Privacy

Yesterday, Prime Minister Theresa May gave a much-trailed speech purporting to flesh out some ‘detail’ – that most hated and troublesome concept for Brexiteers. On data protection law and institutions, she said:

“But the free flow of data is also critical for both sides in any modern trading relationship too. The UK has exceptionally high standards of data protection. And we want to secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals to achieve our aims in maintaining and developing the UK’s strong trading and economic links with the EU.

That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘one stop shop’ mechanism for resolving data protection disputes.”

This basically summarises the UK’s position since last August:

“After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.”

It is pretty straight down the line UK positioning.

So, ‘you need us at least as much as we need you?’ Tick. Though I’d be surprised if the data flow volume is symmetrical.

‘Believe us when we say we’ll have perfect regulatory alignment while also making the UK more innovative and flexible?’ Tick. Despite its dicking around with the GDPR implementation – especially the huge carve-out that slashes data protection for any non-UK citizens – UK will at least start with a more or less guaranteed adequacy finding that says its data protection regime is enough for transfers to continue.

And ‘We will of course leave the EU and all its institutions, but still expect an influential role in determining future policy and EU law.’ Tick. Magnificent cake-ism, really. Entirely consistent with the rest of the UK’s negotiating stance. Theresa May really believes the 27 member states need the UK’s input on data protection so much, that they’ll let its regulator, the ICO, continue to take part in coordination procedures, and also continue to water down data protection for everyone else. [click to continue…]

It may be the age of big data, but since big data tend to come from those who are already using digital media, such data sets tend to lack information about non-users and those who don’t engage in certain activities online. I make this case in detail about data derived from social network sites in my paper called Is Bigger Always Better? published in the ANNALS of the American Academy of Political and Social Science.* That paper mainly focuses on those who are already connected, but even among Internet users, I find that data derived from social media tend to bias against the less privileged and the less skilled as such folks are less likely to be on those sites. This is a problem when more and more studies about social behavior and potentially policy decisions are made based on information that automatically excludes certain populations.

Today (3/31/16) the US Federal Communications Commission votes on broadband subsidies for low-income households. Yes, making home broadband more affordable is likely a necessary condition for getting more Americans online. However, it is not sufficient. My colleague Ashley Walker and I analyzed data from an FCC study administered in 2009 on both users and non-users, finding that people who are more concerned about their personal data being stolen are more likely to be non-users, results that hold true when controlling for other potentially related factors such as age and education. The issue here is not about price, it’s about privacy concerns. Other research I and others have conducted (some of it reviewed here*) shows that lack of Internet skills is often an impediment to using digital media and using it in ways from which people may benefit. Again, it’s not simply core infrastructural access that’s a problem.

Why are Ashley and I using data from 2009? Because shockingly no federal agency has collected nationally-representative data about Americans’ Internet uses since then. The Census used to be in the business of gathering such data, but at this point it only does so about very basic connectivity questions. The approach seems penny-wise and pound-foolish. Sure, gathering such data is expensive, but it is a drop in the bucket compared to spending over $2 billion dollars on broadband subsidies without having sound evidence on how that will actually improve a more diverse group of Americans using the Internet in helpful ways.

I also have a piece on Huffington Post about all this.

[*] If you can’t access it, feel free to send me a note for a preprint copy.

Paul Mason has an article today [about the impending end of cash](http://www.theguardian.com/commentisfree/2016/feb/15/crime-terrorism-and-tax-evasion-why-banks-are-waging-war-on-cash). The subtitle asks “But what would a cashless society mean for freedom?” but sadly the article itself has little to say on the subject. It isn’t hard to see, though, that the end of cash would give governments almost unlimited power to deny resources to those they consider undesirable. We’ve already seen this with the way that the Obama administration successfully pressured the major credit card companies to block donations to WikiLeaks. And it is a key component of the UK’s rather horrible Immigration Bill 2015 which has as a central purpose to create a “hostile environment” for people who lack authorization to be on the territory of the state by, inter alia, “working with banks and building societies to restrict their access to bank accounts”. In practice this means that people whose right to remain is cancelled could almost immediately lose access to the resources they need to fight the administrative decision against them. History shows that technologies that are first piloted against one group of people can be extended to others. We face a future where people deemed by the executive to be problematic in some way could lose access to all means of payment. At least with cash you can subsist on the margins of society; without it, government control is potentially total. Perhaps this is coming sooner than we think?

