Thursday, May 26, 2011

CA Privacy Legislation Targeted by Google, Facebook, and Other Tech Firms

A few weeks ago, in discussing the landmark Do Not Track bill, SB 761 (Sen. Alan Lowenthal), that would require any company collecting data from a California resident to provide a method of opting out of that data collection, I pointed out how two of privacy's greatest enemies - Facebook and Google - had come to oppose the legislation.

Yes, strange bedfellows in once sense, but brothers in arms in another (they both are aggressive opponents of the right to privacy). Recently, there's been another bill targeted by these tech goliaths, SB 242 (Ellen Corbett).

As noted by Bill Mullin of Paid Content, "The bill, as currently written, would require big changes to social-networking sites like Facebook. Most significantly, it would require users to set their privacy settings upon registration, rather than look for privacy settings after they’ve joined. It would also require settings to default to keeping information private, rather than making it public. (It almost doesn’t need to be said at this point, but the settings for a new Facebook profile default to public.) Willful violations of the proposed law would result in $10,000 fines."

As he also points out, technology and social media companies, from Facebook and Google to social media startups, are starting to form active coalitions designed to prevent California privacy bills from becoming law. This anti-privacy coalition now includes Google, Facebook, Yahoo, Zynga, Oodle, an online classified site; Identified, a professional networking site; Zecco, a community investing site; and BranchOut, a professional networking service on Facebook.

Before I get to a major article in the Wall Street Journal detailing this alliance - particularly between Google and Facebook - let me return to a couple key points by Mullin, who wrote, "It may seem surprising that national and even global tech companies might be regulated from Sacramento—but it has happened before. In fact, the requirement that websites have privacy policies displayed at all is due to a California state law passed in 2003. There is no federal requirement to have a privacy policy at all; but the California privacy law includes fairly detailed language about what must be included in a privacy policy. It also defines what constitutes personal information."

As I said, apparently California's efforts to bring regulatory protections up to speed with rapid technological advancements is garnering some well deserved attention.

The Wall Street Journal reports:

There’s not much love lost between Facebook and Google these days, but the companies are joining forces in one area – fighting two online-privacy bills that are moving through the California legislature.

One of the bills, a “do not track” proposal introduced by State Sen. Alan Lowenthal, would require companies to let people opt out of having their online data collected. The other, by State Sen. Ellen Corbett, would require social-networking sites to keep users’ information private by default and to remove personally identifying information if requested.

Both bills were approved by the Judiciary Committee, but they face strong opposition from some big players in the state. Google Inc. and Facebook Inc. are among dozens of companies and trade groups opposing at least one of the bills.
The bills are evidence of growing interest in privacy legislation, which is also being debated at the federal level. Last month, Sens. John Kerry (D., Mass.) and John McCain (R., Ariz.) proposed legislation that would create a “privacy bill of rights” that would let people block information from being shared and access personally identifiable information about themselves.

And the bill from Sen. Lowenthal adds to other efforts to regulate a “do-not-track” mechanism. Earlier this month, U.S. Sen. Jay Rockefeller (D, W.Va.) proposed a bill called the Do-Not-Track Online Act of 2011 that would prohibit companies from collecting information from people who have indicated they don’t want to be tracked. The Federal Trade Commission has discussed requiring companies to honor such opt-outs.

This year, makers of the Firefox, Internet Explorer and Safari Web browsers have all made tools within their browsers that let users indicate they don’t want to be tracked. But tracking companies aren’t required to honor those messages.
The California bills are the latest in a series of moves by the state to confront privacy concerns more aggressively than the federal government has thus far. The state already allows residents to get access to some of the data companies have on them, for example.
“There may be more of a chance for federal legislation if we see states threatening action,” said Justin Brookman, the director of the Project on Consumer Privacy at the Center for Democracy and Technology.
Privacy advocates have praised the general intent of the California bills – giving consumers more access to their information and more control over it. But even supporters of the ideas have said there are a few problems. The bill from Sen. Corbett, for example, would allow parents to request the removal of a child’s personally identifiable information as long as the child was under 18. Proving that someone is a child’s parent or guardian would be extremely difficult, and removing teens’ information would be problematic, Mr. Brookman said. “Teenagers actually have First Amendment rights,” he added.

To read more on the Do Not Track bill in particular, you can check out my recent posts, here, here and here

Clearly, I believe, strongly, that consumers should have the right and ability to tell websites not to spy on them or collect detailed profiles based on what they choose to do on the web. Remember, we should OWN our data, and that means we should have control over how its used - if used at all.

I've also often made the point, that when it comes to this issue in particular, an interesting dichotomy is at work. On one hand, while its true people seem to "care" about privacy on one level, they tend to do very little to actually do so. Which in my mind, makes easy to use, clear options to protect privacy all the more paramount. Because, once people are given such a choice, not only will more people choose to "not be tracked", I think more people will become more AWARE of just how all pervasive such monitoring of nearly everything we do has become.

