Archive for the ‘Online Privacy’ Category

Twitter Fights for Occupy Protester: Data Belongs to User!

May 16, 2012 1 comment

Last October an Occupy Wall Street protester was arrested for “disorderly conduct” in New York City. As part of his prosecution Twitter received a court order, requiring it to hand over 3 months of Twitter data to the court. The prosecutors obviously hoped that he sent some infringing direct messages since usual Twitter messages are public anyway. It wouldn’t have surprised anyone if Twitter would have handed over the data without complaining. However, recently the company refused! And not only that, the amazing part is that they did this because they state that the data belongs to their users! Thus, the court has to ask the user to hand over the data (who is not very willing either). This is an astounding development, given that generally Internet companies make their privacy policies stricter so they can do whatever they want with their users data.

These are the cases when companies can show how serious they take their privacy policy and, essentially, on which side they are on.

Reading Privacy Policies Would Cost us 250 hours per year

May 2, 2012 1 comment

Google's unified privacy policy

A paper, already published in 2008, by Aleecia McDonald and Lorrie Cranor of the Carnegie Mellon University, suggests that the time needed to read all privacy policies we accept in our daily online lives amounts to 250 hours of “work” in a year and the cost of reading these policies amounts to $781 Billion per year. It is obvious that no one can spare the time to read these policies and I do not know anyone who does. It is also obvious that these are not there to inform the user in any way but to create legal protection for the companies against lawsuits. As a result, it is claimed that only 3% percent of users read the policies carefully (though this number still sounds quite high to me, the original study does not seem to be available anymore).

Even though quite controversial, I believe the new Google Privacy Policy, which unifies privacy policies from all Google services, is a step in the right direction. At least they try to explain to the user what it means. Also Facebook recently proposed to update their policies in order to be easier to understand for users. And since a large portion of services we use are Google or Facebook anyway, we save a big chunk from those 250 hours per year…

A Solution to Internet Snooping in the EU

April 23, 2012 Leave a comment

Starting from April 1st, the so called “Vorratsdatenspeicherung” (VDS, data retention) took effect in Austria (after being sued by the EU for non-compliance in 2010). Basically, this law requires telecommunication providers (telcos, ISPs) to store all communication data (though no content of calls and emails etc.) for six months. There is much controversy about this law and a growing opposition against it. But rather than writing about VDS, which has been discussed in numerous places before, I find it much more interesting to look at the situation in other countries.

Generally, the EU Data Retention Directive requires member states to store Internet information for at least six months. Some member states, such as France, Bulgaria and the Netherlands, already implemented the directive, some resisted and got sued by the EU, such as Sweden or Austria and implement it now. Germany implemented it 2008 but stopped in 2010 following a court ruling that stated that VDS is unconstitutional.

Further, most notably, in the UK there is currently a proposal for a bill making the rounds, which would allow somewhat of an extension to VDS. The big difference to Austria is that in the UK this bill would allow real-time government surveillance and surveillance without any warrant. For the time being, no content of any messages would be surveilled, but, as this article points out, in a time of crisis this is just a small step to take. This is especially interesting since the current UK government pledged in its coalition agreement that they would stop storage of Internet data without reason! But I would have been surprised if they actually stopped it. I find it rather surprising that they didn’t manage to pass such a bill well before the Olympics 2012 for which security and surveillance systems were upgraded significantly.

I believe that generally there is no reason why ISPs and telcos should not store connection data (not content). I would be surprised if they don’t do that already anyway. And I think it is okay to use this data in criminal investigations.

However, I do see a problem if this data can be accessed at any time, without any warrant and without explaining yourself to anyone. In Austria, police does need a warrant and is only allowed to access this data if the charge for the crime committed is over two years prison time. But this is not enough, there needs to be stricter regulation. I propose an external, independent institution (ideally directly elected) that controls police who access this data. In Austria, this might be the “Datenschutzkommission” (DSK, data protection agency). The police would regularly have to report, which data they accessed and, more importantly, why. This institution would have to have the authority and political independence to stop access and inform the public. This institution in return has to publish regular public reports on their work. Of course, this institution has to be adequately funded with enough people to check and regulate. This is something that is definitely not the fact right now at the DSK. I believe it is only fair to provide more financial ressources for this since these new regulations cost the telcos and ISPs significantly more money, which they will collect from their customers.

