TOP STORY
Why the U.S. needs better privacy laws, now!
By Woody Leonhard
Microsoft recently published an open letter to President Obama, condemning some government surveillance techniques and calling for federal data-privacy legislation.
While some industry heavyweights such as Amazon, Twitter, and Google would probably prefer fewer privacy rules, Microsoft weighs in on the side of consumers.
Microsoft replies to a report on privacy
On May 1, the President's Council of Advisors on Science and Technology (PCAST) published its report, "Big Data and Privacy: A Technological Perspective." The report's executive summary begins:
"The ubiquity of computing and electronic communication technologies has led to the exponential growth of data from both digital and analog sources. New technical abilities to gather, analyze, disseminate, and preserve vast quantities of data raise new concerns about the nature of privacy and the means by which individual privacy might be compromised or protected."
Page after page, the report documents current and potential threats to personal privacy. It also includes some eye-opening examples. A related report (PDF), "Big Data: Seizing Opportunities, Preserving Values," notes:
"This means ensuring that consumers are meaningfully aware of the spectrum of information collection and reuse as the number of firms that are involved in mediating their consumer experience or collecting information from them multiplies. The data services industry should follow the lead of the online advertising and credit industries and build a common website or online portal that lists companies, describes their data practices, and provides methods for consumers to better control how their information is collected and used or to opt out of certain marketing uses."
Following the publication of the two reports, the White House issued a formal request for comment. Microsoft, I'm happy to say, came out with both barrels blazing in its Aug. 5 reply (PDF) to the National Telecommunications & Information Administration (NTIA). As most Windows Secrets readers know, I've criticized Microsoft more than once for collecting personal data. But whatever its motivations, Microsoft's open letter to NTIA director of Internet policy John Morris nicely summarizes the complexities of big data and privacy. The letter's introduction concludes:
"The United States is well placed to take a leadership position on privacy and big data. But it needs to move quickly. Microsoft encourages the Department of Commerce and the Administration more broadly to push for passage of comprehensive federal privacy legislation based on the principles in the Consumer Privacy Bill of Rights. The rise of big data makes this a pressing issue."
The need for better privacy legislation is indeed pressing, but it's unlikely we'll see any changes soon. As noted in a Feb. 24 letter (PDF) to the president, signed by numerous groups, the framework for a Consumer Privacy Bill of Rights (PDF) was published over two years ago but remains largely unimplemented. (And information-industry heavyweights seem more interested in protecting their databases from government access than in protecting the public's privacy.)
You'll be surprised at what info is collected
We aren't yet to the point where your toaster reports back to some marketer, revealing exactly how brown you like your morning toast. But just about anything else of an electronic nature is being tracked and linked to your devices' IP addresses and/or your name.
Here's an example that really caught my attention. Do you own an Android phone? Would you like to know what Google knows about your location? This is aside from your purchases, ad responses, and Google searches (including the ones you don't discuss with others). And I'm not including the contents of your Google Drive documents (those that aren't encrypted) or your Gmail-based correspondence. You already know that Google collects all that information and stores it in massive databases.
In this case, it's the actual locations you (or, more precisely, your phone) have traveled to recently. If you turned on GPS tracking on your Android phone — a necessity for, say, using the locator in Google Maps — Google knows where you've been. And it's not limited to Android phones; if you're signed in to a Google account via an iPhone, iPad, or other device and have GPS tracking turned on, Google has recorded your movements.
To see what Google knows, crank up your favorite browser and go to the Google Locations site. (You might have to sign in with your Google account.) You'll see a map on the right and a calendar widget on the left. Below the calendar, click the Show dropdown box and select "30 Days."
Figure 1 shows everywhere I've been recently. When I zoomed in on the map, I could even see streets I'd traveled.
Figure 1. Google can keep a record of your phone's geographic position — and by extension, your location. Here, Google displays my recent trip to Thailand.
Yeah, Google watched every step I took while traveling halfway around the world — through 12 time zones. The theme from Twilight Zone is running through my head. Granted, Google could collect that information only because I'd turned on GPS tracking — so it's essentially my fault. But, in retrospect, it's scary.
Others can mine your geolocation information, too. Mobile-phone providers can track a device's location by triangulating the signal. That's become a potent tool for law enforcement. As reported in a June 12 JURIST story, the U.S. Court of Appeals ruled that police need a warrant in order to acquire phone-based location information. But the Supreme Court has not yet weighed in on that.
That's just garden-variety spying. According to a 2013 Slate article, the NSA — and presumably other secret agencies — can track the location of targeted phones even when they're turned off.
Of course, that trick requires a much longer explanation of what "off" means. In current practice, a phone can be tracked only if it's communicating with cellular towers. For most users, "off" really means the phone is in standby mode — the screen is dark but the phone is still ready to receive calls, messages, and data. Possibly more frightening are reports that a phone could be secretly modified to look like it's fully powered down when in fact it isn't. For the truly paranoid, the best solution is to fully remove the battery (which rules out using iPhones).
And the privacy abuses — real and potential — go on and on. It was recently revealed, as reported in a New York Times story, that the U.S. Central Intelligence Agency spied on its nominal overseers, the Senate Intelligence Committee. It seems clear that any public oversight of the intelligence services is a fiction.
