Too soon to judge Obama administration on privacy…
A number of the most fervent privacy groups today put out a report critiquing the Obama administration’s record to date on privacy issues. At only 9 months in, it seems a bit too soon to rate the Administration. As we have written previously, we do think there have been early indications of a commitment to ensuring that privacy issues are given high priority in the policy process. But clearly there are very high hopes in the advocacy community that this Administration will lean on its many tech savvy appointees to forge new paths that ensure the advances of technology are harnessed in a manner that advances both the needs of government and civil liberties. Likewise, we think that many of the more progressive companies in the business community are eager to see the government take steps to help increase the trust necessary for citizens to embrace the advances enabled by new technologies.
What about the privacy of our youth? Obama may be the first president to offer our children some personal privacy advice. Yesterday, when he was asked for some guidance on how to become president, he told several ninth graders, “Be careful what you post on Facebook.”
One thing that Congress can do to help is to confirm Cass Sunstein, the Administration’s nominee for the Office of Information and Regulatory Affairs, which is the office at OMB that helps oversee government agency privacy issues. Sunstein comes to the position with a close relationship with the President and a long history writing and thinking about the impact of technology and society. The sooner the administration can have a focal point for privacy issues, the sooner we can expect to see progress on many of the privacy issues at stake.
How We’re Losing Our Privacy Online
Christian Science Monitor
By Gregory Lamb
August 31, 2009
Gail Heyman didn’t go on Facebook often. In March Mrs. Heyman, who lives in the Atlanta area, opened an account just to keep up with a few friends. She found herself rarely checking the social-networking site, letting days or even weeks slip by between visits.
But in late June, she received a phone call from a cousin. He had responded to what he thought was her emergency plea for money on Facebook and wired her $2,000 – in London. As he thought about it more, he decided to call her just to double-check.
Heyman, who was still in Georgia, was astounded. Someone had figured out her password, taken over her account, and posted the fraudulent request. “They told my [Facebook] friends that I had been mugged, and that I was in a hotel and that I needed money,” she says.
Her cousin was able to quickly contact Western Union and cancel the transfer before the money was picked up by the imposter in London. Heyman, still a little shaken, hasn’t reopened her Facebook account but hopes to get back online in the future. “It’s made me think differently about doing things online,” she says.
Jules Polonetsky quoted:
“Let’s make it easier for folks to act in the way they want to act,” says Jules Polonetsky, co-chairman and director of the Future of Privacy Forum, a Washington, D.C.-based think tank underwritten by companies such as AT&T, AOL, Intel, eBay, and Facebook. “Yes, I can make a silly joke to my friend. It can be easily watched by my friends, but I can easily make it go away if I need to.”
Facebook agreed Thursday to give users more control over the information they share with outside applications like games and quizzes in response to concerns raised by Canadian privacy officials.
Currently, people who wish to use such software have to agree to share all their data with the application. For example, when a user signs up to take a quiz, the software developer could tap the user’s biographical information, photos and hobbies, along with profiles and information on friends, even if such data aren’t needed to take the quiz.
Jules Polonetsky quoted:
Jules Polonetsky, co-chairman and director at the Future of Privacy Forum think tank in Washington, D.C., said that while users will be more aware that applications are accessing their data, they may still click through the notices without regard for what information they are ceding to the developers.
Several weeks ago the Office of the Privacy Commissioner of Canada issued a comprehensive report about Facebook’s privacy policies and asked the company to address several privacy concerns they laid out or face imminent legal action. In response, Facebook announced today a series of changes intended to address the concerns offered by the Commissioner.
Among the changes Facebook will be making:
• Updating its Privacy Policy to better describe a number of practices, including the reasons for the collection of date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work.
• Encouraging users to review their privacy settings to make sure the defaults and selections reflect the user’s preferences.
• Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.
In my opinion, the most important change is related to applications. As I have previously discussed, the challenge of policing the activities of tens of thousands of independent developers around the world is a daunting but necessary task. The current process on Facebook allows users to opt in to giving applications permission, but allows apps to require users to provide access to all of their own data and all their friends’ data. Many users have no clue that by doing quizzes, they are providing a developer with access to all the information in their profile and access to their friends’ profiles and their information.
The new process will require applications to spell out the data they want from users with more detail and to more specifically approve access to categories of an individual’s data or their friends’ data.
For the first time, when users authorize an application, they will have the opportunity to opt out of giving certain pieces of information. Fields that are necessary for the application to function will still be mandatory. Facebook also said that it anticipated that users will need to opt in to giving applications access to their friends’ data.
These changes are absolutely a very positive step, and do lead the way for other platforms that support applications to step up to provide more transparency and control.
