robots.net blog for MRyan

PrivacyCamp Washington, DC 2009

Mon, 8 Jun 2009 23:11:00 GMT

Co-sponsored by the Center for Democracy and Technology, the Electronic Privacy Information Center, and the Future of Privacy Forum (among others), this inaugural "unconference" brings together interested individuals and organizations to share knowledge and foster collaboration. The event is June 20th, 2009, from 8AM to 5PM at the Center for American Progress (1333 H Street NW, Washington, DC 20005). You can register here and Shaun Dakin is the contact should you have any questions.

Patient Privacy Rights FTC Comments

Thu, 4 Jun 2009 07:09:51 GMT

Teneille Brown, Joshua Auriemma, and I helped Patient Privacy Rights draft the public comments it submitted to the Federal Trade Commission on Monday. Thanks to Patient Privacy Rights executive director Ashley Katz for the opportunity to assist.

The FTC sought comment on a proposed interim rule that would require certain entities to notify consumers upon the unauthorized acquisition of electronic health information.

Patient Privacy Rights' recommendations include:

*Clarifying that the rule covers Microsoft HealthVault, Google Health, and similar entities that deal in electronic health information.

*Requiring entities to keep an audit trail of unauthorized access and clarifying that publishing electronic health information on the web constitutes "acquisition" under the rule.

*Reconsidering the position that de-identified electronic health information may be excluded from the proposed interim rule in all instance.

The final comments are attached.

State AG Threats To Craigslist Implicate Free Speech

Tue, 19 May 2009 23:12:27 GMT

This post is co-authored by Ryan Calo and CIS summer intern Joshua Auriemma.

On Saturday Night Live’s classic segment “Really?!? With Seth & Amy,” two incredulous news anchors blast a ridiculous current event—for instance, the fact that AIG held a lavish retreat six days after receiving 85 billion dollars in federal bailout money to celebrate the company’s top earners. “Really?” Amy Poehler asks. “What does it take to be a top earner at AIG right now? Did you sell your office furniture on Craigslist?”

Some lawyers following the ultimately successful pressure placed by various state attorneys general on Craigslist to take down its erotic services section have experienced a “Really?!?” moment of their own. A particularly unsubtle letter from South Carolina AG Henry McMaster basically threatened Craigslist with "criminal investigation and prosecution" of its management personnel if the popular classifieds website didn’t remove all offending material by 5:00PM, Friday, May 15, 2009.

Really? A state attorney general can send a letter to Craigslist threatening to initiate criminal charges against its management unless it shuts down a predominantly legal forum on the basis that the AG dislikes the kind of stuff that gets posted there?

As an initial matter, it is not clear what legal hook an AG would have. Section 230 of the Communications Decency Act would appear to immunize Craigslist for the content posted on the site by its users. See 47 U.S.C. § 230(c)(1) (“No provider … of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”). See also id. at §230(e)(3) (“No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.”). Our best guess is that Craigslist ultimately gave in to state AG demands not out of fear of losing a criminal trial, but due to the sheer prospect of facing investigations and lawsuits in multiple states, generating bad press and costing potentially thousands of dollars in defense fees regardless of outcome.

What is clear, however, is that threats of criminal action motivated by disapproval of lawful speech constitute state action for First Amendment purposes. In the 2007 case of Porter v. Bowen, for instance, the Ninth Circuit applied intermediate scrutiny to find that the California’s Secretary of State violated the First Amendment when he threatened to prosecute the owners of a website devoted to vote-swapping. 496 F.3d 1009 (9th Cir. 2007). Interestingly, the plaintiff in Porter was a distinct website, not even affiliated with the vote-swapping website that actually received the legal threat. Id. See also Carlin Communications, Inc. v. Mountain States Tel. & Tel. Co., 827 F.2d 1291, 1295 (9th Cir. 1987) (deputy attorney’s threat to prosecute a telephone company unless they dropped plaintiff’s adult phone service converted activity to state action).

No state AG is going to voice disapproval of erotic content per se. Thus, McMaster’s open letter refers to the harmful activities that Craiglist’s erotic services section allegedly facilitates. But even in this public document, McMaster cannot resist multiple references to “the unrestricted manner in which graphic pornographic pictures are posted and displayed by users on the craigslist site.”

