Posts about privacy

Creepy

I just reamed an ITN producer who emailed me this clip about Google seeking a patent for using background noise in audible search requests and wanted to talk to me “off the record” (why he’d offer that, I don’t know; bad reporters’ reflex) to find out what “worries” I had about privacy and security. Note well that he didn’t ask me what I thought of the technology — whether I thought it was good or bad, how I thought it could be used positively or negatively, what its potential is. No, he showed his bias clearly by asking me to tell him what was wrong with it. Is that how a journalist should operate?

He called me and I challenged him about what was wrong with this. I want Google to know where I am so when I ask for pizza, I don’t get a treatise on the history of pizza. If Google can hear the background when I search for “Raptor” and realize whether I’m in a noisy stadium or a quiet museum, I want it to guess well whether I want jocks or dinosaurs. What’s wrong with that? I ask back. Some people will think it’s “creepy.” I asked him to define creepy. The word is imprecise, emotional, and lazy, used not to elicit facts but quotable opinions. Is that how a journalist should operate?

Thus we see the sprouting of another incident of Luddite reporting on technology with a Reefer Madness touch of sensationalism, just like the Wall Street Journal’s What They Know series and last week’s Consumer Reports moral-panic survey on Facebook.

What gets me angry — besides lazy journalism — is the danger this presents to the freedom of the web. These alleged journalistic endeavors will be used to set public policy and to try to regulate and limit the freedom of the net.

I find that creepy.

Consumer Reports’ moral panic

I’m very disappointed in Consumer Reports for falling into the moral panic about privacy and social services. Today it issues a survey and a Reefer Madness report that covers no new ground, only stirs it up, over privacy and Facebook. Let me address instead the survey. In its press release, Consumer Reports says — as if we should be shocked at these numbers — that:

* 39.3 million identified a family member in a profile. Do we really live in a world where it should be frightening to talk about our family?

* 20.4 million included their birth date and year in their profile. And so? People can wish you a happy birthday. I think that’s nice. I don’t see the harm.

* 7.7 million “liked” a Facebook page pertaining to a religious affiliation. Oh, ferchrissakes. This is a country where people wear their religious affiliations on their sleeves and T-shirts and bumpers and shout about it in their political arguments. This is a country that is founded on freedom of religion. Why the hell wouldn’t we talk about it?

* 4.6 million discussed their love life on their wall. What CR doesn’t say is how often that discussion is restricted to friends and how often it is public. And if it is public, so what. I’ll tell you I love my wife.

* 2.6 million discussed their recreational use of alcohol on their wall. IT’S LEGAL.

* 2.3 million “liked” a page regarding sexual orientation. And thank God for the progress against bigotry that indicates.

* The survey also said that 4.7 million people liked a Facebook page about a health condition. Well, I say that is a wonderful thing, finally taking illness out of the Dark Ages social stigma of secrecy and shame. It’s about time. This week, Facebook allowed us all to donate our organs — publicly or privately; our choice. In the first day, 100,000 new people signed up to do so. You know that I found benefit writing about my prostate and penis there. Who is Consumer Reports to imply that this publicness is a bad thing.

My fear is that such fear-mongering will lead to more regulation and a less open and free net.

Last night, a good friend of mine complained on Twitter that Google had knocked his 10-year-old son off when he revealed his age. My friend got mad at Google. Oh, no, I said, get mad at the FTC and COPPA (the Children’s Online Privacy Protection Act) and its unintended consequences. It makes children lie about their ages and puts us in a position to teach them to lie. It had mnade children the worst-served sector of society online. The intentions are good. The consequences may not be.

That is the case with regulation of the net being proposed under the guises of privacy, piracy, pedophilia, decency, security, and civility. That is why we must defend an open net and its ability to foster a more open society. That is why I find the kind of mindless fear-mongering engaged in by Consumer Reports dangerous.

Consumer Reports is not fulfilling its mission to protect us with this campaign. It will hurt us.

