Online privacy debates heat up in Washington

Can new online privacy laws be balanced with innovation and societal benefit?

IMG_1227.JPGThe issue of electronic privacy is as hot as the weather in Washington this summer. Last week, both the House and Senate held hearings on online privacy, featuring testimony from top executives from Facebook, Apple and Google. The Washington Post published a massive investigative report on the growth of “Top Secret America” in July. And the Wall Street Journal’s new series on online privacy, “What They Know,” has laid bare the scope of tracking technology on the Internet. In the Information Age, our family, friends, neighbors, employers and government all have unprecedented abilities to watch one another, changing the nature of our relationships, workplaces and schools. Solving the privacy dilemma will be difficult, controversial and crucial for the nation’s citizens, businesses, regulators and lawmakers.

Can privacy, social media and business get along? The balance between privacy and societal benefit will be difficult to strike, given the potential to harm civil liberties and the need to preserve the expectation of privacy described by the Fourth Amendment of the Constitution.

The risks and rewards for federal agencies that adopt Web 2.0 technology weigh government innovation and cost savings against potential security and privacy issues. The risks that social networking poses to consumers, businesses and government aren’t theoretical, either, given the expansion of cybercrime and non-state actors targeting online users.

Given the context of the moment, putting online privacy in perspective will be a key component of the upcoming Gov 2.0 Summit in Washington, where Jules Polonetsky, Tim O’Reilly, John Clippinger and others will discuss privacy in the context of innovation and government. Despite the ongoing debate about Facebook privacy controls, electronic privacy reaches much further than social networking. From cellphone tracking to data brokers to cloud computing to credit bureaus to satellite imaging, our daily lives have become more scrutinized than at any point in human history.

Digital privacy matters more than ever to citizens in ever country, particularly where autocratic regimes are not constrained by the laws enacted in the United States. As privacy watchdogs like the Electronic Frontier Foundation and Electronic Privacy Information Center have highlighted, law enforcement officials have pushed privacy boundaries in the name of national security.

Privacy is not dead, though it’s fair to say that some of the norms around how, where and when people are sharing information about location, purchases, reading habits or relationships have shifted for some populations. For marginalized members of society, privacy breaches can have tragic outcomes, as danah boyd has discussed in her thoughts on Facebook and radical transparency.

How might the FTC or FCC regulate online privacy?

Gov 2.0 Summit, 2010At some point, the Federal Trade Commission (FTC) will also publish the results of the privacy roundtables it held over the past year. The FTC. currently protects consumer privacy under the the FTC Act, which directs the commission to “guard against unfairness and deception by enforcing companies’ privacy promises about how they collect, use and secure consumers’ personal information.” The FTC also has purview over regulating financial privacy under the Gramm-Leach-Bliley Act, consumer privacy under the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act. The Department of Health and Human Services enforces healthcare privacy breaches under HIPAA and now the HITECH Act.

Specific new guidance for the FTC from Congress on electronic privacy, however, has yet to emerge. One direction for legislation comes from the Digital Due Process Coalition, which advocates for an update to the Electronic Communications Privacy Act, given the considerable changes to mobile, location, cloud computing, webmail and social networking technology since it was enacted in 1986.

In his testimony on online privacy before the Senate Commerce Committee last week, FTC Chairman Jon Leibowitz acknowledged the online advertising industry’s principles for self-regulation, including “results that were encouraging.” That said, he observed that “if we don’t see more progress, we probably will see more focus on prescriptive rules in the next Congress.”

Leibowitz noted three principles for online privacy that had emerged from the roundtables:

  1. Privacy baked in from the beginning, or “privacy by design
  2. Simplified controls, including the potential for a “do not track” mechanism in a Web browser
  3. More transparency about how private information would be used

In general, the use of private data should be opt-in, not opt-out, said Leibowitz, with clear notice. “Most of the cases that we’ve brought involve instances where disclosures or use of information was in fine print or designed to be where consumers can’t find it,” he said. “Good companies want to make these things clear.”