Abraham Newman and I have a piece in the new Foreign Affairs, discussing the Safe Harbor decision, and arguing that it’s really an example of the US finding some of its own preferred extraterritorial rules being used against it. Since Foreign Affairs allows me to put the whole piece up for a few months, here’s the full text for anyone who’s interested …

[click to continue…]

When Zoë was maybe 10 and old enough to start randomly looking at things on the internet without much supervision other than Google SafeSearch (well, such a thing was likely to occur; I’m not sure she was old enough per se) I had a little talk with her. And Violet, but Violet wasn’t paying attention. I re-had the talk with Violet later. It went like this: don’t ever go to 4chan, OK? OK. Also, there are weirdos on the internet who are grownups but want to have sex with children. Her: “Whaaaaa–??@? I thought people had sex so that–” Ya, I know. Just, roll with me. They pretend to be other kids so they can talk to kids. So don’t talk to weirdos who ask you a lot of personal questions, and don’t ever tell anyone on the internet where you live, and later when you have photos and an email and attachments don’t send them to anyone. But also if somehow something weird happens and you get scared of someone or feel like something is wrong you should always tell me, and I’ll never be mad at you even if you didn’t do 100% “the right thing,” and it’s never too late to say something is making you scared or feel weird, like, there’s not a crucial window that goes by and then if you miss it you can never speak up because it’s your fault now, because you didn’t say anything before. Also, don’t go to 4chan. Shit, don’t even go to reddit. I’m not saying this because it’s cool and fun, it’s just gross. [Dear CT reader who frequents a perfectly nice and informative knitting sub-reddit that isn’t even sexist at all: them’s the breaks.]

I oke-bray the ules-ray by getting Zoë an FB account for Xmas one year that–her age being the number after ten–was not one of the approved years. It was her top request on her list to Santa. (And free!) I made myself a page administrator, set the privacy settings myself, and said she couldn’t put pictures of herself up. I couldn’t issue a blanket “no anything-chan” rule because of course zerochan.net has all the best pictures in the world. For several years she has obsessively searched for and downloaded both official and (moreso) fan art, and then uploaded it again into massive albums on her FB page. There’s over 5K images on there!
[click to continue…]

Responding to concern about PRISM and the issue of whether intelligence collaboration with the US enabled British agencies to circumvent legal restrictions, Foreign Secretary William Hague told us that “law-abiding citizens” have nothing to fear. Not only do I not wish to be the kind of person Hague thinks of as “law abiding”, more generally it is social movements that willfully break the law that are most likely to bring about change and to threaten established power and privilege. And it is just such movements, and their leaders, who are at risk from pervasive state surveillance of our communications.
[click to continue…]

A recent study by the Washington University School of Medicine in St. Louis found that women using IUDs and other methods like under the skin implants or Depro-Provera injections were much less likely to have an accidental pregnancy than women using ordinary birth control pills, the trans-dermal patch, or the vaginal ring. (CT readers who are not up-to-the-minute on ladyissues may be interested to learn that the ring is a polymer, well, ring, which is inserted into the vagina, and then releases hormones over the course of three weeks. The birth control type is replaced after four weeks. Another version is used to treat the effects of menopause and has a different schedule.)

The women using the pill etc. were, in fact twenty times as likely to have an accidental pregnancy as the other group. “We know that IUDs and implants have very low failure rates — less than 1 percent,” says Brooke Winner, MD, a fourth-year resident at Barnes-Jewish Hospital and the study’s lead author. “But although IUDs are very effective and have been proven safe in women and adolescents, they only are chosen by 5.5 percent of women in the United States who use contraception.” In this case the study provided the various types of birth control at no cost. Worth noting, when the cost barrier was removed, the percentage of women choosing long-acting contraceptives went way up, to 75%.
[click to continue…]

In my original post I, ignoring all of common sense and the experience of the entire internet, imagined that people would click through and read the linked Kevin Drum piece, and then perhaps click on the link there as well. I really don’t know what came over me; I must be out of practice or something. As was mentioned in comments to the previous post, Kevin Drum was responding to a NYT article in which it was suggested that hotel housekeepers receive unwanted sexual approaches fairly often in big hotels. It seems to be necessary to be very clear on this; I am merely suggesting that Kevin Drum’s indignant suggestion (that hotels refuse service to guests who repeatedly flash the staff) is indeed a reasonable one. Even threatening to do so would probably bring lots of men around, since it might be a little hard to explain to the boss why you suddenly can’t stay at the Mandarin anymore. From the NYT:

On top of that [their grueling, physically demanding jobs], they [housekeeping staff] have to be sexually accosted by guests? Sadly, yes. And more often than you’d think. It’s not an everyday occurrence but it happens enough to make this question all too familiar: “Mr. Tomsky, can you give the new girl Room 3501 until next Tuesday? That man is back, the one who loves to let his robe fall open every time I try to clean.” So, yes, we assign the room to the new girl.

