Category Archives: Law: Privacy

Big Brother is WWWatching You (feat. George Orwell)

Rap News 15:

Good stuff! Lots of cute in-jokes too.

Spotted via BoingBoing.

Posted in Civil Liberties, Cryptography, Internet, Law: Privacy | Leave a comment

Privacy and the Lumpen Consumertariate

The Secret Shopper by Willie Osterweil has a bit too much jarring Marxist jargon for me to feel in tune with it, but it makes some provocative points about the institution of the “Secret Shopper” — the folks hired by management to go to stores and pretend to be customers and then report on the quality of the service.

Stripped of (some of) the cant, the conclusion is that the mystery shoppers are tools of conformity:

Mystery shoppers are miniature thought police, affective pinkertons, mercenary management to whom real management outsources the legwork of everyday psychic control. They are sent in to break the avenues of refusal available to workers, to enforce the arbitrary standards dreamed up by marketers, bureaucrats, and MBAs that so deaden the experience of everyday life under late capitalism. … All just for a little extra cash for the weekend.

Producing identification with the bosses; smashing labor; and making solidarity difficult through contract labor, precarity, and remote working are key features of neoliberal workplace organization. But central to this vision, too, is workplace surveillance. … Heightened workplace surveillance helps build a workplace where no time is wasted, where all effort is put directly into the production of the bosses’ product. But it transforms more than just the bottom line.

The threat of the ever-present spy, the fear that the woman who forgot her ID in the car but swears she’s 18 is actually a scab employed by your boss, means you trust no one, expecting them all to be against you, out to catch you breaking management’s rules, which you now enforce with paranoiac efficiency. Surveillance, ultimately, isn’t about stopping crime. It’s about making police.

I think that even if you are OK with Taylorized service jobs, this critique ties somehow to the importance of privacy in other realms — or the need for concern about the upcoming Dossier Society — more generally. Data is a way to watch you too.

Posted in Law: Privacy, Shopping | 1 Comment

Obama Unveils “Consumer Privacy Bill of Rights”

Today the the Obama Administration is unveiling its new “Consumer Privacy Bill of Rights” (quoted in full at the end of this post) which they tout “as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.” [Update: The White House issued this 'white paper', Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy that it says provides the background for the proposal. Despite the January cover date, I think it's new, suggesting that there may have been some last-minute tussle about the contents?] [Update2: White House "Fact Sheet" on 'Consumer Privacy Bill of Rights'.]

But as far as I can tell from my initial read, this is only a first step towards rules with a tooth or two. Next, our friends at NTIA (the people who gave you the modern ICANN), will be “conven[ing] Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the Federal Trade Commission. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.” Good luck with that in this Congress.

NTIA does have a strong and smart leader right now, Lawrence E. Strickling, the Assistant Secretary for Communications and Information, so this could be good. On the other hand, Strickling has shown willingness to carry the trademark lobby’s water on some ICANN issues (what else is new?), so this bears watching. On the good side, the administration is asking for enforceable legislation, not some blurry new public-private partnership. And the Commerce Department wrote a pretty good requirements document for what the policy should look like in its recent National Strategy for Trusted Identities in Cyberspace (April 2011). That document envisioned an “Identity Ecosystem” described as a system that will enhance privacy and civil liberties:

The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider can gain a complete picture of an individual’s life in cyberspace. By default, only the minimum necessary information will be shared in a transaction. For example, the Identity Ecosystem will allow a consumer to provide her age during a transaction without also providing her birth date, name, address, or other identifying data.

In addition to privacy protections, the Identity Ecosystem will preserve online anonymity and pseudonymity, including anonymous browsing.

However, while setting out the outlines of how such a system might work in theory, the Strategy did not attempt to explain key aspects of how its ambitious goals might be attained in practice. Instead it sets out a ten-year roadmap, in which the first three to five years require “standardization of policy and technology” based on the twin pillars of underlying reliable offline credentials and private-sector leadership. Worse, only one month later, however, the White House released its International Strategy For Cyberspace, a document that while by no means all bad (it extolled the Internet’s benefits and opportunities), also warned darkly of the Internet’s dangers:

Extortion, fraud, identity theft, and child exploitation can threaten users’ confidence in online commerce, social networks and even their personal safety The theft of intellectual property threatens national competitiveness and the innovation that drives it These challenges transcend national borders; low costs of entry to cyberspace and the ability to establish an anonymous virtual presence can also lead to “safe havens” for criminals, with or without a state’s knowledge Cybersecurity threats can even endanger international peace and security more broadly, as traditional forms of conflict are extended into cyberspace.

