Saturday, April 14, 2012

License to Intrude, Part 3

In Part 1, we saw how federal agents were taking shortcuts around the Bill of Rights to collect and retain information on innocent, lawful (and legally-protected) activities of American citizens, and share that with other government agencies. The FBI was the subject of much of the discussion - but don't think it ends (or begins) with them. We also examined the connections between Facebook's senior leadership and national Democrats, and asked the question about what would happen if government agents, following orders from unscrupulous superiors, sought information from a social networking corporation whose executives helped put those unscrupulous superiors into power.

In Part 2 we saw how Facebook inadvertently collected large amounts of information from the computers of its users, even after those users had logged out of Facebook. This was significant, because the information deliberately collected was quite extensive:

Thus, in addition to being populated by traditional Facebook activities — "likes," comments, wall posts, picture posts, and so on—Ticker will soon be filled with detailed information about users' media consumption and lifestyle habits—the TV shows they watch, the books they read, the websites they visit, and the routes they jog, most likely without users affirmatively setting their preferences to share such information.

We also saw an example of how the government of Iran was using Facebook information to persecute activists in the United States! And, we heard about Facebook's policy regarding government requests: "32. Facebook currently grants government access to user information on merely a "good faith belief" that the disclosure is required by law[.]"

Well, it is getting better.

An excerpt from Four Unanswered Questions About the Cybersecurity Bills by Eva Galperin, March 27, 2012, gives a little more insight into the questions being considered in legislating current technology:

What does "information sharing" mean?

All of the proposed cybersecurity bills mandate some kind of "information sharing" or "government assistance" between the U.S. government and the private companies that have access to so much of our personal data, including email, web searches, GPS data, and our social graphs. Companies are encouraged to share information about "cyber threats" or incidents with the government, and to that end it provides them with immunity when sharing information about threats.

Some of the proposals balance this information-sharing with privacy oversight, to make sure that shared information does not impinge on individual privacy or civil liberties, but proposals such as the Rogers bill contain no such protective language. The Rogers bill gives companies a free pass to monitor and collect communications and share that data with the government and other companies, so long as they do so for "cybersecurity purposes." Just invoking "cybersecurity threats" is enough to grant companies immunity from nearly all civil and criminal liability, effectively creating an exemption from all existing law. Additionally, the Rogers bill places almost no restrictions on what kinds of information can be collected and how it can be used, so long as the companies can claim it was motivated by "cybersecurity purposes." S. 2105 (Lieberman) and S. 2151 (McCain) contain similarly dangerous provisions.

As if that wasn't bad enough, "information sharing" is often just a euphemism for surveillance and countermeasures, including monitoring email, filtering content, or blocking access to websites.

The link in the above excerpt goes into more detail on the Rogers bill. From Rogers' "Cybersecurity" Bill Is Broad Enough to Use Against WikiLeaks and The Pirate Bay, March 8, 2012, by Rainey Reitman and Lee Tien:

Under the proposed legislation, a company that protects itself or other companies against "cybersecurity threats" can "use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property" of the company under threat. But because "us[ing] cybersecurity systems" is incredibly vague, it could be interpreted to mean monitoring email, filtering content, or even blocking access to sites. A company acting on a "cybersecurity threat" would be able to bypass all existing laws, including laws prohibiting telcos from routinely monitoring communications, so long as it acted in "good faith."

The broad language around what constitutes a cybersecurity threat leaves the door wide open for abuse. For example, the bill defines "cyber threat intelligence" and "cybersecurity purpose" to include "theft or misappropriation of private or government information, intellectual property, or personally identifiable information."

Yes, intellectual property. It's a little piece of SOPA wrapped up in a bill that's supposedly designed to facilitate detection of and defense against cybersecurity threats. The language is so vague that an ISP could use it to monitor communications of subscribers for potential infringement of intellectual property. An ISP could even interpret this bill as allowing them to block accounts believed to be infringing, block access to websites like The Pirate Bay believed to carry infringing content, or take other measures provided they claimed it was motivated by cybersecurity concerns.