Monday, May 23, 2011

Another "Temporary" Extension of the Patriot Act

This is becoming an annual slap in the face to the Constitution and codification of our burgeoning security state that I have termed the "Fear Industrial Complex". Yes, its Patriot Act extension time! The Senate, thanks to a deal between majority leader Harry Reid and his Republican colleagues to sidestep debate and jam the civil liberties killing legislation through, is expected to extend the Act for another 4 years.

Forget about the fact that if there's ANYTHING deserving of debate, its the Patriot Act. But what of this increasingly common procedure to abdicate, you know, democracy related responsibilities in Congress (War on Libya anyone?)?

Ironically, this is EXACTLY how the PATRIOT Act first came into existence 10 years ago. No debate, no reflection on the precedent we were about to set, and no real consideration for the pandora's box we were about to open.. Yet, here we are, again, with Congress putting its stamp of approval on such "unconstitutional greatest hits"as:

  • provisions allowing broad warrants to be issued by a secretive court for any type of record, from financial to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation; 
  • the continuation of so-called “roving wiretaps”, allowing the FBI to obtain wiretaps from the secret court, known as the FISA court, without identifying the target or what method of communication is to be tapped. 
  • the so-called “lone wolf” measure that allows FISA court warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist.
As for the question regarding why we need more debate, and more protections, how about the report recently released in which the FBI admitted to the President’s Intelligence Oversight Board to violating the law at least 800 times on national security letters, going well beyond even the loose safeguards in the original provision. According to the report the FBI “may have violated the law or government policy as many as 3,000 times” between 2003 and 2007, according to the Justice Department Inspector General, while collecting bank, phone and credit card records using NSLs.

But don't take my word for it. The Electronic Frontier Foundation (EFF) has found plenty of evidence regarding FBI abuses of the PATRIOT Act. For instance, the FBI itself reported nearly 800 violations of privacy laws and regulations to the President's Intelligence Oversight Board from 2001 to 2008.

EFF said it has also uncovered "indications that the FBI may have committed upwards of 40,000 possible intelligence violations in the 9 years since 9/11." It said it could find no records of whether anyone was disciplined for the infractions.  

We also know that the FBI used the Patriot Act under the Bush Administration to target liberal groups, particularly anti-war ones during the years between 2001 and 2006 in particular. According to a recent report by the ACLU, there have been 111 incidents of illegal domestic political surveillance since 9/11 in 33 states and the District of Columbia.

The report shows that law enforcement and federal officials work closely to monitor the political activity of individuals deemed suspicious, an activity that was previously common during the Cold War. That includes protests, religious activities and other rights protected by the first amendment.

The spying could take the form of listening to phone calls, intercepting wireless communications, harassing photographers or infiltrating protest groups. Also discovered was the way in which agencies' are increasingly connected through various information sharing measures, making it more likely that information collected on an individual by a small police department could end up in an FBI or CIA database.

All of this of course is part of a much larger trend that paints a disturbing narrative, a narrative that points in one direction only: an increasingly intrusive surveillance state with an Executive Branch getting dangerously close to being above the law.

As noted scholar Juan Cole noted, "The US Bill of Rights says that people have the right to privacy in their personal effects and their communications from government prying except where the police obtain a warrant from a judge. The tendency in the US for the past 40 years has been to chip away at this requirement, giving government agencies more and more unsupervised surveillance authority."

Yet, knowing all that, Congress isn't going to even have this debate in the light of day.

As I point out each year we renew this abomination, it wasn't long ago that the American public, and certainly the majority of congressional Democrats would have been rightly outraged by Patriot Act provisions that allow for broad warrants to be issued by a secretive court for any type of record, without the government having to declare that the information sought is connected to a terrorism investigation; or that allow a secret court to issue warrants for the electronic monitoring of a person for whatever reason — even without showing that the suspect is an agent of a foreign power or a terrorist; and of course, that allow the government to search your home as long as it doesn't tell you it did.

But that was then, this is now. Granted, during the Bush years there was at least some resistance in Congress to the Act, and at least some attention was given to the numerous, and continuous government abuses of the law. As the years have passed however, and a Democrat now sits in the White House, that resistance has largely evaporated, particularly with the last elections defeat of privacy champion Russ Feingold.

To give credit where credit is due, Sen. Jeff Merkley (D-OR) did release a strong statement today lamenting the lack of debate

    Senator Jeff Merkley says he was very concerned when he heard Thursday Senate leaders would move to close debate Monday on a package extending three Patriot Act rules. Jeff Merkley: “I think it’s outrageous that there’s a proposal for a four-year extension in which the intention is to have no significant debate on the floor of the Senate, and no opportunity for amendments.” [...]

