There is so much happening with privacy right now that it is enough to make my head spin. What is clear though is that individuals, companies and government all want it both ways.
Some parts of government want private enterprise to do a better job of protecting individuals’ information from other individuals and companies. At the same time other parts of government are looking for wholesale access to individual data bypassing any and all privacy policies and constitutional rights. Sorry, you can’t have it both ways.
Similarly individuals want to be able to share information with more than 500 of their best friends on Facebook and yet have it be private. Sorry, you can’t have it both ways.
Companies want to gather tons of information about their customers but not disclose much or anything about their own activities or have third parties collect that information. Sorry, you can’t have it both ways.
We are entering uncharted territory here because of our amazing information gathering and sharing capabilities. As I have said before we need to start with a discussion of values first. I don’t believe that privacy is a value in and of itself. If you want to see my own grappling with this complicated topic, here are all my past posts on privacy.
One of the major issues we are struggling with in this flood of data is the question of what data belongs to whom and in particular how much access and control endusers should have over their data (or for that matter what “their” data even means). In California a “Right to Know” bill has been introduced that would require companies to let endusers access what data has been stored about them and which third parties that data has been shared with. The definition of personal data in the bill is quite broad “including inferences or conclusions drawn from other information” if those are shared with third parties. The bill has the support of EFF and the ACLU. Not surprisingly over a dozen companies and several trade groups have come out against this arguing that it would put an unreasonable burden on them.
I actually think this kind of regulation could be very helpful even though there are some details that need to be thought through. For instance, it will generally be easier for large companies to comply with this as they have more resources than smaller companies, so there might be some time period or scale threshold for which companies would be exempted. I also think it is critical that a completely electronic request (a button in the user’s profile or settings page) and electronic delivery in plain text or even something like JSON can be used to satisfy the requirement. The current draft still mentions such things as “addresses” as if it should or could be possible for users to request this over the phone or by mail.
This kind of act could be particularly powerful in conjunction with another set of regulations that I would really like to see: legalizing personal internet bots. By that I mean a law that makes it clear that as an enduser I can authorize a third party service to interact with a service on my behalf. And if I have explicitly authorized the third party service then this cannot be a terms of service violation. The combination would allow for the emergence of third party services that monitor information on my behalf across other services. This would be all that we need for market solutions to emerge around privacy. With the right amount of work both of these bills could be quite concise.
When I first heard about SnapChat I was immediately reminded of the attempts of a friend of mine to establish a DRM‘d email platform that would let recipients read an email but not do anything else with it that hadn’t been explicitly authorized (printing, forwarding, etc). There was some amazingly fancy crypto technology involved. In the end though it was never possible to close up the many holes inside general purpose computing technology. Those of course include the ultimate hole — the so-called A-Hole which here stands for Analog Hole: the ability to take a picture of the screen. Music and video companies have of course found the same truth the hard way in their own DRM efforts. So I was not at all surprised to see this headline: Not-So-Ephemeral Messaging: New SnapChat “Hack” Lets Users Save Photos Forever. Anything that gives you a false sense of security or control will come to bite you eventually. Personally I consider this a feature and not a bug of digital technology.
Yesterday I posted about how the current Do Not Track debate is muddling the underlying issues. I got a great reply from Mike Yang on Twitter that rightly pointed out that P3P had been a mess in part because Microsoft jumped the gun on it. That got me to think about an even broader context here which is the shift to mobile. A do not track battle on the web only is even more absurd in the context of a rapid shift in where people spend time and can be tracked even better (at least in the new iOS).
Mike then pointed out that Android has a pretty good permission system, which I agree with. The system is easy for end users to understand and doesn’t get in the way because you need to approve it once when you start using an application and then only if an upgrade to that application wants more permissions.
So the better idea here might be to start with mobile and then extend that model to the web. When you first visit a site there would be a one time permission dialog. Websites in the EU already do this with regard to cookies. Now one might think that this becomes very cumbersome. But with a standard, browsers could be configured so that you don’t even see the dialog if a site is only requesting permissions that you are willing to always grant.