FCC Chairman Genachowski, who testified with the FTC Chairman, noted that “the privacy issues discussed here are not only a fundamental moral issue. To get the economic effects of broadband, people need to be confident that the Internet is a trustworthy place.” With adequate information and real choice, Genachowski said that there was an increasing chance that the market will work.

“With technology changing as rapidly as it does, the lesson should be to pull out core principles and strategies that will work, regardless of how technology evolves,” he said.

Whatever the FTC or FCC do with regards to regulating online privacy, however, is likely to ultimately rely upon Congressional action. The financial regulatory reform bill signed into law by President Obama did not ultimately grant the FTC increased rulemaking authority to regulate online privacy autonomously.

Online privacy hearings in Congress

As security technologist Bruce Schneier has argued, privacy and control are closely intermingled. “If we believe privacy is a social good, something necessary for democracy, liberty and human dignity, then we can’t rely on market forces to maintain it.” wrote Schneier. “Broad legislation protecting personal privacy by giving people control over their personal data is the only solution.”

The nature of that legislation will be on the legislative agenda of Congress this fall after the August recess. Online privacy bills were introduced in the House this year, with varying reactions from industry and privacy advocates.

Rep. Rush’s privacy bill (H.R.5777), has received strong pushback from tech firms, due to its potential restrictions on firms that store personal data. Rep. Boucher’s online privacy bill garnered criticism from both industry and advocacy groups.

IMG_1229.JPGPrivacy and security concerns were highlighted at a House Judiciary subcommittee hearing on social networking last week. At the hearing, the FBI’s Gordon Snow described a rising tide of online fraud, identity theft and phishing schemes over Facebook and other networks, where cybercriminals compromised other accounts due to higher levels of trust from familiar senders.

“Symantec created more malware signatures in the last 15 months than in the past 18 years combined,” said Joe Pasqua, the security software company’s head of research. A representative of the Secret Service said that the use of social engineering had increased as more sophisticated cybercriminals used multi-faceted attacks to trick users into divulging sensitive personal information or account details. The 2010 Verizon Data Breach Investigations Report, released on the day of the hearing, was a joint effort with the Secret Service.

“Facebook and other social networks have the power to enrich people’s lives in ways that were unimaginable before,” said Facebook Chief Security Officer Joe Sullivan, testifying in the hearing. Sullivan said that Facebook was the first major service that required people to build profiles with their real names, “an important choice that allowed people to become more connected and made the service safer.” Sullivan, a former federal prosecutor who specialized in high tech crime in Silicon Valley, asked lawmakers for help with improving cyberliteracy with teachers and students. He also requested broader access to hashes for known images of exploited children that Facebook could run against its database of more than 50 billion pictures, the largest photography collection online.

Sullivan was challenged by EPIC founder Marc Rotenberg, who urged Congress to strengthen privacy laws for Facebook users. Rotenberg said EPIC filed an FTC complaint because of changes in Facebook’s privacy settings last December that created exposure that users couldn’t control. It was an “unprecedented event in the history of the Internet,” said Sullivan, where Facebook “wouldn’t let you use the service gain until you go through those pages.”

The shift presented users with a mandatory wizard that, as Nick Bilton reported in his story on Facebook privacy, required users to click through more than 50 buttons to fully opt-out.”What Facebook needs is not a Geek Squad but a Granny Squad,” said Rep. Zoe Lofgren (D-CA) on the need for simpler privacy controls.

Sullivan emphasized the contextual privacy controls that allow users to specify who an update is shared with on Facebook. “We want people to make decisions for themselves,” he said. “Personally, I choose to share quite a bit, and put different levels of visibility on different types of information.”

That personal choice is at the crux of any statutory solution: if people choose to share information freely online or make an error, neither the government nor tech companies can help. Where the code created by technology providers matters, as Rep. Lofgren observed, is in giving people “the opportunity to have their rights respected.”

Perhaps the most meaningful right is whether user information, behaviors or connections are shared publicly or privately by default. As danah boyd said in her keynote address to the 2010 SXSW Festival, “defaults matter. That’s even more so for teenagers and children, whose safety was a recurrent concern at every hearing on online privacy I’ve attended in Washington. Sullivan noted that Facebook’s default settings are different for people under 18, “in terms of what we allow them to do or the type of information made visible to them.”