    Merkley says he isn’t sure if the extensions will pass, but notes some of his colleagues sounded unhappy about the parliamentary move used to forestall more debate.

    Jeff Merkley: “There is some chance that reaction may be strong enough to change that and turn this into a real debate. Leadership may say we have other things to get to by next Friday. My reaction is we’ve had plenty of time to have a thorough debate on the floor.”

As David Dayen lays out, in addition to Merkley, Sen. Mark Udall (D-CO) opposes the quick reauthorization without debate. He sent an email to his supporters asking for them to sign a petition calling for the reform of the Patriot Act.

    Benjamin Franklin once said that any society that would give up essential liberties to pursue security deserves neither and will lose both. Those words ring true today [...]

    But while many of the PATRIOT Act’s provisions — which I support — have made our nation safer since the devastating terrorist attacks of 9/11, there are three provisions that fail to strike the right balance between keeping us safe while protecting the privacy rights of Coloradans. Instead, these three provisions have been far too susceptible to abuse by the federal government, even in the name of keeping us safe from terrorism [...]

    These three provisions are troubling because they are ripe for abuses that involve expansive government surveillance of innocent people, even though common sense fixes and protections exist if only we were allowed to debate them.

Sadly, we are on the brink of yet another renewal of the act, with the active support of what was once an ardent critic of it - President Obama.

Julian Sanchez provides another aspect of the Act that should be garnering more attention, stating:

More urgent than any of these (provisions), however, is the need to review and substantially modify the statutes authorizing the Federal Bureau of Investigation to secretly demand records, without any prior court approval, using National Security Letters. Though not slated to sunset with the other three Patriot provisions, NSLs were the focus of multiple proposed legislative reforms during the 2009 reauthorization debates, and are also addressed in at least one bill already introduced this year. Federal courts have already held parts of the current NSL statutes unconstitutional, and the government’s own internal audits have uncovered widespread, systematic misuse of expanded NSL powers. of NSL authority — and, indeed, should significantly curtail it. In light of this history of misuse, as well as the uncertain constitutional status of NSLs, a sunset should be imposed along with more robust reporting and oversight requirements.

John Whitehead wrote an excellent piece a couple months ago entitled "Renewing the Patriot Act While America Sleeps". He states:

The Patriot Act drove a stake through the heart of the Bill of Rights, violating at least six of the ten original amendments–the First, Fourth, Fifth, Sixth, Seventh and Eighth Amendments–and possibly the Thirteenth and Fourteenth Amendments, as well. The Patriot Act also redefined terrorism so broadly that many non-terrorist political activities such as protest marches, demonstrations and civil disobedience were considered potential terrorist acts, thereby rendering anyone desiring to engage in protected First Amendment expressive activities as suspects of the surveillance state.

The Patriot Act justified broader domestic surveillance, the logic being that if government agents knew more about each American, they could distinguish the terrorists from law-abiding citizens–no doubt an earnest impulse shared by small-town police and federal agents alike. According to Washington Post reporter Robert O’Harrow, Jr., this was a fantasy that had “been brewing in the law enforcement world for a long time.” And 9/11 provided the government with the perfect excuse for conducting far-reaching surveillance and collecting mountains of information on even the most law-abiding citizen.

Suddenly, for the first time in American history, federal agents and police officers were authorized to conduct black bag “sneak-and-peak” searches of homes and offices and confiscate your personal property without first notifying you of their intent or their presence. The law also granted the FBI the right to come to your place of employment, demand your personal records and question your supervisors and fellow employees, all without notifying you; allowed the government access to your medical records, school records and practically every personal record about you; and allowed the government to secretly demand to see records of books or magazines you’ve checked out in any public library and Internet sites you’ve visited (at least 545 libraries received such demands in the first year following passage of the Patriot Act).

In the name of fighting terrorism, government officials were permitted to monitor religious and political institutions with no suspicion of criminal wrongdoing; prosecute librarians or keepers of any other records if they told anyone that the government had subpoenaed information related to a terror investigation; monitor conversations between attorneys and clients; search and seize Americans’ papers and effects without showing probable cause; and jail Americans indefinitely without a trial, among other things. The federal government also made liberal use of its new powers, especially through the use (and abuse) of the nefarious national security letters, which allow the FBI to demand personal customer records from Internet Service Providers, financial institutions and credit companies at the mere say-so of the government agent in charge of a local FBI office and without prior court approval.