Piracy v. do not track

Consider the similarities between piracy and do not track. They’re greater than you think, for both reduce value for content creators. And both are excuses for internet regulation.

In piracy, a content company sets business rules: You must pay for my product; if you take it without paying for it, you are robbing me of value.

With do not track, an advertising-supported content company sets business rules: You will get my content for free because I will serve you ads and I will increase their efficiency, performance, and value by targeting them to your interests and behavior; if you block the cookies that make that possible, you are robbing me of value.

The difference between the two is that there is a furor over piracy as theft but, quite to the contrary, there is a rush to enable the blocking of ad tracking as a virtue.

If you listen to The Wall Street Journal, Apple was a good guy for blocking by default third-party cookies (ask what Apple gets out of that). And it’s good news that technology companies just agreed to implement a do-not-track button on browsers.

There is nothing sinister about third-party ad tracking cookies. They’ve been used since very early in the history of the web when General Motors, for example, insisted in serving its own ads on content sites so it could verify what was bought and optimize its targeting. Without that ability, many large advertisers will refuse to buy ads and the value of ad-supported media could plummet — just at a time when we are concerned about how we will support news media.

Odd that a media company wouldn’t be crying foul. The Journal’s owner, Rupert Murdoch, cries bloody murder over piracy — going so far as to accuse Google of theft — but his paper crusades for blocking tracking, claiming it is a violation of privacy (though in most cases, the cookies have no personally identifiable information and so it’s hard to justify a moral panic based on their use).

Murdoch’s News Corp is, at its core, an entertainment company, thus a paid-content company. The ad-supported portion of his P&L is not only small but is causing him much agita as his journalists in the U.K. are accused of violating laws of the nation and the profession.

I’m not building a conspiracy theory. I’m just pointing to the priorities that emerge when one follows the money.

So what about the rest of the industry — the media, advertising, and technology industries, that is? Oh, they blew it. They were never transparent enough about what technology they were using, what data they were gathering, and why — not to mention the benefits that accrued to their users (i.e., free content). That opened the door for other parties — privacy scare-mongers, competitors for our media attention, and government regulators — to demonize the mysterious cookie and stir up this moral panic and paranoia. The M.A.T. industries have only themselves to blame.

In the EU, government regulators have decreed that sites must obtain opt-in permission to set cookies. In the US, the industry agreement today announced is an attempt to forestall government regulation with self-regulation.

But don’t be too quick to celebrate as if these are consumer victories. I believe the EU dictum could lead to (a) a much poorer web experience as we are bombarded with boxes to tick and (b) poorer media companies and thus (c) the possibility of less free media and more pay walls. And in the U.S., it has been shown that one can whip up an anti-net hysteria and bring even giant technology companies to expose their soft underbellies. Each leads to more threats of regulation of the net. That’s what I fear.

It is time for technology companies especially to adopt radical transparency of how they operate so they can’t find themselves in gotcha moments when the hysterical “discover” something they’ve been doing all along. Under such openness, it is also time for them to learn that doing sneaky things will not benefit them. And it is also time for the media, advertising, and technology companies to start fighting back against accusers’ misinformation and explain the truth of what they are doing and how we benefit. That is transparency’s dividend.

LATER: By the way, this post was inspired and informed by a discussion last night on This Week in Google, in which Leo Laporte said he was grateful that I was going so far that I was making him look moderate.

One more point from that discussion: We all practice blocking ads when we fast-forward through commercials on our DVRs. And the industry adapted and still prospers (for now). That’s what may happen here. But one should still recognize the impact of one’s actions — whether skipping or blocking — on the economics of what is provided. And one difference is that we have to skip each commercial manually (especially since, as Leo pointed out, a company that provided easy 30-second skipping was hounded out of business as a result). In the case of do not track, especially government-mandated opt-in — that is wholesale devaluing of advertising in a medium.

Privacy and speech

Two notable decisions in Europe reflect the tension between privacy and free speech.