Unfortunately, I don’t see how Facebook can take on the job of policing hundreds of thousands of applications, without creating huge bottlenecks or hiring hundreds of reviewers. Who will decide what data is necessary for an application to function? Will users pay attention and exclude the sharing of data which isn’t required or will they just click through? Clearly, there is a desperate need for third parties such as seal companies or application rating sites to fill the void here so that users can look to trusted experts for help before deciding to share the details of their lives with unknown and unverified developers. Of course, this issue isn’t unique to Facebook as the focus tomorrow will be on the other social network platforms. And, it’s only a matter of time before open mobile platforms feel the heat as well.
The other important note here is that, once again, the international privacy regulators are driving the global privacy agenda and setting standards for US companies. In response to recent pressure from European authorities, search engines have all reduced the time they keep search queries. Although international regulators have for many years published opinions or made public declarations about their views that companies weren’t meeting local standards, they have begun to play a significantly more aggressive role in demanding actual changes from companies active in their jurisdictions. A review of the agenda of the November international conference of data commissioners makes it clear that social networking, kids’ privacy, and behavioral advertising will continue to be lead topics of discussion. Although the FTC cooperates with many of the international regulators and has observer status at some of the conferences, I reiterate the call for the Obama administration to appoint a Chief Privacy Officer who can ensure that the US is more visible and relevant on this increasingly global playing field.
Dan Solove
Above the Law has an entertaining interview with FPF advisory board member Prof Dan Solove on the “skanks” case, as well as some background on his career. Check it out here.
New York Times on Government Use of Cookies:
Kudos to the New York Times for addressing the government’s use of cookies in an editorial in this morning’s paper. As the piece indicates, currently there is no ban in place which prevents a federal agency from using tracking devices, such as cookies. Unfortunately, it is an all or nothing policy, which allows agencies in the government to use cookies with the approval of their agency head or a specific designee. If approval is granted by an agency head, the current use of cookies is allowed without any substantial privacy protections or use limitations. A new policy is needed that would both enable government web managers to ensure federal web sites are optimized for the public and to make the government policy more privacy protective. By addressing issues that the Future of Privacy Forum and other advocates have proposed, such as limiting the retention of Internet Protocol addresses and setting policies that would increase transparency and user control, we can have our cake (or our cookies in this case) and eat it too.
Massachusetts Tweaks Its Data Security Regs
The Commonwealth of Massachusetts, home of the infamous 2007 TJX data security breach, is the first state to require detailed regulation over how personal data is secured. As an incubator of a new kind of law, it has found that getting the regs right is no easy task. The regs have been revised once already, and the deadline for compliance has been extended once before.
Our friend from her FTC days, Barbara Anthony, now Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation, took up her post this year, and heard various concerns expressed by many small businesses and others about the effect of even the revised regs. So, yesterday she announced that a second revision to the Massachusetts data security regulations will occur, and that the original compliance deadline of January 1, 2010 will be extended again, this time to March 1, 2010. The regulations now will have a “risk-based approach”, which is intended to make it easier for small businesses that may not handle a lot of personal information about customers. Several specific provisions required to be included in a business’s Written Information Security Program have been removed from the regulation and are intended as guidance only. The scope of the regulations was revised to cover “persons who own or license personal information,” removing previous regulatory language related to those that “store or maintain personal information”. (Thus, if a business simply uses swipe technology for credit cards only, and does not have actual custody or control over the personal information, then a business does not own or license personal information with respect to that data. Still, Payment Card Industry (PCI) standards would have to be observed.) The encryption definition was amended to be technology neutral and, in addition, technical feasibility will apply to all computer security requirements.
As to portable devices, only those that contain personal information of customers or employees need to be protected and only where “technically feasible”. And as to back-up tapes, there is a requirement to encrypt backup tapes on a prospective basis, but with respect to the transport of a backup tape from storage, only if it is technically feasible to encrypt must one do so prior to the transfer. If it is not technically feasible and there is sensitive personal information on the tapes, the regs suggest that using an armored car service (rather than an ordinary courier) would be in order.
Getting granular is hard, as the regulators in Mass. have found, but kudos to them for trying. Interested parties will have another opportunity to weigh in on this round of revisions at a public hearing in Boston on September 22nd and written comments will be accepted until September 25th. For more details, click here.
31st International Conference of Data Protection & Privacy Commissioners – November 4-6, 2009
Jules is scheduled to participate in the 31st Annual International Conference of Data Protection and Privacy Commissioners in Madrid, Spain at the Palacio de Congresos (Congress Palace).
Click here for more information regarding this event.
Web Analysis, Behavioral Targeting and Advertising: Individual Visitors Tracking v/s Aggregate Data
In our comments on the federal government’s request for input on the use of cookies, we made the point that for the purpose of Web site analytics use of data in the aggregate was quite sufficient. This discussion and debate between analytics industry experts from Google and Comscore provides some insight on the issues around analytics, individual data, personalization and related privacy issues.
“Transparency alone is not the right answer to the quandary over privacy and targeting. The users must not only feel in control but be able to see a real benefit from the technology”.