And it is this latter document, not the better Identity Management paper from a month earlier, that gets cited in today’s press release about the “Consumer Privacy Bill of Rights”. Which vision will prevail – the primarily pro-privacy vision or the Internet-as-danger vision? The Administration’s press release sounds some positive notes, for example this one:

Achieving privacy policies for a Global, Open Internet: U.S. companies doing business on the global Internet depend on the free flow of information across borders. The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of our trading partners.

At very hurried first glance the Consumer Privacy Bill of Rights idea seems based on principles that actually sound good…but may not be quite as great as they sound:

American Internet users should have the right to control personal information about themselves. Based on globally accepted privacy principles originally developed in the United States, the Consumer Privacy Bill of Rights is a comprehensive statement of the rights consumers should expect and the obligations to which companies handling personal data should commit. These rights include the right to control how personal data is used, the right to avoid having information collected in one context and then used for an unrelated purpose, the right to have information held securely, and the right to know who is accountable for the use or misuse of an individual’s personal data.

Does this mean the US will catch up with the EU’s data protection regime? I can’t tell for sure, but my first guess is “no”. To say that these are “obligations to which companies handling personal data should commit” is carefully not to say that these are obligations to which corporations will be required to adhere. At least not yet. Or at most only sectorally, rather than generally. Meanwhile, though, we’re going to kick the can down the road a bit, and “convene stakeholders including industry and privacy advocates to develop enforceable codes of conduct that implement the principles in the Consumer Privacy Bill of Rights for specific industry sectors.” But only those rules that “will keep up with, and not hamper, the pace of innovation.” So if your business model is, like Facebook or Google, based on using consumer information, then what?

There is one thing everyone agrees on – that companies should keep their promises about privacy and that the FTC can enforce on them when they do not – and this will remain a major enforcement tool. That’s good as afar as it goes, but in most cases that is only as far as your carefully drafted EULA.

The Administration seems to envision a legislative proposal, I would imagine after the election. It will set out the “basic principles the Administration believes should be reflected in a privacy law” which will on the one hand involve proposing “clear and actionable rights” while also providing “a way for companies to be confident that they are respecting these rights through an FTC-approved enforcement safe harbor.”

Let the food fight begin?

Here is the advance text of the Obama administration’s “Consumer Privacy Bill of Rights”:

Continue reading

Posted in Law: Privacy | Leave a comment

Bus-based Cameras to Watch Cars

We’re clearly moving towards a tipping point on total traffic surveillance. Here’s SF’s contribution:

Big Brother will be watching you.

Within the next 15 months, every one of Muni’s 819 buses will be outfitted with cameras capable of snapping photos of vehicles illegally travelling or parking in The City’s transit-only lanes. Any car caught on tape will be subject to fines of up to $115.

Since 2008, about 30 Muni buses have been equipped with the cameras. And even though the rollout has been modest so far, the results have been telling, said John Haley, transit director of the San Francisco Municipal Transportation Agency, which operates Muni.

“The cameras have been instrumental in changing driver behavior,” said Haley. “When cars see a bus coming, they get the hell out of the way now.”

Muni expanding camera program to nab drivers in transit-only lanes

Spotted via Slashdot, San Francisco Enlists Bus Cameras For Traffic Law Enforcement.

So both government and private industry (insurance) will be watching us. Parents following kids are next (cellphone based apps already provide a form of this service, but it’s easier to ditch the phone than the car). Then we start monitoring people parked near bars. Eventually we move to predictive models of traffic violation. Then maybe we start modeling other crimes, like drug buys and curb crawling. (Pity it doesn’t work for insider trading.) Meanwhile the huge databases are constructed for use by law enforcement, and discovery in civil suits. Even if all this remains on balance benign in rule-of-law democracies, it invites small-scale abuses.

And in autocracies we can expect large-scale abuses on a grand scale. That’s a serious problem that doesn’t get thought about nearly enough as we build and then export the technologies.

Posted in Law: Privacy | 1 Comment

Another One for the “I Warned You” File (Updated)

TomTom has signed a deal with an insurance company to use its satnav technology to measure driving ability to set premiums.

The satnav specialist said it has teamed up with Motaquote on Fair Pay Insurance – a product that the companies claim rewards ‘good’ drivers with lower premiums, using technology to monitor driver behaviour.

TomTom tech to set driver insurance premiums (spotted via Slashdot.)

