ANALYSIS: Happy Data Privacy Day, Punk!
Data Privacy Day starts on January 28, but the parties behind it might not be its best advocates, nor even take the concept seriously.
The January 28 date was officially designated Data Privacy Day via resolutions passed by Congress, which hasn't been particularly scrupulous about privacy issues in recent years. Congress has repeatedly extended the U.S.A. PATRIOT Act, a post-911 catastrophe law that further opened up domestic electronic communications for surveillance.
On the telecommunications side, phone lines in the United States have always been subject to wire-tapping via longstanding U.S. CALEA law, but the legally mandated FISA court oversight, ignored by the Bush administration, may also be void today. In the mean time, the Federal Bureau of Investigation (FBI) allegedly has monitored U.S. data traffic with a so-called "Carnivore" packet sniffer, while the U.S. National Security Agency is thought to be intercepting global signaling through a project called "Echelon."
More recently, the FBI recently submitted a Request for Information document seeking proposals for a social networking application that can scrape "open source" data from social networking and news Web sites for surveillance purposes. (Haven't they heard of Google?) Supposedly, this application would be used to monitor so-called "bad actors," which likely isn't restricted to entertainers on the tube.
It wasn't so long ago that Congress supposedly put an end to funding for a 2002 Total Information Awareness (TIA) project. The TIA project was initiated by the Defense Advanced Research Projects Agency (DARPA) with the idea of using computers to harvest various sorts of domestic data for trending analysis and population surveillance purposes. The infamous Admiral John Poindexter, of Iran-Contra fame, was smoking his pipe over the possibilities of using this system to make trades on the stock market. The idea was to profit on secret TIA information about when global disasters and terrorist incidents would strike, thereby causing stocks to plummet.
In an odd bit of surveillance trivia, it was Microsoft's former Chief Software Architect Ray Ozzie's Groove social networking and collaboration product that was used for an early version of TIA, according to a 2002 New York Times story. Groove was later integrated into an edition of the Microsoft Office 2010 suite and renamed as "SharePoint Workspace 2010."
Happy Talk on January 28
Despite those leanings toward a lack of privacy as observed at the governmental level, Data Privacy Day will be marked by a talk by Julie Brill, commissioner at the U.S. Federal Trade Commission (FTC), at 9:30 a.m. Eastern Time on January 28. The event will include participation by the National Cyber Security Alliance (NCSA) and Facebook representatives. Those wanting to hear the talk, which will be broadcast live, can find links at the StaySafeOnline.org site.
The Data Privacy Day organizers aren't disinterested observers, but have a stake in how privacy legislation is shaped. Facebook, of course, is known for its social networking site, with privacy controls that are often under question. The latest controversy is Facebook's new automatic sharing policy, which delivers user profile data to Facebook's business partners.
The NCSA hosts the StaySafeOnline.org site, which advocates for safe Internet use, mostly based on users having to take a series of actions to surf the Web securely. The NCSA's board includes executives from commercial software, hardware, telecom, banking organizations and defense industries, including EMC Corp., Microsoft, AT&T Services, Cisco Systems, Lockheed Martin, Google, Symantec, Bank of America, Intel, Visa, ESET, PayPal, SAIC, Verizon Communications, General Dynamics and Facebook.
The NCSA also works with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center. The Department of Homeland Security, while focused on national cybersecurity issues, is also noted by the American Civil Liberties Union for tracking the activities of U.S. antiwar protesters and environmental organizations.
Consent and the Commercial Internet Ad Model
The Internet didn't begin as a business operation. Some say it started as a DARPA project to maintain communications after a nuclear war (via TCP/IP); others say that it was intended as a communication system among researchers. In any case, commercial interests followed later. Today, Internet use by individuals is partly funded through advertising, enabling access to "free" e-mail and search services.