Now I hate to say this, but I’m pretty sure this is the end of most actual stories along this lines, i.e., give it to the new girl. Per the NYT, though, it’s more like some awesome SWAT thing:

But not before hotel managers roll up to the room, flanked by security guards, to request that the guest vacate during cleaning, or at least promise to remain fully clothed or risk expulsion. Often it need not be discussed in detail: those guests who can’t seem to tie their robe properly usually know exactly what they’re guilty of. Typically, an unsolicited phone call from management inquiring if the service in their room is up-to-standard, and offering to send a manager to supervise the next cleaning, improves their behavior. I remember one exhibitionist guest, in New Orleans, cutting me off before I could get down to business:

“Sir, this is Jacob, the housekeeping manager — ”

“O.K., fine, O.K.!” And he hung up. That was that.

Being flashed is very different from being violently assaulted, but they are on a continuum of unwanted sexual encounters. Also, it’s difficult to believe that a man who gets to that point hasn’t gotten away with quite a lot of other skeezy things in the past, such as exposing himself. Perhaps if M. Strauss-Kahn had had repeated, embarrassing conversations with the male hotel staff in which banning him from further stays was mentioned it would have been salutary.

It also occurs to me if a women left her hotel room door unbolted and someone came in and raped her, the number of times (hint: infinity) she would be told that she should always keep the door locked, and call downstairs to check with the front desk when a male staffer came to the door even in uniform, etc. etc., might make her decide to just not bother reporting the crime.

I thought it was interesting that despite the subject matter, the Times was unable to find a woman to write about the topic, perhaps one who had worked as a housekeeper? Just a thought. I understand that “Jacob Tomsky is writing a memoir about his experiences in the hotel business,” but that hardly seems the most salient concern, unless someone’s agent knows someone. And you may object that most of these workers are recent immigrants, but I see Maureen Dowd’s name out of the corner of my eye oftener than I would like, so it’s not as if having a woman with limited English-language skills on the Op-Ed page is somehow a problem.

This ArsTechnica write-up of some recent research of mine has received numerous votes on the recommendation site Digg in the last few hours. I wonder if it will make the front page of Digg, although as a Twitter contact of mine noted, since it’s not a top-10 list (nor, if I might add, does it cover Google or Apple), that may be unlikely.

The post reports on a study in which we found that male college students are more likely than their female counterparts to share creative content online even though both men and women in the sample are equally likely to create such content. However, when controlling for online skill, the gender differences in posting go away.

Gina Walejko and I published the paper “The Participation Divide: Content Creation and Sharing in the Digital Age” this Spring in the journal Information, Communication and Society. We examine the extent to which college students share creative content online and whether we can identify any systematic differences by user background. In particular, we looked at whether students create and share the following types of material: poetry/fiction, artistic photography, music, and video (both completely own and remixed in the case of the latter two), including both private and public sharing. [click to continue…]

Speaking of public intellectuals, Siva Vaidhyanathan gave a talk here a couple days ago on privacy and surveillance, developing the ideas here. (For one thing, he now prefers “Cryptopticon” to “Nonopticon.”)

Siva thinks we should stop our Foucauldian worrying about Bentham’s Panopticon. He says he’s lived in the Panopticon, in New York, where there are lots of visible cameras everywhere (when I lived in one of the home counties, where it is said you can go all day without being out of CCTV range, I knew the feeling). Siva points out a lot of the cameras aren’t maintained, monitored, or even attached to anything; that’s not the point of them. They’re not there to watch you, they’re there to make you think that you’re being watched. Such reminders (your call may be monitored) are supposed to get you to become your own social superego.

On balance, Siva seems to think, this is pretty harmless. The point of the Panopticon is to get you to behave, to hide your real self, to conform. About which we can note two things: one, if you’ve been to London or New York, you see that in the real Panopticon people get their freak on just fine, thank you very much. And two, to the extent that it does work, the Panopticon actually reinforces privacy—getting you to hide your real self draws the boundaries around that real self. What we really need to worry about is unannounced, concealed surveillance: the NonCryptopticon.
[click to continue…]

Henry points us to a new Google initiative and was wondering what I might think about it. I started writing a comment, but thinking that a comment shouldn’t be three times as long as the original post (and because I can), I decided to post my response as a separate entry.

First, I think Kieran is right, knol is way too close to troll, I would’ve picked a different name. (That said, most people out there probably have no idea what a troll is so in that sense it’s just as well although I still don’t like the name.)

I address three issues concerning this new service of trying to create something Wikipedialike within Google’s domain: First, will it gain popularity? Second, what might we expect in terms of quality? Third, what’s in it for Google beyond the potential to showcase more ads? [click to continue…]

Google is staking a claim on the moral high ground of Internet privacy. The company has called for new international rules, ostensibly to protect privacy online. Little of Google’s search information is strictly ‘personal data’, i.e. data directly concerning named individuals. But search data, potentially tied to individuals’ IP numbers, is dynamite, something it’s taken Google a long time to face up to publicly. Google got its fingers badly burnt by the incredulous reaction to its ‘trust us, we’re the good guys’ privacy policy a couple of years back. They hired Peter Fleischer, a well-respected Microsoft lawyer and data protection expert, to put their case more seriously. And now Fleischer is showing Google’s global citizenship willing by suggesting to UNESCO that an international body create a new set of rules on Internet privacy. But would this improve individuals’ privacy?

