Category Archives: Law: Privacy

The Wages of Allowing Federal Spying on Your Customers

Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.

— according to Bloomberg, U.S. Agencies Said to Swap Data With Thousands of Firms.

Turns out what the firms are getting is not data on customers — nor in the main is that what they are giving. Rather the firms are giving advance info on vulnerabilities in their systems that could be used to by the TLA’s1 to get information from vulnerable systems. Plus some of the firms are allowing the feds to install monitoring equipment on their networks, ostensibly to protect against hacking, but in at least some cases with the ability to spy on message traffic.

In exchange, the firms are getting information about who, especially from abroad, is trying to hack them, and some help and advice on defending themselves.

I have no problem with the feds helping US corporations defend themselves against foreign (or domestic) hackers. I do have a problem if the price of that defense is allowing the feds access to customer data.

My first instinct is that I wouldn’t have a problem with firms like Microsoft giving advance warning about vulnerabilities to the feds — whether it is so they can harden their own systems or even if it is so they can take advantage offensively to hack into foreign targets. I would feel that way, however, only so long as I believed the program had adequate safeguards to prevent its misuse against US persons, whether at home or abroad. And, unfortunately, there is no particular reason to believe that to be the case. There is at present a lack of accountability.

  1. TLA == Three Letter Agencies []
Posted in Civil Liberties, Law: Privacy | 1 Comment

We Predicted This One Years Ago

Accused bank robber wants NSA phone records for his defense

One of the exceptionally odd things about about the revelations about the NSA metadata and phone records revelations is that I, not to mention various other Cypherpunk fellow travelers, predicted all this 15 years ago.

In fact, we predicted it so long ago, that almost no one seems to remember we did.

I have to say, though, that this is the first story I’ve seen on the subject that made me smile. So that’s something.

Unfortunately, this may not be the perfect test case:

Prosecutor Michael Gilfarb told the judge that even if the information is available, it may be irrelevant depending on whether Brown carried a phone.

Brown’s wife, Vesta Murat Brown, who testified for the prosecution Wednesday morning, told jurors that her husband didn’t have a cellphone at the time but sometimes borrowed phones from her, other family members or friends.

But even if it isn’t, it won’t be long:

Local lawyers said they anticipate there will be many more requests for this kind of information now that defense attorneys know the information may have been preserved.

Posted in Law: Privacy | 2 Comments

Meme Watch: “Pocket Stasi”

I think the phrase “pocket Stasi”, meaning a cell phone that tracks and surveils you too much, has legs.

I first ran in to it yesterday, in a review of the Moto X flagged by David Farber’s email list:

… essentially, it’s the world’s most sophisticated cluster of sensors you can wear on your person, and it’s going to know every single thing you do, whether it’s driving, sleeping or taking a walk around the block. Google is betting that you will love your pocket Stasi so much you’ll never want to be without it—and Google is right.

I don’t know what the first use might be – maybe LibrarianShipwreck, The Stasi Agent in Your Pocket?

Yes, it trivializes the horror of the Stasi — totalizing sensors are bad, but not as bad as a secret police, nor is Google a pipeline direct to one. But I still think the phrase has legs.

Posted in Android, Law: Privacy | Leave a comment

A Note From the Surveillance Society

This, spotted at a local fast foodery, is depressing:

Since when is it the rule that if you don’t want to be on camera, you must be up to no good?

And no, I do not find the concept of a “burrito-cam” comforting in any way shape or form.

Posted in Civil Liberties, Law: Privacy | 1 Comment

Big Brother is WWWatching You (feat. George Orwell)

Rap News 15:

Good stuff! Lots of cute in-jokes too.

Spotted via BoingBoing.

Posted in Civil Liberties, Cryptography, Internet, Law: Privacy | Leave a comment

Privacy and the Lumpen Consumertariate

The Secret Shopper by Willie Osterweil has a bit too much jarring Marxist jargon for me to feel in tune with it, but it makes some provocative points about the institution of the “Secret Shopper” — the folks hired by management to go to stores and pretend to be customers and then report on the quality of the service.

Stripped of (some of) the cant, the conclusion is that the mystery shoppers are tools of conformity:

Mystery shoppers are miniature thought police, affective pinkertons, mercenary management to whom real management outsources the legwork of everyday psychic control. They are sent in to break the avenues of refusal available to workers, to enforce the arbitrary standards dreamed up by marketers, bureaucrats, and MBAs that so deaden the experience of everyday life under late capitalism. … All just for a little extra cash for the weekend.

Producing identification with the bosses; smashing labor; and making solidarity difficult through contract labor, precarity, and remote working are key features of neoliberal workplace organization. But central to this vision, too, is workplace surveillance. … Heightened workplace surveillance helps build a workplace where no time is wasted, where all effort is put directly into the production of the bosses’ product. But it transforms more than just the bottom line.

The threat of the ever-present spy, the fear that the woman who forgot her ID in the car but swears she’s 18 is actually a scab employed by your boss, means you trust no one, expecting them all to be against you, out to catch you breaking management’s rules, which you now enforce with paranoiac efficiency. Surveillance, ultimately, isn’t about stopping crime. It’s about making police.

I think that even if you are OK with Taylorized service jobs, this critique ties somehow to the importance of privacy in other realms — or the need for concern about the upcoming Dossier Society — more generally. Data is a way to watch you too.