Of course web sites don’t operate in a sandbox so there would be some trust involved. But a standard like this would also make it possible to construct automated services that can crawl the web, register for sites and services, monitor marketing systems and see if sites are abiding by their requested permissions.
The permissions themselves should be things that can be worded in relatively plain English (substitute your language here), such as “Permission to send emails to you” or “Permission to share anonymized information with third parties for marketing purposes.” This approach would also make it possible to weave in things that are one off now, such as sites permitting access to location or potentially local storage.
It will take some work, but I think one could come up with something that works across both mobile and the web with the same language. That would be a real win for consumers and also provide operating clarity for companies.
The Do Not Track discussions that are currently going on are fascinating because they highlight the huge gap between how the internet actually works and how people are talking about policy. Politicians are giving consumers a false sense that there is an easy “on/off” switch for tracking. And industry groups aren’t helping the debate by making it easy to argue that they are using self policing as a fig leaf. All of this completely drowns out the difficulty of the underlying problem: our online activities leave a huge data footprint because of the many different connected systems that data passes through. To really not be trackable, consumers would have to start using a network such as Tor which is clearly not a mass market behavior. Anything else implies some level of trackability. So the question really is more one of who does tracking and to what ends. For industry this means more transparency and more consumer friendly tools for understanding and changing their browser behavior. It may be time to revisit prior efforts along those lines such as P3P.
I wrote a blog post last week about the current Privacy Theater in the US, where the government is simultaneously pushing stricter privacy regulations and huge backdoors that would completely undermine privacy. The backdoors come in the form of the Cyber Intelligence Sharing and Protection Act or CISPA. The folks at Lumin Consulting have put together a good infographic that illustrates how CISPA undermines privacy:
I am actually sympathetic to the basic idea behind CISPA, which is to make it easier to share incident data as a way to identify and protect against attacks. But the way that CISPA goes about it is wrong on two important levels. First, it would stuff the incident information into the existing agency and vendor world instead of making it widely available on the Internet. Wide availability would let researchers, hobbyists and new vendors all work on improving security. In other words it would enable the Internet to help protect the Internet.
The second big mistake in CISPA is that it uses broad language when what we need is a tight and well specified sharing protocol. I am not suggesting that such a protocol can be devised to cover all types of attacks and attack related information but rather that by starting with something tight we can go from no public data to a lot of public data. For instance, reporting IPs involved in DDOS attacks would be a great and very precise starting point. The way the government can help here is by helping to define the reporting standard and starting small instead of shooting for some all encompassing solution.
I wrote recently about how we are at a time during which lots of little decisions will determine whether we find ourselves in an information utopia or dystopia. There is a lot of legislation in the works both here in the US and abroad that speaks directly to this. In particular, there is a schizophrenic approach to privacy. We are simultaneously getting efforts to provide more privacy in commercial settings and less privacy vis-a-vis the government. In the US, the FTC is working on new privacy regulations at the same time that the Cybersecurity bill drafts have provisions that could amount to enormous backdoors into consumer data. The UK is doing much the same with an even more aggressive government access bill. I am beginning to think of the commercial legislation as “privacy theater” (akin to security theater) which in no small part distracts from the simultaneous attack on privacy from the government.
So Facebook settled with the FTC over privacy and Mark Zuckerberg wrote another apologetic blog post (as pointed out by Liz Gannes this is his tenth). Part of the need for these apologies comes from Facebook’s aggressive approach to releasing features which at some level is admirable in a company of their scale. But what is really driving the problems is a fundamental conundrum about privacy in the digital age. Anything that was private a second ago can be made public by someone else with often little more than a click. One click public-making if you so want.
There is no doubt that this extremely powerful technology will over time transform our conceptions of private and public. I highly recommend Jeff Jarvis’s book Public Parts as it provides some interesting historical and cross cultural contexts. What the book makes eminently clear is just how much “private” and “public” are social constructs and how fundamentally they have changed with past changes in technology.
