Here's the Wired headline: Scribd Facebook Instant Personalization Is a Privacy Nightmare. The article is about what you'd expect. There are complaints about automatically generated spam emails to your automatically created friends and confusing or non-existent opportunities to opt out. There's a Scribd PR person explaining how privacy is really very important to the company. There's the author suggesting that one way to fix the problem is to delete your Scribd profile, but characterizing that as extreme. I'm not 100% sure why I read the article. True, I don't use Scribd, and have never run across this particular feature. However, just seeing Facebook in the title gave me a pretty good idea what to expect. Someone in marketing wants to take advantage of the tremendous amount of data on Facebook (and get in on the whole "social media" bandwagon) and so they make it really easy to share data, and relatively difficult not to do so.
So what should people do instead of this? Well, there's always the possibility of not integrating with Facebook. Frankly, regardless of what they've been forced to do by public pressure, I will always distrust a company whose CEO famously doesn't believe in privacy. In the event that you must integrate with Facebook, you could always try little things like opt in rather than opt out participation, not automatically spamming Facebook friends, and making sure it's clear for someone how to opt out if they decide they don't like the program. There are also guidelines for interactive and behavioral advertising put out by organizations like the FTC and the IAB (though I consider those to be a bit outside the scope of this post). Whatever you do though, if you're going to move into the world of social media, you need to do it with your eyes open, or your company is likely to be integrated with Facebook in a headline that also includes unpleasant words like "nightmare" or "disaster."
Friday, October 1, 2010
Monday, August 23, 2010
July/August Privacy Catch Up
So...the blog has been uncharacteristically quiet for the last month or so. This is not because nothing privacy related has happened in the legal world. For example, the FBI and federal prosecutors announced that they will not be filing criminal charges related to the Lower Merion Spy Cam Scandal (link here), something I wrote about here as possibly being the creepiest privacy violation of 2009. Also, it turns out that the millimeter wave scanners used to see through clothes to catch those ever-elusive terrorists can store and transmit images, despite assurances from the TSA that that was not the case (link). In more positive news, the appeals court for the District of Columbia circuit has rejected a claim by the government that round the clock warrantless GPS surveillance is ok (article here). There was also some legislative action, as internet advertisers warned that a new privacy bill, the "best practices act" "would turn the Internet from a fast-moving information highway to a slow-moving toll-road." Also, speaking of slow-moving toll-roads, Google and Verizon came together to formally announce that net neutrality (i.e., the concept that all traffic on the internet should be treated equally) is a rather quaint notion that shouldn't apply to wireless networks. All in all, it's been a relatively busy month or so.
So why no posts? Well, in addition to all of these privacy events, we also got a huge non-privacy decision - Bilski v. Kappos - which basically upended a decade's worth of precedent on whether you can get patents on novel software or business methods. Since software and business method patents are a big part of my practice, a good deal of the time that I would have spent on privacy was spent on patent stuff instead. To make matters worse, at least time-wise, I also got a copy of Starcraft II, which turned out to be a huge time suck. Happily, rather than releasing a full game, with three playable races and campaigns for each (the approach taken with the original), Blizzard decided to only release a human campaign, which turned out to be approximately a third of a game's worth of play for a full game's price. As a result, I not only get to get back to blogging sooner, I also get to know to avoid new releases from Blizzard in the future, which I guess means that everyone wins.
Sunday, July 11, 2010
Why Do People Keep Thinking This is a Good Idea?
Earlier this month, Blizzard Entertainment (makers of World of Warcraft, among other successful computer games) decided that they would change their game forums from anonymous forums (i.e., you can't tell the identity of someone posting to the forums unless they tell you) to forums where comments are connected with a person's real name. After a firestorm of criticism (e.g., here) Blizzard spiked the program, at least for now. And the reason for going down this path, with its utterly predictable and embarrassing trajectory? Two words: Facebook Integration. Actually (as explained here) it's slightly more complicated than that, but what it boils down to is that Blizzard wanted to get in on some of that social networking magic, and giving everyone a single ID that was consistent across all of Blizzard's forums (and Facebook) seemed to be a good way to do it.
This is an old story, and one that often ends in class action lawsuits (e.g., Google Buzz, Facebook Beacon). Why do people keep doing this? My guess is because they see their existing user data as an asset, and they hate letting an asset go unexploited. However, that's the wrong mindset. The safest way to think of user data is as something that actually belongs to users, which they have allowed you to temporarily safeguard. The point of the user data isn't to exploit it, it's to allow a business to maintain its relationship with its users. If you want to integrate with Facebook - fine. However, the way to do so is going forward, collecting new data (with a clear explanation of what you're collecting the data for), and without degrading or changing the services provided for old users. True, at the outset, this seems much harder than leveraging an existing user base. On the other hand, many existing user bases don't like being leveraged, and going about things the hard way can take that into account, and avoid turning an existing base into a historical user base.
