Monday, August 31, 2009

The Privacy Implications and Challenges of Google Book Search

As I have written about fairly extensively on this blog, Google has developed a rather adversarial relationship with privacy advocates. The company's seeming disregard for privacy becomes only more serious a problem as its size and scope continues to expand and the corner it has on market after market keeps increasing.

Now, I've posted a lot about Google's less than stellar record in the past, from their lobbying efforts in Congress, to cloud computing, and to its increasing usage and expansion of behavioral marketing techniques. My guess is that if you didn't already know all the "problems" Google has in this area you'll be rather shocked to find out.

Now with the soon to be launch of Google Books just around the corner, privacy advocates have once again been forced to spring into action due to fears the company will give privacy short thrift.

Already, the ACLU, Electronic Frontier Foundation, and the Samuelson Clinic have launched a Google Book Search privacy campaign - one component of the ACLU-NC's dotrights project.

So what is "Google Book Search" and why are privacy advocates so concerned?

The ACLU does a good job framing the issue: What you choose to read says a lot about who you are, what you value, and what you believe. That’s why you should be able to learn about anything from politics to health without worrying that someone is looking over your shoulder.

The good news is that millions of books will be available for browsing and reading online. The bad news is that Google is leaving reader privacy behind. Under its current design, Google Book Search can monitor the books you browse, the pages you read, and even the notes you take in the "margins." Without strong privacy protections, all of your browsing and reading history could be collected, analyzed, and turned over to the government or third parties without your knowledge or consent.

In other words, without strong privacy protections, all of our browsing and reading history could be collected, analyzed, and turned over to the government or third parties without our knowledge or consent.

We're not talking about just another library mind you - librarians utilize a different standards for dealing with user information than does the online world. Many libraries routinely delete borrower information, and organizations such as the American Library Association have fought hard to preserve the privacy of their patrons in the face of laws such as the U.S. Patriot Act.

The concerns of privacy advocates are not hypothetical - nor should they be discarded as paranoia. Our country has a long history of government efforts to compel libraries and booksellers to turn over customer records and information. Why would anyone believe, particularly after the warrantless wiretapping scandal, that the government won't ask a company like Google to turn over the treasure trove of private personal information it has on millions of Americans?

For these reasons and more, it is essential that Google Book Search incorporate strong privacy protections. Without such protections, we're talking about a virtual one-stop shop for government and third party "fishing expeditions into the personal details of our lives."

Again, these concerns are not hypothetical. Just three years ago the U.S. attorney subpoenaed Amazon for the used book purchase records of over 24,000 customers in the course of a grand jury probe investigating a single individual.

The good news was a federal judge agreed that Amazon should not have to turn over this information about its customers, saying that if word spread over the Internet that the federal government was probing book purchase information , “the chilling effect on e-commerce would frost keyboards across America."

If there ever was a time to make sure that Google doesn't put an end to reader privacy as we know it would be now. At present, all Google has done is make a lot of informal statements about privacy, while failing to provide an actual privacy policy with specific promises to consumers.

Criticisms of Google aside, there is reason to believe that citizen and organization pressure on the company can and will pay dividends. After all, it has taken extra steps to preserve privacy with other offerings, from blurring faces on Google Maps Street View to keeping records for Google Health users separate from other Google services to not keeping a log of user locations with Google Latitude (not to say there aren't still concerns with these products).

After the article I'm featuring today, I'll also provide a brief list (and link to) specific recommendations advocated by the ACLU and sent to Google in hopes they will be adopted by the company.

Now to the editorial by Leslie Harris, president and CEO of the Center for Democracy & Technology:

...offline, the right to read anonymously enjoys strong constitutional protection. For decades, libraries have protected the rights of readers to remain anonymous. Such anonymity is protected by the First Amendment and is a cornerstone of intellectual and political freedom. Almost all states have library confidentiality laws. The question is whether and how Google will honor these protections as it designs and builds Google Book Search and develops policies to guide its use of customer data.


Under the proposed settlement, Google will be required to collect a substantial amount of information about the people who use Google Book Search. Google will need certain information to control how much content users access electronically (in most cases, users will have access to about 20 percent of a book's content before they must pay) and to track royalties due authors and publishers, among other things.

Even taken in a vacuum, the idea of a massive database of readers, cross-referenced by their reading preferences, choices and activities, raises serious privacy concerns. But those concerns are magnified when considered in the context of the sensitive personal information that Google already collects and controls. Through its broad array of applications and services, Google has access to a great deal of user information.


Combining reader information with its existing database of user information would allow Google to add a rich and intimately personal dimension to its profiles that could become very attractive to marketers, litigators, the government and others with an interest in profiting from sensitive personal data.

It's easy to see how such an environment could easily lead to significant privacy exposures, especially given the absence of a comprehensive federal consumer privacy law.

Taking thoughtful steps to protect privacy now will help to ensure that Google Book Search lives up to its promise as a powerful social good, rather than becoming the next lightning rod in our ongoing national debate over privacy on the Internet.


First and foremost, Google must make absolutely clear to its users what information it is collecting, and how that information will be used. While such notice is a linchpin of all privacy policies, Google Book Search should strive to set a new bar for clarity and conspicuousness. Readers should know exactly what they're getting, and exactly what they're giving up in return.

The recommendations also call on Google to establish limits so that it collects only the information it needs to complete Google Book Search transactions. For instance, Google shouldn't have to collect or store significant information about how users are accessing books online (what pages they read, their annotations, etc.). Google's default position must be, "if we don't need it, we won't collect it."

It is also critical that Google limit how it uses the information it is required to collect about users. If such information is needed to calculate payments to publishers, then it should be used for that purpose and no other. Reader data is simply too sensitive to be lumped indiscriminately into online marketing dossiers.

Most importantly, Google should commit to take strong steps when others, including the government, demand reader information.


