Monday, December 27, 2010

Napolitano: Get used to invasive scans, pat-downs

Never mind that more and more evidence is coming forth that the TSA body scanners don't work...because apparently, they're here to stay...



I'll have more on some of the recent revelations regarding just how useless and overpriced these machines are (in addition to being grossly invasive) in a future post.

In the meantime, here's the clip of the ABC News investigation cited by CNN reporter Candy Crowley to Janet Napolitano:

Tuesday, December 21, 2010

Is the Government Spying on You?

Watch this great Countdown segment with the Nation's Chris Hayes on the recent revelations regarding the massive FBI domestic spying program:


Commerce Department Weighs in On Internet Privacy

I want to stay with the internet privacy issue for a bit more. Let's face it, the internet is where the vast majority of all future communication will take place, and information will be gathered and stored - yet it remains the wild west when it comes to privacy.

And, efforts are finally being made in Congress and in agencies like the FTC, and now the Commerce Department, to tackle this issue, and establish some semblance of privacy rights, and protections, on the net.

The other big story, one I'll get to tomorrow, is the revelation that the FBI is compiling massive databases filled with our personal information, whether you're a suspect or not.

But for today, let's get to the Commerce Department's announcement that they are close to endorsing new federal laws regulating companies' data collection practices and requiring that customers be notified of data breaches.

In an 88-page report (PDF), the department also suggested rewriting a 1986 privacy law to address "privacy protection in cloud computing and location-based services," but didn't offer any details. That broad approach is backed by tech companies including Google, Microsoft, AT&T, and eBay, but is likely to be opposed by the Justice Department.

In all, this is a rather ho-hum, thanks-for-finally-joining-the-discussion type of report. Hell, in California, we have had a data breach notification law for seven years (one the Consumer Federation of California was active in supporting), and a pair of House of Representatives committees approved similar legislation back in 2006. No fewer than 46 states, plus the District of Columbia and Puerto Rico, have followed California's lead.

The Federal Trade Commission's 122-page report on these topics served up a generally similar set of recommendations, including that consumers should have "reasonable access to the data that companies maintain about them."

I don't know which agency will be taking the lead on this issue, but it will be important to watch them both being that privacy has become such a hot topic, be it the explosion of social networking sites, the personal data collection industry's rapid growth, and the behavioral advertising boom. In each case, these topics are now being debated in Congress (with industry trying to do everything in their power to ensure we have as little control over our data as possible), and the future of privacy on the internet itself could well be determined in the coming months and years.

While the reports, as I will explain, haven't been widely embraced by privacy advocates, they at least represent a slight break from the "free market fundamentalism" that has infected government for the past decade or more as it pertains to the net. Finally we have some federal agencies actually pushing for, and debating, new regulations targeting private companies and protecting consumer privacy.

With that said, these reports were not greeted with applause by privacy advocates. NetworkWorld reports:

The Commerce Department paper calls for an online privacy bill of rights and codes of conduct for Internet companies, with enforcement by the U.S. Federal Trade Commission. But several privacy groups questioned whether the codes of conduct would be effective because of the paper's suggestion that affected companies help write them.

The policy recommendations in the report are an "early Christmas gift to the data collection industry," said John Simpson, consumer advocate with Consumer Watchdog. Internet-based groups have been creating their own codes of conduct for years, and Web-based tracking and data collection continue to grow, said Susan Grant, director of consumer protection at the Consumer Federation of America. "The solution is not more self-regulation," she said. "That seems to be the main thrust of the Commerce Department report."


The report seems to give more attention to concerns of Web-based companies than to consumers, with little change in online data collection likely, other privacy advocates said. The report is "designed to marginalize consumers," said Jeffrey Chester, executive director of the Center for Digital Democracy.

...

Some of the privacy advocates suggested the report's recommendation for a privacy bill of rights may be helpful. The report may also help push Congress to act on privacy legislation next year, the Future of Privacy Forum said.

"The report is a sophisticated effort to advance consumer privacy without thwarting innovation," the group said in a statement. "Although it sets a framework that will influence legislation, it creates an alternate path for a mode of government initiated self-regulation, with advocates at the table and the FTC providing enforcement. If businesses respond by seriously engaging in efforts to advance fair information practices, the U.S. has the chance to take back the international privacy leadership role it once had."