The European Court of Human Rights came down on the side of press freedom — thus speech — when it ruled in favor of media reporting on public figures. And a Dutch German court ruled that journalists had a right to interview a Nazi murderer with hidden cameras.

This tension is addressed but only glancingly in the EU’s proposed rules on privacy, which create vague carve-outs for journalism, history, and scientific research.

What none of this acknowledges at a more fundamental level the right we have to talk about someone else (with carve-outs for libel and slander already in the law) — not just the press and not just public figures. If you tell me I must forget you and erase what I have said about you, then you affect my speech. If you reveal something to me and I interact with that information and then you claim the right to pull back your information, then we must debate about who has rights to the results of our interaction (whether that is a conversation or a transaction).

Privacy isn’t as simple as some of its advocates would lead us to believe. It is interweaved with other rights and interactions.

I’ve been studying the full proposed EU privacy regulations and now I’m going through ancillary documents. I’ll be writing more about this soon.

#DLD12: Viviane Reding on privacy

I’m at the DLD conference in Munich. Haven’t live-blogged in ages. But the European Commission vice-president Viviane Reding is speaking and I disagreed with her rather a lot in Public Parts, arguing that her four pillars for internet governance — privacy by default, demanding European standards for storage of data, the right to be forgotten, and transparency — bring unintended consequences.

Reding says that in “Europe, we have too many rules, too many conflicting rules.” So she wants to take over the rules for all Europe. Look at SOPA, too: There is a competition among governments to regulate the internet, to consolidate power.

“Persosnal data is the currency of today’s digital market. And like any currency, it needs stability and trust,” Reding says. Yes, but is government — which can most abuse our data — its best protector?

“Can we be sure that the rules we make today will fit tomorrow?” she asks. She says one cannot build rules that are too rigid; they need to be “futureproof.” But then, they also become very broad and that, too, has consequences.

She argues that following 27 separate sets of regulations costs 2.3 billion euros a year. Again, she justifies taking over local authority. But that is the EU.

She also calls for a smoother exchange of data among police authorities in the EU members to fight terrorism. Well, that sounds like the greatest threat to privacy I can imagine: all governments pooling what they know about you.

Reding says companies will be required to appoint data protection (privacy) officers. Thus the regulatory-industrial complex of the new privacy industry grows.

She says data-protection authorities need to be “independent” of politics. Does that mean they are above government by the people and representation?

Now to her “right to be forgotten.” It is a right, she says, to “withdraw permission” for data held by companies. I fear the implications for free speech. And on a practical level, how can one as a principle to tell people to no longer know what they know?

She says it is not an absolute right. “There are no absolute rights,” she says. She says it’s not a right to erase history or impact media. So this shows the problem with this notion, when one starts making exceptions for a principles.

Now she speaks about the debate about the freedom of the internet. She says the freedom of information and expression is a basic right and “this is directly linked to the freedom of internet, which has thus to be preserved. But those are not the only freedoms…. Sometimes one must balance freedom.” She claims the right of the creator (read: copyright) is “equally important.” Really? Higher than speech? But she says that Europe will never pass blocking legislation (read: SOPA).

No opportunity to question Reding. Shame.

Now a Microsoft guy is giving a talk and I cannot figure out what he’s trying to say. Otherwise, I’d blog it.

Next up, Andrew Keen. Polemic time. He reads a quote from Sheryl Sandberg about deeper portraits online. “I’m here as someone who is raising my voice in defense of lost privacy,” he says. But he doubts that Reding and government are the protectors.

He calls me a spokesman for “the cult of the social.” AKA society, I’d say.

He says we need to learn to live alone. Funny, but the internet was last accused of making us antisocial and now it’s accused of making us too social. It makes us neither. We make it.

Now Nick Bilton leads a panel asking the premise of his book: is privacy dead. Garg.

Odd how the topic of privacy has turned an internet conference into an anti-internet conference.

Nick asks 4Chan’s Chris Poole whether we “should allow anonymity on the net.” That’s how the net is built, Nick. It already is allowed. It is part and parcel of free speech.

