Sunday, December 31, 2006

The Privacy Year: 2006 sent mixed messages

So, as the year ends, what did 2006 do for privacy?

Well, there was plenty of coverage of security breaches that exposed personal data. According to the good folks at Privacy Rights Clearing House, the approximate minimum total number of PII potentially compromised in 2006: 48,419,936. They have a very interesting breakdown right here.

And this was the worst year ever, right? Wrong, the total for 2005 was 54,843,000. But aren't we getting better at catching the culprits? Well, according to Privacy Rights Clearing House, the number of data-breach identity thieves sentenced in 2006 was, wait for it: 5.

So, not a good year for privacy. But maybe not the worst year ever. Let's see what 2007 brings.

Sunday, December 10, 2006

The Real Meaning of Privacy Invasion

At this time of the year some people like to talk about the real meaning of things. So how about the real meaning of "privacy invasion"? These days people often say "my privacy was invaded" after somebody has exposed private information about them. Journalists write "Lax security leads to huge data breach, privacy invasion."

But what is there about Personally Identifiable Information being exposed that suggests the verb "invade" or the noun "invasion"? When we learn that Google keeps a lot of data about how we use the web, data that can be linked to us individually, what aspect of this suggests "to enter forcefully as an enemy; go into with hostile intent"? You might not like it, but surely the term invasion is wrongly applied in cases such as this.

Indeed, the term "invasion of privacy" started out as a way of describing what today we might characterize as people "putting their stuff in your face." Consider a couple who are arguing in voices so loud that the neighbors can hear. That is an invasion of their nieghbors' privacy, information about other people forcing its way in your world. Here's a real world example. I think my privacy was invaded when I was sitting in an aisle seat on a plane a few years ago and a young woman stood in the aisle, waiting to deplane, with her back to me, wearing a bolero top and low cut jeans, thereby revealing to me--before I had time to avert my eyes--an elaborate tattoo reaching down to her butt crack and featuring the word: Daddy.

This is not something I wanted to see. But I was pretty much forced to see it. My space was invaded. My private world was invaded. This might sound old-fashioned, but that's partly the point. People used to be able to go out in public without too much fear that deeply personal aspects of their fellow citizens would intrude upon them. I'm all for people doing whatever they like in private (as long as it causes no harm to the person or property of others) but I think I have a right not to be forced to know about it. That is one privacy right that is too often overlooked.

Sunday, December 3, 2006

Spam really is getting worse, TEOS to the rescue?

"Between May and the end of 2006, the absolute volume of spam has increased by about 100%, said Michael Osterman, president of Black Diamond, Wash.-based Osterman Research. In fact, some estimates suggest that up to 85% of all email is spam."
No, it is not your imagination. You have been getting more spam this quarter. Check out this great set of links to spam statistics. Despite all the laws, lawsuits, fines, filters, counter-measures, the surges of spam continue to clog the net and waste our time and resources.

Of course, this was fairly predictable. We researched this back in 2001 and developed some potentially effective technical responses that were ready to roll by 2002. By early 2003 we were prepared to offer them to the world as the Trusted Email Open Standard or TEOS. The missing ingredient back then was cooperation between the major email providers. That ingredient is still missing today, which is a pity because between them these companies have the power to impose improved email protocols that would greatly reduce spam. Sadly, they prefer to use spam, or rather anti-spam features, as a product differentiator, a way to attract customers, particularly from the smaller, regional Internet Service Providers.

If ever these companies have a change of heart, TEOS is still there, and is still a wealth of good ideas about how to attack the spam problem more effectively than anything we have seen so far.

Wednesday, November 29, 2006

TEOS Lives On: And its time may yet come

For those who missed it the first time round, TEOS is the acronym for Trusted Email Open Standard, a proposal for reducing spam by increasing trust in email. TEOS was introduced in April of 2003 at a Federal Trade Commission Anti-Spam. More than 30,000 people downloaded the 35-page standards document in the first eight months that it was available online. The FTC still hosts a pdf copy of the document today, at the FTC web site. There is some archival coverage of the FTC summit here and coverage of TEOS here and also here.

But what has spam got to do with privacy?

First of all, a lot of people would probably agree that spam is an invasion of privacy, the privacy of one's in-basket. Second, it can be argued that, if there was a trustworthy way of ensuring that the privacy preferences of consumers were respected, it would be possible for email to be widely and beneficially used for commercial purposes without creating spam.

So what happened to TEOS?

Well, a lot of people read it (c.f. the 30,000+ downloads) and Bill Gates plagiarized it in a letter to Congress in May of 2003. Here is what he wrote:

...we support the establishment of an independent trust authority or authorities around the globe that could spearhead industry best practices, and then serve as an ongoing resource for email certification and customer dispute resolution. In short, these authorities could provide mechanisms to identify legitimate email, making it easier for consumers and businesses to distinguish wanted mail from unwanted mail. Of course, any technology designed to establish the identity of legitimate commercial firms and associate them with a trusted sender "seal" should be based on open standards and developed with broad input from affected industries.

