Examining the Obama Administration’s Proposed Privacy Bill of Rights

Doug Bernard | Washington DC

There aren’t many things the world’s three largest web browsers – Microsoft’s Explorer, Google’s Chrome and Mozilla’s Firefox – can agree on. This week saw the unveiling of one of them.

The Obama administration is putting forward a new set of Internet privacy “principles” that it says balance privacy protection with economic growth. The proposal, dubbed a “Privacy Bill of Rights” by the White House, is earning plaudits from major players in the Internet industry, including Google, Apple and Microsoft, for choosing voluntary guidelines over strict regulation. Not surprisingly, some privacy advocates are less than convinced.

“Privacy and trust online has never been more important to both businesses and consumers as it is now,” said Secretary of Commerce John Bryson at a Thursday news conference. Bryson notes that 2011 online retail sales in the United States alone neared $200 billion – an economic engine the White House is eager to keep revving. To that end, government and industry officials crafted a voluntary set of guidelines which industry leaders like Mozilla and Google say they will agree to follow.

The 60+ page white paper spells out seven principles aimed at protecting web users’ online privacy, starting with the first principle of Individual Control. “Companies should offer consumers clear and simple choices,” reads the White House white paper. “Companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.”

The other principles are a mix of consumer-oriented, such as “#2 Transparency,” and business-minded, such as “#3 Respect for Context,” meaning that individuals browsing online should be expected to understand that firms such as Google and others make money through targeted online advertising, and the only thing that can generate that is private information.

The proposal is little more than a statement of values. Rather than take a regulatory approach, requiring Congressional action, the White House has created a voluntary framework where individuals take responsibility for safeguarding their privacy while the industry will police itself against infractions. Gene Sperling, director of the White House economic council, calls it a “we can’t wait” approach; that is, waiting for the lengthy, contentious congressional hearings needed to craft regulations. It sounds good on paper, but in practice some worry these principles are unenforceable, precisely because they’re voluntary.

A central initiative of this proposal is what is called a “Do Not Track” or DNT system. In essence, large Internet firms such as Yahoo or Google collect and store a great deal of data on individuals who use its services. That information is used to tailor online ads for specific services or offerings the firms believe consumers will be more likely to click on. And this is all accomplished by placing bits of code – called tracking cookies – on user’s web browsers.

In announcing their support of the proposal, the large Internet firms and the Digital Advertising Alliance, or DAA, say they will soon voluntarily begin offering users a “Do Not Track” option in the form of a button on their browsers or their web pages. Individuals concerned about information being collected on them can simply click the button, and the firms won’t track a user’s browsing history or personal data. Some firms, such as Mozilla, already provide a Do Not Track option; others say they soon will.

“The White House is arguing that commercial and consumer interests are aligned here,” says Justin Bookman, director of Consumer Privacy at the Center for Democracy and Technology. Bookman calls the proposal a positive development, but says privacy rights groups like his argue that to be meaningful, a voluntary framework needs to be backed up by law:

“To the White House’s credit, the new version of the report does call for a law. But they also recognize that 2012 is going to be a difficult year to get anything passed, so they’re going to use the bully pulpit to get industry to come to the table to agree to negotiate binding rules with regulators and consumer groups.”

The White House’s Gene Sperling agrees that laws to ensure privacy are “appropriate, needed and fitting.” But until those laws can be created, the new “Bill of Rights” moves web users closer to the end goal of protecting their privacy.

Critics remain: David Gerwitz, writing for ZDNet this week, calls the proposal more of a public relations ploy than an actual solution:

“I’m far less concerned if Google knows I went to yet another muscle car web site than I am that my doctor’s office insists on keeping copies of my drivers’ license in a manila folder along with an image of my credit card, my social security number, my home address, my various phone numbers, and my health records.”

And the Campaign Against “Breaking The Internet”

Doug Bernard | Washington DC

Periodically we like to share a few of the stories and posts from across the web that caught our eye.  There are no editorial threads implied connecting these items together, other than being interesting.

#1: What’s With The “Weirdness” from China? There’s been a tremendous amount of web news coming from China lately. Perhaps the most eye-grabbing headlines have been regarding the online campaign to defend artist Ai Weiwei against possible charges of pornography. What to do when your favorite artist is investigated by the government for earlier nude photography he released? Release your own nude photography. Ai Weiwei’s supporters have flooded the web with unclothed pictures: some of them as infants, some with discreet obscuring images, and some just unclothed. So far, the artist has not been charged with any offense.

Chinese artist Ai Weiwei (AP)

However, submerged by the nude photos story are disturbing reports that some Chinese ISPs might be testing out new tools to shut off encrypted communications. Forbes’ Andy Greenberg has this item about curious data traffic coming from computers in China attempting to access encrypted “web tunnels” such as Tor, Freegate or UltraSurf; all commonly used by individuals to cloak their online activities:

“In recent months, administrators of services with encrypted connections designed to allow users secure remote access say they’ve seen strange activity coming from China: when a user from within the country attempts to reach a server abroad, a string of seemingly random data hits the destination computer before he or she can connect, sometimes followed by that user’s communication being mysteriously dropped.”

