Recent articles on Privacy

February 22, 2012

The article Beware of ‘little fish’ surfing on privacy provides a useful analysis of the privacy implications of apps which move from data storage issues to full-blown privacy breaches. The Path app is as blatant as it comes.

It provides:

The intrusion by the Path social network app delivered an urgent wake-up call.

FOR a country seemingly obsessed with reality television and tabloid journalism, the United States is suddenly very worried about privacy. And I’m not talking about celebrity privacy; I’m talking about your privacy.

For Facebook users, questions of privacy and security are nothing new. In fact, concerns over those topics are regularly raised by users and critics alike. Even the Federal Trade Commission has looked into (and mandated) how Facebook handles your private data.

But Facebook is a big fish. Today, there are hundreds, if not thousands, of smaller fish — many in the form of apps for smartphones, which are dealing with the same kind of access to your data that Facebook enjoys, but with far less scrutiny.

Last week, a social networking app called Path came under fire after a programmer discovered a major issue. Namely, that when you logged into the app on an Apple iOS device — an iPhone or iPad — it automatically uploaded your entire address book to its servers. Without asking.

Ostensibly this was done so you could locate your friends who were also using the service. But if you’re never prompted (which is what most apps do), it looks like a big intrusion.

The discovery was made when the developer used a tool called a “man-in-the-middle”, which could watch what data was sent to and from an application in real time. What he noticed was that the app was sending all of your address book data, in plain text, to Path’s servers. It’s unclear what they were doing with it after that.

As far as invasions of privacy go, that’s a very big one.

The company’s chief executive quickly apologised for the practice and immediately issued an update that removed the offending functionality. Path also promised to delete any data it had stored.

The situation set off a firestorm online among users, app developers and tech bloggers, who hotly debated the practice. Angry members of Path’s network threatened to delete the application, and the media began to investigate just how this was possible in the first place. The assumption was that if one app could pull your contacts without permission, then certainly other apps could as well.

Sure enough, there were others out there. Although many developers have scrambled to squash the functionality, research from media outlets (including my own, The Verge) shows that the issue is far from over.

But how could Apple allow this to happen?

Although Apple is known for its stringent security and opt-in mentality, in five versions of its mobile operating system, there seems to have been no safeguard against the practice. Even in the Android version of Path, users are warned that their data will be collected before they install the program.

Last week, Congress issued a letter to Apple with specific queries about how Path was able to pull users’ data without warning.

On Wednesday, an Apple representative said the company was “working to make this even better for our customers,” adding that “any app wishing to access contact data will require explicit user approval in a future software release.”

Problem solved, right?

Wrong.

It’s great if Apple wants to make it harder for people to get your data, but this isn’t really just an Apple problem, an Android problem or even a Facebook problem. Simply acknowledging that you’re going to take data doesn’t make it a good idea; it just means that now we know you’ve got it.

The question we should all be asking is why. Why is it necessary for services such as Path to take or hold our data at all? As several developers and writers have pointed out, there are other ways to capture encrypted data. One method is called “hashing”, which creates specific, anonymous strings of numbers and letters from plain text data such as your name or phone number.

Using that method, applications pulling the same content will get clear matches while exposing zero user data to a third party. Your data stays private, but you’re still able to find your friends within a service.

Hopefully this is the start of a big wake-up call, as it seems clear that we all need to be thinking more seriously about how our information is used. If there are better ways to protect privacy, we need to push back hard and make companies adopt those practices. Then, we need to keep watching to make sure they stick to it.
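The hashed contact matching described in the quoted article above, sketched as an added example that is not part of the article or of any app's real code. The normalization rule, the default country code `61`, the `MatchServer` class and all sample contacts are assumptions constructed for illustration.

```python
import hashlib
import re

def normalize_phone(raw, default_country="61"):
    """Canonical digits-only form. Simplified rule; the default country code is an assumption."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits                        # already in international form
    if digits.startswith("0"):
        return default_country + digits[1:]  # strip the national trunk prefix
    return default_country + digits

def contact_digest(kind, value):
    """SHA-256 over the canonical identifier; kind is 'phone' or 'email'."""
    canonical = normalize_phone(value) if kind == "phone" else value.strip().lower()
    # The kind prefix keeps a phone digest from ever equalling an email digest.
    return hashlib.sha256(f"{kind}:{canonical}".encode("utf-8")).hexdigest()

def client_upload(address_book):
    """What leaves the device: digests only, never names or raw identifiers."""
    return sorted({contact_digest(kind, value) for _name, kind, value in address_book})

class MatchServer:
    """Hypothetical service side: stores digest -> member handle, never the raw contact."""
    def __init__(self):
        self._members = {}
    def register(self, handle, kind, value):
        self._members[contact_digest(kind, value)] = handle
    def match(self, digests):
        return sorted({self._members[d] for d in digests if d in self._members})

# Constructed sample address book: (name, kind, value)
ADDRESS_BOOK = [
    ("Alice", "phone", "0412 345 678"),
    ("Bob", "email", " Bob@Example.org "),
    ("Carol", "phone", "+61 400 000 001"),
]

def demo():
    server = MatchServer()
    server.register("alice_a", "phone", "+61 412 345 678")  # constructed members
    server.register("bob_b", "email", "bob@example.org")
    server.register("dave_d", "phone", "+61 499 999 999")
    upload = client_upload(ADDRESS_BOOK)
    return upload, server.match(upload)

if __name__ == "__main__":
    print(demo()[1])
```

Matching only works if both sides canonicalize identically before hashing, which is why normalization carries most of the logic. Phone numbers and email addresses come from a small, guessable space, so an unkeyed digest is a pseudonym rather than an anonymous value and the server should still handle uploaded digests as personal data.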

There are two interesting articles regarding the proposed European laws on Privacy.  Chris Berg in Internet laws a sledgehammer approach to privacy argues that the proposed

Legislators with little knowledge of internet privacy will do more harm than good.

THE protest against the American Stop Online Piracy Act recently, where Wikipedia and 7000 other websites went dark for 24 hours, made two things plain.

First, online activism can be effective. Before the protest, 31 members of Congress opposed the act. After the protest, that number swelled to 122. The bill died overnight.

More importantly, the protest emphasised that the internet is not the Wild West. Domestic laws and international treaties pervade everything we do online. And bad laws can cause profound damage.


The Stop Online Piracy Act (SOPA) is an example of legislative over-reach. SOPA would have given the US government broad powers to shut down access to foreign sites that were suspected of hosting material that breached copyright. This would have given governments the power to interfere with the internal workings of the internet. Such a power would have been an unconscionable threat to free speech.

Yet SOPA is not alone. The internet is surprisingly vulnerable to laws that, with good intentions or bad, have the potential to stifle online liberties. Take for instance, the European Union’s proposed “right to be forgotten”. Changes to data protection laws now being considered by the European Parliament would give internet users the power to force websites to delete information about them.

There would be privacy benefits from this law. No question it would be lovely if we could make websites remove embarrassing photos or uncomfortable facts years after we uploaded them.

And yes, we need to keep pressure on social networks to protect our privacy. Too many companies are reckless with user data. Yet the EU’s plan goes way too far. A legislated “right to be forgotten” would be, like SOPA, a threat to freedom of speech. These new rules would, according to the American legal scholar Jane Yakowitz, “give EU residents an unprecedented inalienable right to control and delete facts that were once voluntarily communicated”.

In the age of social media we all happily put information about ourselves in the public domain. A right to be forgotten is actually an obligation for others to forget things they’ve been told.

Apart from being unworkable (erasing stuff from the internet is a lot more complicated than politicians seem to believe), this new obligation would envelop the internet in a legal quagmire.

The law would turn every internet user into a potential censor, with a veto over everything they’ve ever revealed about themselves. Every time media organisations referred to freely obtained information, they would have to be sure they could prove they did so for a “legitimate” news purpose. This would create enormous difficulties for journalism. Censorship to protect privacy is just as dangerous as censorship to prevent piracy.

But unlike SOPA, there has been no outcry about these new rules. No blackout of popular websites, no mass petitions.

SOPA was driven by American politicians in the thrall of an unpopular copyright lobby. The European data protection rules are being driven by social democrats claiming to protect people’s privacy. And, in 2012, privacy is a value that many people claim to rate above all others.

By contrast, free speech seems daggy and unpopular. Even our self-styled civil liberties groups have downgraded their support for freedom of speech. Now other rights – privacy is one, the right not to be offended is another – are seen as more important. So these new laws could slip through with disastrous consequences.

Should Australians care what the European Parliament does? Absolutely. The big internet firms are global. If a legislature in one country or continent changes the rules of the game, those firms have to comply. The easiest way to comply is by making global policy changes, not regional ones.

And regulations introduced overseas have a habit of eventually being introduced in Australia. Already our privacy activists are talking up the EU scheme.

Whatever the EU decides about a right to be forgotten, it will have significant effects on the online services we use in Victoria.

Free speech isn’t the only problem with the EU’s proposed privacy laws. As Jane Yakowitz points out, people trade information with corporations all the time – for discounts or access to free services. No one compels us to share stuff on the internet. We share because we think we’ll get something out of it. The new right to be forgotten would make such trades virtually impossible. It could cripple the information economy overnight.

Governments have always struggled to legislate for the online world. Not only do politicians have little understanding of the technological issues, but the internet doesn’t take very well to regulation: according to one old tech saying, “the net interprets censorship as damage, and routes around it”. So legislators over-compensate.

The internet is complex, borderless and dynamic. Laws are inflexible and heavy-handed. Too many attempts to protect privacy or combat copyright infringement take a brickbat to freedom of expression and internet liberties.

David Lindsay in EU privacy laws: the ‘right to be forgotten’ is not censorship

Most of us leave behind an ever-growing digital trail that includes information that we publish about ourselves — such as Facebook postings — and information published about us. While the ability to share personal information can enhance our lives, there is a dark side. Embarrassing photos of us socialising, for example, can later be used against us for very different purposes, such as in the employment context.

As our personal lives become more visible, it may be that social attitudes will adjust, so we become more tolerant and forgiving of personal lapses or foibles. But one of the paradoxes of the digital age is that just as our lives have become more transparent, attitudes seem to have become more intolerant and less forgiving. In what is called the attention economy, not only public figures but ordinary people are subject to more scrutiny than ever.

The current default settings of the internet maximise openness and access. Once information is posted it becomes permanent and easily accessed, especially via search engines. Yet people’s interests in sensationalism, and the operation of search algorithms, mean that the most accessible information about us is often the most embarrassing or hurtful.

Permanence, accessibility and searchability clearly benefit the business interests of some of the world’s largest companies. The business models of Google and Facebook, for example, are based on commercialising other people’s information. It is hardly surprising, then, that it is notoriously difficult to permanently delete your Facebook account.

The European Union is proposing to introduce new laws to update privacy protection to take into account changes in technology, including the growth of social networking. The proposed laws include a “right to be forgotten”, meaning a right of users to ensure that some of the information held about them is erased. The proposal has generated a lot of commentary, much of it overwrought and alarmist.

There are two main criticisms of the proposed right: that it would result in unjustifiable censorship and that it is unworkable. These claims are based on a misreading of the European proposal, as well as a simplistic understanding of privacy and freedom of expression.

The proposed European law is a modest attempt to restore some balance in favour of individuals being able to control their own data. The proposed right to delete data is, in fact, highly qualified. For example, the right only arises once certain conditions are satisfied, such as that the data is no longer needed, or where data is collected or processed with a person’s consent and that consent is later withdrawn.

The proposed right is also subject to important exceptions. For example, it does not apply where it would conflict with the freedom of expression of journalists, or with freedom of artistic or literary expression. Claims that the proposal will stifle the press are therefore untrue — there is an express exception for journalists. There is also an exception for individuals engaged in purely personal or household activities.

A couple of points should be made in response to claims that the proposed right is a form of censorship. First, privacy is not necessarily the opposite of freedom of expression — if people feel assured they have some control over their information, they are more likely to share it. On the other hand, if people know that what they say and do online will be accessible to all, and for all time, they may be more likely to self-censor. The negative consequences of the current internet defaults could easily promote a culture of conformity.

Secondly, steps are already being taken by people to manage their digital trails. Especially in the United States, we have seen the emergence of reputation management services, which, often in return for a fee, offer to “sanitise” the internet of embarrassing or harmful information. These services can have some success; when approached, websites often simply take down information. But this raises the spectre of private censorship. And why should people pay to protect what is their own information?

Those who oppose the “right to be forgotten” are correct when they say that getting the balance between privacy and freedom of expression online is complex. As people are often unaware of the consequences of surrendering their information, however, some regulation is needed to ensure a level playing field between consumers and business. And it is preferable for this to be done through a law, which incorporates appropriate checks and balances, rather than being left to the vagaries of the unregulated market.

Regarding arguments that a right to delete information on the internet is unworkable, it is absolutely true that, due to the ease of copying information, it is difficult or impossible to ensure that information can ever be completely erased. It is also true that regulating the internet is challenging, and that it is important that laws do not unduly infringe freedoms or deter innovation.

Like many laws, however, the proposed “right to be forgotten” should not be seen as a cure-all. The most it can do is to restore some control to individuals, and provide a check on some of the most harmful online practices. Moreover, judicious laws are often needed to protect individual rights, as well as to ensure the effective operation of markets. It is ultimately more productive for debates to focus on the kind of laws and regulation that are desirable, rather than to resort to utopian fantasies of the internet as a regulation-free zone.

As we grapple with the challenges of technological change, public debate about whether and how to regulate is necessary. Reasonable people can disagree, but our understanding of these issues is not helped by a knee-jerk hostility to regulation, or by alarmist and ill-founded claims that any removal of material is a form of censorship. Australia could do worse than to consider following the European example.

The Berg article speaks to the general complaint, while the Lindsay article deals with the proposed detail. Both may not be wrong, but where most commentators err is in assuming that freedom of speech exists side by side with privacy across the entire field. There is a confluence of interests, and that is where the balance has to be right. But many instances of privacy breaches do not involve freedom of speech issues.