As a tacit and largely unstated fee, user information is aggregated, either by a Web site owner or a third-party advertiser. This arrangement makes the Internet less of a free and open information highway and more of a user-tracking system to generate advertising dollars for corporations that provide services on the Web. The ability to traffic in personal user data voluntarily provided at social networking and other Web sites provides a financial incentive to sustain the use of that information for targeted advertising purposes. Under such a system, ignoring user privacy may just be seen as the cost a user must pay for being online.
Sometimes, targeted advertising is portrayed as a service to the user. Anyone who visits Amazon.com's shopping site with cookies enabled soon discovers what this means. Items a user searched for yesterday gets pushed to them for purchase on the next visit. User clickstream data from a Web site can be accessed by third-party advertisers, even if the user doesn't click on a sponsored banner ad. What the advertiser does with that data isn't transparent to end users.
Microsoft has developed some protections in Internet Explorer 9 to give users some control over this clickstream-harvesting practice by third-party advertisers, but they are opt-in protections that have to be turned on by the user. One is a "do not track" feature that includes an HTTP header indicating a desire not to be tracked. This mechanism wholly depends on the request being honored. The Worldwide Web Consortium is currently considering Microsoft's approach. The other privacy control in IE 9 is a "tracking protection" feature that depends on compiled URL lists to block (or allow) the sending of user information. However, some of these tracking protection lists (TPLs) apparently are better than others. The Electronic Frontier Foundation (EFF) specifically advises against using the TRUSTe TPL, which Microsoft includes in its list of TPLs.
Here's what the EFF says about the TRUSTe TPL:
"The main consequence of subscribing to that list in IE9 is to ensure that web users are tracked, not that they are protected from tracking," the EFF claims. "Unfortunately, the design of IE9's TPLs are implemented greatly exacerbates that problem, because once a site has been whitelisted in TRUSTe's list, that overrides a blocklisting in any other list (such as EasyPrivacy). As a result, users should never install the dangerous TRUSTe list, because doing so significantly compromises the blocklist mechanism."
Personal e-mails are even scanned for advertising purposes. Google, which reported net revenue of $2.7 billion in its last quarter, largely based on its search-advertising business, states in a FAQ that it scans the content of users' Gmail messages to that end, but the company claims not to disclose or read the contents of those e-mails. It's all part of Google's "free" service, which may not be too different from other such no-cost services. Recently, Google said that it plans to gather such consumer data across all of its online properties, including search, e-mail and YouTube videos, and users won't be able to opt out of the data collection, the Washington Post reported.
Public Policy and the 'Right to Privacy'
Thus, Data Privacy Day, backed by government and industries -- each with its own need and motive to exploit personal user data -- can be viewed as just a ceremonial exercise, bereft of meaning. Meanwhile, those who may be concerned with online privacy are largely excluded from the decision-making process.
In the United States, online privacy largely has been left alone as a concern for corporations to determine. The Electronic Communications Privacy Act of 1986 provides some protections for electronic communications, but government interception of data is eased (without judicial review) in "counterintelligence" cases, according to a Wikipedia description. More recently, the FTC has floated a white paper (PDF) focused on protecting consumer privacy through a proposed do-not-track mechanism, but the white paper is conceptual and may or may not be used to make policy.
The privacy situation differs markedly among European Union (EU) countries, which offer stricter controls on corporate use of personal data than in the United States. For instance, companies operating in the EU typically have to gain user consent through opt-in campaigns before personal user data can get used or shared. In the United States, the opposite custom holds sway, largely based on corporate profit needs. People first have to wade through lengthy user agreements and find out how their information will be shared, and then they may have choice to opt out. Sometimes opting out of information sharing negates using the service. Even opting out of cookie use through browsers settings will sometimes curtail user access.
It's clear from an institutional standpoint that the U.S. situation on online privacy likely will not change, given U.S. government domestic spying needs and the profit-motive requirements of U.S. commercial interests. The U.S. Supreme Court is said to not even acknowledge the "right to privacy" as derived from the U.S. Constitution and Bill of Rights, which were written when communications were delivered by horseback. However, an upcoming EU initiative could change matters, putting international pressure on fragmented and ineffective U.S. privacy safeguards.