Monday, June 28, 2010
Tech Apologies of 2010
Wired put up an article on the biggest tech apologies so far this year (link). The list is:
- Google: Sorry about Buzz, Street View Privacy Issues (providing information to unwelcome Buzz "followers" and recording WiFi data while making Street View maps)
- Adobe Apologizes For Old Flash Bug (failing to patch bug for 16 months)
- McAfee’s Antivirus Snafu (releasing update that shut down computers running XP)
- AT&T Begs Pardon for iPad E-mail Breach (allowed hackers to identify email addresses of iPad customers through a flaw in an authentication web site)
- Facebook Apologizes for Privacy Shortcomings (Sort Of) (Mark Zuckerberg issues non-apology for constantly changing Facebook privacy policies)
- Ellen Degeneres Didn’t Mean To Hurt Apple’s Feelings (Apparently, a comedian made fun of Apple...and this made the list why?)
- Apple: Sorry We Couldn’t Keep Up With iPhone 4 Orders (The description says it all)
Not separately counting the two separate Google apologies squished into the top bullet, that makes 3/7 apologies for privacy gaffes. The moral of the story - privacy mistakes are the gift that keeps on giving, at least in terms of bad publicity.
Sunday, June 20, 2010
Ontario v. Quon Decided
As described in this article from Computer World, the Supreme Court has issued its decision in City of Ontario v. Quon. A quick recap of the facts: the city of Ontario, California issued Jeff Quon (a SWAT team member) a pager. Quon exceeds his text message allotment on the pager and is audited. The audit reveals that Quon has overwhelmingly used the pager for personal text messages. Quon is subsequently disciplined.
The decision was totally unsurprising - the police department was allowed to audit messages sent during work hours on the pager it provided. What was surprising, or at least something of a relief, was that the Court reached the expected result in a way that leaves a nascent right to employee privacy in electronic communications basically unscathed. Indeed, the Court seemed to go out of its way to avoid upsetting precedent like Stengart v. Loving Care, which had found that employees have at least some expectation of privacy in personal emails, even if sent on company computers. For example, on page 14 of its decision, the Supreme Court specifically distinguished personal emails such as were at issue in Stengart:
OPD’s audit of messages on Quon’s employer-provided pager was not nearly as intrusive as a search of his personal e-mail account or pager, or a wiretap on his home phone line, would have been.
All in all, I think Ontario v. Quon was a good decision. Indeed, given the issues involved, and the potential for damage, it was probably the best that the Court could have done.
Sunday, June 13, 2010
Movement in the Streetview cases
Via this article from Wired's Threat Level blog, we learn that Google has begun its defense in the Streetview litigation by moving to have all the various lawsuits that have been filed against it consolidated in the Northern District of California (Google's motion can be found here). We also learned what is likely to be Google's defense (at least in the United States). According to the motion:
Google will likely argue that even if plaintiff's allegations are true, Google did not violate the federal Wiretap Act (and similar state statutes) for a number of reasons, including the fact that open WiFi transmissions are "readily accessible" to the general public under 18 U.S.C. 2511(2)(g)(i).
(from page 18 of the pdf)
Actually, maybe learned is a bit too strong of a word, since it was generally expected (see, e.g., here) that Google would defend using the public accessibility exception to the Wiretap Act. However, it is nice to actually see it in writing from someone who has authority to speak for Google, rather than relying on second-hand prognostications from commentators with no particular relation to the case.
Sunday, June 6, 2010
Is Wireless Data Picked up by Google Publicly Accessible?
Some new developments in the Google Streetview WiFi monitoring controversy.
First, according to this article one of the lawyers suing Google is alleging that a Google patent application for increasing the accuracy of location based services by intercepting data communications indicates that the Google Streetview monitoring was intentional. I find this unconvincing. Unlike many other countries, the United States doesn't have a requirement that a company exploit patented technology. Absent some other evidence of intentionality, the patent application proves nothing (and, of course, if there was other evidence of intentionality, the patent application wouldn't be necessary).
Second, and more interestingly, some observers (e.g., here) have stated that the lawsuits against Google may have no merit because the Electronic Communications Privacy Act has a safe harbor for intercepting communications which are publicly accessible. It's an interesting argument, but I don't know it's a show stopper. The relevant statutory provision is 18 USC 2511(2)(g)(i):
(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person—
(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;
"readily accessible to the general public" is then defined in 18 USC 2510(16):
(16) “readily accessible to the general public” means, with respect to a radio communication, that such communication is not—
(A) scrambled or encrypted;
...
That definition is the reason I don't think the publicly accessible argument is a show stopper. As I noted here, at least one of the parties bringing suit against Google has alleged that Google engaged in decrypting the communications it intercepted. I don't know what evidence they have to back that allegation. However, at this point, it doesn't matter, since at this stage in the litigation a court is bound to accept the allegations in the complaint as true.
Whether they have enough to get through discovery is another question entirely, but one which won't be raised until Google files its answer and moves for summary judgment.