The language of "theft or misappropriation of private or government information" is equally concerning. Regardless of the intent of this language, the end result is that the government and Internet companies could use this language to block sites like WikiLeaks and, both of which have published classified information. Online publishers like WikiLeaks are currently afforded protection under the First Amendment; receiving and publishing classified documents from a whistleblower is a common journalistic practice. While there's uncertainty about whether the Espionage Act could be brought to bear against WikiLeaks, it is difficult to imagine a situation where the Espionage Act would apply to WikiLeaks without equally applying to the New York Times, the Washington Post, and in fact everyone who reads about the cablegate releases. But under Rogers' cybersecurity proposal, the government would have new, powerful tools to go after WikiLeaks. By claiming that WikiLeaks constituted "cyber threat intelligence" (aka "theft or misappropriation of private or government information"), the government may be empowering itself and other companies to monitor and block the site. This means that the previous tactics used to silence WikiLeaks—including a financial blockade and shutting down their accounts with online service providers—could be supplemented by very direct means. The government could proclaim that WikiLeaks constitutes a cybersecurity threat and have new, broad powers to filter and block communication with the journalistic website.

I am wondering if it doesn't go far beyond that. What about if someone had serious concerns that a social networking company were spying on its customers and passing that information to someone else in deliberate violation of the law? If that someone tried to collect evidence to determine if this was indeed happening, could that attempt be construed as a cybersecurity threat? Of course criminals will cover their tracks by breaking more laws, but this could make it perfectly legal for criminals to cover up criminal activities.

Read some of the rest of the posts at my blog, and tell me if that is not a serious concern.

Facebook's "Timeline" feature has been alleged to go out of bounds. From a December 27, 2011, EPIC letter to the FTC we learn about the threats posed by "Timeline":

Dear Mr. Chairman and Members of the Commission:

Recently, the Federal Trade Commission announced a landmark settlement with the social network company, Facebook. According to the Commission, "The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public."1 We write now to urge the Commission to determine whether Facebook's deployment of "Timeline" complies with the Commission's recent order In the Matter of Facebook, Inc. (Nov 29, 2011).

Having just reached a settlement with the Commission in which the company is required "to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established,"2 Facebook is changing the privacy settings of its users in a way that gives the company far greater ability to disclose their personal information than in the past. With Timeline, Facebook has once again taken control over the user's data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user.


Timeline acts as a user's profile page and automatically summarizes the user's life, from birth to the present day.8 Facebook selectively takes user information to display the Timeline summaries from every piece of information that has ever been shared with Facebook.


This level of exposure is vastly different from the old Facebook Profile.


Nor is Timeline limited to the types of information shared in the past. As users connect to social apps, Timeline will contain new categories of information regarding media consumption and lifestyle habits. Timeline's new "Health and Wellness" item, for example, encourages users to disclose medical data, turning Facebook into "an actuarial goldmine."11

In fact, Facebook is already used by the leading pharmaceutical companies to market drugs and medical treatments.12 The use of Facebook by health advertising companies led the Center for Digital Democracy to file a complaint with the Commission last year.13 The complain discussed Facebook applications such as Healthseeker, which was designed to help people with diabetes make informed lifestyle choices, but which neglected to mention "how users are tracked and monitored or what kinds of data are collected."14


One government has already warned consumers about the dangers presented by Timeline. Australia's Privacy Commission warned consumers to be careful what information they share with Facebook, stating that the company is "trying to change how people think and encourage them to normalize over-sharing and abandon any restraing on storage and use and exposure of private information."20


What kind of data is at stake, though? You might be surprised. From COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER To THE FEDERAL TRADE COMMISSION / Face Facts: A Forum on Facial Recognition / Project Number P115406, January 31, 2012:

