privacy

Five-year-olds as national security threats

Boing Boing has stories on not one but two five-year-olds whose names are on the no-fly list and so get treated by the TSA as a security threat. Cory Doctorow comments:

You know, if you wanted to systematically discredit the idea of a Department of Homeland Security, if you wanted to make an utter mockery of aviation safety, you could not do a better job than this.

although I think that’s not giving the TSA enough credit: DHS continuing to employ the company that wrote the TSA web site, filled with vulnerabilities, that asked for travellers’ social security numbers and other personal information is equally effective at discrediting them.


DHS issues revised “Real ID” regulations

The Department of Homeland Security has released revised “Real ID” regulations — 284 pages long. While according to government jargon these are the “final” regulations, the first deadline for compliance has now been pushed back to December 31, 2009, so there’s still plenty of opportunity for Congress to act and change things.

Their press release now spins the system as “preventing document fraud”, and talks more about the costs of identity theft than it does about terrorism — pretty amusing in light of Privacy Rights Clearinghouse’s “Real ID Act will increase exposure to identity theft”. It also trumpets substantial cost savings, which it attributes primarily to revisions giving the states “greater flexibility in issuing licenses to older Americans”. Flexibility is a good thing, but it’ll be interesting to see what new holes they’ve introduced for terrorists and identity thieves to exploit.

I’ve blogged in the past on this issue on the Stop “Real ID” Now! blog, and will be updating it with links to analyses from the press and civil liberties organizations as they come out.


More (negative) attention to Facebook’s privacy practices

With a two-part series on TPM Cafe’s Table for One, an article in the Mercury News on Christmas Day, and the recent settlement of a suit on text messaging, Facebook continues to become a focus for discussion of privacy issues. To some extent this is a consequence of their size and success: they’re a high-profile target. Behind this, though, lurks a pattern of Facebook unilaterally making decisions that compromise user privacy, apologizing, addressing the most egregious aspects while leaving the rest in place — and then repeating.

The TPM Cafe piece is by Ari Melber of The Nation, and starts out

When one of America’s largest electronic surveillance systems was launched in Palo Alto a year ago, it sparked an immediate national uproar. The new system tracked roughly 9 million Americans, broadcasting their photographs and personal information on the Internet; 700,000 web-savvy young people organized online protests in just days. Time declared it “Gen Y’s first official revolution,” while a Nation blogger lauded students for taking privacy activism to “a mass scale.” Yet today, the activism has waned, and the surveillance continues largely unabated.

He goes on to discuss the Beacon fiasco in terms of Facebook’s past behavior, quotes some of my faves (danah boyd and a CMU study that I believe is by Alessandro Acquisti), and in his follow-on post ties Facebook — and web services more generally — to a national surveillance state. People familiar with the privacy space won’t see anything new here; what’s significant is that this is another example of Facebook privacy making the jump out of the tech ghetto to the national political scene: TPMCafe’s the extension of Joshua Micah Marshall’s Talking Points Memo, a DC-based progressive political blog that sees itself as a muckraker in the positive sense of the word and has been very active in helping uncover and publicize recent political scandals.

The lawsuit settlement specifically relates to Facebook continuing to send text messages to cellphone numbers after they had been recycled. Facebook didn’t admit any wrongdoing, but did agree to “make it easier for recipients of text messages to block future messages originating from the social network” and “work more closely with mobile phone carriers to monitor the lists of recycled numbers and reduce the frequency of unwanted text messages.” The fact that people had to resort to a lawsuit to get action on these basic business practices paints a rather unflattering picture of the company’s arrogant attitude towards its users — and to the non-users who got the recycled numbers and then were billed for the messages.

Elise Ackerman’s “Facebook alarms privacy advocates again” talks about a Facebook signup icon showing up on smartphones without the owners’ permission. This is privacy in the classic sense of “the right to be left alone”, not being tracked; and of course this is something that phone companies do routinely, viewing phones’ “screen real estate” as a spot for advertising and product placement … so “alarm” seems somewhat overstated. Still, given the pattern above, Jeffrey Chester (of the Center for Digital Democracy) sounds on-target to me when he says “It illustrates a basic problem over at Facebook, which is their need to fatten their bank account is confounding their need to protect the privacy of their members.”

And not to sound like a broken record or anything: this kind of attention augurs well for proposals like the national “do-not-track” mechanism — and increases the probabilities that populist-oriented politicians in any party will seize on privacy as a chance to differentiate themselves this upcoming election year.