In other words, as is usually the case when the issue is regulation of big business practices, the devil will be in the details. Will there be loopholes, and how big will they be? Will the focus be on "self regulation" or mandatory compliance? Will opt-in be the standard modus operandi, or will it be opt-out? These are the questions I'll be asking as I watch this debate unfold. Clearly, the odds are stacked against us...companies like Google, Facebook, and AT&T rank among the most powerful and well financed forces in the country.

Friday, December 17, 2010

Technological Innovation and Privacy

A common theme of this blog has been the trend of technology vastly outpacing privacy. We see this when it comes to social networking like Facebook and we certainly see it when it comes to behavioral tracking of our web usage, particularly in light of what has become a new, powerful, data collection industry.

The fact that we have next to no privacy standards as related to these technological innovations and trends has become an issue of interest of late, both among privacy groups (obviously), and now finally, the government itself.

Some key questions remain unanswered. Just what kind of control do we have over our own data? And what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

The argument by some, such as Time's person of the year Mark Zuckerberg, is that all information should be public, and as time goes on we'll only be sharing more of it. In addition, we all will benefit from this communal sharing of private information in ways yet to even be discovered. Already, from this sharing, we forge more online friendships and connections, old friends are reconnected, distant parents see pictures of their kids' day-to-day activities, jobs might be more easily found due to our profiles being more public, internet services improve as companies like Facebook and Google learn about people's Web browsing histories, sites are able to tailor content to the user, and so on, and so forth.

It is hard to argue that there aren't benefits to this new world of open access to information. But there are downsides too - downsides that warrant protections, and "dot rights" (ACLU's term).

As privacy advocates argue, shared information can also jeopardize personal safety, including identity theft. As laid out in a recent CNN article, "earlier this year, a widely publicized site called PleaseRobMe.com collected status updates from Twitter and Foursquare that indicated a person was away from home. That info, in theory, could help burglars figure out the best time to break into a person's house or apartment -- when no one's there. That happened to Beny Rubinstein last year when a hacker compromised his friend's Facebook page and falsely asked his Facebook friends for help. Rubinstein wired the hacker more than $1,100, thinking his real friend was in trouble in a foreign country.

There's also the issue of informed consent. Most internet users don't realize how much information they're giving up just by browsing the Web, nor do they know what is being done with that information.

Digital marketers like RapLeaf, for example, are getting better at sniffing through people's Web-browsing histories and online identities to compile user profiles that can be sold to advertisers. Finally, these kinds of targeted behavioral marketers are now being taken on in Congress and at the U.S. Federal Trade Commission, which, as I detailed last week on this blog, are calling for a "do not track" list for the internet, which would let users essentially opt out from all targeted marketing and tracking.

This leads to the issue of having the necessary tools available so internet users can have greater control over their web-using habits, and increased protection from those that might seek to do them harm (or just so they can keep private information private!).

As the CNN article also points out, some of these tools exist already, but they fall short in some critical areas:

Users can opt out of tracking by certain marketers, clamp down access to their social networking sites and employ online pseudonyms as a way to keep some info relatively private. Privacy controls like these are widely used, especially by younger generations. A Pew Internet & American Life survey of people age 18 to 29 found more than 70 percent of them had changed the privacy settings on their social networking profiles. But these tools only go so far.

Virtually any information posted online can become public in an instant. An info-thief easily could take a screen grab of a private Facebook message and post it on a public blog. Private Twitter feeds -- viewable only by people who the author approves -- can be "retweeted," or re-posted, onto the public internet. And third-party Facebook apps have admitted to taking information from app users, against Facebook's rules, and selling that data to advertisers.

Privacy settings on sites like Facebook have become so confusing that some users feel they've lost control of their privacy, said Sherry Turkle, an MIT professor and author of the upcoming book, "Alone Together: Why We Expect More from Technology and Less from Each Other."

Internet users these days have a "sense of always being tracked and always being watched," she said. That leads to people censoring themselves and presenting a version of their life that is "kind of inauthentic" -- much like they're performing in a play they know everyone will see, she said. In the long term, these performance-based communications are dangerous for our personal relationships and for society, she said. They make us less human.

That last point has particular resonance with me. What concerns me is what are the side effects of living in a society without privacy? Not just on the net, about our personal habits, but from the watchful eye of government, be it the knowledge that we could be wiretapped, that smart grid monitors our daily in-home habits, that our emails can be intercepted, that our naked bodies must be viewed at airports, that our book purchases can be accessed (particularly if Google gets its way and everything goes electronic), that street corner cameras are watching our every move, that RFID tags allow for the tracking of clothes, cars, and phones...and the list goes on.