With the settlement hearing fast approaching, Google has an opportunity to set a high standard for online reader privacy that will set a precedent for all who follow: first, by publishing a strong privacy policy for the service that covers the full range of issues raised by privacy advocates and, second, by pledging adherence to that commitment in its filing with the court. With so many issues likely to be raised before the settlement judge, taking the privacy concerns off the table now is good for Google, as well as for readers everywhere

Click here to read the rest of the editorial.

For a bit more details on what a strong privacy policy would look like, I suggest you check out the ACLU's recommendations.

Here's a brief summary of what they have urged:

Protection Against Disclosure: Readers should be able to use Google books without worrying that the government or a third party is reading over their shoulder. Google must promise that it will protect reader records by responding only to properly-issued warrants from law enforcement and court orders from third parties.

Limited Tracking: Just as readers can anonymously browse books in a library or bookstore, they should be able to anonymously browse, search, and preview books using Google Book Search. Google must allow users to browse, search, and preview books without being forced to register or provide any personal information.

User Control: Readers should have complete control of their purchases and purchasing data. Readers must be able to review and delete their records and have extensive permissions controls for their "bookshelves" or any other reading displays.

User Transparency: Readers should know what information is being collected and maintained about them and when and why reader information has been disclosed. Google must develop a robust privacy policy and publish annually the number and type of demands for reader information that are received.

Stay tuned...I'll reporting on developments as they come to light.

Friday, August 28, 2009

DHS Revises Border Laptop Search Rules - ACLU Not Satisfied

I'm doing a follow up on yesterday's post about the ACLU's lawsuit demanding that U.S. Customs and Border Protection (CBP) release details of its policy that allows the agency to search travelers' laptops at U.S. borders without suspicion of wrongdoing.

It appears that the government has at least been pressured into attempting to address (though inadequately) complaints by privacy advocates that the CBP policy violates the Fourth Amendment to the U.S. Constitution, protecting U.S. citizens against unreasonable search and seizure.

The CBP policy allows agents to conduct searches of "documents, books, pamphlets and other printed material, as well as computers, disks, hard drives and other electronic or digital storage devices," without suspicion of a crime.

I do take some solace that this issue also made it into the Washington Post today. I am consistently dismayed by what short thrift the issue of privacy seems to get in today's mainstream media - particularly in light of the Obama Administration's adoption of nearly all of what many believe were the Bush team's unconstitutional approaches to "national security".

Before I get to the Post article, here's today's follow up in PC World:

The new guidelines, unveiled Thursday, continue to allow U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement (ICE) to search electronic devices during border crossings without suspicion of wrongdoing. Both CBP and ICE are part of DHS.

The new rules were announced by DHS a day after the ACLU filed a lawsuit in an effort to get more information about border laptop searches. The ACLU and other groups have complained that the laptop search policy violates the U.S. Constitution's Fourth Amendment against unreasonable search and seizure.


The guidelines require CBP to complete a search of an electronic device within five days and ICE to complete a search within 30 days. In addition, agents must take additional steps to inform and educate travelers about the searches, and the DHS Office for Civil Rights and Civil Liberties will conduct an assessment of the policy's impact on civil rights within 120 days, Chandler said.


"DHS' latest policy announcement on border searches is a disappointment and should not be mistaken for one that restores the constitutional rights of travelers at the border," she said. "Members of the public deserve fundamental privacy rights when traveling and the safety of knowing that federal agents cannot rifle through their laptops without some reasonable suspicion of wrongdoing."

The ACLU does not oppose border searches, she added. "But it does oppose a policy that leaves government officials free to exercise their power arbitrarily," Crump said. "Such a policy not only invades our privacy but can lead to racial and religious profiling."

Click here to read the article in its entirety.

Now here are some choice clips from the Washington Post piece:

The Obama administration will largely preserve Bush-era procedures allowing the government to search -- without suspicion of wrongdoing -- the contents of a traveler's laptop computer, cellphone or other electronic device, although officials said new policies would expand oversight of such inspections.

The policy, disclosed Thursday in a pair of Department of Homeland Security directives, describes more fully than did the Bush administration the procedures by which travelers' laptops, iPods, cameras and other digital devices can be searched and seized when they cross a U.S. border. And it sets time limits for completing searches.


"It's a disappointing ratification of the suspicionless search policy put in place by the Bush administration," said Catherine Crump, staff attorney for the American Civil Liberties Union. "It provides a lot of procedural safeguards, but it doesn't deal with the fundamental problem, which is that under the policy, government officials are free to search people's laptops and cellphones for any reason whatsoever."


Under the policy begun by Bush and now continued by Obama, the government can open your laptop and read your medical records, financial records, e-mails, work product and personal correspondence -- all without any suspicion of illegal activity," said Elizabeth Goitein, who leads the liberty and national security project at the nonprofit Brennan Center for Justice.

Goitein, formerly a counsel to Sen. Russell Feingold (D-Wis.), said the Bush policy itself "broke sharply" with previous Customs directives, which required reasonable suspicion before agents could read the contents of documents. Feingold last year introduced legislation to restore the requirement.

Click here to read the rest of the article.

Again, I just feel there's something especially invasive about the government - or anyone for that matter - searching through my laptop. Let's face it, laptops are practically like a diary these days...there simply is almost NOTHING that I have that isn't on my computer. I am wholeheartedly with the ACLU on this.

I hate to always go back to the "slippery slope" argument - because it is often overused and misused by people trying to make a political point - but it really applies here. We're talking about seizing laptops without any suspicion of wrongdoing! The ways and degrees to which such a right could be abused by the government sends shivers down my spine (I'll get into what I believe some of the ways this could be done in the next post on this topic).

Thursday, August 27, 2009

ACLU Seeks (and Sues for) Information on Border Laptop Searches

As usual, the ACLU is on the front lines of the battle to protect the public from the growing power of government to bypass the 4th Amendment in the name of national security. One place this expansion of government power is especially glaring has been at, and even around the US border to Mexico. I guess its always easier to rationalize draconian, "constitution free" border policies when people are convinced they should be afraid of foreigners, terrorists, and of course, Mexicans.