In fact, since 9/11, we’ve been spied on by surveillance cameras, eavesdropped on by government agents, had our belongings searched, our phones tapped, our mail opened, our email monitored, our opinions questioned, our purchases scrutinized (under the USA Patriot Act, banks are required to analyze your transactions for any patterns that raise suspicion and to see if you are connected to any objectionable people), and our activities watched. We’ve also been subjected to invasive patdowns and whole-body scans of our persons and seizures of our electronic devices in the nation’s airports (there were 6,600 such seizures in airports alone between October 2008 and July 2010). We can’t even purchase certain cold medicines at the pharmacy anymore without it being reported to the government and our names being placed on a watch list. And it’s only going to get worse.

Most Americans have been lulled into thinking that the pressing issues are voting in the next election or repealing health care. This is largely due to the media hoopla over the Tea Party, the recent elections and the health care law, and the continuous noise from television news’ talking heads. But the real issue is simply this–the freedoms in the Bill of Rights are being eviscerated, and if they are not restored and soon, freedom as we have known it in America will be lost. Thus, Congress should not renew the USA Patriot Act, nor should President Obama sign it into law. If he does so, he might just be putting the final nail in our coffin.

As Glenn Greenwald questioned last year, does such a massive surveillance apparatus actually make us safer? Greenwald says no, statingThe problem is never that the U.S. Government lacks sufficient power to engage in surveillance, interceptions, intelligence-gathering and the like. Long before 9/11 -- from the Cold War -- we have vested extraordinarily broad surveillance powers in the U.S. Government to the point that we have turned ourselves into a National Security and Surveillance State. Terrorist attacks do not happen because there are too many restrictions on the government's ability to eavesdrop and intercept communications, or because there are too many safeguards and checks. If anything, the opposite is true: the excesses of the Surveillance State -- and the steady abolition of oversights and limits -- have made detection of plots far less likely. Despite that, we have an insatiable appetite -- especially when we're frightened anew -- to vest more and more unrestricted spying and other powers in our Government, which -- like all governments -- is more than happy to accept it.”

Again, as I have written in response to past Patriot Act extensions: An undeniable pattern has emerged over the past few years that fundamentally challenges the entire premise of a "war on terror" and exposes just how ineffectual and counterproductive these policies have actually been. The reoccurring theme goes like this: Powerful interests - inside and outside of government - sell fear as way to justify the steady assault on our civil liberties, increased spending on military defense, and the growth of the surveillance state.

But here's another important piece of the puzzle that keeps popping up: more often than not the government HASN'T USED these expanded powers to actually fight terrorism (instead often to thwart anti-war protesters, bust small time drug dealers, monitor journalists, and who knows what else?) - as was promised. This begs a larger question, "Who has been targeted and why?"Another question worth pondering: Can we really "defeat" terrorism by embracing a less free and more fearful society (two primary goals of terrorists)?

Thursday, May 19, 2011

California's Office of Privacy Protection on Budget Chopping Block

In these times of budget deficits and the unfortunate embracing of austerity measures in California and across the country, its not a big surprise that California's Office of Privacy Protection has been targeted for elimination.

But, as with so many other programs on the chopping block, there's a strong case to be made that eliminating this office does more harm than good, both in financial terms, and privacy terms.

Let me explain why I believe this to be the case by posting our (Consumer Federation of California) support letter for the office recently sent to the Assembly Budget Subcommittee 4, where this issue will be debated next.

The Consumer Federation of California opposes the item on Page 114 of the Governor’s May Budget Revision that would eliminate funding for the Office of Privacy Protection. We believe the net effect of the elimination of this agency would be increased state government costs and decreased state government revenues – more than offsetting the $500,000 savings the proposal seeks to achieve.

This small agency, located in the State and Consumer Services Agency, is the nation’s first state agency dedicated to advancing consumer privacy. In the ten years since it was created, it has provided important assistance to tens of thousands of California consumers, including many victims in need of guidance in mitigating the negative effects of identity theft. The Office of Privacy Protection assists small business and government agencies in better understanding privacy laws and best practices, and it conducts education outreach to thousands of Californians each year.

As technology rapidly evolves, new avenues for invasion of privacy are created. This increases the need for a state agency that has as its mission the protection of personal privacy. The Consumer Federation of California has recently worked on privacy impacts of online commerce, deployment of the smart grid, internet tracking, automobile insurance rate setting, and electronic medical records. These are all areas where the demand for the kind of expertise available through the Office of Privacy Protection will only increase.

The Office of Privacy Protection has been substantially reduced over the past few years. Ten years ago, this agency had a budget of some $1,100,000 and a staff of nine FTE employees. Today its budget stands at about $500,000 and seven positions.

We understand the extraordinarily difficult decisions lawmakers must make to balance the state budget during this protracted economic recession. But some reductions have the unintended consequence of increasing government costs or diminishing state revenues beyond the level of short term saving that the cuts may achieve.

A closer examination of the role that the Office of Privacy Protection provides to California’s economy militates against the elimination this agency as a cost cutting move.