As I said in a presentation to the CA PUC:

The endless accumulation of our personal data – combined with the outlandish profits being made off it and growing government demand for it – represents a direct assault on our right to privacy. We would do well to contemplate the steady erosion of this right and its long-term implications.

Corporations, by definition, care about profit, not reducing energy usage, and certainly not protecting privacy, just as governments, particularly federal, care more about access and control.

Evidence of this abounds: Social networking sites store and publicly share unprecedented private details about their users without telling them what they are doing with that information. A recent study found that the 43 leading sites made privacy control settings difficult to find and to understand; and the defaults were almost always set to allow maximum dispersal of data.

Google’s CEO, Steve Schmidt, recently stated: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

As you let that sink in, he also said: "… the reality is that search engines including Google do retain this information for some time, and it's important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities."

The facts bear witness to Mr. Schmidt’s worldview, as one Google product after another – from Google Buzz to Google Books - has been a virtual privacy train wreck. The company’s refusal to make public how often information about their users is demanded by, or disclosed to the government, is all the more disconcerting.

Facebook reportedly receives up to 100 demands from the government each week for information about its users. AOL reportedly receives 1,000 demands a month. In 2006, a U.S. Attorney demanded book purchase records of 24,000 Amazon.com customers. Sprint recently disclosed that law enforcement made 8 million requests in 2008 alone for its customers’ cell phone GPS data for purposes of locational tracking.

It wasn’t long ago that the idea of our government wiretapping American citizens without warrants for purposes other than national security would have been revolting. Now it’s official Government policy – and the telecom companies that participated in these crimes have been given retroactive immunity while continuing to make billions off overcharging the same customers they betrayed.

Nor was it long ago that we would have been rightly outraged by Patriot Act provisions – recently renewed – that allow for broad warrants to be issued by a secretive court for any type of record, without the government having to declare that the information sought is connected to a terrorism investigation; or that allow a secret court to issue warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist; and of course, that allow the government to search your home as long as it doesn't tell you it did.

The trend line is all too clear. More concerning than any single threat posed by any single technology is this larger pattern indicating that privacy as both a right and an idea is under siege. As young people grow up with so much of their information so public and accessible to all, including government, I fear their sense, appreciation and understanding of privacy will continue to fade away. The consequences of such a loss would be profound.

So I would disagree a bit with Zuckerberg. I think people do care about privacy, particularly when they understand the inherent costs of giving it up. Today social networking and internet communications are ubiquitous tools. Opting out of using them would be like opting out of using a telephone - it won't happen, nor should people be expected to do so.

The key is establishing rules of the road with real protections and the tools needed to give consumers more control over their data.

With that, I want to provide a few clips from a New York Times article entitled "Technology Outpaces Privacy" that also delves into this critical topic:

HOW far does consumer privacy protection lag behind data-collection systems, those advanced technologies that media companies use to gather, share and profit from our personal information? Too far, according to two privacy advocates. On the one hand, consumers often benefit from newfangled gizmos — be they cameras, tape recorders or cellphones. On the other hand, the widespread adoption of technology has often left legislators and regulators racing to play catch up.

In a similar fashion, the F.T.C.’s report recommends that Internet and mobile app users receive better control over who sees, collects and shares information about their electronic behavior — like, say, the Web sites they peruse or the terms they plug into search engines. Indeed, the commission proposed a “do not track” mechanism that would allow consumers to opt out of “behavioral advertising,” the kind of marketing that tailors ads to a consumer’s personal track record.

Take the Video Privacy Protection Act, enacted by Congress in 1988, after a local newspaper in Washington obtained and published the video rental records of Robert Bork, a Supreme Court nominee. The so-called Bork law, one of the country’s strongest privacy statutes, prohibits the disclosure of personally identifiable rental information without consumer consent.

...

Indeed, over time Congress has increased privacy regulation in different industries, he says. There’s the Health Insurance Portability and Accountability Act, for one, that in 1996 established certain federal protections for personal health information. And the Gramm-Leach-Bliley Act of 1999, which required financial service companies to notify customers about their information policies and allow them to opt out from having their data shared with unaffiliated parties.

...

The trade commission’s report proposes new industry practices to enhance online privacy choices for consumers. For those to take effect, however, either the interactive advertising industry would have to increase self-regulation or Congress would have to enact a law enabling the commission to enforce new rules. But Christopher Soghoian, a privacy researcher and graduate student at Indiana University, says most Web sites don’t allow consumers to opt out of tracking. Companies “promise they won’t use the data they collect for the purpose of picking the individual ads they are showing you,” he says, “but they don’t actually offer to stop collecting data about you.”