Last year I wrote about the ACLU's efforts to challenge what were called "border patrol zones" - which essentially allow government agents to stop and question people anywhere without suspicion within 100 miles of the border. This little known power of the federal government to set up immigration checkpoints far from the nation's border lines came about after 9/11, when Congress gave the Department of Homeland Security the right to use some of its powers deeper within the country.

According to the ACLU last October, DHS had set up at least 33 internal checkpoints where they stop people, question them and ask them to prove citizenship. At that time I noted that if we allow these kinds of constitutional violations along our border, how long will it take before we start allowing them in the heartland? And I tend to be of the opinion that anytime we weaken the fundamental principles of our Constitution for ANYONE, we weaken them for EVERYONE.

As I also said, that as time goes by, and we see our right to privacy whittled away, watered down, or outright eviscerated, we similarly will see our belief in that right and principle weakened, our confidence in them shaken, and our reverence of them debased.

Now, ACLU has filed a lawsuit demanding that U.S. Customs and Border Protection (CBP) release details of its policy that allows the agency to search travelers' laptops at U.S. borders without suspicion of wrongdoing.

PC World Reports:

The FOIA request and the lawsuit seek details about the laptop search policy, including how many laptops have been searched since the CBP instituted its search policy last year, Crump said. "Traveling with a laptop shouldn't mean the government gets a free pass to rifle through your personal papers," she said.

The ACLU and other civil liberties groups have complained that the CBP policy violates the Fourth Amendment to the U.S. Constitution, protecting U.S. citizens against unreasonable search and seizure.

The ACLU also wants to know how many laptops and electronic devices CBP has seized, how long CBP has kept those devices, and statistics about the race and ethnicity of the people whose laptops have been seized, according to the ACLU's FOIA request.


The CBP policy also allows the agency to conduct searches of "documents, books, pamphlets and other printed material, as well as computers, disks, hard drives and other electronic or digital storage devices," without suspicion of a crime.

Several Democratic members of the U.S. Congress have pushed for a change in the policy. The requested documents would be "enormously useful" for lawmakers debating the CBP policy, Crump said.

Another issue I'll be following...Click here to read the rest of the article.

Tuesday, August 25, 2009

What Can Google Do to Address Privacy Concerns?

This is a question I'd like to pose to some of my privacy expert friends, as I'm sure there are a slew of suggestions as to how exactly this could be effectively done by Google. For the sake of today's post, I'm just going to focus on some ideas posed by Thomas Claburn of Information Week.

So to be clear, these are only a few suggestions for Google from one writer - and not meant to be a comprehensive list in and of itself.

As I have written about fairly extensively on this blog, Google has developed an adversarial relationship with privacy advocates and a bordering on disdain for privacy rights and protections. If you don't believe me I'd suggest you check out some or all my prior posts on the subject.

My guess is that if you didn't already know all the "problems" Google has in this area you'll be rather shocked to find out. My last post on the subject was about two weeks ago and it delved into the growing concern over "locational privacy" as individuals move through public space.

But let's get to today. Information Week reports:

Google, which presumably launched Street View in Switzerland last week with full knowledge of all the other privacy controversies related to Street View and the company's other online services, nonetheless said it was surprised by the data commissioner's statement and that it's working with Swiss officials to deliver a service that conforms with Swiss law. That Google can still be surprised by privacy concerns is in itself surprising and suggests the company ought to approach privacy more proactively.


Privacy just doesn't seem to matter much in Google's data-driven world because privacy isn't something that's easily quantified. Google reinforced that view when it refused to put a link to its privacy policy on its home page and later relented when it found that the link could be added without slowing the home page load time.

Even Apple picked up the privacy stick to whack the Google pinata: In its recent response to the FCC inquiry into Apple's refusal to approve the Google Voice app for the iPhone, Apple cited privacy concerns as one of the reasons that it has not approved the application. "[T]he iPhone user's entire Contacts database is transferred to Google’s servers, and we have yet to obtain any assurances from Google that this data will only be used in appropriate ways," the company said.


Google ought to make privacy a priority. Not just as a matter of public relations...but as a core feature of its services. What would that look like? Google could:

Allow users to choose not to have any search data retained

• Allow users to encrypt the data they store with Google

Make users have to opt-in to behavioral ad targeting rather than opt-out

• Put its privacy enhancing tools, like license plate and face blurring algorithms for Street View, into an online service so that users themselves can flag invasive images

Back legislation to establish a mechanism by which consumers can find out what information companies have about them and correct or remove that information

Click here to read the article in its entirety.

I'd welcome other suggestions for what concrete, positive steps Google could take in addressing the issue of privacy from anyone reading this blog today. In general, the ideas laid out in this article match up very well with many of the kinds of policies and principles I and others have argued for too. I would also agree with the author's other important thesis: That it would be in Google's own self interest to do so!

What I find disturbing is that the suggestions advocated in this article aren't ALREADY law or common policy. The right to not have my personal data shared and profited off and the right to have the option to choose what happens to that information and how well its protected seems to me to be a fundamental right protected in our constitution.

Friday, August 21, 2009

Is PASS ID Just REAL ID Reanimated?

As I've said here before, it wasn't too long ago that the REAL ID program appeared to be dying a slow death from the steady drip of states voicing their opposition. Unfortunately, an improved yet totally unacceptable version of the act has been gaining steam in the Senate, no doubt buoyed by support from the President and Homeland Security Chief Janet Napolitano.

Also, little media attention has been given to this new proposal, or the threat it STILL poses to an individuals right to privacy. My hope is that once the health care fight is over, this lack of attention will begin to change.

Today I'm going to include a recent short article on this subject by Richard Esguerra of the Electronic Frontier Foundation (EFF). But first, some background:

PASS ID would - just like Real ID - endanger victims of domestic violence by failing to adequately shield their addresses, raise fees associated with identification cards, expose consumers to identity theft and fail to improve our nation's security. Consider what just happened with the hacking of 130 million peoples credit card numbers? Do we really want to create a database with all of our personal information in it too?

In fact, PASS ID proposes to move forward on the one key component of REAL ID that privacy advocates were most opposed to: the creation of a national identification card.