California’s modest investment in privacy protection produces a much bigger positive contribution to our state’s bottom line. The improvements to the state’s balance sheet include assistance to law enforcement agencies in combating and enforcing against identity theft. This reduces expenditures by state and local agencies for staff training and hiring of outside consultants to provide this expertise.

The Office of Privacy Protection also provides assistance to California businesses in developing practices that comply with state privacy law, reducing business costs in litigating and settling lawsuits that arise from inadvertent violations of privacy laws. This in turn enhances taxable California business profits. The Office assists taxpayers in avoiding and mitigating the effects of identity theft. This reduces the tax deductions that ordinary Californians would claim for losses resulting from this form of criminal activity.

In other words, the services of the Office of Privacy Protection more than pay for themselves in the form of greater state tax revenues and reduced state and local government agency costs.

We respectfully urge you to restore funding to the Office of Privacy Protection.

Thursday, May 12, 2011

Another "Do Not Track" Bill Proposed in Senate

For all intents and purposes, it appears "do not track" is the privacy story of the past few months. For good reason, there has been a virtual explosion in data collection, data analysis and use of behavioral marketing on the internet without the requisite privacy protections to go along with it.  The fact is, billions of dollars at stake, and your private information is the currency.

Before I discuss the latest legislation advocating for a "Do Not Track" mechanism on web browsers from Senator Jay Rockefeller, let me provide some back-story first. We know for a fact, and they have been sued for it, companies like Google, Yahoo, Microsoft and other Internet companies track and profile users and then auction off ads targeted at individual consumers in the fractions of a second before a Web page loads.

That in itself, may not be all that threatening to most. But it raises some interesting questions: What kind of control should we have over our own data? And, what kind of tools should be available for us to protect it? What about ownership of our data? Should we be compensated for the billions of dollars being made by corporations from their tracking of us? And of course, what of the government's access to this new world of data storage?

The argument from privacy advocates has largely been that this massive and stealth data collection apparatus threatens user privacy and regulators should compel (not hope that) companies to obtain express consent from consumers before serving up "behavioral" ads based on their online history.

For instance, in the Kerry-McCain legislation (that supposedly compliments Rockefeller's bill), Internet companies would be asked to acknowledge that the data they collect about a person's online movements through software "cookies" embedded in a Web browser allows advertisers to know details about them, even if those cookies don't have a person's name attached. More generally, particularly on the issue of privacy on the Internet, the fact that we have next to no privacy standards as related to these technological innovations and trends is disturbing, and more than enough of a reason for legislation like that being offered by Rockefeller (and in California in the form of SB 761) and others.

Rockefeller's bill would create a “universal obligation for all online companies” to not track people who set a browser flag or cookie saying they don’t want to be tracked. The Do Not Track flag is a rather simple concept that's already been built into Firefox and IE9. If users choose to turn on the option, every time they visit a web page the browser will send a message to the site, saying “do not track.”

In explaining the bills need, Rockefeller stated “Consumers have a right to know when and how their personal and sensitive information is being used online — and most importantly to be able to say ‘no thanks’ when companies seek to gather that information without their approval. This bill will offer a simple, straightforward way for people to stop companies from tracking their every move on the internet.”

The bill would also empower the FTC to go after companies that disobey the flag. Companies can collect info needed for their service to work from users who set the flag, but must destroy it or anonymize it once it’s no longer needed.

As detailed by Ryan Singel of Wired Magazine, "The likely winner if such a bill passes is oddly Facebook, since the company targets its ads based on the information that users explicitly provide it, which puts it beyond the bill’s reach. Google faces the most risk, since, depending on the bill’s wording, it could apply not only to its far-reaching advertising network, but also to its collection of user’s search terms."

As you might guess, web firms generally oppose “do not track” rules - arguing that companies can create their own tools to help users manage tracking. Of course, this whole "voluntary" compliance argument made by corporate interests seeking to maximize profits at all costs simply doesn't hold water.

E-Week has more on this legislation and the reaction from some privacy advocates:

The Consumers Union, the Electronic Frontier Foundation, Consumer Action, the Center for Digital Democracy and the American Civil Liberties Union all spoke in favor of the bill during a May 9 conference call. The bill offered "crucial civil liberties protection for the 21st century," Chris Calabrese, legislative counsel at the ACLU, said on the call.

"This legislation would give Americans the right and the right tools to browse the Internet without their every click being tracked," Consumer Protection Director Susan Grant said.


While it was heartening to see the industry coming out with its own solutions, there was no requirement or enforcing companies from complying with user preferences, said Ioana Rusu, regulatory counsel for Consumers Union. Rusu claimed that giving the agency and states’ attorneys general the authority to impose civil penalties against the companies that violate the rules was very important.