I have no tongue left. I bit it off.

FTC Fines Santa Claus Over COPPA Violations

WASHINGTON–Federal Trade Commission Chairman Jon Leibowitz today announced a record fine against Santa Claus for violations of the Children’s Online Privacy Protection Act.

“Mr. Claus has flagrantly violated children’s privacy, collecting their consumer preferences for toys and also tracking their behavior so as to judge and maintain a data base of naughtiness and niceness,” Leibowitz said. “Worse, he has tied this data to personally identifiable information, including any child’s name, address, and age. He has solicited this information online, in some cases passing data to third parties so they may fulfill children’s wishes. According to unconfirmed reports, he has gone so far as to invade children’s homes in the dead of night. He has done this on a broad scale, unchallenged by government authorities for too long.”

Claus was fined $2 million and ordered to end any contact with children. Prior COPPA fines include $1 million against now-virtually-unknown social site Xanga, $400,000 against UMG Recordings, and $35,000 against notorious toymaker Etch-a-Sketch.

The FTC action follows similar complaints against Claus brought by European privacy authorities. European Commission Vice-President Viviane Reding has complained about Claus holding data on children outside of EU data-protection standards in North Pole server farms. German head of consumer protection Ilse Aigner has called for an investigation of Claus’ use of Google Street View in navigating his Christmas Eve visits. German Federal Commissioner for Data Protection and Freedom of Information Peter Schaar has demanded that Claus give children, naughty or nice, the right to be forgotten in his data base. And Thilo Weichert, head of the privacy protection office in the German state of Schleswig-Holstein, demanded that German web sites take down any Facebook “Like” button referring to Claus.

Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart has attempted to bring together an international coalition of privacy officers opposed to Claus’ practices. In California, Claus has been threatened with severe penalties for nonpayment of the state sales tax. And the UK has vowed that Claus will be detained and could face extradition should he set foot in any English chimneys on Christmas Eve.

Reaction to the FTC decision was mixed in Washington. Republican presidential candidate Rick Perry vowed to kill the Federal Trade Commission, relieved that he had finally recalled the final agency he had marked for death. Rival Newt Gingrich suggested that Claus apply for U.S. citizenship, “having contributed much to U.S. industry by stimulating greed at all ages; we need more Clauses and more spending to fix this Democrat-ruined economy.” Ron Paul suggested that Claus set up a Liberatarian nation at the North Pole and offered to run for office there. Herman Cain, whose candidacy remains on hold after allegations of sexual improprieties, said that he “always wondered why the old coot didn’t get in hot water for plopping kiddies on his lap; seemed a lot creepier than anything I ever did.” President Barack Obama refused comment.

From his North Pole headquarters, Claus said through a spokesman that he endeavored only to fulfill children’s dreams. “I regret that the world has come to this: treating any adult who wants to make a child happy as a dangerous stranger,” he said. “The problem with our modern world is not technology but fear, suspicion, and cynicism.” He vowed to continue his Christmas mission of joy. “What’s the worst they can do to me?” he asked, “cookie me?”

Contact: Elfelman Public Relations
Photo via Dreadcentral

Do-not-track hypocrisy

Sunday’s New York Times editorializes in favor of Do Not Track and other privacy legislation going through Congress and the Federal Trade Commission. Yet The New York Times itself makes much use of personal, private, and tracking information itself. Indeed, it requires tracking.

The editorial (my emphasis): “Congress should act on the F.T.C.’s recommendation to establish a system that would allow consumers to effectively opt out of all tracking of their online activities. There are other worthy proposals, including the administration’s call for limits on the collection of data about consumers online. Lawmakers have proposed about a dozen privacy bills this year alone. But with Congress stuck in a partisan rut, it is reassuring to see the F.T.C. at work.”