Thankfully, a broad coalition of privacy organizations have joined forces (18 in all I believe) to oppose the bill - rightly advocating for the repeal, not the reform of Real ID. But I'll get to them in future posts.

Here's EFF's update and take:

Proponents seem to be blind to the systemic impotence of such an identification card scheme. Individuals originally motivated to obtain and use fake IDs will instead use fake identity documents to procure "real" drivers' licenses. PASS ID creates new risks -- it calls for the scanning and storage of copies of applicants' identity documents (birth certificates, visas, etc.). These documents will be stored in databases that will become leaky honeypots of sensitive personal data, prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database.

Despite some alterations to the scheme, PASS ID is still bad for privacy in many of the same ways the REAL ID was. And proponents of the national ID effort seem blissfully unaware of the creepy implications of a "papers please" mentality that may grow from the issuance of mandatory federal identification cards. Despite token provisions that claim to give states the freedom to issue non-federal identification cards, the card will be mandatory for most -- the PASS ID Act seeks to require everyone to show the federally recognized ID for "any official purpose," including boarding a plane or entering a federal building.

At the moment, health care reform is commanding tremendous attention and effort on the hill, so the PASS ID Act seems to be on the backburner for now. But after the August recess, anything can happen. So stay tuned for more about PASS ID and critical opportunities to flag your opposition to this flawed national ID scheme.

That about sums up my own thoughts for today. Click here to read the entire EFF post.

Thursday, August 20, 2009

Two California Privacy Bills Included in Consumer Coalition List of Legislative Priorities

California lawmakers returning from summer recess were greeted by a letter from nine consumer rights organizations outlining legislative priorities during the final month of the 2009 session.

Signing the letter were CALPIRG, California Alliance for Retired Americans, Congress of California Seniors, Consumer Action, Consumer Federation of California, Consumers for Auto Reliability and Safety, Consumers Union, Older Women’s League of California, and Privacy Rights Clearinghouse.

This list includes two key privacy protection bills among the list of 13 (2 were "bad" anti-consumer bills and eleven were "good" pro-consumer bills).

Let me briefly describe each of the two privacy bills chosen and how each is progressing in the legislature (I've highlighted and discussed both of these on this blog in the past):

Assembly Bill 943 (Mendoza) - Credit Reports

AB 943 (Mendoza) would prohibit a prospective employer from using consumer credit reports in the hiring process. The bill provides exceptions in cases when the job duties include access to cash or other financial assets, when the job is in law enforcement and in other narrow areas. An employer should not have any right to obtain confidential information that is not germane to a prospective employee’s job.

Credit reports do not have predictive value in determining a worker’s ability to perform job duties, but a bad credit report might unfairly influence a hiring employer’s attitude toward a job applicant. Unemployed workers are more likely to have suffered some downgrading of their credit score due to the circumstances of their unemployment; hence reliance on credit reports as a factor in hiring decisions might adversely impact those most in need of a job.Credit reports are often inaccurate, and could unfairly bias an employer.

Correcting mistaken information in a credit report is a tedious, time consuming process, and in the meantime, the job applicant is harmed due to errors by credit reporting entities. We therefore, are urging the Legislature to protect the financial privacy of Californians from unwarranted snooping by prospective employers by voting Yes on AB 943.

Bill Status...Good News: AB 943 (Mendoza) passed the Senate Judiciary Committee by a party line vote of 3 to 2 on July 7th, 2009. The bill cleared the Senate Labor and Industrial Relations Committee by a vote of 4 to 2 on June 25th - also along party lines. The bill passed the Assembly floor by a vote of 49 to 30 on May 28th. AB 943 is now scheduled to be heard in Senate Appropriations on August 24th.

Click here to read the Assembly Analysis of the bill.

Senate Bill 20 (Simitian) - Data Breach Notifications

SB 20 would amend California's security breach notification law stating that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General.This measure also requires that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

Additionally, SB 20 would amend the substitute notice provisions of California's security breach notification law to require that an entity providing substitute notice also provide notice to the Office of Information Security and Privacy Protection.

California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers.

As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.This leaves consumers uncertain about how to respond to the breach or protect themselves from identity theft.

SB 20 makes relatively modest but helpful changes to the current security breach notification statutes to enhance consumer knowledge about, and understanding of, security breaches.For these reasons, we support SB 20, and have been urging the Legislature to do the same.

Click here to read the analysis of the bill.

Bill Status...more good news: SB 20 (Simitian) was approved by the Assembly Appropriations by a vote of 12 to 1 on August 19th and the Assembly Judiciary Committee by a vote of 7 to 3 on June 30th. The bill passed the Senate on April 27th by a vote of 26 to 7. The bill passed Assembly Appropriations on August 19th and awaits an Assembly floor vote to determine whether it will reach the Governor's desk.

Friday, August 14, 2009

Electronic Frontier Foundation Report Warns of Losing "Locational Privacy"

Today I want to focus on a new report from the Electronic Frontier Foundation (EFF) that warns that Americans are losing their privacy as they travel through public space (i.e. "locational privacy") due to location-based technologies and services such as EZ Pass, Google Latitude and cellphones.

Before I get to the article in Security Management about the report, let me provide the definition of "Locational Privacy" (also known as “location privacy”)- as articulated by EFF:

"...the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discussed above have the potential to strip away locational privacy from individuals, making it possible for others to ask (and answer) the following sorts of questions by consulting the location databases:

Did you go to an anti-war rally on Tuesday?
• A small meeting to plan the rally the week before?
• At the house of one “Bob Jackson”?
• Did you walk into an abortion clinic?
• Did you see an AIDS counselor?
• Have you been checking into a motel at lunchtimes?
• Why was your secretary with you?
• Did you skip lunch to pitch a new invention to a VC? Which one?
• Were you the person who anonymously tipped off safety regulators about the rusty machines?
• Did you and your VP for sales meet with ACME Ltd on Monday?
• Which church do you attend? Which mosque? Which gay bars?
• Who is my ex-girlfriend going to dinner with?