Posted in Law: Privacy, Shopping | 1 Comment

Obama Unveils “Consumer Privacy Bill of Rights”

Today the the Obama Administration is unveiling its new “Consumer Privacy Bill of Rights” (quoted in full at the end of this post) which they tout “as part of a comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.” [Update: The White House issued this ‘white paper’, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy that it says provides the background for the proposal. Despite the January cover date, I think it’s new, suggesting that there may have been some last-minute tussle about the contents?] [Update2: White House “Fact Sheet” on ‘Consumer Privacy Bill of Rights’.]

But as far as I can tell from my initial read, this is only a first step towards rules with a tooth or two. Next, our friends at NTIA (the people who gave you the modern ICANN), will be “conven[ing] Internet companies and consumer advocates to develop enforceable codes of conduct that comply with the Consumer Privacy Bill of Rights, building on strong enforcement by the Federal Trade Commission. The Administration will also work with Congress to enact comprehensive privacy legislation based on the rights outlined here.” Good luck with that in this Congress.

NTIA does have a strong and smart leader right now, Lawrence E. Strickling, the Assistant Secretary for Communications and Information, so this could be good. On the other hand, Strickling has shown willingness to carry the trademark lobby’s water on some ICANN issues (what else is new?), so this bears watching. On the good side, the administration is asking for enforceable legislation, not some blurry new public-private partnership. And the Commerce Department wrote a pretty good requirements document for what the policy should look like in its recent National Strategy for Trusted Identities in Cyberspace (April 2011). That document envisioned an “Identity Ecosystem” described as a system that will enhance privacy and civil liberties:

The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual’s transactions, thus ensuring that no one service provider can gain a complete picture of an individual’s life in cyberspace. By default, only the minimum necessary information will be shared in a transaction. For example, the Identity Ecosystem will allow a consumer to provide her age during a transaction without also providing her birth date, name, address, or other identifying data.

In addition to privacy protections, the Identity Ecosystem will preserve online anonymity and pseudonymity, including anonymous browsing.

However, while setting out the outlines of how such a system might work in theory, the Strategy did not attempt to explain key aspects of how its ambitious goals might be attained in practice. Instead it sets out a ten-year roadmap, in which the first three to five years require “standardization of policy and technology” based on the twin pillars of underlying reliable offline credentials and private-sector leadership. Worse, only one month later, however, the White House released its International Strategy For Cyberspace, a document that while by no means all bad (it extolled the Internet’s benefits and opportunities), also warned darkly of the Internet’s dangers:

Extortion, fraud, identity theft, and child exploitation can threaten users’ confidence in online commerce, social networks and even their personal safety The theft of intellectual property threatens national competitiveness and the innovation that drives it These challenges transcend national borders; low costs of entry to cyberspace and the ability to establish an anonymous virtual presence can also lead to “safe havens” for criminals, with or without a state’s knowledge Cybersecurity threats can even endanger international peace and security more broadly, as traditional forms of conflict are extended into cyberspace.

And it is this latter document, not the better Identity Management paper from a month earlier, that gets cited in today’s press release about the “Consumer Privacy Bill of Rights”. Which vision will prevail – the primarily pro-privacy vision or the Internet-as-danger vision? The Administration’s press release sounds some positive notes, for example this one:

Achieving privacy policies for a Global, Open Internet: U.S. companies doing business on the global Internet depend on the free flow of information across borders. The Administration’s plan lays the groundwork for increasing interoperability between the U.S. data privacy framework and those of our trading partners.

At very hurried first glance the Consumer Privacy Bill of Rights idea seems based on principles that actually sound good…but may not be quite as great as they sound:

American Internet users should have the right to control personal information about themselves. Based on globally accepted privacy principles originally developed in the United States, the Consumer Privacy Bill of Rights is a comprehensive statement of the rights consumers should expect and the obligations to which companies handling personal data should commit. These rights include the right to control how personal data is used, the right to avoid having information collected in one context and then used for an unrelated purpose, the right to have information held securely, and the right to know who is accountable for the use or misuse of an individual’s personal data.

Does this mean the US will catch up with the EU’s data protection regime? I can’t tell for sure, but my first guess is “no”. To say that these are “obligations to which companies handling personal data should commit” is carefully not to say that these are obligations to which corporations will be required to adhere. At least not yet. Or at most only sectorally, rather than generally. Meanwhile, though, we’re going to kick the can down the road a bit, and “convene stakeholders including industry and privacy advocates to develop enforceable codes of conduct that implement the principles in the Consumer Privacy Bill of Rights for specific industry sectors.” But only those rules that “will keep up with, and not hamper, the pace of innovation.” So if your business model is, like Facebook or Google, based on using consumer information, then what?

There is one thing everyone agrees on – that companies should keep their promises about privacy and that the FTC can enforce on them when they do not – and this will remain a major enforcement tool. That’s good as afar as it goes, but in most cases that is only as far as your carefully drafted EULA.

The Administration seems to envision a legislative proposal, I would imagine after the election. It will set out the “basic principles the Administration believes should be reflected in a privacy law” which will on the one hand involve proposing “clear and actionable rights” while also providing “a way for companies to be confident that they are respecting these rights through an FTC-approved enforcement safe harbor.”

Let the food fight begin?

Here is the advance text of the Obama administration’s “Consumer Privacy Bill of Rights”:

Continue reading

Posted in Law: Privacy | Leave a comment