...

Web sites often deposit cookies on consumers’ computers to track online preferences and activities. The F.T.C.’s recommendation for an opt-out mechanism would play on that idea with a privacy cookie, encoded in people’s browsers, that would alert advertising networks to users’ privacy choices. But a few smaller companies have already moved beyond cookies, Mr. Soghoian says, with a technique called “device fingerprinting.” That advanced technology can follow online behavior — not by using cookies but by tracking signals that are specific to a person’s individual laptop or mobile device.

Click here for the rest of the article.

For 5 recommendations on how to better protect your online privacy check this article out.

Friday, December 10, 2010

Airport Body Scanners: An Old Technology with Gaping Security Shortcomings

I'm not going to rehash all the reasons why these airport body scanners are wrongheaded. For that, check out my article published in the California Progress Report entitled "A Hobson's Holiday Travel Choice: Digital Strip Search or Get Groped."

For the purposes of today I just want to alert everybody to an article I found by Pam Martens that was published on the excellent website Counterpunch entitled "Fears Mount on TSA Body Scanners".

Granted, I've written on this topic extensively, and have posted a myriad of articles on it too. I don't know if there's anything completely new in this piece, but it does a good job of compiling some important information, particularly relating to the inadequacy of the machines themselves in detecting what they're supposed to.

Also of interest in the piece is the testimony cited that exposes a variety of technical shortcomings, namely the age of this technology itself: 20 years!! Somehow this fact slipped by me over the months. I think this is important because one of the key talking points repeated, over and over, by machine proponents is that these somehow represent "cutting edge" technology that is critical in keeping us safe. Ha!

Here are a couple of particularly enlightening clips from the article:

Now documents have emerged, on the government’s own web sites, raising questions as to whether the machines are little more than overpriced metal detectors with a “beam me up Scotty” futuristic design. A scientist associated with one of the body scanner manufacturers, Ronald J. Hughes, has submitted patent documents to the U.S. Patent and Trademark Office for various devices involved in airport screening of passengers to detect terrorist threats. In those documents, Mr. Hughes details serious failings of the x-ray body scanning equipment, including its lack of reliability to detect plastics or ceramics used in bomb making.

...

In a detailed report delivered to Congress on March 17, 2010, the U.S. Government Accountability Office (GAO) further revealed the limitations of the body scanner machines in use in U.S. airports, originally called “Whole Body Imager” but now rebranded as the more spiffy sounding Advanced Imaging Technology or AITs. The GAO stated in its report (GAO-10-484T): “The AIT produces an image of a passenger’s body that a screener interprets. The image identifies objects, or anomalies, on the outside of the physical body but does not reveal items beneath the surface of the skin, such as implants.” Hiding potentially dangerous objects in body cavities will not be detected by these machines, raising questions as to why our government is spending $170,000 each for the units at an increased staffing cost of $2.4 billion over the 7-year anticipated life of the machines according to the GAO. (Each machine costs $369,764 in staffing costs for operation annually.)

In another GAO report delivered to Congress in October 2009 (GAO-10-128), researchers found that “TSA has not assessed whether there are tactics that terrorists could use, such as the placement of explosives or weapons on specific places on their bodies, to increase the likelihood that the screening equipment would fail to detect the hidden weapons or explosives.” GAO went on to note in the same report: “TSA has relied on technologies in day-to-day airport operations that have not been demonstrated to meet their functional requirements in an operational environment. For example, TSA has substituted existing screening procedures with screening by the Whole Body Imager even though its performance has not yet been validated by testing in an operational environment… Furthermore, without retaining existing screening procedures until the effectiveness of future technologies has been validated, TSA officials cannot be sure that checkpoint security will be improved.” In a footnote to this passage, GAO notes that the specifics of what it’s talking about here has been classified by the TSA.

One of the individuals who has been widely quoted as disputing the effectiveness of the body scanners is Rafi Sela, an expert on Israeli airport security. Mr. Sela has over 30 years experience in security and defense technologies, was a special advisor to the Israeli security agencies for counter terrorism and is a Managing Partner in AR Challenges, a consulting firm for advanced security technology. According to the company’s web site, it has “participated in applied strategic design of the operations and security at the Ben Gurion airport [in Israel], which is now a standard for many other high security airports.”