Security Management reports:

Location-based services that transmit, record, and store where a person is—such as EZ Pass, WiFi networks, transit cards, Google Latitude—can be exploited by government, business, or prying ex-lovers to track and reconstruct where people have been as they go about their daily life.

The EFF concedes that people forfeit some privacy when they go into public. However, the ability to track people as they went about their lives before the rise of such technology was extraordinarily difficult and generally quite expensive: people hired private investigators to do that work. Besides, the person being monitored had a decent shot at detecting the surveillance.


The upside, as the EFF contends, is that modern cryptography can design location-based services that do not collect identifiable data at all, like "electronic cash." The downside, however, is that this costs additional money that companies are reluctant to invest into the original design when not absolutely necessary.


The second reason companies should ensure locational privacy is to gain a competitive edge. According to the EFF, a good deal of customers will find robust privacy protections a reason to purchase one technology or service over another. Until democratic lawmaking catches up with technology, the EFF says, it's up to private companies to protect locational privacy and design systems that do not sacrifice it for expediency.

Click here to read the article in its entirety.

Now, I especially enjoyed, and what I thought particularly effective, was the way EFF ends their report, and answers the typical "you're being paranoid" blow off we privacy advocates hear all too often.

The report reads, "Another common response to worries about locational privacy is to say that law-abiding citizens don’t need privacy. “I don’t commit adultery, I don’t break the law,” people say (and tacitly, “I’m not in the closet, and I don’t belong to any non-majority religious or political groups”).

One answer to this concern is a reminder that there are more subtle reasons for needing privacy. It’s not just the government, or law enforcement, or political enemies you might want to be protected from.
Your employer doesn’t need to know things about whether, when, and where you went to church.
Your co-workers don’t need to know how late you work or where you shop.
Your sister’s ex-boyfriend doesn’t need know how often she spends the night at her new boyfriend’s apartment.
Your corporate competitors don’t need to know who your salespeople are talking to.

Preserving locational privacy is about maintaining dignity and confidence as you move through the world. Locational privacy is also about knowing when other people know things about you, and being able to tell when they are making decisions based on those facts.

Suppose that an insurance company manages to obtain a record of Alice’s movements over the past year, and decides that there is some aspect of that record which is grounds for raising her premiums or denying her coverage. The problem with that decision is not just that it is unfair, but that Alice may have no ability to dispute it. If the insurance company’s reasoning is misinformed, will Alice have a practical way of knowing that and disputing it?


In the long run, the decision about when we retain our location privacy (and the limited circumstances under which we will surrender it) should be set by democratic action and lawmaking. Now is a key moment for organizations that are building and deploying location data infrastructure to show leadership and select designs that are responsible and do not surrender the locational privacy of users simply for expediency.

Click here to read EFF's report.

Thursday, August 13, 2009

Behavioral tracking on the web: The good (FTC) and the bad (OMB)

For some backdrop on the issue of behavioral targeting on the internet and the legislative effort to protect consumer privacy currently underway in Washington, here’s some of what Jeff Chester, executive director of the Center for Digital Democracy (CDD) had to say in recent testimony before Congress. CDD has been at the forefront of exposing invasive online and mobile marketing practices as well as offering concrete regulatory measures that would more adequately protect consumer privacy.

Chester stated, Powerful techniques of data collection, analysis, consumer profiling and tracking, interactive ad creation and targeting have emerged across the online venues Americans increasingly rely on for news, information, entertainment, health, and financial services. Whether using a search engine, watching an online video, creating content on a social network, receiving an email, or playing an interactive video game, we are being digitally shadowed online. Our travels through the digital media are being monitored, and digital dossiers on us are being created—and even bought and sold.”

In order to ensure adequate trust in online marketing—an important and growing sector of our economy—Congress must enact sensible policies to protect consumers.”

Now to two interesting and completely conflicting “approaches” to this issue making news this week: On the one hand we have the Federal Trade Commission’s (FTC) apparently committed effort to better protect internet users from behavioral targeting and ads. And on the other we have the Office of Management and Budget’s (OMB) proposal to allow the use of web tracking technologies on federal government websites.

Let’s first get to the recent positive developments at the FTC.

In a recent article in Business Week, FTC Chairman Jon Leibowitz, Obama's top consumer watchdog, said he wants to terminate—or at least rein in—delivering ads to individuals based on the Web pages they visit and searches they carry out (supporting the establishment of “opt-in” as the standard rather than “opt-out”).

Similarly, David C. Vladeck - the new head of the Bureau of Consumer Protection at the FCT – said in a New York Times article this week that the frameworks used historically for privacy on the web are no longer sufficient, and wants to expand the definition of what is considered “harm” to the consumer when a company infringes on their privacy to beyond solely a monetary measurement, but to whether their dignity was violated.

So two important signals (among others articulated in the articles) are being sent by Leibowitz and Vladek indicating the FTC is considering pushing for two essential legislative reforms advocated by privacy leaders that would protect consumers: establishing "opt-in" as the standard and precedent and redefining what is considered “harm” to the consumer when his/her privacy is violated.If ever enacted, each would represent a landmark improvement in protections for consumers against aggressive behavioral marketing techniques and industry data collection practices.

Now to the negative developments at the OMB:

The OMB recently proposed reversing current federal policy by allowing the use of web racking technologies, like cookies, on federal government websites.

An ACLU press release sent out on August 10th states: Since 2000, it has been the policy of the federal government not to use such technology. But the OMB is now seeking to change that policy and is considering the use of cookies for tracking web visitors across multiple sessions and storing their unique preferences and surfing habits. Though this is a major shift in policy, the announcement of this program consists of only a single page from the federal register that contains almost no detail.

The use of cookies allows a website to differentiate between users and build a database of each user’s viewing habits and the information they share with the site. Since web surfers frequently share information like their name or email address (if they’ve signed up for a service) or search request terms, the use of cookies frequently allows a user’s identity and web surfing habits to be linked. In addition, websites can allow third parties, such as advertisers, to also place cookies on a user’s computer.