Now read The Times’ privacy policy (and highlights):

* If you subscribe to the print New York Times, the company will sell your name *and address* and other unspecified data to others. “If you are a print subscriber to The New York Times newspaper and subscribed either by mail, phone or online, we may exchange or rent your name and mailing address and certain other information, such as when you first subscribed to The New York Times (but not your e-mail address) with other reputable companies that offer marketing information or products through direct mail.” That’s not opt-in; it’s opt-out.

In Public Parts, I argue that privacy policies in old media have long been far worse than online. Magazines, newspapers, and other recipients of your media money have for years sold information about what you read and consume and who you are and where you live to large data-base companies and marketers. If a library or an online site did that, it would be shot. But The New York Times does that. Want to pass a law about that, Times?

* The New York Times requires that you use cookies. It decrees: “You will not be able to access certain areas of our Web sites, including NYTimes.com, if your computer does not accept cookies from us.” So what happens when Congress passes Do Not Track, Times?

In its explanation of cookies, The Times says: “Our registration system requires that you accept cookies from NYTimes.com in order to log in to our Web site. Cookies are not spyware, viruses or any other kind of malicious program. For best results, set your browser options to accept all cookies from NYTimes.com. You can use your browser options to clear the cookies later, if necessary.”

Precisely. You have many means now to get rid of cookies: You can turn them off, kill them at the end of every session or whenever you want, or open a private session (an “incognito” window in Chrome) that relays no data about you. Do Not Track is redundant. It’s political cynicism.

Oh, and The Times — which gathers more personally identifiable data about you than most any other newspaper — could not operate its paywall without cookies.

* Just like other online marketers, The Times uses cookies to target advertising. “The New York Times Home Delivery Web site also transmits non-personally identifiable Web site usage information about visitors to the servers of a reputable third party for the purpose of targeting our Internet banner advertisements on other sites. To do this, we use Web Beacons in conjunction with cookies provided by our third-party ad server on this site.” Would The Times outlaw this essential business behavior? This is how The Times earns its premium rates with branding advertisers.

* The Times hires a number of analytics companies to track your behavior, from the creepily named Audience Science to WebTrends for the web and from Localytics to the fluffily named Flurry for mobile.

* The Times logs what pages you see and uses that to recommend content.

* It logs your location if you use mobile applications.

* It allows third-party ad servers to place cookies on your computer and track your behavior.

Note, too, that The Wall Street Journal, which has been on a Reefer Madness high regarding privacy, also collects personally identifiable information and connects it to browsing history without users’ permission. More hypocrisy.

Mind you, I do not object to any of these tracking behaviors. They are, in my opinion, necessary to pay for the content we get from The Times and The Journal and much of the rest of media. They are used to reduce noise, repetition, and irrelevant advertising and content. They are all-in-all harmless and have been demonized by privacy’s regulatory-industrial complex and now even by The Times. If The Times gets its wish and Do Not Track passes, enabling too many consumers “to effectively opt out of all tracking of their online activities,” then I fear we will get less content or more paywalls or both.

I also argue that media and marketing companies have done a godawful job of letting their customers know what information they were gathering and what they were doing with it and how consumers benefited. They long ago should have learned from Amazon, which reveals what it collects and what results and enables customers to see and control and correct that information (which also only gives Amazon yet more valuable data). So it’s their own damned fault they’ve been demonized, opening the door to the cynical pols and bureaucrats who proposed Do Not Track — and to their allies, such as The Times editorialists, who argue on the basis of nonspecific emotions rather than tangible facts about harm and consequences.

Debate on privacy: the fuller text

The Wall Street Journal today publishes excerpts from a debate among me, danah boyd, Stewart Baker, and Christopher Soghoian about privacy (and publicness). They had us write to specific lengths, so I was surprised that they didn’t publish the entire conversation, even online. So if you can bear more, here are my complete bits; I’ll let me fellow debaters post their own.

Later: Here are danah boyd’s complete answers.

Part I:

Privacy is important. It deserves protection. And it is receiving protection from no end of self-appointed watchdogs, legislators, regulators, consultants, companies, and chief privacy officers: an entire regulatory/industrial complex. Privacy is in good hands.

