Comments for the FTC's Workshop on "Internet of Things"

FPF today offered comments to the FTC in advance of a public workshop on new security and privacy issues presented by growing networks of connected devices.  Commonly referred to as the “Internet of Things,” these physical devices range from appliances and vehicles to our smart phones, and present an elaborate array of objects that capture, share, and use data.

The Internet of Things has been a focus of FPF’s work since our founding, starting with our original project on the Smart Grid and continuing to our recent projects on Connected Cars and Smart Stores.  While connected, smart devices provide many benefits, new ways to protect consumer privacy may need to be explored.  Connected devices present circumstances where our traditional Fair Information Practice Principles (FIPPs) may not be available or practical.  Codes of conduct, seals and other public-facing and enforceable commitments are examples of how to address the privacy issues in the Internet of Things.

Our full set of comments is available to read here.

New Report Shows Cybersecurity Risks from FBI “Going Dark” Proposal

Today’s New York Times discusses a major new report by 20 technologists about the cybersecurity risks that would result from an FBI plan to expand wiretapping capabilities on the Internet.  The administration is reportedly close to sending the FBI proposal to Capitol Hill, to amend the Communications Assistance to Law Enforcement Act of 1994.

FPF Senior Fellow Peter Swire blogs about this issue today at the International Association of Privacy Professionals website.  His post draws on work he has done at FPF with Kenesa Ahmad.  Swire writes:

The FBI argues that new wiretapping mandates on the Internet are needed because it is “going dark,” because new and evolving Internet technologies mean that government may not have a way to get the content of communications with a wiretap order.  In a 2011 paper, Kenesa Ahmad and I argued that “going dark” is the wrong image, and that today should instead be understood as a “golden age of surveillance.”  As members of the IAPP know, law enforcement and national security agencies today have far greater data gathering capabilities than ever before, such as: (1) location information; (2) information about contacts and confederates; and (3) an array of new databases that create digital dossiers about individuals’ lives.

As the debate heats up about expanding CALEA requirements to the Internet, there are thus strong privacy and cybersecurity reasons for concern about the FBI’s proposed approach.

What's Scary About Big Data, and How to Confront It

Any discussion surrounding the benefits–and the risks–presented by Big Data often focuses on the far-off future.  The world of Minority Report is frequently invoked, but in the wake of April’s “Big Data Week,” it is time to recognize that Big Data is already here.  In their recent book, Big Data: A Revolution that Will Transform How We Live, Work, and Think, Viktor Mayer-Schönberger and Kenneth Cukier act as heralds of Big Data, and suggest that the real phenomenon is the “datafication” of our world.  They describe the transformation of our entire world into “oceans of data that can be explored” that can provide us with a new perspective on reality.  The language and rhetoric in the book highlight Big Data’s potential: the scale of Big Data, they suggest, allows us to “extract new insights” and “create new forms of value” in ways that will fundamentally change how we interact with one another.

These new insights can be used for good or for ill, but that’s true of any new piece of knowledge.  What exactly is it then that some find so disconcerting about Big Data?

Mayer-Schönberger and Cukier recognize that Big Data is on a “direct collision course” with our traditional privacy paradigms, and further, that it opens the door to create the sort of propensity models seen in Minority Report.  However, the pair are more concerned with what they term the “dictatorship of data.”  They fear that well-meaning organizations may “become so fixated on the data, and so obsessed with the power and promise it offers, that [they] fail to appreciate its limitations.”

And these limitations are very real.  The popular statistician Nate Silver argues that it is time to admit that “we have a prediction problem.  We love to predict things–and we aren’t very good at it.” It is this dynamic that presents the biggest worries about Big Data.  Its promise is that by transforming our entire world, our whole experience, into data points, the numbers will be able to speak for themselves; but this alone will not cure our prediction predilection.  As Kate Crawford of Microsoft Research recently pointed out, Big Data is full of hidden biases. “Data and data sets are not objective,” she states. “They are creations of human design.”

Google Flu Trends is often held out as something that can only be done on the scale provided by Big Data.  Using aggregated Internet searches to chart the spread of a disease demonstrates how seemingly mundane web browsing can produce new insights, but it is important to recognize the limitations behind the project’s underlying algorithms.  Google Flu Trends got things wrong this year. Why?  As Google admits, not everyone who searches for “flu” is actually sick. This year, due to extensive media coverage, more people than anticipated were using Google to learn more.  The result was that the algorithms behind the scenes began to see signs of the flu’s spread where it didn’t actually exist. Google Flu Trends’ mistake can be excused for a number of reasons: not only is the tool largely a data experiment, but it also has a generally benevolent purpose.  Had a similar algorithm informed a decision by the CDC to quarantine a community or otherwise directly impact individuals, it would be a different conversation. Organizations and individuals need to become more aware of the biases and assumptions that underlie our datafied world.

This requires establishing a data conversation among users. In order to strengthen our understanding of individual privacy without cutting off technological innovation, individuals need to be educated about how their data is used. To start this conversation, we need more transparency. Jules Polonetsky and Omer Tene suggest that organizations should disclose the logic underlying their decision-making processes as best as possible without compromising their algorithmic “secret sauce.” This information has two key benefits: it allows us to monitor how data is used, and it also allows individuals to become more active participants in how their data is used.

Today, the data deluge that Big Data presents encourages a passivity and misguided efforts to get off the grid.  With an “Internet of Things” ranging from our cars to our appliances, even to our carpets, retreating to our homes and turning off our phones will do little to stem the datafication tide. Transparency for transparency’s sake is meaningless.  We need mechanisms to achieve transparency’s benefits. We need to encourage users to see their data as a feature that can be turned on or off, and toggled at will. Letting users declare their own data preferences will encourage individuals to care about what their data says about them and how to actively engage in how their information is processed.

The challenge will be making this process both easily accessible and fun for users. The BlueKai Registry suggests one possible avenue by allowing consumers to see what data companies think about their computer, and Google and Yahoo already offer settings managers for users to select who sees what data. More organizations must think carefully about how best to strike the balance between offering user-friendly and comprehensive controls.

At the same time, transparency also allows experts to police companies in order to monitor, expose, and prevent practices we do not want. Mayer-Schönberger and Cukier call for the rise of the “algorithmist,” a new professional that would evaluate the selection of data sources, the choice of analytical tools, and the algorithms themselves. While offering individuals opportunities to understand and to challenge how decisions about them are made is important, internal algorithmists alongside the watchful eyes of regulators and privacy advocates can help to ensure that companies are held accountable. This could go a long way toward alleviating fears about Big Data and providing an environment where society can safely maximize its benefits.

New Study Shows Need for De-identification Best Practices

Publicly releasing sensitive information is risky.  In 1997, Latanya Sweeney used full date of birth, 5 digit ZIP code, and gender to show that seemingly anonymous medical data could be linked to an actual person when she uncovered the health information of William Weld, the former governor of Massachusetts.  In a new study, Sweeney analyzes the data available in the Public Genome Project (PGP) and shows once again that many people can be re-identified by using date of birth, ZIP, and gender, when other data such as a voter registration list is available.

Sweeney’s work is important, but we don’t think it should be considered an indictment of de-identification.  The cases so often cited as proof that de-identification doesn’t work – the AOL Search data release, the Netflix prize, the Weld example and the PGP data – are all examples of barely or very poorly de-identified data.  De-identification experts do NOT consider a publicly disclosed database with full date of birth, 5 digit ZIP code, and gender de-identified.  In fact, those three data points divide the US population into over 3 billion unique combinations.  Full date of birth divides a population into over 36 thousand separate groups and ZIP codes further divide the US population into over 43 thousand separate groups.  Publicly releasing a database with such a large number of unique combinations allows additional databases to be added and gives attackers all the time in the world to examine the data. Thus, public disclosure greatly increases the risk of identifying individuals from a database.

Sweeney’s study shows the importance of very strong de-identification practices when data is disclosed publicly.  With public data, organizations should use very strong de-identification techniques, such as the Privacy Analytics Risk Assessment Tool developed by Dr. Khaled El Emam or the use of differential privacy as proposed by Dr. Cynthia Dwork.

For nonpublic databases, however, strong de-identification techniques may not strike the right balance between data utility and privacy.  When nonpublic databases are protected by both technical and administrative controls, reasonable de-identification techniques, as opposed to very strong de-identification techniques, may be appropriate.  Attackers do not have unlimited time to attempt to break the technical de-identification protection, third party data is not available, and measures are in place to provide legal commitments.  Data breaches can occur of course, but certainly we need to recognize the very different status of protected versus unprotected data and should appreciate the range of protections that can support a de-identification promise.
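A way to measure the point made above about date of birth, ZIP code and gender, as an added example that is not FPF's code or Sweeney's: on constructed sample records it counts how many records share each quasi-identifier value, first for the full (date of birth, 5-digit ZIP, gender) triple and then for a generalized (birth year, 3-digit ZIP prefix, gender) one, and gates release on a minimum class size.

```python
"""Measuring re-identification risk of quasi-identifiers (k-anonymity).

Added example, not code from FPF or from Sweeney's study. It shows why a
release carrying full date of birth, 5-digit ZIP and gender is not
de-identified: most records fall into an equivalence class of size one.
Generalizing the quasi-identifiers (year of birth, 3-digit ZIP prefix)
enlarges the classes. All records below are constructed sample data.
"""
from collections import Counter
from datetime import date

# Constructed sample records: (date of birth, 5-digit ZIP, gender).
SAMPLE_RECORDS = [
    (date(1945, 7, 31), "02108", "M"),
    (date(1945, 2, 14), "02108", "F"),
    (date(1962, 1, 15), "02108", "F"),
    (date(1962, 1, 15), "02109", "F"),
    (date(1962, 3, 2), "02109", "M"),
    (date(1978, 11, 20), "45202", "M"),
    (date(1978, 11, 20), "45202", "M"),
    (date(1978, 11, 20), "45202", "M"),
    (date(1962, 8, 9), "02110", "F"),
    (date(1945, 2, 14), "02111", "F"),
    (date(1945, 7, 31), "02110", "M"),
    (date(1962, 5, 30), "02113", "M"),
]


def full_qi(record):
    """Quasi-identifier as released in the Weld and PGP cases."""
    dob, zip5, gender = record
    return (dob.isoformat(), zip5, gender)


def generalized_qi(record):
    """Coarsened quasi-identifier: birth year, 3-digit ZIP prefix, gender."""
    dob, zip5, gender = record
    return (dob.year, zip5[:3], gender)


def equivalence_classes(records, qi):
    """Map each quasi-identifier value to the number of records sharing it."""
    return Counter(qi(r) for r in records)


def k_anonymity(records, qi):
    """The k of k-anonymity: size of the smallest equivalence class."""
    return min(equivalence_classes(records, qi).values())


def uniqueness_rate(records, qi):
    """Fraction of records that are the only one with their quasi-identifier.

    Each such record is linkable to an outside list (e.g. voter registration)
    carrying the same attributes, which is the risk the study describes.
    """
    classes = equivalence_classes(records, qi)
    singletons = sum(1 for r in records if classes[qi(r)] == 1)
    return singletons / len(records)


def release_allowed(records, qi, k_min):
    """Policy gate: only release when every class has at least k_min members."""
    return k_anonymity(records, qi) >= k_min


def risk_report(records, k_min=2):
    """Compare the raw and generalized quasi-identifiers on the same records."""
    report = {}
    for name, qi in (("full", full_qi), ("generalized", generalized_qi)):
        report[name] = {
            "classes": len(equivalence_classes(records, qi)),
            "k": k_anonymity(records, qi),
            "unique_fraction": uniqueness_rate(records, qi),
            "release_allowed": release_allowed(records, qi, k_min),
        }
    return report


if __name__ == "__main__":
    for name, stats in risk_report(SAMPLE_RECORDS).items():
        print(f"{name:>11}: {stats}")
```

On the sample records the full triple leaves nine of twelve records unique (k = 1), while the generalized triple leaves none unique (k = 2); a real release would need the same check run against the actual population, not a dozen rows.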

FPF staff are conducting research exploring the different risk profiles of nonpublic databases and publicly released databases and the relevant best practices for “pretty good” de-identification for restricted databases.  Please contact us if you are interested.


Do Not Track Hearing Takeaways

Organized by Sen. Rockefeller (D-W. Virginia), who has repeatedly pushed for a “Do Not Track” law, yesterday’s Senate Commerce Committee hearing on Do Not Track (DNT) was billed as an opportunity for industry to provide senators with an update on how voluntary DNT standards were proceeding.  Joined by Senators Blumenthal, Heller, McCaskill, and Thune, Sen. Rockefeller engaged in a two hour discussion that touched on not only the state of the online economy and behavioral advertising, but also important consumer privacy concerns.  The hearing produced three key takeaways:

1)     Advertisers and Industry Must Be More Proactive

Advertising and industry groups need to be more proactive in encouraging the DNT process or risk the government imposing its own solution.  Sen. Rockefeller (D-W. Virginia) criticized industry for “deliberately dragging its feet” and “undermin[ing] the very essence of a meaningful Do-Not-Track standard.”

Part of the problem, as FPF’s Jules Polonetsky and Omer Tene have suggested previously, is that there remains wide debate surrounding the question of whether behavioral tracking is a net social good or an unnecessary evil.  Discussions surrounding the technical implementation of DNT “camouflage deep value judgments which have yet to be made,” the pair concludes.

This dilemma was on full display during the hearing.  Sen. Heller (R-Nevada) asked directly whether behavioral tracking was producing any sort of harm, and the panelists explained that this may be the most difficult question of all.  Determining whether tracking produces either quantitative or qualitative harm to consumer privacy is a huge challenge.  “Privacy is a highly subjective condition,” Adam Thierer of the Mercatus Center noted, explaining that behavior we find to be creepy may not be harmful in any real sense.

The Digital Advertising Alliance’s Lou Mastria suggested that the question should revolve around user choice, arguing that the DAA was already voluntarily providing a consumer opt-out mechanism largely in line with what Sen. Rockefeller has proposed.

Harvey Anderson, speaking for Mozilla, stated that the DNT debate has mistakenly focused on business revenue models, models that, he claimed, lack consumer transparency.  The solution he put forward was for Internet industries to emphasize developing and encouraging trust with consumers.

However, though the World Wide Web Consortium (W3C) provides the perfect forum to hash out technical standards, it is ill-positioned to make these types of privacy value judgments.  The inability of everyone to agree what behaviors are good or bad may be hamstringing the process.

2)     Senators Are Skeptical of the W3C 

Perhaps as a result, senators appear skeptical of the ability of the World Wide Web Consortium (W3C) to adequately tackle the problem.  Acknowledging that Congress may be ill-equipped to handle complicated technical policy questions, Sen. McCaskill (D-Missouri) questioned whether a technical body such as the W3C was the proper forum to be making sweeping Internet policy decisions.  Justin Brookman noted that the W3C already includes all of the major players, and Harvey Anderson explained that the organization was better positioned than regulators or other entities to achieve a technically feasible agreement.

Sen. Rockefeller remained skeptical.  “The WC3, W3C, whatever it has no authority whatsoever,” he said, and none of its standards were legally enforceable.  Beyond that, he was worried about the group’s generally slow progress at developing a self-regulatory framework for DNT.

Thierer, a frequent critic of the process, defended the W3C, emphasizing that developing technical standards, let alone establishing Internet policy, is incredibly challenging work.

Peter Swire, a senior fellow at FPF and the co-chair of the W3C DNT standards process, wrote in advance of the hearing that failure to come to a negotiated standard threatens a “new digital arms race.”  Further, he warned that failure at the W3C would lead to a government imposed solution, and if yesterday’s hearing was any indication, this is an avenue several senators want to explore.

3)     There Is Some Enthusiasm to Explore Legislative or Regulatory Solutions

Indeed, Sen. Rockefeller appears eager to pursue a legislative response.  He has reintroduced his Do-Not-Track Online Act, but it is worth noting that the bill currently only has one co-sponsor:  Sen. Richard Blumenthal (D-Conn.). Thus, it is unclear how successful Sen. Rockefeller’s effort will be.  For his part, Sen. Blumenthal, who also sits on the committee, was left wondering what sort of action might be required by either Congress or the FTC to spur the DNT process along.

“If voluntary agreements are not forthcoming, is it time for a law?” Sen. Blumenthal (D-Conn.) asked.

While the panelists did not directly address this question, the general sentiment was that stakeholders were on a path to finding a solution without congressional involvement.  Justin Brookman from the Center for Democracy & Technology noted that part of the problem remains that the United States simply lacks any sort of comprehensive privacy law to provide a baseline.  DNT receives much attention, but it is hardly “the worst thing out there,” he suggested.

Nonetheless, even as panelists pushed for more time, all eyes will be on the W3C’s next meeting among all the major stakeholders on May 6.

Peter Swire's Op-Ed on Do Not Track

FPF Senior Fellow and the Ohio State University Moritz College of Law Professor Peter Swire wrote an Op-Ed today for Wired on “How To Prevent the ‘Do Not Track’ Arms Race.” The article highlights the challenges of implementation and the need for a multistakeholder negotiated Do Not Track standard.


Techworld: Our Internet Privacy is at risk – but not dead (yet)

With this year declared “The Year of Privacy on Steroids,” companies, policy makers and professional experts alike agree that privacy is essential, but the real conversation on the matter is: where is the silver lining?

Future of Privacy Forum’s own Jules Polonetsky shared his professional expertise on the topic, specifically when it comes to companies tracking users’ online behavior and their attempts at self-regulation.

To read the article click here.

Domestic Drones Should Embrace Privacy by Design

On Wednesday, the FAA held an online forum to seek input from members of the public on the agency’s development of a privacy policy for unmanned aircraft systems, or civilian drones. For two hours, privacy advocates, engineers, and representatives of the unmanned aircraft industry went around in circles debating whether drones even present novel privacy questions–and whether the FAA was the appropriate government agency to conduct such a conversation. If the unmanned aircraft industry wishes to encourage the widespread societal embrace of this technology, suggesting that drones do not present privacy challenges and moreover, arguing that our current legal and policy framework can adequately address any concerns is counterproductive.

Drones Are Different

As the Associated Press reported last week, public fear that unmanned aircraft technology will be misused threatens the health of the entire unmanned aircraft industry. Robert Fitzgerald, CEO of The BOSH Group, which provides drone support services, was quoted as saying that the industry’s “lack of success in educating the public about unmanned aircraft is coming back to bite us.”

While it may be true as a technical matter that unmanned aerial surveillance is no different than a manned overhead flight, the privacy implications are worlds apart. As a practical consideration, unmanned aircraft are far cheaper and more accessible to use than their manned counterparts. The ACLU’s Jay Stanley has suggested that unmanned aircraft erase the “natural limits” of aerial surveillance, and as drones become both smaller and more technically advanced, they will pose bigger and bigger challenges to individual privacy.

But what truly makes unmanned aircraft so unique is that they provide a physical manifestation of our generally abstract, mental conceptions about privacy. Professor Ryan Calo surmises that drone surveillance is “visible and highly salient” in a way that people experience quite differently from network surveillance or commercial data brokerage. “People would feel observed, regardless of how or whether the information was actually used,” he explains.

Privacy Approaches to Unmanned Aircraft Systems

The Association for Unmanned Vehicle Systems International (AUVSI) has put forward a broad privacy statement that endorses efforts to ensure unmanned aircraft are used in an accountable and transparent fashion. So far, so good. However, the statement also calls for technology neutral policies. In other words, data collected from unmanned aircraft would be treated no differently from information uncovered from manned aircraft–or mobile phones. Additionally, while AUVSI has embraced limits on information collection, storage, use and sharing, it recommends enforcement via “established law and policy.” This might not be such a problem if the United States had more comprehensive privacy protections in place, but as Professor Calo and others have pointed out, there are few privacy laws that actually limit surveillance by either private or public parties.

Given this reality, it is problematic for organizations like AUVSI to suggest, as it did on Wednesday, that the solution is to trust the judicial system to sort out any privacy issues that may arise. Relying on either the traditional privacy torts or the Department of Justice to somehow police privacy intrusions by private companies is not only inefficient, but it does nothing to address the public’s broader concerns about unmanned aircraft. AUVSI claims to want a broad, society-wide discussion about privacy, but it fails to recognize that its own technology may well be the catalyst that forces us to readdress our privacy laws.

Alleviating these fears should be the industry’s top priority should it wish to see the projected economic boom from unmanned aircraft come to fruition. It may make sense to redirect this conversation to an agency with more substantive privacy expertise, but that will only further delay a policy discussion that is already behind where our technology is moving. As unmanned aircraft technology advances, it faces a patchwork of different laws and regulations across the country. A legislative fix by Congress is unlikely, and moreover, Congress has specifically mandated that the FAA work to safely integrate drones into our national airspace.

Given the slim likelihood of legislative action, stakeholders are more or less stuck with the FAA.  Thus, it is essential that the FAA work to develop guidelines that encourage public trust and confidence. The industry’s current approach is unlikely to accomplish this, so how can we best ensure the development of unmanned aircraft technology in a way that protects privacy? One strategy is to couple aircraft safety with privacy protections, and a number of mechanisms put forward by privacy advocates, such as metadata transmissions or “drone license plates,” would promote safety, as well. Another strategy is to develop policies that are informed by the Fair Informational Practice Principles (FIPPs), and for its part, this is the approach the FAA has suggested so far.

Incentives to Embrace Privacy by Design

Data minimization, security, transparency, and accountability are all important principles to respect, but one way of operationalizing these principles in the context of unmanned aircraft is to embrace the concept of Privacy by Design. Developed by Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, Canada, Privacy By Design encourages organizations to build privacy in–early, robustly and systematically–across products and business ecosystems.

According to the Federal Trade Commission, Privacy by Design requires entities to “promote consumer privacy throughout their organizations and at every stage in the development of their products and services.” Applying this notion to the field of robotics, researcher Aneta Podsiadła has suggested that privacy protections can be operationalized through a combination of technical solutions during product development and “embedding privacy” into an organization’s operation. Unmanned aircraft manufacturers and operators do not appear to be seriously thinking about privacy from either perspective, however.

Ironically, the vocal public concern about drones actually combats one of the biggest challenges to implementing Privacy by Design. Often economic incentives to protect privacy are simply inadequate. Privacy scholar Ira Rubinstein explains that this combines with inexact guidance by regulators on how to implement Privacy by Design to make investing in privacy safeguards costly to firms. In the case of unmanned aerial surveillance, however, public demand for privacy safeguards is salient–and indeed, an economic opportunity.  Already firms are developing surveillance “countermeasures” for sale to the general public.

This provides an opening to make the FAA’s privacy proposals a model for future privacy policies and for operationalizing Privacy by Design. Both regulators and industry need to begin elaborating design principles, discussing best practices, and researching how privacy can be engineered into unmanned aerial systems. Absent an ongoing dialog, we are committing ourselves to privacy protections that are more aspiration than reality in the skies above. All parties have every incentive to consider these issues: the drone industry anticipates adding 70,000 high-tech jobs and $14 billion to the economy by mid-decade. If we hope to see those figures come to fruition, everyone should be working with the FAA to encourage innovation and experimentation with privacy-protecting technologies.

How Obscurity Could Help the Right To Fail

In a post on Policy@Intel, David Hoffman explains why Internet obscurity can help the “Right to Fail.”  Absent providing individuals with “a sphere of privacy where they know they can make mistakes,” society may make it impossible for individuals to pursue ideas that “challenge the status quo” and are needed “to break away from conformity and innovate.”

He also highlights Woodrow Hartzog and Evan Selinger’s suggestion that obscurity might actually be better than privacy when looking at conceptual tools to protect personal information.


Increasing Calls for a Big Data Dialog

Big Data promises to open new doors to curing diseases, cleaning the environment, and easing life’s burdens, but is it opening too many doors?  Writing for The New York Times on Sunday, Steve Lohr suggested that the privacy challenges posed by Big Data are so large that they might trump any potential benefits.  The surveillance possibilities permitted by data today, he noted, “could leave George Orwell in the dust.”

Whether privacy challenges should trump how we use data or vice versa, there is an obvious need for organizations and society at large to address what we hope to achieve with Big Data—and what we are willing to take off the table. In that spirit, FPF is joining with the Stanford Center on Internet and Society to host a day-long event this fall to tackle how best to bring together the value of data with the value of personal privacy. There should be some room for agreement.  As Lohr notes, “corporate executives and privacy experts agree that the best way forward combines new rules and technology tools.”

Yet Big Data may require us to have a bigger discussion about how personal data is used.  In response to research posted on Monday that concluded that anonymized data in the context of day-to-day location tracking can be re-identified with relative ease, David Mayer declares on GigaOM today that we need a “new realpolitik” for data privacy:

We are not going to stop all this data collection, so we need to develop workable guidelines for protecting people. Those developing data-centric products also have to start thinking responsibly – and so do the privacy brigade. Neither camp will entirely get its way: there will be greater regulation of data privacy, one way or another, but the masses will also not be rising up against the data barons anytime soon.

As Mayer concedes, it is impossible to stop our ever-increasing data collection capabilities, and even if we could, it would likely be to our greater detriment.  While our legal constructs tend to view privacy as a binary all-or-nothing concept, our Big Data reality suggests that privacy be viewed as a spectrum in which benefits are weighed against the specter of the dictatorship of data. Who is doing what, for what purpose and for what benefit are important considerations, and it is past time for policy makers to begin engaging with these questions in earnest.