“We see weird things all the time,” Tor’s Andrew Lewman tells Greenberg. “But this is a semi-consistent weird thing, and it’s only coming from China.”  It is unclear if Chinese ISPs, or the government for that matter, are trying to probe encryption differences between traffic like that of financial transactions, and private networks like Tor.  What is certain is that developers at Tor and elsewhere are aware of this “weird thing” and are already responding. Full disclosure: VOA’s parent agency, the International Broadcasting Bureau, has working relationships with Tor and Freegate, among other encryption services.

#2: “Don’t Break the Internet” Members of the U.S. Congress are currently discussing several pieces of legislation that could significantly alter the web landscape in the United States, and potentially around the globe.

The two bills – the “Stop Online Piracy Act” (or SOPA) in the House, and the “Protect IP Act” in the Senate – both target copyright violators (i.e., “pirates”) in other nations by giving the U.S. government greater control over shutting down web access and traffic to specific cites, among other tools. Proponents such as the Chamber of Commerce and the Motion Picture Association of America argue online pirates cost copyright holders billions of dollars each year, and that the bills’ provisions are balanced by protections for ISPs and website owners.

But that hasn’t stopped the swelling ranks of critics from arguing, with some effect, that media monopolies are trying to “break the Internet.” Groups advocating greater online freedoms, such as the Electronic Frontier Foundation, Creative Commons, the Free Software Alliance and others were first in line calling for the bills’ defeat. Then came heavy-hitter Internet service companies like Google, Zynga, LinkedIn, Mozilla and more.  Now, this week, the influential Business Software Alliance, which represents giants such as Dell, Microsoft and Apple, has also weighed in opposing the measure.

As policy fights go, this one is a long way from over. Action on the bills isn’t expected until 2012, giving supporters and opponents plenty of time to build momentum and lobby members of Congress. We’ll detail the issues involved in the near future. In the meantime, Washington Post tech columnist Cecilia Kang offers “Five Things to Know About SOPA,” which provides a concise overview.

#3: Four Degrees of Facebook? In his 1929 fiction collection “Everything is Different,” Hungarian author Frigyes Karinthy set two characters to wondering about our increasingly urbanized planet. The world was “shrinking” they said; people were getting closer not just physically but socially:

“One of us suggested performing the following experiment to prove that the population of the Earth is closer together now than they have ever been before. We should select any person from the 1.5 billion inhabitants of the Earth—anyone, anywhere at all. He bet us that, using no more than five individuals, one of whom is a personal acquaintance, he could contact the selected individual using nothing except the network of personal acquaintances.”

Thus was born “six degrees of separation” – the idea that any human is only six social connections away from any other human. For decades researchers like Stanley Milgram explored this idea and, despite its unlikeliness, found there’s actually considerable merit to Karthiny’s game. Despite obvious problems like isolated populations, it’s become something of a maxim among social scientists that as people’s social networks have grown, so have the connections between us. So, in fact, your humble author may in fact only be five or six hops from everyone reading this.

Or, would you believe, four? Researchers at the University of Milan, working with Facebook researchers, have been exploring the “six degrees” idea as well, and this week published new findings suggesting six may be too many:

“We found that six degrees actually overstates the number of links between typical pairs of users: While 99.6% of all pairs of users are connected by paths with 5 degrees (6 hops), 92% are connected by only four degrees (5 hops). And as Facebook has grown over the years, representing an ever larger fraction of the global population, it has become steadily more connected. The average distance in 2008 was 5.28 hops, while now it is 4.74.”

Shockingly, those numbers are even smaller for same-country pairs; for example, any two U.S. Facebook users are only about 3 or so degrees from each other. Meaning that every one of Facebook’s 700+ million users, with a very high statistical likelihood, is only a small number of social connections away from everyone else. Small world, indeed.

Postscript: “Everything is Different” is long out of print, and a web search suggests that English translations of this book are simply lost.

And The Lesson That Never Gets Learned

As news stories go, the tale of Congressman Anthony Weiner and his recent online activities seems rather limited.  It’s not a story about war, or disease, or a major environmental disaster.  But given what it hints at  – online sex – there’s little surprise it’s front page news in the U.S.

In a tearful press conference Monday, the six-term New York Democrat admitted to sending provocative photos and exchanging intimate messages with at least six women via online services such as Twitter.

“I’ve made terrible mistakes,” Weiner said, recounting that for several years – before and since marrying his wife Huma Abedin – he had used various social networks like Facebook to meet and start up online relationships with women.   Expressing “deep regret” over his actions, Rep. Weiner confirmed a story that he initially denied; namely that he had sent a picture of himself wearing little else than underwear to a college-aged woman in Washington State via Twitter.