Winds of Change From Across the Pond?
The European Commission announced on January 25 that it plans to revise its 1995 rules on data protection to unify them across participating member countries and "strengthen online privacy rights." The revisions don't sound at all like the "protections" heard over here in the U.S. wild west. Here's a sampling of the EU's new proposed rules, which, if they are approved, won't take effect for another two years. The EU wants the following:
- "A single set of rules on data protection, valid across the EU." Some notification requirements will be eased for companies under this proposal, according to the EU.
- "Increased responsibility and accounting for those processing personal data." This entails providing notices of serious data breaches within 24 hours, if possible.
- "Organizations will only have to deal with a single national data protection authority." The EU has allowed its member states to specify varying requirements, so this looks to be tightened up. Consent to process personal data "has to be given explicitly."
- "Data portability" rights will be enabled, allowing people to transfer their data from one service to another.
- "A right to be forgotten" will be in effect, allowing people "to delete their data if there are no legitimate grounds for retaining it."
- "EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens."
- Independent national authorities will be able to "fine companies that violate EU data protection rules."
- Finally, there will be rules for "police and judicial cooperation in criminal matters."
Since online services and cloud computing represent global commercial operations, this move by the EU could compel the U.S. government and U.S.-based companies to take online privacy more seriously than they presently do.
A Microsoft editorial, commenting on the EU's proposal, claims that "Microsoft's General Counsel Brad Smith had advocated just such types of improvements to this regulation…." A January 15 document (PDF) submitted to an EU Commission by Microsoft actually does support many of the EU's reform ideas. Still, Microsoft has some objections, such as the following:
- Microsoft appears to want the EU to be flexible in requiring opt-outs from information sharing. The document's language is vague in that regard, but Microsoft states (p. 13) that "an overly rigid approach to obtaining consent on-line focused on requiring the use of particular mechanisms (e.g., opt-in) rather than on enduring meaningful consent offers little gain in terms of privacy protection while imposing significant costs…."
- Microsoft wants location data excluded from protection. The company has faced some embarrassment when it was discovered that users of Windows Phone 7 devices were having their locations tracked. In response, Microsoft released its code used for location tracing in Windows Phone 7, but only after Congressional scrutiny raised questions. Microsoft currently is being sued in Washington state over the issue.
- Microsoft wants the method of notifying the public about data breaches to be left up to the companies involved.
- Microsoft wants clarification on the right to be forgotten, complaining that the rule should be limited to "user data retained by the service provider" and that the requirement can be satisfied by "the anonymisation (rather than deletion) of data."
- Microsoft wants any cloud services data storage requirements to be in "the market in which the provider's primary data centre for processing applicable EU data is located." In Europe, some governments require company data to be retained in the country of origin, even for cloud computing storage. This issue is huge one for Microsoft, with the success of its Office 365 and Windows Azure services riding on greater flexibility about where data are stored.
- Microsoft proposes "self-regulation" for ensuring privacy, rather than an EU certification approach imposed on companies.
Well, it doesn't seem that Microsoft will get all that it wants. It hasn't had the best relations abroad, especially with regard to antitrust cases before the European Commission.
In some cases, the EU's proposals may actually help Microsoft and other companies. It looks like it will lower the compliance costs of companies that currently have to deal with multiple EU county policies on privacy and data retention, for instance.
While the U.S. government has shown little regard for the privacy rights of its citizens, its lawmakers do listen to the concerns of business interests. Companies like Microsoft that need to set public policies according to their financial interests could sway lawmakers toward greater online privacy protections, just to appease the EU and its markets. Money is on the line. The rationale for such change won't be principled -- it'll be about ensuring the profits of Microsoft and other providers of services over the Internet -- but it might actually achieve greater data privacy for people than now exists in the United States.
In the meantime, have a happy Data Privacy Day, as long as you're OK with being tracked by government and industry. The upside to this situation is that your opinions are valued, at least for digital storage purposes.
Kurt Mackie is online news editor for the 1105 Enterprise Computing Group.