At a minimum, EPIC recommends that the Commission enforce Fair Information Practices ("FIP") against commercial actors when collecting, using, or storing facial recognition data. We further believe that businesses should never use facial recognitions techniques to obtain the actual identity of consumers without the consumer's actual knowledge and informed consent. Consumers today enjoy enormous freedom and personal safety because they are able to interact with so many merchants, who are essentially strangers, without concern that they will be secretly tracked and profiled. It is critical that the Federal Trade Commission take affirmative steps to ensure the protection of the consumers' right to safeguard their identity. In the absence of guidelines and legal standards, EPIC recommends a moratorium on the commercial deployment of facial recognition techniques.


EPIC's 2010 complaint concerning Google Buzz provided the basis for the Commission's investigation and subsequent settlement concerning the social networking service.2 In that case, the Commission found that Google "used deceptive tactics and violated its own privacy promises to consumers when it launched [Buzz]."3 The Commission's recent settlement with Facebook was based on complaints filed by EPIC and other privacy and civil liberties organizations.4 The Commission found that Facebook had "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public."5 EPIC has also worked to bring the Commission's attention to the issues raised by facial recognition technology. In 2011, EPIC Senior Counsel John Verdi spoke at the Face Facts Workshop,6 and EPIC filed a complaint with the Commission regarding Facebook's use of facial recognition technology.7

But, wait! There's more!

Did you notice how Facebook now tells everyone where you are when you post a status update? Facebook is not just tracking your location; it is making your location public knowledge. To be sure, this is only an approximate location, but do you really want the world to know when you are hundreds of miles from home, away on a vacation or a business trip?

And, it does not stop with location. The potential is for far, far more.

From Are you ready for a 'quantified life'?, by Mike Elgan, April 14, 2012:

Computerworld - That smartphone you carry around is a box full of sensors.

Those sensors are just sitting there doing nothing, or performing mundane tasks like giving you turn-by-turn directions or turning off your screen when you're yakking on the phone.

But what if you could use phone sensors to their full potential?


Smart software with access to all the data gathered by these sensors, combined with an Internet full of information, could figure out all kinds of things about you.

Everybody knows that big companies like Google, Apple and Facebook want to harvest cellphone-generated data and use it to serve up virtual personal assistants with a side order of contextual advertising.

This vision of the future puts your phone's sensor data in the hands of megacorporations.


Alohar's Mobile Behavior Analytics Engine squeezes meaning out of user sensor data and offers libraries of data analysis to developers.

For example, based on the speed at which you're moving and the pattern of your phone's motion sensor, Alohar's software can tell if you're walking, skateboarding, biking, driving or flying. The GPS can tell where this is taking place. The clock tells when.

It can also auto-categorize locations as "home," "work," "restaurant," "gym" and other groupings, and provide you with statistics about, for example, how many hours you spend at work each month.

By combining GPS, light sensor and temperature data, the software can tell if you're inside or outside.

Some people with brains are rightly concerned about having chips implanted in them, without their knowledge or consent.

But, how many of us have already bought such an item, and carry it with us everywhere we go?

1984 is here, and we're paying top dollar to have the latest upgrades to the surveillance system.

And, at least one social networking company whose executives supported Obama's and Clinton's candidacies in 2008 is collecting that information, giving it away to the government and selling it to the highest bidders.

From Are you ready for a 'quantified life'?:

There's another "ambient awareness" app called Highlight that tells you when someone you know -- or someone who knows someone you know -- is nearby.

A combination of a system like Alohar's and an app like Highlight could tell you how you're connected to the strangers around you (those who also use the same app). Here's a guy who goes to the same gym you do. There's a woman whose kids go to the same school as your kids. One of your neighbors works in a building next to your workplace -- maybe you should carpool.

It's impossible to predict what creative developers could do with this service.

I wonder just how seamlessly that might connect with Facebook? :)

No comments:

Post a Comment