I wanted to hear directly from Mr. Sela. These are his emailed remarks: “The whole security system used in North America is wrong. The body scanners are just one more obsolete technology that does not provide any more security…it can be circumvented not only in body cavities but in other ways that I do not want to share with the public. This has been a great lobbying-marketing effort on behalf of the manufacturers.” Between 2005 and 2009, Rapiscan spent $1,678,500 on lobbying, according to data compiled at the Center for Responsive Politics (OpenSecrets.org). Michael Chertoff, former head of the Department of Homeland Security, has been a paid consultant to Rapiscan. On January 26, 2010, Congresswoman Jane Harman wrote to Janet Napolitano, head of Homeland Security, noting that Rapiscan was a company in the Congresswoman’s district. She urged Ms. Napolitano to “expedite installation of scanning machines in key airports.” Congresswoman Harman closed with: “If you need additional funds, I am ready to help.”

Another security expert, Bruce Schneier, says what the TSA is increasingly looking for these days is pentaerythritol tetranitrate (PETN). Writing recently at The Atlantic, Mr. Schneier explains PETN is “the plastic explosive that both the Shoe Bomber and the Underwear Bomber attempted but failed to detonate…The problem is that no scanners or puffers can detect PETN; only swabs and dogs work.” (Puffers were the TSA’s last fiasco. Officially called Explosives Trace Portal or ETP, they puff air at the passenger in hopes of sniffing the air for traces of explosives. A highly critical GAO report found they were rolled out without proper testing.)

...

That this technology has been in existence for two decades and is just now being rolled out to airports deserves a few moments of equally intense probing. Under what societal norms would there be a market for routinely taking nude pictures of airline travelers via scientifically challenged skin radiation that reveal genitalia; with a necessary back up plan of hand inspections of the buttocks and genitalia for opt outs. This 20-year old technology could only be massively deployed because of a long line of images since 9/11 which has desensitized the American psyche to human rights through a bombardment of human degradations: the images of thumbs up torture at Abu Ghraib; the televised pictures of the hooded prisoners on their knees at Guantanamo or in monkey cages; the endless columns of typeset devoted to waterboarding, renditions, kidnappings and assassinations – all in the name of making us more secure.

...

Now serious financial damage is looming for the nation’s airlines with Zogby International reporting in a poll taken between November 19 and 22 that 61 per cent of the 2,032 individuals polled oppose the use of body scanners and pat downs. The use of the backscatter x-ray machines and the more aggressive pat down procedures will cause 48 percent of individuals to seek an alternative means of travel. In addition, 52 per cent of respondents think the new security procedures will not prevent terrorist activity, 48 per cent consider it a violation of privacy rights and 32 per cent consider it to be sexual harassment, according to the Zogby poll.

At ACLU.org, the nonprofit organization reports it has received 900 complaints and has posted over 38 graphic accounts that can only be described as sexual molestation. Brief examples include: “The TSA agent used her hands to feel under and between my breasts. She then rammed her hand up into my crotch until it jammed into my pubic bone.” “I cried throughout the groping and have had intrusive thoughts since. It was humiliating.” “The procedure was violating, degrading, invasive and humiliating.” “It was so rough that I felt the effects of it throughout the day.” “I do not feel safer. I feel violated.”

Is this any way to run an airline – or a democracy?

Click here to read the entire piece.

I will admit, I was a little surprised by the Zogby poll numbers she cited, and may need to go see them for myself. If accurate, this is very good news, and tells me that all the outcry, from the public and privacy advocates (as well as others), had an effect. The number I want to confirm is the 61% that now oppose the "body scanners and pat downs" claim. That would be one helluva turnaround being that it is the reverse of that in the numbers I've seen.

There is, however, more opposition to the pat downs than the scanners, so perhaps bunching them together led to the higher figure. At any rate, this article only strengthens the argument I have been making here for over a year now: these machines need to go.

Tuesday, December 7, 2010

Behavioral Marketing and a "Do Not Track" List

The big news on the privacy front was last week's report released by the Federal Trade Commission (FTC) recommending, among other things, the establishment of a Do Not Track (DNT) mechanism. Not addressed in the report, a concern for some in the privacy community, were the privacy implications of cloud computing and social networking, the need for a US privacy agency, or a comprehensive federal privacy law based on "Fair Information Practices".

Nonetheless, the DNT option is an interesting concept - one that privacy advocates have supported in the past - and worth detailing here today. Before I get to specifics, I should define what kind of "tracking" we're talking about.