Questions about child predators were pervasive at the Senate hearing on online privacy, where Senator Klobuchar (D-MN) focused much of her questioning on the issue and Senator Rockefeller (D-WV) repeatedly voiced his concerns on that count.

“Good parenting is right at the center of protecting children online,” said the Cato Institute’s Jim Harper in reply. “You’re not going to come up with a magical tech solution.”

Klobuchar also questioned Google’s Alma Whitten about where Google’s users learn about its privacy dashboard. Whitten, whose testimony is embedded below, said that she was “adamant when we created the dashboard that it not be strictly a privacy tool. It needed to be useful.”

Senator Kerry (D-MA) focused his questioning upon Facebook privacy controls and deep packet inspection. “It’s fair to say there’s a lot of confusion,” he said, “with a lot of anxiety in the public at large over what power they have over information. It’s not just a commercial component. Information collected might be incorrect or out of context, or might be correct and last longer in the market than they might like to.”

AT&T’s representative did publicly attest to using deep packet inspection in their network “for trying to find malware, spyware or purposes of network security.” In fact, the federal government itself is using deep packet inspection as part of its cybersecurity initiative as part of its EINSTEIN surveillance program. As Harper observed in his written testimony, “if the federal government is going to work on privacy protection, it should start by getting its own privacy house in order.”

Senator McCaskill (D-MO), by contrast, was concerned about consumers’ understanding of their electronic privacy when they printed online coupons to be scanned for offline deals. While McCaskill’s questions to Google’s representative on that count were misplaced, the issue of whether citizens truly understand how much information is being gathered about their online activity is legitimate and goes to the crux of whether the traditional “notice and consent” model of privacy protections in the terms of service for platforms and software will be viable in the future.

“National surveys at Annenburg show that large numbers of Americans don’t understand how database marketing works,” testified Professor Joseph Turow of the University of Pennsylvania.

That prompted Senator Rockefeller to voice a philosophical question, as to whether “we are dividing ourselves into two classes of people,” where some who understand the complexities of online privacy are protected and other who cannot paying a price that they cannot fully understand.

“I used to believe that could be solved by education,” said Turow. “I no longer believe that. It’s much too complex. Privacy policy is a scavenger hunt, where links send you into other links to affiliates.” Turow expressed his concern where many people are unaware of how the information they consume has been customized to their stored data. “We’re going to have a situation where people receive views of the world based upon what others know about them,” he said.

The digital divide in connectivity extends, in other words, to a divide in cyberliteracy. Transparency is not enough. There is deep validity in the concerns of privacy advocates that civil liberties be preserved in the digital age, including a right to privacy that many constitutional scholars perceive in the Constitution. And yet, there are reasons to praise oversharing, as Steven B. Johnson did in Time earlier this year. There are a growing number of ways that social media helps promote better health. Anonymized community health data, can provision healthcare applications that enable citizens and cities to make better decisions. If smart grid privacy concerns can be addressed, more efficient usage could revolutionize the nation’s energy infrastructure.

There may well be reasons to give up some privacy, which means that in enacting new laws and regulations to protect consumers, innovation should be considered. What happens next will be in the hands of technologists, lawmakers and the online community.

Related:


Identity, privacy and informed consent will be discussed at the Gov 2.0 Summit, being held Sept. 7-8 in Washington, D.C. Learn more and request an invitation.

tags: , ,
  • John

    The key is for companies to actually respect user’s privacy and for users to use tools like TrulyMail and PGP and GPG to keep their private matters private.

    Think I like Google having my unencrypted email on their servers?

  • Jimmy

    “if the federal government is going to work on privacy protection, it should start by getting its own privacy house in order.”

    Thankfully, we don’t have that problem in Australia. Just take a look at the website for the Office of the Privacy Commissioner (OPC). They don’t use any third-party tools or anything – oh, except for Google Analytics.

