Category: Privacy

I’m very proud of the Know Privacy team, a group of three students who performed a broad analysis of online privacy issues for their master’s project at UC Berkeley’s School of Information. The study is featured today on the New York Times Bits blog. Several findings are notable:

They found: “From our analysis, it is apparent that Google is the dominant player in the tracking market. Among the top 100 websites this project focused on, Google Analytics appeared on 81 of them. When combined with the other trackers it operates, such as DoubleClick, Google can track 92 of the top 100 websites. Furthermore, a Google-operated tracker appeared on 348,059 of 393,829 distinct domains tracked by Ghostery in March 2009 (over 88%).”

Also, under the Bush administration, the Federal Trade Commission has framed privacy as one of “consumer harms.” That is, they claimed (without any evidence), that consumers really cared about privacy issues that caused harm. However, in an analysis of the FTC’s own consumer complaint data, the group found that American consumers were most frequently complaining about a lack of control over personal information.

The team investigated web site affiliate sharing too. The public policy debate around information sale generally is limited to third parties. There is a growing consensus, driven by international privacy rules, that companies should not sell personal information to third parties without affirmative consent from consumers. However, affiliate networks are very large, and US privacy law generally does not allow consumers to restrict the flow of personal information among affiliated companies. In looking at the top websites, the average had almost 300 affiliates. Newscorp, the company that owns myspace, has 1,500 affiliates. Identifying affiliates was very difficult: “We sent each company a request via email or an online web form for a list of each affiliate they may share data with. We received 14 replies, but none included the lists we asked for.”

Finally, it’s worth checking out the team’s findings on third party tracking: “…36 of the [top 50] websites affirmatively acknowledged the presence of third-party tracking. However, each of these policies also stated that the data collection practices of these third parties were outside the coverage of the privacy policy. This appears to be a critical loophole in privacy protection on the Internet.” Regulators should rethink this practice. Websites claim that they do not sell personal information to third parties, but then they allow third parties to follow you on their site. This seems to me to be outside consumers’ expectations.

Following up on my earlier post about Beyond Google and Evil, I just came across this article from the Wall Street Journal on one of Google’s detractors, Consumer Watchdog. Believe it or not, Google went after their funding!

…In January, Consumer Watchdog circulated a press release alleging a “rumored” lobbying effort by Google to enable it to sell personal medical data stored on its Google Health service. Simpson said the organization merely wanted to examine whether Google was trying to avoid new regulation under the Health Insurance Portability and Accountability Act, or HIPAA, which guards the confidentiality of patient data.

But Google was incensed. “That’s when Bob Boorstin went ballistic,” Simpson said, referring to Google’s director of corporate and policy communications in Washington.

Simpson defended the use of hearsay to make public allegations, arguing that it was appropriate for an advocate. “I don’t see any obligation in particular to call up the other guy and get his side of the story,” he said, adding, “We don’t lie, but we put out the facts we think are interesting.”

Google, however, was prompted to take the unusual step of asking the Rose Foundation to reassess its funding for Consumer Watchdog.

“In 17 years as a grant maker, that’s never happened to me before,” the Rose Foundation’s Little said. “Nothing Google has done has discouraged us from follow-up funding” for Consumer Watchdog, Little said, though no decisions have yet been made. He added, “Google would be much better off engaging with them.”

If you are proposing products that would put individuals’ health records online, you have to be ready for some criticism. But Google responded by trying to shut down Watchdog, and by trying to link Watchdog to Microsoft! (Microsoft is not linked to Watchdog.) Way to go, Google. That’s a standard PR tactic. I wonder whether it is good or evil.

In a sense, Watchdog did have the right intuition about Google. Google health is all about capturing the DTC drug advertising market away from the TV networks. Just imagine the types of targeting that will be possible when you’ve decided to upload your health information to Google!

I apologize for the infrequent blogging. A tough semester. I did have time, however, to publish an essay about Google’s rhetoric that might be of interest to Denialism readers.

No, I’m not calling Google denialist, but am trying to explain what Google means when the company talks about privacy (most companies interpret information privacy to mean security). And it’s not all bad for Google–the company’s rhetoric has created confusion, and clarifying it would help Google communicate why search advertising might be better for the consumer than other forms of targeting.

We’re discussing a junk mail case from the 1970s in my information privacy law case. In Rowan, Justice Burger laments:

…the plethora of mass mailings subsidized by low postal rates, and the growth of the sale of large mailing lists as an industry, in itself, have changed the mailman from a carrier of primarily private communications, as he was in a more leisurely day, and have made him an adjunct of the mass mailer who sends unsolicited and often unwanted mail into every home. It places no strain on the doctrine of judicial notice to observe that, whether measured by pieces or pounds, Everyman’s mail today is made up overwhelmingly of material he did not seek from persons he does not know. And, all too often, it is matter he finds offensive.