The Center for Digital Democracy defines behavioral marketing thusly:

Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.

A major infrastructure has emerged to expand and promote the interests of this sector, including online advertising networks, digital marketing specialists, and trade lobbying groups.

The role which online marketing and advertising plays in shaping our new media world, including at the global level, will help determine what kind of society we will create.

  • Will online advertising evolve so that everyone's privacy is truly protected?
  • Will there be only a few gatekeepers determining what editorial content should be supported in order to better serve the interests of advertising, or will we see a vibrant commercial and non-commercial marketplace for news, information, and other content necessary for a civil society?
  • Who will hold the online advertising industry accountable to the public, making its decisions transparent and part of the policy debate?
  • Will the more harmful aspects of interactive marketing - such as threats to public health - be effectively addressed?

Back in April, privacy advocates filed a complaint with federal regulators against tracking and profiling practices used by Google, Yahoo, Microsoft and other Internet companies to auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.

The complaint was filed by the Center for Digital Democracy, U.S. PIRG, and the World Privacy Forum, charging that a "massive and stealth data collection apparatus threatens user privacy," and asks regulators to compel companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

Internet companies would be asked to acknowledge that the data they collect about a person's online movements through software "cookies" embedded in a Web browser allows advertisers to know details about them, even if those cookies don't have a person's name attached.

Privacy advocates have long argued that, when enabled to protect their privacy and control their data, consumers will do so. BUT, not if it's made difficult, confusing, or time consuming. And this is why new rules and laws are so desperately needed for cyberspace...we need "systems" that will allow users to control their information in an easy, logical, and practical way.

And this leads to the need for a DNT mechanism on internet browsers. Essentially what the FTC is rightly arguing is that web users should be able to use a 'do not track' facility to block any use of their browsing habits for advertising purposes.

The feature, which the FTC said could be located within browsers, would prevent a person from being exposed to behavioural advertising and would function like 'do not call' lists of phone numbers.

FTC chairman Jon Leibowitz stated:

"Despite some good actors, self-regulation of privacy has not worked adequately and is not working adequately for American consumers. We deserve far better from the companies we entrust our data to, and industry, as a whole, must do better. So the FTC will take action against companies that cross the line with consumer data and violate consumers' privacy - especially when children and teens are involved. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that's what most Americans want as well....The Commission recommends a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The most practical method would probably involve the placement of a persistent setting, similar to a cookie, on the consumer's browser signaling the consumer's choices about being tracked and receiving targeted ads."

This is a sensible component of a much larger web privacy strategy that will ideally put the individual in control, or ownership, of their own data. While I favor the opt-in over the opt-out method as a rule of thumb, certainly a visible DNT mechanism in browsers would be an acceptable piece of the internet "privacy puzzle".

As for the public reaction to this debate, I think it's a no-brainer. Who doesn't want more choice, and control? Of course, it's not quite like a phone call at dinner. People aren't being physically interrupted from something they're doing, but, again, it comes down to the consumer's choice, one we do not currently have. It's also true that young people today are far more likely to want to, or be okay with, sharing personal information. However, studies show that when given the choice, they too care about privacy, and would more often than not choose that privacy if given the opportunity...they're just not going to work for it.

It also seems to me that this could benefit consumers in an additional way, because online marketers would have to find more substantive ways to coax web users into letting themselves be tracked. Thus, under DNT, consumers would likely get better or more free stuff for signing up.

I also liked what Susan Grant, the director of consumer protection at the Consumer Federation of America, had to say about why DNT is needed (in addition to much more comprehensive privacy legislation), stating,

"If someone were following you around in the physical world - tailing you and making note of everywhere you go, what you read, what you eat, who you see, what music you listen to, what you buy, what you watch - you might find this disturbing. On the Internet even if the tracker doesn't know your name, you are not anonymous."

She pointed to technology like so-called cookies and other persistent, digital identifiers that "are essentially personally identifying information."

Eric Newland of the Center for Democracy and Technology had some more critical points to add, writing:

While DNT is an intriguing idea, and one CDT has supported, it is not a silver bullet. If implemented, it would likely address, at best, just a portion of a larger problem. In its narrowest conception, DNT might give consumers an opportunity to state that they do not want data that has been collected about them to be used for the targeting of behavioral advertisements; enforceable rules would ensure that these expressions of consumer intent are respected.