    Privacy policy is a scavenger hunt, where links send you into other links to affiliates

    But, surely the OPC would inform visitors via their privacy statementthat visitors’ usage data is shared with Google , and provide a way to opt-out?

    At least a link to Google’s privacy policy?

    Whoops.

  • Maxim Kharchenko

    A nice piece of evidence to support FB opinion: http://Snoopon.me

  • TahoeBlue

    Has anyone noticed the ongoing campaign in Facebook where FB scans photos uploaded by users, uses face detection software to locate faces, and asks users to supply the identity of the image ?

    This strikes me as a virulent and scary kind of massive attempt to both train facial detection software corroborated by user confirmation along the lines of “re-captcha”, populating a facial recognition database of facebook users corroborated by images from multiple friends of friends of faces from different angles and perspectives, etc.

    How long will it be before the swelled heads of FB executives et. al. will try to monetize this database by sharing/selling it to others (governments, TSA, retail marketers, etc) ?

  • Jeff Rosen

    The current solutions put forth by the media and marketing industries; pay-walls/subscriptions, data collection/behavioral targeting and social networks, in addition to providing sub-par ad revenue, exhibit significant flaws. Pay-walls and subscriptions reduce the size of an audience. Data collection and behavioral advertising use advanced modeling to make flawed predictions and are awash in privacy concerns. A limited, if not single, player dominates social networks. Pay-per-download is currently monopolized by iTunes, and thanks, I always knew I could buy it, but that again limits audience reach.

    Nowhere along the line have I seen what consumers would like to see. Isn’t there a compromise somewhere?

    Here’s what a patent filing I made in early 2008 proposes.

    I’ll give your the most intimate of details about myself, even help you do market research. If I choose to consume some content (video, music, books, publications, blogs, games, code, et.al.) a stock market-like mechanism determines in real-time what I am worth to marketers. If I’m valuable enough, show me targeted advertising and let me have my content free, in an ad supported format (or I can pay that same amount to have my content ad-free)….if my profile doesn’t generate enough revenue to cover the cost of that content, I need to pay for it. Simple enough.

    Everybody is happy. Publishers and artists get paid, marketers get the eyeballs they want and I’m given a choice. Sounds fair to me. Not only does this level the playing field for consumers by offering them choices while respecting their privacy, but it also works for artists and publishers. Finally a way to truly value digital content.

    The Internet, the most addressable form of media transmission ever created, has failed to consistently provide publishers of all forms of digital content enough advertising revenue to be profitable.

    Isn’t it time to try something new?

  • @ANewCLOUD

    Before government can make policy decisions on online privacy, we must first rethink the relationship between individuals and institutions, like government. Privacy and governance both start with individuals.

    From a political philosophy perspective, our country was founded by individuals, and our institutions, like government, followed. It also took us a couple of cracks to get the institutions right, too, starting with the Articles of Confederation and concluding with the Constitution, some 7 years later.

    Paul Wilkinson, my CLOUD colleague and former Sr. Advisor to Chairman Cox at the SEC, and I wrote an article this past spring on just this topic: “Set the Default to Open: Plessy’s Meaning in the 21st Century and How Technology Puts the Individual Back at the Center of Life, Liberty and Government” (http://www.trolp.org/main_pgs/issues/v14n1/Thompson&Wilkinson.pdf).

    The challenge with privacy right now, whether government or business or Facebook, is that we are attempting to manage it at the Web level and not as a part of the architecture of the Internet. If that is where it stays, it means that the many hundreds of companies, agencies and social networks with which I interact must each manage my privacy. This is simply not scalable.

    CLOUD, Inc. (Consortium for Local Ownership and Use of Data) is advocating and building a new language for the Internet that gets at the heart of this problem. As an early Governor’s appointee to the eGovernment Task Force in Texas back in 1999, I realized that this can’t just be about eGovernment because that replicates what was once in blue pages in the phone books with blue links on the Internet.

    As Set the Default to Open articulates, it is about meGovernment and not eGovernment. CLOUD is hard at work building a new language for the Internet to make that vision possible.