Part of the argument for a new instrument – at least as summarized in reports on the speech – is that the existing ones are too old and were crafted before the Internet really took off. The OECD Guidelines date from 1980 and the EU data protection directive from 1995, so they’re said to be out of date. Fleischer is said to argue for new rules based on the APEC privacy framework, and says Google is in favour of individuals’ privacy. The trouble is the ‘past their sell by date’ argument doesn’t hold up, and the APEC principles are a weak model to anyone who cares about privacy.
[click to continue…]

This “ZDNet article”:http://news.zdnet.com/2100-9588_22-6205716.html on datascraping firm Rapleaf is both interesting and disturbing.

In the cozy Facebook social network, it’s easy to have a sense of privacy among friends and business acquaintances. But sites like Rapleaf will quickly jar you awake: Everything you say or do on a social network could be fair game to sell to marketers. … By collecting these e-mail addresses, Rapleaf has already amassed a database of 50 million profiles, which might include a person’s age, birth date, physical address, alma mater, friends, favorite books and music, political affiliations, as well as how long that person has been online, which social networks he frequents, and what applications he’s downloaded. … All of this information could come in handy for Rapleaf’s third business, TrustFuse, which sells data (but not e-mail addresses) to marketers so they can better target customers, according to TrustFuse’s Web site. As of Friday afternoon, the sites of Rapleaf and Upscoop had no visible link to TrustFuse, but TrustFuse’s privacy policy mentions that the two companies are wholly owned subsidiaries of TrustFuse.

… In other words, Rapleaf sweeps up all the publicly available but sometimes hard-to-get information it can find about you on the Web, via social networks, other sites and, soon to be added, blogs. … Apart from the unusual TrustFuse business, Rapleaf is among a new generation of people search engines that take advantage of the troves of public data on the Net–much of which consumers happily post for public perusal on social-networking sites and personal blogs. The search engines trace a person’s digital tracks across these social networks, blogs, photo collections, news and e-commerce sites, to create a composite profile. … There doesn’t appear to be anything illegal about what these companies are doing. No one’s sifting through garbage cans or peeking through windows. They’ve merely found a clever way to aggregate the heaps of personal information that can be found on the Internet. … Just ask Dana Todd … “It’s my growing horror that everyone can see my Amazon Wish List. At least I didn’t have a book like ‘How to get rid of herpes’ on there, but now I have to go through and seriously clean my wish list,” she said.

This raises all sorts of interesting issues for privacy, going way beyond the dumb-teenager-spliff-smoking-photo-on-MySpace kind of story that get most public attention. If I’m understanding the article correctly, Rapleaf have figured out ways to get at some information from social networking sites that the users of these sites mightn’t have wanted to share with the outside world. This isn’t illegal, but it is fishy. Also, by aggregating together information about people’s networks and tastes across a variety of different websites and networking sites, it’s likely that the firm can draw non-obvious connections that people would prefer not to be drawn. US privacy law is notoriously patchy (your video rental records are heavily protected, thanks to efforts to embarrass conservative Supreme Court nominees, your sensitive financial information … not so much), but I’m not sure what kinds of policies would effectively protect those people who wanted to protected from this kind of widescale data trawling, even in more privacy friendly jurisdictions like the EU. That said, I’m personally quite creeped out by this kind of thing (albeit not creeped out enough to stop blogging or to withdraw my profile from social networking sites, for whatever good that would do me at this stage).

For some time, Josh Marshall has been saying that President Bush won’t fire Alberto Gonzales because he wouldn’t be able to get a new Attorney General confirmed by the Senate who would be willing to keep all of the cover-ups in place. Evidence for this theory is mounting. But Bush won’t be able to keep him in office for ever.

Assume a new Democratic President is inaugurated on January 20, 2009. Focusing on the illegal wire-tap program(s) (as opposed to the other cover-ups), which of the following is most likely:

a. the illegal wire-tap program(s) will be dismantled and all evidence of them destroyed by the time the new administration takes office;
b. they will still be up and running, and the new administration will quietly continue them;
c. the new administration will quietly stop them;
d. the new administration will say that they are stopping them, but actually continue them;
e. the new administration will make a big show about stopping them (and actually do so);
f. the new administration will make a big show about stopping them and move to prosecute members of the previous administration for violating the law.

I can’t believe a. is a viable option, so how would a Democratic administration handle such an illegal inheritance? Is there a significant difference among the candidates? (Maybe I should have made a you-tube video asking this.)