These large scale social changes, however, tend to take much longer than the underlying technology changes that drive them. So we now find ourselves in an in-between period. We have the one-click public-making technology but we still (mostly) have our previous notions of public and private. Facebook started out by incorporating these previous notions deeply into the system but it is difficult if not impossible to get to the kind of clear lines that people are still looking for in a system of Facebook’s complexity (e.g., what is the privacy expectation around something shared with friends of friends?).
What has worked much better for people to date is to have easily understood conventions around the privacy expectations for completely separate types of communication. If you text or IM a person your expectation is one of privacy. That’s the primary reason a site such as bnter hasn’t taken off yet. It goes fundamentally against the grain of people’s expectations of privacy for a particular type of communication. The same is largely true for email, which is why even smart people get caught in sending emails to reporters who then occasionally publish those as on the record conversations.
When we have settled into whatever our new social constructs will be (and I don’t expect that to be anytime soon), the discussions we are having now will seem as quaint as the debates over whether newspapers could publish photographs. I don’t know what exactly those new constructs will be, but I highly doubt that reflecting them in software will require users to make complex adjustments to privacy settings.
Following f8, there has been a new explosion of discussion around Facebook’s voracious data gathering. For instance, Facebook keeps cookies on your machine even when you are logged out which allows them at least in principle to track your visits to sites with Facebook social plugins. Add to that the Ticker, which is really just Beacon redux with better timing and some semblance of an opt-in, and you have a ton of data on your activities on the web flowing to Facebook. Since I have been bothered by this for some time, I have come up with a setup that makes me feel more in control.
Before describing the setup, I should point out that I don’t really use Facebook actively other than (a) to sign into some sites that require it (eg canv.as) and (b) respond to the occasional Facebook message from a friend. I am happy to use individual services which together work better for me than Facebook (Tumblr, Twitter, Foursquare, Kik - it is not by accident that USV is an investor in these). So if you are a super active user of Facebook, the following may not really work for you.
First, I periodically visit the settings page in Facebook and make sure that I am opted out of features such as instant personalization or letting people automatically add stuff to my profile through tagging. I do this periodically because as Facebook’s service evolves they are changing the settings accordingly (this is not a criticism, simply a statement of fact and over time they have actually simplified the controls). Second, I use multiple browsers. I use Chrome as my workhorse and have gmail, gcal, twitter, tumblr open in it at all times. I use Firefox for most of the services that I try out and this is where I tend to be logged into Facebook. Finally, I use Safari in private mode and have cleared all cookies. Any and all personal browsing and transactions take place through Safari.
While this may seem like overkill, I find that it not only lets me be less concerned about Facebook’s data gathering but also I wind up having just enough tabs open in each browser that I can readily navigate. On the Mac, Alt Tab switching makes going back and forth between the three a breeze. The only occasional hold up occurs if I run across a URL in one browser that I want in another which then requires a quick copy and paste.
This seems to be the week for legal blog posts. After trying a slightly revised version of COICA with new branding (now: PROTECT IP), Senator Leahy has come out with a very sensible piece of legislation, the ECPA Amendments Act of 2011.
As the name says, this is an amendment to the Electronic Communications Privacy Act of 1986 for which Senator Leahy was also the lead author. The proposed amendment brings the act into the 21st century by adding email, cell phone, private messages on social networks to the types of communication that require a search warrant based on probable cause. I suspect that most Americans today assume that this is already so (as the analogy to phone calls and snail mail seems obvious) but that’s not the state of the law today.
The EFF is rightfully supportive of this bill. They do point out some problem areas, such as the expanded use of National Security letters to circumvent the warrant process, but I suspect that this is the kind of compromise that has to be made to give a bill like this a shot to be passed at all.
So I find myself thoroughly disagreeing with Senator Leahy on one bill (PROTECT IP) and being supportive on another (ECPA Amendments) all in the space of a couple of days. That raises some interesting questions about how to best make representative democracy work in the Internet age. I would love it if Senator Leahy’s web site allowed for comments (ditto for all elected officials). A requirement to be a registered voter and to disclose your real identity for commenting would seem sensible to prevent a bunch of random rants. Maybe our portfolio company disqus can offer something to help with this. Probably a good topic for another blog post altogether.