Sorry to sound like a broken record here, but I predicted something like this over a decade ago in The Death of Privacy?. That doesn’t mean I have to like it…although in principle this one I hate a little less than some, since at least it’s a private transaction, and in theory you have some choice about whether you sign on for it.

The problem is that the choice to refrain likely won’t last long. Other companies are already doing something similar. See for example Progressive Insurance’s “Snapshot” program that monitors your driving for 30 days in order to figure out your quote. Once this sort of monitoring becomes widespread, those who do not sign up for it will be dumped into the high-risk pool. This seems to be an example of the phenomenon discussed so well by Lior Strahilevitz in Privacy versus Antidiscrimination.

Previously:

Update (2/10/12): Looks like insurers will be tracking drivers in the UK too:

The AA is set to launch a new insurance policy which uses sat-nav technology to track driver performance.

The firm said the system would allow its better drivers to receive cheaper premiums.

It follows similar efforts by smaller insurers. Larger rival Direct Line has told the BBC it is also piloting its own “black box” scheme.

Posted in Law: Privacy | 1 Comment

Total Traffic Surveillance Systems

Canada is building a total traffic surveillance system based on Automatic Licence Plate Recognition (ALPR):

With ALPR, for $27,000, a police cruiser is mounted with two cameras and software that can read licence plates on both passing and stationary cars. According to the vendors, thousands of plates can be read hourly with 95-98 percent accuracy. These plate numbers are automatically compared for “hits” against ICBC and Canadian Police Information Centre “hot lists” of stolen vehicles; prohibited, unlicensed and uninsured drivers; and missing children. When such “hits” occur, plate photos are automatically stamped with time, date, and GPS coordinates, and stored. The officer will investigate details in the above-mentioned databases directly, and may pull over suspect vehicles.

At least, that’s how the popular story goes ….

… the Privacy Commissioner described the ALPR program to parliament as “general and ubiquitous surveillance, without adequate safeguards,” …

… the categories of people that generate alerts or “hits” in the ALPR system, alongside car thieves and child kidnappers, are much broader than has ever been disclosed publicly. And information on these people’s movements is being retained in a database for two or more years. For example, though you may not be stopped, your car is a “hit” and its movements are tracked and recorded if you’re on parole or probation or, in some cases, you’ve simply been accused of breaking a criminal law, federal or provincial statute, or municipal bylaw. You’re also a hit if you ever attended court to establish legal custody of your child, if you’ve ever had an incident due to a mental health problem which police attended, or if you’ve been linked to someone under investigation. The list of hit categories continues through three more pages, and a fourth page that the RCMP completely redacted.

Meanwhile, according to the Privacy Impact Assessment, the RCMP is also keeping records for three months on the whereabouts of everybody else’s cars, too—this is called “non-hit” data.

I predicted something like this over a decade ago in The Death of Privacy?, but that doesn’t mean I have to like it.

I wanted to write that undoubtedly we’ll be doing this here very soon. But in fact it seems we’re already using Automatic License Plate Reader/Recognitiontechnology in many parts of the US.

(Canadian article spotted via Slashdot.)

Posted in Civil Liberties, Law: Privacy | 3 Comments

A Different View of the New Google Privacy Policies

I thought this post on the Google privacy changes by the uber libertarian technophile Technology Liberation Front was interesting, given that so much of what one reads is of the TIME TO FREAK OUT variety.

Key bits:

Although we have yet to see it play out in practice, this likely means that if you use Google services, the videos you play on YouTube may automatically be posted to your Google+ page. If you’ve logged an appointment in your Google calendar, Google may correlate the appointment time with your current location and local traffic conditions and send you an email advising you that you risk being late.

At the same time, if you’ve called in sick with the intention of going fishing, that visit to the nearby state park might show up your Google+ page, too.

The policy, however, will not include Google’s search engine, Google’s Chrome web browser, Google Wallet or Google Books.

arguable is the operative word. There indeed may be enough significant user backlash that Google backs off. In the last six months we’ve seen at least two instances of rapid market correction–Netflix’s decision not to go through with structurally separating mail and online video rental accounts and Bank of America’s reversal of its plan to charge online banking fees. Both occurred before the government could step in a provide its own (and no doubt clumsy) remedy.

Then again, there’s a significant body of research that suggests that, in spite of their own complaints, users may opt to accept greater benefits and convenience in exchange for more disclosure about their habits. With this mind, it will serve consumers best if companies like Google are allowed to experiment with the privacy paradox to find where actual boundaries are, rather than hamstringing potential innovation by pre-emptively and blindly setting them.

Posted in Internet, Law: Privacy | Leave a comment