And things have only gotten worse since 1970. Here are the most recent statistics from the Postal Service on junk mail (here, roughly defined as “standard mail”). Starting in 2005, the Postal Service started carrying more standard mail than first class, and now the gulf between the two is pretty significant. Also, note that the standard mail is much heavier than first class mail, and it generates LESS revenue!

San Francisco recently passed a resolution calling for a do-not-junk-mail list. I’ll be signing up.

If you are socking money away in offshore banks, pay attention to this man’s expression. He’s saying, you’re screwed.

Yes, taxpaying citizens, you can rejoice, because tax cheats across the country are having panic attacks. They’re thinking about refiling their tax returns, or going to the IRS to beg forgiveness with a check to cover past taxes and potential fines. Some are evening thinking about sailing away from this great country. Good riddance.

As part of a 9/11 trend that requires banks to collect more information about their clients, and the fact that our government needs money, bank secrecy is on life support. Governments are willing to share information nowadays, and as the Times reports, the US government is going after 52,000 customers of UBS bank. (If you’re a customer, call your lawyer, today.)

When rich and powerful people have their privacy invaded, it oftentimes results in new privacy laws. Maybe the long-term result of this will be less privacy for the ultra tax cheating rich, and more for us. Maybe.

I’m very pleased with today’s decision from the DC Circuit Court of Appeals on recently-strengthened privacy protections for phone records. The short history goes something like this: the FCC created strong opt-in (affirmative consent) provisions for the sharing of phone records (who calls whom, for how long, etc). In 1996, the 10th Circuit held that the restrictions violated the First Amendment rights of companies that wanted to sell this data to marketers. Thus, the FCC relaxed the standard to opt-out, meaning that you had to take affirmative action to stop your phone records from being sold.

Did you know that the burden was upon you? Probably not! That’s why in 2005, I petitioned the FCC to reestablish stronger privacy protections, because all sorts of investigation companies were pretexting and obtaining phone records for perverts, stalkers, etc. The FCC opened a rulemaking and reestablished opt-in protections for phone records again. The industry sued, arguing that the First Amendment barred opt-in protections. Today the DC Circuit rejected the industry’s argument, holding that the FCC had sufficient justification for the heightened protections.

But what’s more important is that the DC Circuit’s opinion “gets” privacy. Many courts conceive of privacy as a way to shield oneself from embarrassment. The DC Circuit disagreed, writing, “There is a good deal more to privacy than that. It is widely accepted that privacy deals with determining for oneself when, how and to whom personal information will be disclosed to others. See Daniel J. Solove, Conceptualizing Privacy, 90 CAL. L. REV. 1087, 1109-10 (2002).”

Further, “…the carrier’s sharing of customer information with a joint venturer or an independent contractor without the customer’s consent is itself an invasion of the customer’s privacy – the very harm the regulation targets. In addition, common sense supports the Commission’s determination that the risk of unauthorized disclosure of customer information increases with the number of entities possessing it. The Commission therefore reasonably concluded that an opt-in consent requirement directly and materially advanced the interests in protecting customer privacy and in ensuring customer control over the information.”

Wow! In privacy law, courts are often wedded to waiting for some type of harm to arise, such as unwanted telemarketing calls. They rarely get the idea that it is the data sharing itself that is the problem, and that privacy is about how personal data is controlled. Good job, Judge Randolph. Now the burden won’t be upon you to shield your phone records from sale to marketers!

I’ll be on Minnesota Public Radio this morning with LA Times consumer reporter David Lazarus, talking about identity theft. Here’s the preview and I’ll post the stream later. I’m going to be talking about my recent articles on identity theft: Identity Theft: Making the Known Unknowns Known and Towards a Market for Bank Safety.

“All that remains is . . . recognition of a man.”

Patrick McGoohan, the creator of one of my favorite television series, The Prisoner, has died at 80. The Prisoner was a challenging and entertaining series that explored civil liberties, privacy, individuality, and democracy. My favorite episodes were Free for All and A Change of Mind. The good news is that these and all the other episodes are available online free at AMC.

I am really proud of my colleagues here at UC Berkeley for performing a first of its kind (in the US) study of the efficacy of police surveillance cameras. Its findings are limited to San Francisco’s system, but it is valuable in thinking through whether and how surveillance cameras should be implemented. I have to be careful about characterizing it, but here is an article in the Chronicle on its findings, and the full report is here (8.9 MB PDF). The authors explain: “…The findings include a determination that while the program decreased property crime within the view of the cameras by twenty percent, other forms of crime, including violent crime, one of the primary targets of the program, were not affected.”