“This bill will put regulatory support behind these industry initiatives and make sure that online providers listen to the many consumers who want to clearly say ‘no’ to online tracking,” said Rusu.

The Rockefeller bill “complements” the online privacy bill introduced by U.S. Sens. John Kerry (D.-Mass.) and John McCain (R.-Ariz.) in April, Rusu said. The Kerry-McCain bill would require companies to inform users up-front what data was being collected and to provide a clear way to opt out of the collection. Consumer groups and privacy advocates criticized the fact that the Kerry-McCain bill did not explicitly address “do not track” and gave the Commerce Department too much power over regulating consumer online privacy.

The Rockefeller bill is expected to be discussed as an amendment

Rockefeller included mobile phones in the bill and the provisions would apply to mobile phone network operators as well as Websites and online advertising networks. The mobile phone provisions are important in light of recent reports that Apple and Google are tracking user locations using the user’s smartphone, according to Jamie Court, president of Consumer Watchdog.

Click here to read more.

It should be noted, that the most far reaching "Do Not Track" (DNT) and financial privacy legislation being proposed comes from Congresswoman, Jackie Speier. Her bill would essentially allow Internet users to opt-out from "cookies, sniffing, scraping, or any other new and creative methods developed by those looking to profit through these activities." The "DNT" legislation would allow the Federal Trade Commission to force online advertisers to respect the wishes of users who do not want to be tracked for marketing purposes.

Likewise, in California, SB 761 is modeled after the Speier bill, thus also offering consumers a "Do Not Track Me" mechanism, something the bill's sponsor describe as "one of the most powerful tools available to protect consumers' privacy." The mechanism will allow anyone online to send Websites the message that they do not want their online activity monitored.

Certainly one strong point of the legislation is that it is in line with public opinion, which a poll by Consumer Watchdog last summer found 80% of Americans support a Do Not Track option. In addition, a recent USA Today/Gallup poll found that most Americans are worried about their privacy and security when they use Facebook and Google.

Interestingly, though expected, the European Union is going even further by making the mechanism and opt-in, rather than opt-out. Let's face it, opt-out options are often confusing, and buried a few clicks away often in fine print (though 'Do Not Track" mechanisms will be easier to locate...which is a good thing). But for me, opt-in is superior not just due to "convenience". It goes deeper than that, its about having control over YOUR information. AS I have written here before, "If someone wants to borrow something of mine, like my car, I don't have to find a way to opt-out of doing so after they've taken it on a spin, they have to come to me first. The same should be true of what I do in my private time, on the net, or in my home (think smart meter)."

I'll continue to cover the details, and the progress, of these, and related bills.

Wednesday, May 11, 2011

Sen. Franken Holds Hearings on Mobil Device Tracking, Justice Dept. Wants More of It

As you probably are aware, a few weeks ago security researchers discovered that Apple's iPhone keeps track of EVERYWHERE you go – and saves every detail of it to a secret file on the device which is then copied to the owner's computer when the two are synchronized.

As I have written here before, the fact that Americans are losing their privacy as they travel through public space due to location-based technologies isn't debatable. The question, as is so often the case when it comes to issues at the intersection of privacy and technology, is what kind of say do we have in the matter and what kind of rules are in place protecting our privacy rights?

To help answer questions like these, Senator Al Franken decided to hold hearings on the topic yesterday - inviting Google, Apple, and the Justice Department to participate. The Senator also sent a letter to Apple a few weeks back questioning why it included the feature in its software in the first place. The letter reads, “The existence of this information — stored in an unencrypted format — raises serious privacy concerns,” He later emphasized the information — which could be “accurate to 50 meters or less” — also applies to iPhones and iPads owned by children, and could easily be exploited by “criminals and bad actors.”

Franken also asked Steve Jobs to explain whether the location data has been disclosed, and whether the same technology is also included as part of the operating system software that runs on the company’s popular MacBook laptops.

Yesterday's hearing is particularly significant in that it demonstrates a heightened interest in Congress in reforming federal laws on privacy, tracking and surveillance. But what stood out to me in Tuesday's hearings wasn't the ardent claims of "innocence" by Google and Apple, but rather, the asserted desire from the Justice Department that such companies should be mandated to store MORE consumer data, not less.

So, before I get to the specific arguments over the devices themselves, and Franken's comments, let me direct you to the article in CNet that details the bold, and disconcerting position of the Justice Department itself - a position completely, at least seemingly, at odds with the theme and purpose of the hearings themselves.

Declan McCullagh reports:

The U.S. Department of Justice today called for new laws requiring mobile providers to collect and store information about their customers, a proposal that pits it against privacy advocates and even other federal agencies.

Jason Weinstein, the deputy assistant attorney general for the criminal division, picked an odd place to describe the department's proposal: a U.S. Senate hearing that arose out of revelations about iPhones recording information about owners' locations, and, in some cases, transmitting those data to Apple without consent.


