me to propose my own basic definition: any client/server system that operates over the Internet.
To understand the potential policy and legal issues raised by cloud computing so-defined, one must break down the discussion into a 4-part grid. One axis is divided into private data (
e.g., email) and public data (e.g., photo sharing). The other axis is divided into data hosted on a single server or centralized server farm and data hosted on multiple computers in a dynamic peer-to-peer network (e.g., BitTorrent file sharing).
Continue reading →
In response to Adam and Berin’s excellent introduction to their Googlephobia series, invaluable TLF commenter Richard Bennett succinctly sums up the rap on Google.
There’s no denying that Google has the capacity to do some pretty heinous things with all the sensitive data stored on its servers. But the relevant question isn’t whether Google could do evil, but whether it realistically will. What incentive is there for Google to do anything but keep private data as secure as humanly possible? Sure, Google could earn a nice chunk of change if it were to sell user search queries to the highest bidder. But why would Google put its entire business on the line for a comparatively insignificant short-term gain?
A major privacy breach is Google’s nightmare scenario. If anything happened to cause users to lose trust in Google, they’d go someplace else for email and search. Advertisers would follow suit, causing Google’s stock price to plummet. Google might never be able to recover from a severe privacy fiasco. Obviously, Google is well aware of its vulnerabilities on privacy, which is why Google has incredibly strong safeguards to ensure that sensitive data can’t be uncovered by a rogue product manager with an itchy trigger finger.
Then there’s the liability issue. The multi-billion dollar lawsuits that would ensue were Google to suffer a data breach or an internal leak would deal a serious financial blow to the company, especially because Google’s privacy policy is more than just a comforting statement—it’s legally binding.
Continue reading →
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.