Andy Oram

Current activities at the Electronic Privacy Information Center

by @praxagora  | +Andy Oram  | Comments: 219 March 2010

When Marc Rotenberg founded the Electronic Privacy Information Center in 1994, I doubt he realized how fast their scope would swell as more and more of our lives became digitized and networked. Now it seems like everything that happens in society has an electronic component and a privacy component. I had the chance to drop in to their office on Monday and heard about the front-burner items they're working on.

  • Whole-body imaging in airports, a very hot issue right now. While Americans push back against it, the European Union has to vote on it soon.
  • The Smart Grid: a massive upgrade planned for the American system for delivering electricity across the nation as well as over the last mile to your home. Could the Smart Grid tell marketers your life style?
  • Privacy of text messaging. EPIC is very active on City of Ontario v. Quon, where the government asserts that using a city-issued device allows the city to read all of the employee's messages.
  • Freedom of Information Act. Why are government agencies (except for a few exemplary ones) fulfilling a smaller percentage of demands during the Obama administration than they did during the Bush administration?
  • Ballot initiatives. EPIC has argued in Doe v. Reed that signing a petition to put a question on a ballot should be private, like voting.

And if you visit the EPIC home page this week, or the companion privacy.org page, you'll see that they're following even more diverse issues: the FCC broadband proposal, consumer privacy, data retention by ISPs, etc. They were interested to hear what I've been learning recently about privacy in electronic health records.

EPIC has been remarkably effective over the years as an organization with about a dozen staff (mostly young and idealistic rather than canny and seasoned) and no cash-wielding lobbyists. They haven't compromised their principles in the dozen years I've been following them, but they not only get to the table most of the time but manage to bend the decision their way most of the time.

I attribute this success to single-mindedness (they can nail the privacy chink in any initiative) persistence, coalition-building with like minded organizations (leading the Privacy Coalition, collaborating with London's Privacy International, among other organizations around the world, and work closely with such natural allies as the ACLU), but mostly knowing their stuff cold. They sail into debate with a full understanding of technical details as well as the legal issues that impinge on their position.

The Smart Grid is an excellent example of how EPIC investigates an issue early in its existence and hones in on the dark underside. The Smart Grid is a buzzword covering changes that should save us huge amounts of electricity lost in old, inefficient switches, as well as improve the efficiency of energy delivery in neighborhoods. A key part of the Smart Grid is monitoring and logging our electricity usage, building by building and even machine by machine.

In this futuristic vision, the electric utility would know when you've started your air conditioner or clothes dryer and could send you messages suggesting new patterns of behavior that will relieve pressure on the grid and save you money as well. This is nice, but it also means the electric utility basically knows how you lead your life.

Traffic analysis on your device usage could show who stays home during the day, when kids come home from school, and who plays video games (heavy electricity usage from a home computer) late at night.

Currently no one has discussed who controls this data. Implicitly, it is left in the hands of the utility, which is free to sell it like any other information. There is little doubt that advertisers would love to get their hands on this information. So would the government, I bet--remember when police were scanning homes for evidence of marijuana cultivation? EPIC would like the information to be in the hands of the consumer.

A bill just introduced by Representative Ed Markey, the "Electric Consumer Right to Know Act" (H. R. 4860), would inform electricity users of their energy usage in a form they could process on a computer or other device, typically every 15 minutes. The bill mandates a smart meter that "provides adequate protections for the security of such information and the privacy of such electric consumer." It doesn't go into any more detail about what the utility could do with the information.

The ambiguous ownership of Smart Grid data illustrates why privacy is such a hard turf to defend, once you have declared your jurisdiction over it as EPIC has done. Data flows from one place to another--whether from the electric meter to your cell phone, your camera to Facebook, or your vendor to your bank--and is therefore intrinsically shared. Privacy is an umbrella term that encompass attempts to set limits or impose rules on all these types of sharing.

In trying to protect our privacy EPIC is swimming against the tide, of course, but what's really challenging is how data collection and dissemination has shifted. When EPIC started, most electronic data was held by large institutions who made ready targets for EPIC's legal challenges. Now each person is his or her own worst enemy, freely sharing personal information, pictures, and videos online--a phenomenon termed Little Brother.

Cameras and sensors are also creating millions of new sources for data, while advances in data mining and analysis allow people to learn more from the data than ever before.

I think EPIC is handling this shift well. They stay focused on policy rather than pursuing the idealistic but impractical course of training people to use privacy safeguards and protect themselves. There are just too many ways to weasel data out of us, some of which will never be under our control, and most people just can't learn everything they need to know to be safe, whether it be about Web proxies, Flash cookies, or document metadata.

EPIC demands that institutions take responsibility for privacy, designing it into their systems. A recent, well publicized example of this doctrine was their complaint to the FTC about Facebook's changes to privacy settings in December 2009. EPIC doesn't believe it's enough to boast about flexibility and user control--something that endangers the 99.9% of users who don't understand how to change a default is a violation of users' rights.

But EPIC is neither rigid nor abstentionist. They may complain about Facebook, but maintain a Facebook page. They're totally into the new electronic age. But they want it to serve its users rather than a few centralized institutions, and for privacy advocates they're not shy about letting us know what they think.

tags: Electronic Privacy Information Center, EPIC, privacy, Smart Grid, whole-body imaging

Comments: 2

Michael Holloway [23 March 2010 02:18 PM]

I understand that the brand of device you own will have a signature that can be read by Smart Grid.

I'm thinking that it's the pull of amps on start-up, or the time between spikes that gives the info; how about a series of electrical capacitors that hold enough electrical energy to hide that spike.

The valuable information could be recorded out of the capacitor on the homeowners side for them to do with what they wish.

The pull on the grid form homeowner use would refill the capacitors at an even rate, making the grid more stable than it is now - which is the point, I think.

@m_holloway

Trish@Five Borough AC & Heating [11 February 2011 09:59 PM]

All valid points. Full body scanners are already causing headlines. Once a famous celebrity gets proof they were targeted for the scan because of who they are, things will really come to a head.

I welcome this, I think the scanners are a horrible invasion of privacy.

Most Recently Discussed
Sign up today to receive special discounts,
product alerts, and news from O'Reilly.
Privacy Policy >
View Sample Newsletter >