“Americans rely on the information from the federal government to research politics, medical issues and legal requirements. The OMB is now asking to retain the personal and identifiable information we leave behind,” said Christopher Calabrese, Counsel for the ACLU Technology and Liberty Project. “No American should have to sacrifice privacy or risk surveillance in order to access free government information. No policy change should be adopted without wide ranging debate including information on the restrictions and uses of cookies as well as impact on privacy.”

Limitations of the FTC and the Responsibility of Congress

What’s most important to this debate, aside from the vast differences in approach to internet privacy demonstrated this week by the OMB and the FTC, is what kind of regulatory framework will be put in place to protect consumers. As Jeff Chester also pointed out in his testimony, this responsibility will largely fall on Congress:

“The FTC has been largely incapable of ensuring American privacy is protected online. Staff has been reined in from more aggressively pursuing the issue, primarily to ensure that industry self-regulation remains as the agency’s principle approach. The FTC is also encumbered with a lack of staff working on privacy and online marketing issues, including personnel familiar with the technical characteristics of contemporary marketing…

The FTC needs to have additional resources, especially so it can better protect consumers from digital marketing transactions involving their financial and health data. Congress should press the FTC to be more proactive in this arena. We are confident that the FTC is now ready to address online marketing and consumer privacy more meaningfully than in the past."

We (CDD) urge you (Congress) to enact legislation that would ensure that consumer privacy online is protected. The foundation for a new law should be implementing Fair Information Practices for the digital marketing environment.'

Tuesday, August 11, 2009

Is Your Prescription Private?

First, the bad news. The answer to the question I posed in the title is largely "no" (as in no, your prescription drug records are not private). For Californians, the good news is the answer to that same question is largely "yes" (a privacy protection that the Consumer Federation of California fought hard to preserve last year). I suppose also falling into the "good" category is the fact that there is a provision in President Obama's stimulus plan that may significantly increase privacy protections related to prescription drug records.

As the New York Times notes, "The federal stimulus law enacted in February prohibits in most cases the sale of personal health information, with a few exceptions for research and public health measures like tracking flu epidemics. It also tightens rules for telling patients when hackers or health care workers have stolen their Social Security numbers or medical information, as happened to Britney Spears, Maria Shriver and Farrah Fawcett before she died in June.

Before I get to more of the Times article on this issue I want to first discuss a bit more about what was at stake just recently here in California, and how it relates to the larger issue of prescription record privacy. The general rule of thumb in our country when it comes to prescriptions is that "all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission."

Here in California, the state with some of the strictest ( New Hampshire, Maine and Vermont too) protections of prescription record privacy in the nation, a bill nearly passed the legislature in 2007 (that CFC vigorously opposed) that would have permitted drug stores to share confidential patient prescription information with third parties.

The bill raised significant privacy and health care concerns for patients - concerns that Americans should have in states across the country. The bill would have created an exception to California's Medical Information Act, and allowed the sharing of confidential patient drug prescription information among pharmacies, third party corporations and pharmaceutical companies without a patent's consent.

Californians expect that their private medical records will be held in confidence by their doctors and pharmacists. SB 1096 would have allowed pharmacies to share prescription information with businesses that provide mailings to the patient – ostensibly reminders that patients should continue to take their medications. The reminder would appear to come from the pharmacy, but in fact it would be paid for by the drug manufacturer.

The bill's main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company currently being sued for privacy breaches related to patient prescription records.

A patient’s doctor - not a third party marketing company - is the best source for informing a patient about how to manage his or her health condition. By intruding upon and confusing this relationship, this bill could have put patients’ health, as well as privacy, at risk.

For example, a physician might discontinue a prescription if a patient complained of an adverse reaction. Unaware of the changed course of treatment, the drug marketing company would continue sending reminders that appear to come from the drug store, urging the patient to keep taking the old prescription. The bill placed no liability on drug markets that provide bad information to patients.

The legislative battle was a fierce and contentious one, pitting privacy and consumer groups and physicians against drug store chains and drug marketers. Thanks to a significant public outcry against the legislation - helped by some good reporting on the issue, the bill was defeated (representing an important victory for California’s landmark medical records privacy law).

I think this California case study I have sourced serves as a useful tool in understanding what remains at stake for patients privacy around the country, how close California came to losing the protections we enjoy, and, why it could be a very important and positive development if the Obama Administration can strengthen our rather lax privacy protections when it comes to prescription records.

The New York Times reports:

MORE than 10 years after she tried without success to have a baby, Marcy Campbell Krinsk is still receiving painful reminders in her mail. The ads and promotions started after she bought fertility drugs at a pharmacy in San Diego. Marketers got hold of her name, and she found coupons and samples in her mail that shadowed the growth of an imaginary child — at first, for Pampers and baby formula, then for discounts on family photos, and all the way through the years to gifts suitable for an elementary school graduate.


The new rules will plug some gaping holes in our federal health privacy laws,” said Deven McGraw, a health privacy expert at the nonprofit Center for Democracy and Technology in Washington. “For the first time, pharmacy benefit managers that handle most prescriptions and banks and contractors that process millions of medical claims will be held accountable for complying with federal privacy and security rules.”

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.

Ms. Krinsk was never able to find out who sold her information, but companies that have been accused in lawsuits of buying and selling personal medical data include drugstore chains like Walgreens and data-mining companies like IMS Health and Verispan. CVS Caremark, which handles prescriptions for corporate clients, has also been accused of violating patients’ privacy. These companies all say that names of patients are removed or encrypted before data is sold, typically to drug manufacturers. But as Ms. Krinsk’s case shows, there are leaks in the system.


Selling data to drug manufacturers is still allowed, if patients’ names are removed. But the stimulus law tightens one of the biggest loopholes in the old privacy rules. Pharmacy companies like Walgreens have been able to accept payments from drug makers to mail advice and reminders to customers to take their medications, without obtaining permission. Under the new law, the subsidized marketing is still permitted but it can no longer promote drugs other than those the customer already buys.