Did Blockbuster and Facebook violate the VPPA via Beacon?

James Grimmelmann has an excellent post over at the Laboratorium. His summary:

Another member of a professorial mailing list I’m on asked whether Facebook may have violated the Video Privacy Protection Act of 1988. Nicknamed the “Bork Bill” (a newspaper published his video rental records during his confirmation hearings), the VPPA protects your privacy in the videos you rent and buy. Well, guess what? One of Facebook’s Beacon partners was Blockbuster, so some of the items that wound up in people’s news feeds were the names of videos they’d bought. Oops.

I dug a bit into the legalities of the issue, and this is roughly what I came up with: Facebook and Blockbuster should hunker down and prepare for the lawsuits. Their recent move to allowing a global opt-out may cut them off from accruing further liability, but there’s probably an overhang of damages facing them from their past mistakes.

As usual with James, it’s a very detailed analysis; the discussion is also excellent.

Looking specifically at Blockbuster’s liability, there’s an interesting parallel to my as-yet-unanswered question, in the thread about Beacon’s announcement of a global opt-out, about whether Beacon caused advertisers to violate their privacy policies. In the web 2.0 world, the dependencies between software components mean that service providers (Facebook in this case) can put their customers (Blockbuster) at legal risk. As Google, Yahoo, Microsoft, Amazon, eBay, Facebook et al. compete, it will be a major advantage to whoever first seizes the high ground by providing services and platforms that are noticeably less risky. In addition to the classic considerations like security and ability to deliver on service level agreements (SLAs), this will increasingly include considerations like well-thought-out policies — and getting and listening to a broad range of perspectives, including from privacy advocates, before launching new services.


Facebook introduces better opt-out, apologizes for “Beacon”

Well, it’s a start: in response to what’s getting characterized as a firestorm of criticism, and Monday’s disclosure that the tracking extends to third-party sites (including IP addresses of people who haven’t even signed up for Facebook), they’ve now followed up last week’s shift to more of an opt-in model with the introduction of a global privacy control that lets users, um, opt out. At least that’s what it seems to me that Mark Zuckerberg’s blog post says:

Last week we changed Beacon to be an opt-in system, and today we’re releasing a privacy control to turn off Beacon completely. You can find it here. If you select that you don’t want to share some Beacon actions or if you turn off Beacon, then Facebook won’t store those actions even when partners send them to Facebook.

It’s a good thing, of course, and Facebook does seem to get it that they screwed up: “We’ve made a lot of mistakes building this feature, but we’ve made even more with how we’ve handled them. We simply did a bad job with this release, and I apologize for it.” Still, it’s just a band-aid; and especially since this is the second time in a year Facebook’s done something egregious from a privacy perspective and then backtracked slightly and slowly under pressure, I really wonder how much user trust they’re losing in the process.

What’s interesting and encouraging is that the opposition to this didn’t come just from privacy advocates or the tech community: there was significant mainstream coverage, and MoveOn getting involved takes things to a whole new dimension (although risks politicizing the issue). This is significant both because it alerts politicians to an opportunity here, and because it strengthens the hand of the consumer rights and civil liberties groups calling for stronger protections. If the call for a do not track list was the “first salvo in the war over behavioral targeting”, then this was the first skirmish — and it’s going in favor of the good guys.*

* in the gender-neutral sense of “guys”, of course


“The Facebook betrayal – users revolt over advertising sell-out”

Nice article by Susie Mesure and Ian Griggs in the Independent on Sunday on responses to Facebook’s new “social advertising” direction from users and consumer advocates. The contrast between the 35,000 people in “My photos are MINE! NOT Facebook’s! Change the Terms and Conditions” and fewer than 600 “fans” of Coke is a nice hook (although of course it’s early days yet). Featuring a quote from my favorite privacy advocate, Deborah Pierce: “Users should be concerned. They have no idea who has access to information about them from the site.”

This follows on the discussions at the recent FTC Town Hall, an FTC letter from the Center for Digital Democracy (Jeff Chester’s quoted in the article as well) and US PIRG, and the call for a national “do not track” list by a broad coalition of organizations including Privacy Activism, EFF, Privacy Rights Clearinghouse, World Privacy Foundation, Consumer Federation of America, and CDT. One of the articles describing the do not track list called it the “first salvo in the next privacy battle” or something like that; looks like things are heating up quickly.

jon