But conceived in this way, DNT would leave consumers in the same, unfortunate position with regard to how their data – web browsing history, transaction data, contact information – is collected and how it is shared for purposes outside of behavioral advertising: with market research firms, data brokers, life insurance companies and the like. DNT further fails to address emerging challenges to online privacy: cloud computing, social networking, and the growth of the app economy. And DNT would certainly not address the collection and use of offline consumer data such as mortgage information, credit card information, DMV records, and other business records. DNT alone will not solve all of our privacy challenges.

Meanwhile, just unpacking the term “do not track” requires navigating a wide array of challenging questions. The very broad concept of DNT is appealing for consumers. But does DNT mean don’t collect user data, don’t use it for behavioral advertising specifically, or don’t use it for non-operational purposes generally? What are operational purposes? Should there be distinctions between first party collection and use and third party collection and use? What about sensitive information?

In fact, unpacking the term “do not track” requires grappling with the same questions that must be addressed before baseline consumer privacy legislation can be passed. It seems inefficient to slog through these questions in pursuit of a narrow answer to one particular privacy problem, when instead the process can be harnessed to reach consensus around baseline consumer privacy legislation.

In short, DNT is no replacement for baseline privacy legislation. While DNT-type mechanisms could function as useful privacy-enhancing technologies, we should not let a discussion about DNT distract us from a task that American businesses, the Department of Commerce, Congress, and consumers have all said is a priority: finally passing baseline privacy legislation.

The Electronic Frontier Foundation also added some important insights, stating:

...the biggest problem is not the targeted ads but the exhaustive records of peoples' reading and other online activities that are collected in order to facilitate that targeting.

The FTC report specifically endorses the idea of a standardized "Do Not Track" mechanism that would allow individuals to restrict the flow of their personal data to advertisers. Do Not Track is a response to the fact that it is currently extremely impractical for consumers to defend themselves against the astonishing array of sophisticated tracking technologies that are easy to deploy and in widespread use. One of the strongest arguments for the technical feasibility of Do Not Track can be found in this interesting blog post.

Of course, behavioral advertising is not a new issue for the FTC. They issued proposed principles for industry self-regulation back in 2007. However, this self-regulatory approach has been widely criticized as ineffective - leading to speculation that it is time for direct regulation of behavioral tracking.

...

The FTC's new privacy report is a promising development in the evolution of online consumer privacy. EFF looks forward to working with other organizations to address the issues raised by this report. The House Subcommittee on Commerce, Trade, and Consumer Protection will delve into the issue of Do Not Track more fully during a hearing scheduled for tomorrow, and we have high hopes that the conversation will be furthered by an upcoming Department of Commerce report.

With the publication of the privacy report, it seems that the FTC is ready to tackle some of the most challenging issues of online consumer privacy - including revolutionary approaches to defending personal privacy such as Do Not Track.

All in all I think there is some reason to be hopeful about the direction of the FTC, and supportive of the DNT concept. But, as with any issue this large, and this uncharted (i.e. privacy on the internet), there are going to be HUGE moneyed interests out to stifle progress in the name of the bottom line. This issue will be no different...as marketers will be lining up to stop anything that might slow their ability to make money off your private data.

I don't think it's by accident that we are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore. Well, that's easy to say when you are the ones developing the complicated and difficult-to-find privacy settings consumers have to deal with.

My guess is that, if given the choice and opportunity to not be tracked, consumers will take it in droves. But, as pointed out in today's post, this is only one small component of the much larger effort underway to establish comprehensive internet privacy protections and data rights.

Stay tuned for that continuing fight.

Friday, December 3, 2010

TSA Manipulates Opt-Out Day Figures, Harvard Students Sue

Okay, this will be my last post on this topic for at least a little while, and I think this is a good place to leave it. Last post, in explaining why I wasn't that surprised the National Opt-Out Day wasn't a rousing "success" I mentioned a few key factors.

One, only a small percentage of passengers are actually asked to go through the digital strip search machines. Two, the vast majority of airports still aren't equipped with them. Three, when people are traveling on the holidays (or any time for that matter) it's very difficult to get them to willingly delay their own trip...or be blamed for delaying others.

I also pointed out something else peculiar about the statistics that the TSA reported about that day. Based on government accounts, the numbers certainly were impressive. Only 1% opted out? Really? "Detroit: 25,000 passengers screened today, and 57 AIT opt-outs!" Amazing, right?