This is exactly what TEOS had earlier proposed but he conveniently omitted mention of the standard or its authors at ePrivacy Group (which included me). However, TEOS also proposed, and depended upon, cooperation between the large email vendors. They talked about it. Meetings were held. But nothing came of it. Which is sad news for all email users.

Tuesday, November 21, 2006

Invasive Technology Has Its Uses: Teen Tracking

About ten years ago, when our daughter was a rebellious teenager, I gave serious thought to installing some sort of GPS recording and transmitting device in the car we let her drive. The goal was something like a web page where we could log in and see where the car was at any particular time.

And I mean serious thought. That girl could somehow put a hundred miles on the car in one evening and yet, when asked where she went, answer "Nowhere." Unfortunately, such devices were big and clunky and very expensive back then, mainly confined to commercial applications like trucking and emergency vehicle assistance. Now there are numerous ready-made solutions.

Would I use one if I had a teenage daughter or son today? You bet! Would it be an invasion of their privacy? No! Parents have a right [and a duty] to knowing where their teenagers are.

BTW, to be 'nice' about it, an invasion of their privacy would be showing them a tattoo located just above my butt crack--that's what invasion of privacy originally meant--putting your stuff in my face, which is what happened to me a few months ago when I was waiting to get off a plane. The young lady in front of me rose up and between her short top and low-cut jeans appeared a large tattoo that read "Daddy's Girl." I really didn't want to see that.

That was an invasion of my privacy.

Friday, November 17, 2006

Privacy Essentials: The Politech Connection

If you're serious about privacy in general, and privacy-as-impacted-by-technology in particular, I highly recommend subscribing to Declan McCullagh's Politech:


"the oldest Internet resource devoted to politics and technology. Launched in 1994, the Politech mailing list has chronicled the growing intersection of law, culture, technology, and politics."

I still meet privacy professionals who haven't found Politech yet, possibly because it is not purely about privacy, but it is well worth subscribing, for Declan's even-handed reporting, and for that early "heads-up" you sometimes get from insiders (e.g. it is where I first heard about the UCLA taser incident).

Thursday, November 16, 2006

UCLA Taser Video Incident Raises Many Privacy Questions

First of all, if you have not seen the video, you can view it here on YouTube.

Then read some of the comments people have left. Now ask yourself how you feel about our society today. What do you think is most disturbing:

  • Not having your student ID on you can lead to something like this?
  • The other students didn't leap to this guy's defense and prevent repeated tasing?
  • Taking pictures to post on the Internet seemed to be more important to some students than preventing a fellow student being physically abused?
  • A lot of people left comments on YouTube that are very disturbing?
  • Somebody in there was shouting something like "this is the Patriot Act in action."
When I was a high school student, my friends and I went toe-to-toe with police to protest racial injustice, risked suspension and worse, like being run down by mounted police. Has that kind of "teen spirit" wilted away?

On the narrow topic of carrying an ID, I actually think an ID is a good idea. But short of shooting the student who didn't have one, those UCLA campus police could not have more to poison the notion of identifying oneself to others.

Friday, November 10, 2006

Mixed Privacy Messages May Point to Future Trends

Numerous studies have shown that many people will hand over sensitive data about themselves in return for relatively minor benefits (an ice cream cone in one case I recall). This tendency has perplexed many privacy professionals and social commentators, myself included, as it seems to run counter to expressed fears about privacy (remember that privacy fears topped the chart of "what worries you most about the new century" in a large-scale 1999 survey, beating terrorism).

One way to resolve the apparent dilemma is to declare these studies flawed, suggesting they somehow fail to reflect people's underlying attitudes to privacy. But I can't accept that explanation. The empirical evidence of a strong "exhibitionist" streak in modern society is just too strong and you must account for it in an theory about privacy. Now I see that some people are making progress along these lines. Check out Douglas Rushkoff's perceptive piece in a recent issue of Discover magazine.

"It's as if we humans are not simply wiring up a communications infrastructure but creating a shared platform for self-awareness as a collective organism. And this goal--this almost instinctive push toward gaining access to one another--far outweighs our concern over how this data might be used."

This meshes quite nicely with my view of how humans are evolving. And it also jives with ideas I advanced in one of my first columns on privacy, back in 1994, which I will post here as soon as I can find the darned thing (Google probably has it somewhere).

Thursday, November 9, 2006

Here Begins Privacy Think

A blog about privacy, with a focus on the far horizon. Asking questions like:

  • Where is privacy headed?
  • If people fear Big Brother why do they reveal all on MySpace?
  • Could a loss of privacy ever be a good thing?
  • What's the difference between privacy and anonymity?
  • What does the exposure of hundreds of millions of personal records mean?

Interested? Stay tuned. Get the feed.

Stephen