The Justice Department's suggestion conflicts with what the Federal Trade Commission--which also sent a representative to today's hearing--has recommended. A company should adopt a policy of "not collecting or retaining more data than they need to provide a requested service or transaction," said Jessica Rich, deputy director of the FTC's bureau of consumer protection.

"I believe that consumers have a fundamental right to know what data is being collected about them," Franken said. That can be, he said, "really sensitive information that I don't think we're doing enough to protect."

It should be noted that Weinstein didn't elaborate on whether the government wanted to require wireless providers to record location information as well - but it certainly seems likely they would view that as valuable too.

In related news, Sen. Ron Wyden is currently working on legislation that could become part of the chamber’s larger effort to set new rules for how and when federal law enforcement can access consumers’ location data. Something I believe - clearly after yesterday's hearing and the comments by Weinstein - is needed.

In that past, we had services such as EZ Pass (allows you to bypass stopping to pay the bridge toll), Google Latitude, the GPS tracking of cellphones, the right of police and government to track our whereabouts (both by phone and car), transit cards, social networking sites, WiFi networks, and more, all opening up a brave new world of real time, locational tracking of Americans.

We shouldn't view any of this as that big of a surprise then. A recent study by the Worcester Polytechnic Institute (WPI) in Massachusetts found that mobile social networks are giving data about users' physical locations to tracking sites and other social networking services. Researchers reported that all 20 sites that were studied leaked some kind of private information to third-party tracking sites.

As the report notes, "The combination of location information, unique identifiers of devices, and traditional leakage of other personally identifiable information all conspire against protection of users' privacy."

I addition, we also know that the FBI uses 'dragnet'-style warrantless cell phone tracking. In other words, there are more and more ways, through more and more devices, that can track and store our location, and that data is worth more and more money.

As for Apple, as a result of these recent revelations, the company is facing at least two lawsuits by consumers who allege the company violated federal computer fraud laws by capturing data information about their locations. In addition, Apple and Google face separate lawsuits by mobile users who allege that the companies transmitted their devices' unique identifiers with outside companies.

With that, let me get to some of what was discussed in the hearings. ZDNet reports:

....Davidson affirmed that Google never sells “users’ personally identifiable information

Even though users have the choice to opt-in to location sharing, there are plenty of unanswered questions left. Google execs haven’t provided information as to how long the data is stored, nor how this data might be used either by Google or third parties in the future.

The USA Today has more: 

"People have the right to know who is getting their information and how (it) is shared and used. I still have serious doubts those rights are being respected in law or in practice," said Sen. Al Franken, D-Minn., who chaired the hearing. "This is an urgent issue."

Franken scheduled the hearing of the Judiciary panel's subcommittee on privacy, technology and the law after recent incidents showed risks for consumers' data. In addition to researcher reports that mobile apps on Apple and Google devices shared location-based data with third parties, network breaches at Sony and Epsilon put customers' personal and financial information at risk.

"Federal laws do far too little to protect this information. … No one wants to stop Apple or Google from producing their products," Franken said, but Congress must "find a balance between all of those wonderful benefits (from devices) and the public's right to privacy."

Guy Tribble, Apple vice president of software technology, told Franken that Apple's devices gather and store location data only about nearby cell towers and Wi-Fi hot spots. Apple, he said, "does not share personally identifiable information with third parties for their marketing purposes without our customers' explicit consent … (and) Apple does not track users' locations. Apple has never done so and has no plans to ever do so."

Tribble added that a coming software upgrade will encrypt the location data on devices.

In all, I give kudos to Senator Franken for bringing this issue out into the open. He appeared to get both companies to admit that a "clearer and more understandable" privacy policy is necessary. But then, who reads privacy policies?

As I wrote in a prior post, "A constantly monitored citizenry used to conjure up images of totalitarian states - not Google and I-Phones. And granted, now technology does the surveillance — generally in the name of being helpful and entertaining, not to stifle dissent or oppress the public.

This fact does not mean that these technologies can't still be used in ways that don't reduce freedoms, play into the hands of overly aggressive and/or oppressive governments, or invade privacy by using our personal information to maximize corporate profit. Perhaps its time for a serious conversation about how much of our privacy of movement we want to give up - and how much control do we get over that decision?"

Wednesday, May 4, 2011

"Do Not Track" Legislation Clears Hurdle - Facebook/Google Oppose

As I wrote about last month, State Senator Alan Lowenthal and our friend's at Consumer Watchdog are carrying a bill that would allow California consumers to stop unwanted online tracking. The bill, SB 761, would offer consumers a "Do Not Track Me" mechanism, something the bill's sponsor describe as "one of the most powerful tools available to protect consumers' privacy. The mechanism will allow anyone online to send Websites the message that they do not want their online activity monitored.