Recall that attempts to restrict access to online pornography by adults on the basis of its alleged availability to children have repeatedly been struck down as unconstitutional under the First Amendment. See, e.g., Reno v. American Civil Liberties Union, 521 U.S. 844, 875 (1997) (“It is true that we have repeatedly recognized the governmental interest in protecting children from harmful materials . . . [b]ut that interest does not justify an unnecessarily broad suppression of speech addressed to adults.”).

The issue is not, in the end, even about safety. Shutting down a section of Craigslist will not stop sex crimes. If anything, having solicitations appear online and in a central location creates an additional tool for law enforcement concerned about prostitution and exploitation by creating a digital trail. Law enforcement apprehended the alleged “Craigslist Killer,” who set off the whole controversy to begin with, in part by tracing the IP address of someone who emailed the victim. No such trail exists on the street corner or in printed classifieds.

Simply put, we need to let go of the puritanical urge to force change on mainstream Internet services because their content offends someone. State governments are accomplishing through threat what they never could through regulation. This represents a blow to our collective liberty.

Really.

WhatApp? Alpha (Preview)

Fri, 15 May 2009 00:10:55 GMT

A generous grant from the Rose Foundation has made it possible for the Center to develop WhatApp?, an expert and user-driven review website for software apps that focuses on privacy, security, and other Silicon Values. We now have a working alpha, which we will spend the summer testing, improving, and populating with content in anticipation of a beta next year. The attached is a series of screen shots from a Power Point presentation of the demo. Thanks to Quinn Interactive for their timely, high-quality work thus far.

Does NAI’s Opt Out Tool Stop Consumer Tracking?

Tue, 28 Apr 2009 00:08:45 GMT

I heard a rumor that I hope isn’t true. Specifically, I heard that opting out of behavioral profiling may not stop advertising companies from tracking you as you travel across the Web. Rather, according to the rumor, in many cases you merely opt out of seeing the tailored ads your web history might otherwise trigger.

The ability to opt out of behavioral profiling essentially underpins the argument for self-regulation by the industry. The idea is that (1) people like tailored ads and (2) those that worry about the practice, for instance, from a privacy perspective, can opt out of it. Setting aside the apparent frailty of cookie-based opt out (when you delete your cookies, you delete your opt out as well) and the availability of other means to track users (like flash cookies), this seems pretty straightforward and convincing.

But what does “opting out” mean, exactly? A close look at the Network Advertising Initiative website, which offers an opt out tool on behalf of most major online advertisers, turns up no guarantee that opting out will stop a company from logging where a user has traveled.

In the NAI's words:

The NAI Opt-out Tool replaces a network advertiser's unique online preference marketing cookie on your browser with a general opt-out cookie. It does not delete individual cookies nor does it necessarily replace other cookies delivered by network advertisers, such as those that are used for aggregate ad reporting or mere ad serving purposes. Such cookies allow network advertisers to change the sequence of ad banners, as well as track the aggregate number of ads delivered (impressions).

You don’t need to be Derrida to see that this carefully crafted language comes apart upon reflection. How can the tool "replace[] a network advertiser's unique online preference marketing cookie" but at the same time not "delete individual cookies [or] replace other cookies delivered by network advertisers, such as those that are used for … mere ad serving purposes”? Where I come from, "replace" means "to put something new in the place of" something else. You take the cookie that tracks me away, and you replace it with a cookie that says not to.

So does opting out stop tracking or not? Lawyer and blogger Sarah Bird wrote about the NAI’s opt out cookie about a year ago after attending a conference at Berkely Law School. Specifically, she wrote:

The audience was extremely interested in cookies and how they work. ... People were surprised and confused to learn that the NAI’s opt-out program doesn’t prevent advertisers from collecting information about you; it only prevents advertisers from serving you targeted ads. The companies still get to benefit from your information, you still have to see ads, but the ads aren’t targeted towards your preferences. Somehow, I have a feeling that most consumers who bother to use the NAI's opt-out program don't realize this. After all, I have to imagine that it is the tracking itself that bothers privacy-sensitive people, not the targeted ads.

I have to agree with Sarah here.

To be clear, I’m not convinced that behavioral advertising is all that dangerous a practice from the perspective of personal privacy. Advertisers don’t really care who you are and much of the tracking that occurs is anonymous. True blocking is easy—for a veritable buffet of privacy enhancing technologies, visit our wiki database—and the government can go directly to users’ Internet service providers if they want access to web surfing habits.

But still, this rumor bothers me. Have advertisers allowed the misapprehension to persist that opting out of behavioral profiling stops the practice of tracking? If so, for shame. The industry should confront the harms of tracking, real or imagined, head on, instead of lulling users into a false sense of control over their browsing history.

