Tuesday Oct 07, 2008

Note to Google: I Drink Too Much

Big Brother Is Watching

Dear Google,

Please help me. I'm prone to bouts of drunken foolishness. They usually end with me sending a string of ill-advised and highly embarrassing emails.

I feel good about sharing this with you, since you're already handling information about my health conditions, sexual preferences, and financial concerns.

John Doe

1975 Elm Avenue
New York, NY 10041
Ph: 212-555-1278
SSN: 123-45-6789

Sound like a good idea? Then you're going to love Gmail's new feature.

Tuesday Apr 24, 2007

When Does the Real Privacy Backlash Arrive?

Big Brother is coming. And we're welcoming him. He's hiding in our email, our web searches, the banner ads that annoy us, and our kids' MySpace pages (that frighten us). But most of all, he's hiding in plain sight. You see, Big Brother isn't coming from secret government agencies shrouded behind dark tinted windows. He's coming from colorful buildings filled with bright young programmers who have whimsical company logos on their business cards.

I've written about this before. And now Google's agreement to purchase DoubleClick has gotten more people thinking about the company's privacy impact. Why? Because Google is gaining an even larger window into everyone's online activities. Rich Tehrani estimated that if the acquisition is completed, Google could end up with "access to the behavioral information of over 90% of web users".

Tehrani also provides examples of just how this data can be used, such as quoting a Yahoo executive who brags that his company can now "predict with 75% certainty which of the 300,000 monthly visitors to Yahoo! Autos will purchase a new car within the next three months."

So a handful of web giants are amassing thorough records of our online activities and learning how to turn that data into a full picture of our behavior (and likely future behavior). Scary stuff. Still, it doesn't feel like the general public really cares. Yet.

We haven't yet seen real public outcry and backlash against these privacy threats. Part of that is because the companies involved have good reputations (and deservedly so, in most cases). Part is because most of us assume that only "bad people" with something to hide have reason to worry about privacy. But these are just delaying the backlash, not preventing it.

At some point, a catalyst will grab the attention of the general public. It could be a security breach at one of the web giants, exposing so much information about so many people that we can't ignore it. Or it could be the story of how lost privacy has ruined one individual's life, told in such a way that we can't forget it.

I don't know what that event will be or when it will happen. But I do know it's coming. The giants of the Internet are on a collision course with the privacy of the little guy. And when it happens, it won't just be the privacy watchdogs that are complaining.

Thursday Mar 15, 2007

Privacy and the Private Sector

Big Brother Is Watching

How would you feel if you saw this headline on a search form? I bet the "I'm Feeling Lucky" button would take on a whole new light, for one thing.

In many ways, it's already happening. Major search engines keep records of every one of your searches. Tracing these records back to you depends on many factors: whether you've received a tracking cookie by logging into other services from that company, whether your ISP has assigned you a static IP address, whether you use a large or small ISP, and more. But the core point is this: by retaining search logs, these companies place your privacy at risk.

Google recently announced that they will be anonymizing search logs after 18-24 months. It's better than their old approach (retaining all information indefinitely). But is it good enough? Your searches in the last 18-24 months probably add up to a pretty interesting picture. It can be scary to think how accurate that picture might be. Even scarier is thinking about where its accuracy would be an illusion.

Take the case of Thelma Arnold, for example. She is the 62-year-old widow who was identified from "anonymized" search records which AOL deliberately exposed in 2006. She's not a terrorist, a drug dealer, or a sex addict. So she shouldn't have anything to hide. Right?


As the NY Times article reports, "Her search history includes 'hand tremors,' 'nicotine effects on the body,' 'dry mouth' and 'bipolar.'" Yikes. Hope Thelma isn't looking for health insurance... Or life insurance... Or a job with a company wanting to minimize the cost of insuring employees... Or anything else where this picture of her health could be held against her.

The worst part? It isn't a picture of her health at all. It's her friends' health. As the Times article continues: "Ms. Arnold said she routinely researched medical conditions for her friends to assuage their anxieties. Explaining her queries about nicotine, for example, she said: 'I have a friend who needs to quit smoking and I want to help her do it.'"

But aren't Ms. Arnold and the foolish release of AOL's search records a special situation? No company would follow in those footsteps after seeing the grilling AOL took. Right? Maybe. But why do they leave the possibility open by retaining these logs? Could one disgruntled employee expose the logs to harm the company? Could a failing company sell off the logs as a final way to salvage assets? Could one company become so large and involved in so many different fields that the Big Brother scenarios we fear could occur entirely within its own corporate boundaries?

Or could widespread tracking and sharing of online activity data just become a standard part of business? Look no further than our all-important credit reports to see how the monitoring of our personal information can become deeply ingrained into the private sector. Is it really so far-fetched to imagine a similar system built on information culled from our online activities?

George Orwell was brilliant in highlighting the importance of privacy to everyone (not just "bad guys" with something to hide). He was brilliant in foreseeing the clash between technology and privacy. Did his one error come in choosing a villain? Maybe the government isn't the primary threat.

Maybe Big Brother will be born out of Big Business.

Friday Feb 23, 2007

Courts Encouraging Online Vigilantes?

As the Orange County Register reports, former Superior Court judge Robert Kline has been sentenced to 27 months in prison for child pornography. I hadn't heard of this case until Slashdot featured it yesterday, but it's not hard to see that it has a long and complicated history.

That history makes it pretty clear that Kline is guilty (having even admitted such, at one point). He committed a serious and indefensible crime, and the conviction is bound to make his neighborhood a safer place. But does that mean the conviction was right? Not necessarily.

You see, police never would have known about Kline's activities if not for the unlawful activities of Brad Willman, a young Canadian hacker who had compromised Kline's computer and monitored his activities there. In fact, Willman says he has done the same with some 3000 others whom he suspects of exchanging and viewing child pornography. For this, the Ottawa Citizen calls him a "cyber hero", and the U.S. courts declared that the resulting evidence was admissible against Kline (and no doubt led to his conviction).

Every court involved said that Willman's hacking and surveillance was illegal. Every court said that law enforcement officials must never engage in such blanket surveillance--and that if they did, any resulting evidence would be inadmissible. And yet, the 9th U.S. Circuit Court of Appeals ruled that this case could go forward with the evidence. Why? Because Willman's hacking was done of his own volition and not due to any request or coordination from law enforcement (whose involvement came later).

That feels to me like the slipperiest of slopes. This court has effectively said that civil liberties may be violated, as long as the government outsources its dirty work. If done directly by the police, these monitoring activities would be illegal and result in inadmissible evidence. If done by others, they're still illegal--but somehow the resulting evidence is allowable. How does that logic work? How does it not turn into an open invitation for more vigilantes like Brad Willman? And how can we possibly expect such vigilantes to choose who is and isn't a valid target?