The reason I'm going back to the bill today is twofold. One, California’s State Senate Judiciary Committee voted on Tuesday to move it  forward to the Appropriations Committee. And two, two of privacy's greatest enemies - Facebook and Google - have come out guns a blazing against the legislation (surprise!). Now, before I get to the article in Marketwatch about this increased new fire coming the bills way, let me provide some backdrop for those that are unfamiliar with the legislation.

The legislation would be the first in California to explicitly provide for a Do Not Track mechanism, and its modeled after a federal Do Not Track bill introduced in Congress by Rep. Jackie Speier.

Public opinion is clearly on the side of privacy advocates, as a poll by Consumer Watchdog last summer found that 80% of Americans support a Do Not Track option. A recent USA Today/Gallup poll found that most Americans are worried about their privacy and security when they use Facebook and Google.

As I also wrote in the previous post on this legislation, "I have talked about this interesting dichotomy a lot. This being the fact that while people see to "care" about privacy on one level, they tend to do very little to actually do so. Which in my mind, makes easy to use, clear options to protect privacy all the more paramount. Once people are given such a choice, not only will more people choose to "not be tracked", I think more people will become more AWARE of just how all pervasive such monitoring of nearly everything we do has become."

The fact is, there's no longer any anonymity on the Web. The most personal information about people's online habits is collected and eventually bought and sold, often instantaneously and invisibly. Data collection practices have become a business in themselves, driven by profits at consumers' expense. The Wall Street Journal recently highlighted these practices—which included targeting children—in its groundbreaking series "What They Know."

A few other factoids to consider before I get to the article, as detailed by Senator Lowenthal: Nearly 80% of Californians use the internet and nearly 45% use Facebook. But, today millions of Californians are unaware that their online behavior is being tracked; their data collected and sold to advertisers. The type of data that is collected is far reaching. Anywhere from the type of sites a person frequents, to the time of day and the location from where the person is accessing the sites. Most disturbing, however, is that the information that is being shared may include very personal information such as a name, home address, email address, or financial information.

As Beth Givens, Privacy Rights Clearing House Director said, "A Do Not Track Me mechanism gives consumers a simple way to tell websites not to spy on them and not to collect detailed profiles of their web usage. Consumers should have the right to control how their data is used or whether it is gathered at all."

Now let's get to what appears to be a campaign by Google and Facebook to defeat the bill. Marketwatch reports: 

Large Internet firms have generally bristled at the notion of regulating their collection of user data, which helps target online advertising. Companies argue that policing their own, collective privacy policies makes more sense than passing legislation. An Internet privacy bill proposed recently at the federal level does not include a specific Do Not Track provision.


Facebook, Google and other Internet firms have lobbied California lawmakers this year on Sen. Lowenthal’s proposed Do Not Track legislation, according to public filings.

In a letter sent last week to Sen. Lowenthal, Facebook, Google and a number of other firms wrote that his proposed legislation would create unnecessary confusion and would add significant new costs for cash-strapped regulators.

The measure would negatively affect consumers who have come to expect rich content and free services through the Internet, and would make them more vulnerable to security threats,” the companies wrote in the letter, reviewed by MarketWatch.


During the State Senate Judiciary Committee hearing on Tuesday, Sen. Lowenthal acknowledged the new privacy tools offered by individual firms, but added that “the mechanism is often not simple, or user-friendly.”

Jeff Chester, a privacy advocate and executive director of the Center for Digital Democracy, said that strong Do Not Track legislation has made little progress in Washington, D.C. — making a focus on state bills necessary. “The online ad lobby has convinced Washington that Do Not Track will kill off the Internet economy,” Chester said. “We think there’s a real role now for states to come in, and regulate the profiling going on within their borders.”

Chester said that if California does not ultimately pass Sen. Lowenthal’s Do Not Track bill, he and others may push for a related ballot initiative in the state...Chester said it’s natural that Internet firms, which rely on serving relevant advertising to a growing number of users, would challenge Sen. Lowenthal’s Do Not Track bill, as “they have the most to lose.”

We now have new poster children for the California Do Not Track campaign, Sergey Brin and Mark Zuckerberg,” Chester said, in reference to founders of Google and Facebook. 

Click here to read more.

As I have also written before, its not by accident that we are told by the same interests that profit off our information that privacy is dead, and people don't care about it anymore, or that it will "kill business". Well, that's easy to say when you are the ones developing the complicated and difficult to find privacy settings consumers have to deal with - and profiting off our personal information without our consent.

More to the point is the simple, unavoidable point that consumers should have MORE control, not less, over what information of ours is used, shared, and profited off. This bill is one step of many needed to establish certain core, DotRights (see ACLU's Dotrights campaign).

The good news is the