Kevin Bankston Discusses Wiretapping On Countdown

Fri, 10 Apr 2009 19:18:10 GMT

Visit msnbc.com for Breaking News, World News, and News about the Economy

The True Danger Of The Internet: What Occurs To Us

Mon, 30 Mar 2009 22:13:02 GMT

The most interesting aspect of cyberspace is not what happens for a time to its visitors. It’s not the absence of regulation nor the presence of perfect regulation; it’s not the staggering variety of content nor the sudden arbitrariness of geography; it’s not the constant threat of surveillance nor the occasional absence of accountability. The most interesting aspect of cyberspace flows from its status as an engine of realization: cyberspace widens the range of what we think of as possible. The Web is home to phenomena that never quite happened before—not because the technology was untenable, but because no one thought to do it. The importance of cyberspace is not what occurs to you when you visit; it’s what occurs to you.

If you’ve visited Google’s physical campus in Mountain View, you likely noticed that the sign in procedure amounts to a click-wrap. Google requires that you accept a non-disclosure agreement, presented on monitors by the front door, before it will print you a visitor pass. It occurred to the Internet giant that it could treat its campus like an Internet service by requiring visitors to click-through a terms of use at the entry portal. This generates a record that you either agreed to play by the rules, or you were trespassing.

This is hardly an isolated example.

A central reason online ads continue to gain on traditional ads is because they allow for sophisticated targeting and analytics. You can know where a user has surfed and what she is looking at, so you can advertise to her based on relatively good intelligence about her preferences. And you can follow her clicks and views to determine what's effective.

Not coincidentally, it now occurs to outdoor advertising companies to listen to what is playing on your car radio and change the billboards you see accordingly. Suddenly they place cameras in billboards to detect demographic and other information about the people who look at ads. Today's malls can follow you around using your cell phone signal as you shop to rearrange their store displays for maximum impact.

The latest and most sophisticated technique in use on the Internet is probably deep packet inspection (DPI). Such technology “sniffs” the content of data packets traveling node to node by Internet protocol. DPI can be used, among other things, to detect the illegal sharing of copyrighted content. It works invisibly and need not disrupt lawful activities. You would think that DPI would be hard to reproduce in the real world. It turns out not: it has occurred to the Motion Picture Association of America to pay to train dogs to sniff luggage and mail for the tell-tale scent of recently burned (read: pirated) CDs and DVDs.

It’s often said that where there’s a will, there’s a way. I don’t agree. We want many things that we cannot make happen no matter how hard we try. I’d say the converse is more plausible. Where there’s a way, there’s a will. If one day a new road for thought yawns into the distance, some adventuring mind will take it. This is the lesson of cyberspace—its promise and its greatest danger.

Yes, A Copyright Law Joke

Thu, 26 Mar 2009 00:10:36 GMT

You don't see a lot of law comics, much less comics about copyright law. Does this clever cartoon from across the Web describe an instance of fair use? You be the judge.

Have Fun Watching The Country

Sat, 14 Mar 2009 05:15:37 GMT

826 National is an incredible non-profit dedicated to improving writing and other skills among children ages to six to eighteen. A few days after the election of Barack Obama, 826 centers in seven cities asked children to offer advice to the new president. The result was the deservedly celebrated book Thanks And Have Fun Running The Country.

As you might imagine, this book is a major tour de cute. One 9-year-old in Los Angles opines that if he were president, he “would help all nations, even Hawaii.” A Seattle 7-year-old suggests that President Obama “turn on the heater, so it won’t be cold.” In short: awwwww.

You can imagine my surprise, then, when I came across the following suggestion from a Boston 12-year-old: “Dear, Barack Obama, … You should also build cameras all around our city to find out who is breaking the law, and also in movie theatres so we can tell who is making illegal copies.”

Wait, what??? Did the DOJ and RIAA have a child together? The rest of this writer’s suggestions are eminently reasonable—more power efficient cars, less smoking, and the like. Still, it’s not often that you see a 12-year-old proponent of ubiquitous surveillance!

Privacy And Free Speech (ACLU No. Cal. Primer)

Fri, 13 Mar 2009 19:12:21 GMT

The ACLU of Northern California has published a primer (PDF) on the advantages to businesses of good privacy and free speech practices. The primer assembles many real-world instances of harms and benefits to companies due to their choices around user privacy and value speech. Congratulations to Nicky, Chris, and no doubt others in putting this together.