A true democracy can only work if for every power there is an opposition. This is an ancient concept and works in Parlament and between the different powers of the state. So if one institution has the power to surveil communication data, there should be an opposition to hold the balance. This is how it works in a democracy and I think this where all of us want to live.

Privacy Bill of Rights: Toothless Election Stunt or Clever Way to Make an Impact?

March 26, 2012 Leave a comment

Obamas “Consumer Data Privacy in a Networked World: A Framework For Protecting Privacy and Promoting Innovation in the Global Economy”, better known as simply “privacy bill of rights” has made some headlines this year. Recently, since it was one of the topics at the EU Conference on Privacy and Protection of Personal Data held on March 19th, both in Washington DC and Brussels. The aim of the bill is to increase the privacy of consumers on the Internet and get closer to a common international privacy standard. Currently, the EU is known to have much stricter privacy regulation laws than the US and is working on a proposal for new data protection regulations. Now, the Obama administration created a draft for a new kind of privacy regulation to protect the privacy of consumers. However, critics state one major problem with the plan: It won’t become a law anytime soon. Instead, it is planned to create a more or less voluntary code of conduct that big corporations should commit themselves to. If they do, the FTC has the authority to enforce this commitment. This shows fundamentally different approaches to privacy protection in the US and EU. In the EU privacy is a human right while in the US it is more of a consumer right than anything.

However, I do find arguments in favor of this approach, this code of conduct, interesting. In an interview with a US civil liberty group it is argued that in an election year, it is hard to pass a law, which brings tougher regulations to corporations. Further, one problem with European privacy law, it is stated, is avoided: European law stated “protect peoples privacy” and nobody knows what that exactly means. Instead, the US approach gives this responsibility to the corporations: They have to define what it exactly means and then stick to it. And this is enforceable by the FTC. I personally think it is a nice touch that they want a “do not track button” in browsers, so consumers can turn off cookie tracking. This is one of the few, very concrete measures for privacy protection. I think that this bill is a big step forward in privacy protection in the US and that eventually it will find its way into a law. Until then, this privacy bill of rights is a good start: Amazon, Apple, Google, HP, Microsoft, and Research In Motion already confirmed that they would abide by new privacy principles. And it is definitely not the worst kind of press Obama can wish for in his election year.

Link: Full text of the privacy bill of rights
Link: Full text of the EU proposal

The Outrageous Practice of Asking Employees for Facebook Passwords

March 24, 2012 1 comment

Facebook recently publicly threatened employers who ask (potential) employees for their Facebook password to perform a “background check”. Facebook stresses that legal action against these employers is possible. And rightly so.

This increasing practice is simply outrageous. Private social media accounts should be off limits for anyone. Do employees get the password to their employers accounting software? No.

Some things just should be kept private. And access to a social media account should be among them.

Is our privacy just worth 50 cents?

March 21, 2012 1 comment

Participants had to choose between more privacy and cheap movie tickets (less privacy).

A recent study published by researchers from Berlin and Cambridge performed an experiment where ultimately they let consumers choose between providing more information (less privacy) or paying more for a service (more privacy).

The setup was like this: Participants were given the choice to buy movie tickets at two online shops. Shop #1 asked for name, email and birth date. Shop #2 asked for the same information but additionally required the mobile phone number of the participant. For providing the phone number, shop #2 offered the movie ticket for 50 Euro cents less. The obvious choice (for me) would be to provide a fake phone number and pay less. However, this was not possible since phone numbers were checked against the true numbers of the participants.

The result: 71% of customers were willing to provide their phone number to pay 50 cents less for the movie ticket, 29% were willing to pay the premium for more privacy. At first sight this result looks quite shocking. To save just 50 cents people are willing to give up their personal privacy. The study takes a more positive spin in pointing out that 29% of the participants were willing to pay for their privacy.

While 50 cents sounds like a small amount and is good for a nice headline, I believe this should be seen in relation to the ticket price (which isn’t mentioned in the summary). In the long version of the study the ticket price is mentioned: The authors subsidized the ticket so the participant had to pay as little as €3 per piece. This means that people were willing to give up their privacy for a 17% price drop. This does not sound so little anymore and is quite an incentive to give up the phone number. A further contributing factor is that annoying marketing calls are still quite rare in the German region (in Austria at least) where the study was done. So giving up your phone number has little practical implications. I personally probably would have taken the cheaper ticket (yes, call me cheap!).

Link: Study “Monetizing Privacy”
Link: Full study

%d bloggers like this: