Open for Questions at change.gov: What about privacy?

The Obama transition team’s Open for Questions pilot last week went extremely well for a first attempt.  Combined with all the other promising things Micah Sifry discusses in Kudos to the Change.gov New Media Team, it seems to me that the Obama administration is on track for some effective ways of leveraging cognitive diversity and “wisdom of the crowds” effects, cutting past the gatekeepers in the media, and getting Obama direct feedback from Americans.

At least for those Americans who are willing to give away their privacy as the price for interacting with their government.

Bob Fertik’s Americans Want Real Change from Obama – Not Media Garbage on Democrats.org is a good summary of Open for Questions first week from the perspective of a participant.  People from across the country submitted a wide range of questions.  The ones that were voted to the top were excellent: cleanly worded and on topics that need more attention.  Here’s one on civil rights, from Kari in Seattle, which finished #2 overall:

“What will you do as President to restore the Constitutional protections that have been subverted by the Bush Administration and how will you ensure that our system of checks and balances is renewed?”

Yeah, really.  There’s a lot that Obama can do here (the Liberty and Security coalition’s recommendations are a good summary).  Will he?  I’m all ears!

So it’s great stuff, especially for a pilot.  At least until you pull back the covers …

Change.gov’s privacy policy reassuringly says “It is our general policy not to make Personal Information available to anyone other than our employees, staff, and agents.”  However, as James Grimmelmann just pointed out in Total Information Awarness in TNR in describing the similar “mealy-mouthed” privacy policy on my.barackobama.com, courts have repeatedly found that statements about “general policy” have no legal force.

And in fact the reality is very different.  Open for Questions’ functionality is provided by Google Moderator, and seeing the “Sign in” link on a .gov site route through Google* is downright creepy.  Scroogled! As Christopher Dorobek points out on DorobekInsider, this means the information isn’t covered by the Privacy Act.  And that’s just the tip of the iceberg.

Dan Goodin in The Register and Chris Soghoian on CNet’s Surveillance State have already described the issues with change.gov’s usage of Google Analytics and YouTube giving a private corporation the ability to track people as they interact with a government site; this is more of the same and even worse.  The precise information about people’s opinions from Open For Questions adds a whole new level of concern.

Mike Stark made a really interesting point to me in email that I haven’t seen expressed so crisply elsewhere:

Google could (conceivably – and especially for those of us with gmail addresses) use a record of this data to really get involved in people’s personal political predilections.

Indeed.  They wouldn’t do it to be evil, of course, they’d just think of it in terms of “efficiency”, “user convenience”, and “monetization” … but still, it starts to look a lot like selling democracy.  I wonder if anything in change.gov’s contract with Google prohibits this?

Not according to the privacy policies.  A quick glance at the relatively-short Google Moderator on change.gov privacy policy gives the impression that the only way Google will this information is internally, “to deliver the best possible service to you. ” If you click through a couple more links,** though, you get to the Google Privacy overview and privacy policy and there are a bunch of other uses.  Like for example

We may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term …. Such information does not identify you individually.

Even giving everybody involved the benefit of the doubt that this information can’t be disaggregated and used to identify individuals, I don’t much care for our government giving Google control over which third parties it “shares” this information with.  About that selling democracy …

And then there’s this:

Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information on a server outside your own country.

Um, isn’t this something people might want to know before using change.gov, instead of having to chase down three levels of links?   Shouldn’t there be something in big red letters on the main page of Open for Questions along the lines of

Warning: this site whose URL looks like part of the US government may send your personal information to another country where it is governed by local laws.

Or hey, even better, why not provide this functionality in a way that doesn’t put people’s personal information at risk in this and a zillion other ways?

To be fair, Open for Questions is a pilot.   If things like this start to get addressed now, they’ll be seen in retrospect part of the growing pains of change.gov – it’s far from the first V1 product that ignored privacy early on.  But will they?

There’s a broader pattern of the Obama transition ignoring privacy concerns, discussed in posts by Sarah Lai Stirland on Wired’s Threat Level, Nancy Scola on techPresident, and me in Some early disquieting signs.  There’s no way to know if this is an intentional decision by the transition team not to prioritize this — or just lack of attention to it or understanding of the issues — but in any case it’s a bad sign.

The risk is that if nobody’s paying attention to it, this kind of privacy-invasive behavior get institutionalized and the participative democracy of the future is also a panopticon.  And if it’s a lack of understanding, that also bodes ill for the discussions coming up about behavioral advertising, the PATRIOT Act, and other privacy-related issues.***

It sure would be great to hear the Obama team’s thinking on this.  Their technology policy commits to “safeguard our right to privacy” but their actions certainly don’t match the words.

Maybe I’ll ask about it in next week’s Open for Questions :-)

jon

* yea, really: the Sign In button routes you to a URL that starts with https://www.google.com/a/change.gov/ServiceLogin?service=

** to get there from Open for Questions, scroll down to the fine-print Disclaimer and click on the privacy policy.  Then ignore all the big and bolded headlines and instead click on the Google Privacy Policy link which takes you to a page with the headline “At Google, we’re committed to transparency and choice”.  Then you can click on either the Privacy overview and privacy policy.  Studies consistently show that most people don’t read privacy policies … when you have to go through hoops like this, is it any surprise?

*** like FISA, for example, where Obama’s actions similarly haven’t matched his rhetoric.