What they failed to mention is how many passengers actually were asked to go through the scanners, and how many of those opted out. Yes, they reported the number of opt-outs at airports, but they've been contrasting that with the total number of those that flew. Also not reported is how many passengers flew over the holidays versus the past, and whether any decline might be due to people "opting out" of flying altogether.

But there appears to be even more to this data rigging story than that. It turns out, in addition to the above, the machines weren't labeled as "body scanners," nor were there any images posted by or on them showing what they do. In addition, when the TSA reports 99 percent of travelers consented to the body scanners, that consent was neither verbal nor written (in other words, nobody will ask you if it's okay). That consent is presumed if you walk into the machine without objecting. So no "opt-out" choices were presented. In other words, to opt out, a traveler would have to realize he was being directed into a body scanner, understand that he had a choice, and stop and speak up to a TSA agent.

But THAT'S not even the whole story. As reported in Raw Story, the group Liberty Guard (a libertarian organization) has filed a Freedom of Information Act request with the Transportation Security Administration to determine why many airport imaging scanners were reportedly shut down and roped off on November 24th, the day of a planned "opt out" protest.

Eric Dolan writes:

But reports from travelers and local news sources suggest that at some of the busiest airports in the US the TSA backed down and resorted to using the old screening procedures, such as metal detectors and less-intrusive pat-downs.

"We'd like to know if we can expect a policy shift from the TSA or if they were merely attempting to shut down the public outcry regarding their search procedures," Joe Seehussen, President of Liberty Guard said.

...

The American Civil Liberties Union (ACLU) says it has received over 900 complaints from travelers over the last month who've been subjected to the new screening procedures.

Click here to read the story in its entirety.

Taking into account those factors, the fact that the National Opt-Out day didn't have the impact some believed it might isn't all that surprising - nor is it a blow to the effort to rein in our increasingly intrusive, wasteful, and absurd security state.

I'm under no illusion there is some national uproar about to take root. I'm also very concerned with the way in which this issue is being framed by a lot of right wing interests who seek to use it as a battering ram against public employees and the President. Similarly, I would hate to see this all lead to some privatization of security scheme.

Nonetheless, I would also take what you have heard from the TSA and the media regarding public opinion on this subject with a healthy dose of skepticism.

On that note, some Harvard students have taken it upon themselves to file a lawsuit seeking to rein in use of these full-body scans and pat-downs. The Boston Globe reports:

Two Harvard Law School students have sued the Transportation Security Administration, seeking to restrict the use of full-body scanners and pat-downs at airports and joining a growing number of lawsuits filed across the country that claim the screening procedures infringe on constitutional rights to privacy.

...

The students, Jeffrey Redfern and Anant Pradhan, are asking the court to ban the TSA from using the screening procedures without reasonable suspicion. Margaret Paget, a partner at the Boston law firm Sherin and Lodgen, said the Harvard students, who are representing themselves in the suit, have a valid claim and a chance of winning.

The suit is at least the sixth filed against the TSA since the agency put the enhanced screening procedures into widespread use following the so-called underwear bomber’s unsuccessful attempt to blow up a plane last Christmas with explosives hidden beneath his clothes. A suit filed in US District Court in Denver last week claimed the pat-downs were “disgusting, unconscionable, sexual in nature.’’ The Electronic Privacy Information Center, an advocacy group, described the scanners as the equivalent of a “digital strip search’’ in a suit filed in Washington in July.

“I see the lawsuits as part of a genuine citizen rebellion against invasive and ineffective airport screening,’’ said John Verdi, senior counsel at the privacy information center. “These scanners fail every conceivable constitutional test. They are not narrowly targeted at individuals that the government suspects of wrongdoing. They are not the least invasive means. And they are not effective at achieving the government’s stated end, which is detecting powdered explosives.’’

Under TSA screening procedures, passengers selected for full-body scans can opt for a pat-down search instead. Redfern and Pradhan both chose the pat-down at Logan International Airport while traveling separately in November, according to their complaint. The search, which included “prodding and lifting of genitals and buttocks,’’ was so intrusive that, “if done non-consensually, would amount to sexual assault in most jurisdictions,’’ the complaint said.

In an interview with the Harvard Law Record, Pradhan said an agent put his fingers inside the waistband of his pants, lifted his buttocks, and felt his groin. “They’ll go all the way up until — well, they go all the way up,’’ he told the law school newspaper.

Click here to read more.

Now, in coming posts I want to get into some new privacy related topics, from Google books to "do not track" legislation and more.