The ban on marketing is even more strict in California, where Walgreens is fighting off a class-action lawsuit filed on behalf of customers who received the subsidized mailings before the state outlawed them in 2004. Michael Polzin, a Walgreens spokesman, defended the mailings as a cost-cutting measure. “Patients who fail to properly take their medication cost the U.S. health care system $177 billion a year,” when they fall sick and need treatment, he said.


IN another big change, the stimulus law provides $19 billion to push doctors toward installing electronic records systems. It is a milestone on the road toward President Obama’s goal of digitizing all medical records within five years. But digitization creates the potential for more abuses by hackers, as well as blackmail and insurance fraud.

Privacy is under greater duress than ever before as medical records are switched from paper to electronic,” said Pam Dixon, a consumer advocate and executive director of the World Privacy Forum near San Diego.


Google, Microsoft and WebMD all say they will not show advertising alongside a person’s health records. But visitors to WebMD, Google Health and Microsoft’s site, HealthVault, see ads for drugs for diseases like osteoporosis or acid reflux as they seek information on an array of ailments.

Technology experts say identities of viewers and their health interests are often captured at the moment they click on online ads for a drug. That provides the advertiser with a prospective customer to pursue online or by mail.


Since 2003, more than 45,000 complaints have been filed at the civil rights office in the Department of Health and Human Services by people who said their medical privacy was violated. The office says it has taken enforcement actions on more than 8,900 cases in that period, covering millions of people.

A single case can involve thousands of patients. For example, CVS paid a $2.25 million settlement early this year after an Indianapolis television station found paper records with CVS customers’ personal drug information had been tossed into Dumpsters. In the settlement agreement, CVS promised to protect patient information at all 6,300 CVS stores.

A survey sponsored by the Federal Trade Commission suggested that tens of thousands of patients each year had their records broken into by hackers and unauthorized employees of hospitals and other health industry companies. Keith B. Anderson, an economist at the F.T.C., estimated that the personal information of about 890,000 adults was misused between 2001 and 2006. Stolen identities and data were used to trick Medicare, Medicaid and other insurers into paying for bogus medical treatment and supplies, he said.

Click here to read the rest of the article.

Its not hard to predict that these kinds of technological advancements will also lead to an increasingly contentious and important battle between identity thieves and data miners on one side, versus those of us that believe in ironclad privacy protections simply being a non-negotiable component of any system that stores medical or prescription drug records.

As the Times points out, not all people think that the stimulus law goes far enough to protect patients’ privacy (I would be one). While it bans paying a pharmacist for marketing to patients, it does not bar the sale of personal drug information by one pharmacy to another. Baby steps I suppose...

Wednesday, August 5, 2009

More Good Signs on Internet Privacy and Behavioral Advertising

This article in the New York Times about David C. Vladeck - the new head of the Bureau of Consumer Protection at the Federal Trade Commission (the agency that oversees online advertising) fits nicely with yesterday's post about Jon Leibowitz, head of the Federal Trade Commission. Both are Obama appointees, and each is demonstrating a far greater commitment to privacy than anything we've seen before.

As I reported yesterday, Leibowitz wants to terminate—or at least rein in— the delivery of ads to individuals based on the Web pages they visit and searches they carry out. Leibowitz has made behavioral targeting a top priority....even supporting the principle of "opt-in".

Now we have this good news about David Vladeck, who seems to be on the same page as Leibowitz. And here's what's most important for privacy advocates: Vladek is re-interpreting the current, accepted definition of "harm" - the industry's "go to" argument in avoiding any accountability for violating consumer privacy.

One of the continual roadblocks preventing individuals from holding businesses that violate their privacy accountable stems from the fact that they must prove actual "harm" done to them...which can be next to impossible when it comes to violations of privacy that don't necessarily result in someone stealing your identity or ripping you off.

This traditional roadblock, and accepted interpretation of "harm", is now being challenged! This could be a game changer in the fight to institute privacy protections that adequately keep pace with the rapid technological innovation and the accompanying reality that companies can now track nearly everything about nearly everyone.

The New York Times reports:

Most of the online world is based on a simple, if unarticulated, agreement: consumers browse Web sites free, and in return, they give up data — like their gender or income level — which the sites use to aim their advertisements. The new head of the Bureau of Consumer Protection at the Federal Trade Commission, David C. Vladeck, says it is time for that to change.

In an interview, Mr. Vladeck outlined plans that could upset the online advertising ecosystem. Privacy policies have become useless, the commission’s standards for the cases it reviews are too narrow, and some online tracking is “Orwellian,” Mr. Vladeck said.

After eight years of what privacy advocates and the industry saw as a relatively pro-business commission, Mr. Vladeck, has made a splash. In June, the commission settled a case with Sears that was a warning shot to companies that thought their privacy policies protected them. In just over six weeks on the job, he has asked Congress for a bigger budget and for a streamlined way to create regulations. And he said he would hire technologists to help analyze online marketers’ tracking.


Mr. Vladeck’s first moves have been to pick apart industry groups’ proposed self-regulatory principles and to meet with companies to discuss online ad guidelines. “The frameworks that we’ve been using historically for privacy are no longer sufficient,” Mr. Vladeck said.


He said his broad mission was to redefine how the commission looked at online privacy. Predecessors at the agency had different approaches to regulating online behavior, including whether companies were causing harm to consumers, and instructing companies to write privacy policies, Mr. Vladeck said.

The Sears case suggested that Mr. Vladeck had adopted a new approach. Sears had offered customers $10 to download software onto their computers, saying it would track their browsing. The commission said that the software also collected information like prescription records and bank statements. Sears settled with the commission in June.

It wasn’t a case that caused economic harm, though. Rather than taking money from consumers, Sears was paying them for the tracking. “Under the harm framework, we couldn’t have brought that case,” Mr. Vladeck said. (Though he hadn’t officially started at the commission, and the case was under way before he joined, he was consulting for it when the settlement was announced.) Now, Mr. Vladeck indicated, the commission would begin considering not just whether companies caused monetary harm, but whether they violated consumers’ dignity.