When the photograph first emerged last week, the congressman denied it was his picture, saying his Twitter account had been “hacked” by someone clearly trying to make fun of his pun-worthy last name.  But his less-than-clear denials only fueled suspicions, for example when he told one news cable network that he couldn’t say “with certitude” whether or not the picture was of him.

Now that the world knows the truth, it’s natural to ask, ‘Why would he do it?’  But the ‘it’ here doesn’t refer to sex; politicians all over the world have been caught in similar scandals.  Rather, the question now is ‘Why would he do this on the Internet?’  How could someone as smart as a U.S. congressman get so publicly snarled on Twitter? Read the rest of this entry »

Using a “Man-in-the-Middle” to Target Activists

Given the civil unrest roiling the Middle East, Syria’s recent decision to unblock Facebook seemed…well, puzzling.  After all that’s been made of the social network’s role in helping organize the Egyptian and Tunisian uprisings, why would Damascus choose this moment to open it up?

Perhaps now we have the answer.

Illustration: German Ariel Berra

Peter Eckersley with the Electronic Frontier Foundation reports it appears Syrian authorities have launched a cyber-attack against Facebook aimed at intercepting messages and targeting activists inside Syria.  Calling it “very much an amateur attempt,” Eckersley says forensic data analysis makes clear that an unknown culprit – but one with Syrian fingerprints – has compromised Facebook’s security by using one of the oldest tricks in the spy-book: a “man-in-the-middle”, or MITM, attack.

In essence, an MITM hack is an electronic form of code-breaking between two people online who have been tricked into believing they’re communicating over a secure connection – such as https – but are actually passing messages through a third hidden party, where they can be recorded, blocked or altered.   That may seem like a mouthful, but it’s actually a lot less complicated than it sounds.  Let’s unpack it a bit. Read the rest of this entry »

Is the “Wiki” Generation Too Wired For Its Good?

This week we’re partnering with our pals who run the really-worth-your-time blog “VOA Student Union” with this question: what does the Internet generation think about all the wired devices that have come into our lives?

It’s a question we’ve been returning to as we’ve read, and re-read, Ethan Wilkes’ provocative essay “Generation Wiki’s web savvy“, first published in the Guardian on December 14.   Spurred by the controversy still swirling around the Wikileaks organization – and to some degree its just-as-controversial co-founder Julian Assange – Wilkes steps into the discussion with a bit of a generational slap-down.

“We are Generation Wiki,” he begins.  “We are the first of our kind.”

Wilkes goes on to make a new form of a very old argument: you grown-ups just don’t understand us.  The Internet revolution, Wilkes says, and all the devices and changes its spawned have created an entirely different set of expectations of privacy and speech.  And it’s those devices that are pushing a new social order – still undefined – where information necessarily runs free:

“We are aware of these ambiguities of the digital age, and we are comfortable with them. They are the products of a networked world where information is in abundance and easily diffused; it is the only world that we have known…What seems to be missing is an understanding of what Generation Wiki has known all along about information gone viral: we consume, comment and move on; the story dies when we are done with it. Trying to put the genie back in the bottle is no way to deal with an expose once it has gone online. “

OK…perhaps.  Arguably this generation does have different expectations of the boundaries between public and private.  And certainly growing up in an increasingly networked world has changed everyone’s relationship with  information – free or otherwise.

But then again, perhaps not.  You don’t need to have lived so many decades to know it’s the folly of youth to believe it is somehow unique and new, completely different from what came before and freed from the old strictures.  And then, as youth slides into something else, the experiences and shared knowledge of those that came before take on greater resonance.

Pretty heady stuff.  All of which has lead both Digital Frontiers and VOA’s Student Union to pose this question: what devices rule your life?

“What technologies rule your life?  Do you spend a lot of time on your computer or your mobile phone, and what do you use them for?  If you’ve traveled or lived in different countries, how were their tech habits different than your own?  What devices do you wish you had, and which could you live without?”

We expect many of the Student Union’s responses will come from “Generation Wiki.”  We’re hoping here to hear from everyone – young or old, fresh or experienced, wired or not.

Could the New US Congress Find Common Cause with the EU?

Even before the votes were counted, the Internet was buzzing with speculation about the 2010 midterm elections: what their meaning may be, their economic fallout and impacts on foreign policy across the globe.

Now add to the list: increased scrutiny of Internet privacy.

The Washington Post’s Cecilia Kang reports Thursday that Rep. Joe Barton (R-TX), slated to possibly lead the powerful House Energy & Commerce Committee in the next Congress, has sent up an early flare of his intent to revisit the issue of Internet privacy and security.

Doing double duty, Kang also has this item noting that the EU will likely push more stringent consumer privacy protections on the Internet.

Which means we may just have hit on one of the few areas the EU and the 112th Congress may see eye-to-eye.

Much more, after the jump. Read the rest of this entry »