It’s publicness I worry about: our corresponding right and newfound ability to use this Gutenberg press we all now own—the internet—to speak, assemble, act, connect, and collaborate in a more open society. I fear that that if we over-regulate privacy, managing only to the worst-case, we could lose sight of the benefits of publicness, the value of sharing.

Our new sharing industry—led by Facebook, Twitter, Google+, YouTube, Foursquare, blogs, and new services launched every day—is premised on an innate human desire to connect. Eight hundred million people can’t be wrong. That’s how many people use Facebook alone to post more than a billion artifacts of their lives every day. These aren’t privacy services. They are social services.

But the private/public discussion to date has focused almost exclusively on privacy and worry. New technologies that cause disruption have often led to collective concern about privacy. After the invention of the press, the earliest published authors fretted about having their thoughts associated with their names, set down permanently and distributed widely. The first serious discussion of a legal right to privacy in the United States did not come until 1890, spurred by the invention of the portable Kodak camera and the rise of the penny press. For a time, President Teddy Roosevelt banned “kodakers” from Washington parks.

Now we are at the dawn of the greatest technological disruption since the press and it brings corresponding concern. It is well to worry about what could go wrong so we may guard against it, to assure that companies and especially government do not surveil us to our detriment.

But I ask us to also recognize and guard the publicness our new tools empower. I hope we engage in another discussion about the principles of an open society: the right to connect, speak, assemble and act; privacy as an ethic; the call for our institutions to become transparent by default and secret by necessity (now it is reversed); the value of maintaining the public square; and the need to safeguard the people’s net from tyrants, censors, private control, and the unintended consequences of well-meaning but premature regulation.

Privacy has its protectors. What of publicness?

Part II:

Privacy legislation and regulation are awash with unintended consequences.

Germany’s head of consumer protection, Ilse Aigner, surely believes she is guarding citizens’ privacy when she urges them to exercise their Verpixelungsrecht, their so-called right to have photos of buildings taken from public streets pixilated in Google Street View. But she sets a precedent that could affect the free-speech rights of journalists and citizens. She diminishes the public square at the public’s cost.

The U.S. Children’s Online Privacy Protection Act says sites may not use information specific to a child under 13 without written (that is, faxed, scanned, or videoconferenced) parental consent. The result: Children learn to lie about their age. And young people are likely the worst-served sector of society online. That is a tragedy of lost opportunity.

The Do Not Track legislation making its way through Congress threatens ad tracking and cookies. This newspaper demonizes them as “intrusive” and “intensive surveillance.” FTC Chairman Jon Leibowitz denounces media that use them as “cyberazzi.” Though most of this data is anonymous. Taken too far, Do Not Track could devalue online media, resulting in less content, more pay walls, and a less-informed populace. The road to ignorance may be paved with good intentions.

Part III:

Stipulated: Anonymity, pseudonymity, and even nicknames need to be protected for the vulnerable, dissidents in danger, whistleblowers, and even game players, for the sake of their speech.

That said, real people and real relationships have proven to add value, accountability, and civility to online discourse.

Stipulated: The advertising, media, and sharing industries have done a dreadful job being open about what they track, why, and what benefits accrue to their users. The mess they’re in is much of their own making.

Even so, online tracking is being demonized in shrill fear-mongering (Chris’ is but one example), which doesn’t acknowledge that most of this data—unlike the consumer data bases of preinternet marketing—do not contain names and addresses. There is little discussion of harm or benefit, only vague fear.

Stipulated: We need to come together as one society to perform certain functions, such as voting and taxation.

But we are not a mass. The myth of the grand shared experience of media—all of us hanging on Uncle Walter’s every pause—was an unfortunate, half-century-long aberration. Democracy should be a cacophony of ideas and perspectives. Thanks to our new tools of publicness, we are regaining the power to create and find our own publics.

Identity can aid connections. Tracking can produce relevance. Personalization can reduce noise. These are benefits of the net.