The changes Mr. Vladeck is considering could mean a different online world, where sites couldn’t depend on targeted ads to make money. But could a site refuse to allow access to people who wouldn’t hand over data?

Mr. Vladeck said that the commission would have to consider whether that meant businesses were treating consumers unfairly, but over all, he said he was not troubled by the problems this might pose for marketers.

Click here to read the rest of the article.

What can I say? This is truly exciting! I'm so used to reporting bad news I'm not sure how to react! :) Now let's see just how much push back Vladeck gets from big business...and how much that will water down what clearly are some very encouraging positions. I'm especially heartened by his clear reverence for the principle of privacy and deep understanding of how strict regulatory consumer protections will be required to preserve it in light of our modern, and rapidly evolving technological age.

Tuesday, August 4, 2009

Targeting Ads, Behavioral Marketing, and the FTC

I want to come back to the issue of behavioral targeting on the web and the likelihood that we may actually get legislation to better regulate the practice. Let's begin with what to look for first in legislative efforts to protect privacy: Does it include the holy grail of the privacy movement: establishing "OPT-IN" as the standard and precedent, rather than OPT-OUT?

This is most certainly what too look for, and demand, in any legislative attempt to crack down on behavioral marketing and aggressive industry data collection practices. Jeff Chester, executive director of the Center for Digital Democracy (CDD) has been at the forefront of exposing all kinds of invasive online and mobile marketing practices as well as offering concrete regulatory measures that would more adequately protect consumer privacy.

So, before I get to the article about some positive signals being sent by Jon Leibowitz, Obama's top consumer watchdog, let me give you a few choice clips from Chester's testimony before Congress a few weeks back urging it to pass legislation that would ensure meaningful online privacy protections.

This from CDD's press release on his testimony:

As more consumers increasingly rely on the Internet to obtain such sensitive services as financial products or health is especially critical that the public be assured they will be treated fairly when engaged in online commerce. Chester pointed to the failure of the regulatory system that should have protected Americans from irresponsible business practices that led to the current financial crisis.

“As with our financial system, privacy and consumer protection regulators have failed to keep abreast of developments in the area they are supposed to oversee,” he explained. “In order to ensure adequate trust in online marketing—an important and growing sector of our economy—Congress must enact sensible policies to protect consumers.” “Whether using a search engine, watching an online video, creating content on a social network, receiving an email, or playing an interactive video game, we are being digitally shadowed online,”

Our travels through the digital media are being monitored, and digital dossiers on us are being created—and even bought and sold.” Singling out behavioral and “predictive” targeting for their violations of user privacy, Chester noted that the “consumer profiling and targeted advertising take place largely without our knowledge or consent, and affects such sensitive areas as financial transactions and health-related inquiries. Children and youth, among the most active users of the Internet and mobile devices, are especially at risk in this new media-marketing ecosystem.”

Chester called on Congress to enact meaningful regulations to protect consumer privacy in the online and mobile arenas, effectively bringing the FTC’s Fair Information Practice Principles fully into the digital age. “Americans shouldn’t have to trade away their privacy and accept online profiling and tracking as the price they must pay in order to access the Internet and other digital media,” Chester declared, adding that far from being an impediment to continued growth in the online sector, meaningful privacy safeguards will actually stimulate the digital economy.

“The uncertainty over the loss of privacy and other consumer harms will continue to undermine confidence in the online advertising business,” he explained. “That’s why the online ad industry will actually greatly benefit from privacy regulation. Given a new regulatory regime protecting privacy, industry leaders and entrepreneurs will develop new forms of marketing services where data collection and profiling are done in an above-board, consumer-friendly fashion.”

Now that you have some background and understanding of the issue and topic, let's take a look at what's happening at the Federal Trade Commission and Jon of the truly positive steps the Obama Administration has taken on the privacy issue.

Business Week Reports:

Now, Leibowitz wants to terminate—or at least rein in—a different practice he finds no less harmful to consumers: delivering ads to individuals based on the Web pages they visit and searches they carry out. Appointed by President Barack Obama in February to run the country's top consumer watchdog, Leibowitz has made so-called behavioral targeting a top priority.

How far he goes in regulating the practice could have big implications for a host of companies that depend on Web advertising and engage in some form of targeting. These include Google (GOOG), Facebook, and Microsoft (MSFT), which on July 29 announced a plan to partner with Yahoo! (YHOO) in the area of Internet search. It would also affect the way legions of companies and advertisers craft marketing campaigns.


Researcher eMarketer estimates that advertisers will spend $960 million on personally targeted ads next year, accounting for about one-fifth of all display ads on the Web, up from $705 million this year, when they accounted for 15% of the total. The average Web surfer benefits, too: An array of free services, from Google's Gmail to social network Facebook, are partly supported by targeted ads.

But the FTC and a growing chorus of consumer advocates warn that online advertisers are not always forthcoming about their use of targeting. And some are downright deceptive, Leibowitz said in an interview with BusinessWeek. "There's a critical issue about whether consumers have notice of what companies are doing with their information and whether they're making informed choices about [sharing] information," Leibowitz explains. For example, if an advertiser sends an ad based on sensitive information about a person's health, "you might want to take that off the table."


But Leibowitz hints that he's growing impatient with marketers' efforts. "It's not clear that they're moving far enough or fast enough, even though they're making some progress," Leibowitz says. He supports the controversial approach of making more of the targeted ads on the Internet "opt-in"—meaning they would require consent from Web users before collecting data—and is in talks with members of Congress intent on drafting legislation for online ads.


Although the FTC has no direct sway over legislators, Leibowitz is building alliances in Washington. In recent weeks he's met with Representative Rick Boucher (D-Va.), who plans to introduce a bill by September that may require opt-in consent for certain types of online ads. "My overall purpose is not to interfere with the legitimate practice of people who are doing targeted advertising," Boucher says. "My goal is to try to create a greater sense of confidence on the part of consumers."

So there you have it. An FTC chairman that's actually looking out for our interests rather than those of the corporations that profit off our private information. Nice. This is a bill I'll definitely be following closely on this blog.