Credit reporting: A less-than-perfect model
If one word best describes the solution to Internet-privacy concerns, it's transparency. Although the U.S. has many data-privacy laws, few of those laws have wide-ranging provisions that allow the spied-upon (us) to look at, challenge, delete, or modify collected personal data.
Currently, the most transparent data-collection industry is the consumer credit–reporting services — primarily Equifax, Experian, and TransUnion. The enactment of the Fair Credit Reporting Act and its consumer enforcement codicil, the Fair and Accurate Credit Transactions Act of 2003 (more info), gave us access to some of the credit information stored by those three companies.
But even with the credit industry, transparency is relative. The Fair Credit Reporting Act gave all consumers the right to free credit reports once a year. But those reports have limited information. You can get fuller reports only if you're willing to pay exorbitant fees. Furthermore, there's no disclosure as to how the credit data is used or how the all-important final score is calculated. I recently discovered these limitations firsthand.
There's also no way to limit who can request your credit rating. For example, an electric company might demand a credit score before connecting electricity; the phone company wants to see the score before setting up a line; the home insurance people require a score before they'll insure a house. There are even recent reports that companies are requesting credit information on job applicants. Perversely, each ping can drive down your credit score.
Essentially, it's a rigged game: credit agencies are using the legislation's shortcomings to goad consumers into paying for something that should be free. But it's the only game in town and just about everybody in the U.S. has to play it. And still it's more transparent than the online collection of personal data. There's currently little likelihood that the U.S. will pass even limited legislation to control online data collection, maintenance, and access — a fact that should send shivers down your spine.
Governmental restrictions on data privacy
Consumer online privacy is bad; protection from governmental intrusion on private data is even worse.
The main bill that controls how the government can access personal data was enacted back in 1986. The Electronic Communications Privacy Act (ECPA; more info) started as legislation restricting law-enforcement access to private digital data. But the world has changed significantly since then. As the Digital Due Process site puts it:
"Technology has advanced dramatically since 1986, and ECPA has been outpaced. The statute has not undergone a significant revision since it was enacted in 1986 — eons ago in Internet time. As a result, ECPA is a patchwork of confusing standards that have been interpreted inconsistently by the courts, creating uncertainty for both service providers and law enforcement agencies. ECPA can no longer be applied in a clear and consistent way, and, consequently, the vast amount of personal information generated by today's digital communication services may no longer be adequately protected. At the same time, ECPA must be flexible enough to allow law enforcement agencies and services providers to work effectively together to combat increasingly sophisticated cyber-criminals or sexual predators. The time for an update to ECPA is now."
Microsoft's stance, in my opinion, isn't as consumer-oriented as most of us would like. But it makes valid, pro-consumer points about government interference and the specific problems involved in manipulating "big data."
On the government-interference side, consider the recent federal court decision (BBC report) requiring Microsoft to hand over to U.S.-based law enforcement copies of email stored on servers in Ireland. I'm still trying to figure out the logic behind that one. Microsoft's well-considered comment is better than any I could offer:
"Absent sound rules of the road, it will likely become harder for U.S. companies to keep the trust of consumers worldwide. Already, some customers for cloud services in foreign markets are turning toward local solutions instead of U.S. providers, precisely because they (and their regulators) do not trust to the sufficiency of U.S. privacy laws. This lack of trust also may be compounded over time as countries adopt new privacy frameworks that — following in the footsteps of the European Union — restrict data flows to the United States out of concern that data will not be robustly protected here."
Microsoft's perspective might be more about its bottom line than its customers' privacy, but the points are still valid. On the big-data side, Microsoft talks about acquiring customer consent for use of data. But that aspect will only get murkier as companies begin accumulating data from newly Web-aware devices: cars, refrigerators, vacuum cleaners, toasters, and who knows what else. To its credit, Microsoft states:
"Practices for obtaining consent in today's big data world should be strengthened. The Consumer Privacy Bill of Rights recognizes this in its individual-control principle. Under that principle, the individual does not cede power to a data collector through a one-time consent. Instead, the individual and the data collector remain in a relationship that may change over time, and one in which the individual remains actively engaged."
Compare and contrast that with the current state of credit-agency reporting.
Giving the NSA a virtual punch in the nose
As any rational person who has read the U.S. Constitution will tell you, the NSA has obviously and excessively overstepped its bounds.
As reported July 29 on his official site, Senate Judiciary Committee chairman Patrick Leahy introduced a bill "that would restore Americans' privacy rights by ending the government's dragnet collection of phone records and requiring greater oversight, transparency, and accountability with respect to domestic surveillance authorities."
It's possible that Leahy's bill might actually make it through our demonstrably dysfunctional Congress. That rare bipartisanship would mostly reflect the number of members of Congress who felt sucker-punched by the revelations of celebrity leaker Edward Snowden and others. Spying on your own citizens might be forgiven by your obviously lax overseers. Spying on those same congressional overseers is unpardonable. Getting publicly outed is just plain stupid.
Keep in mind that Leahy's bill (PDF) is just a starting point. It's far from a panacea. The best analysis I've seen comes from Truthout reporter Liza Goitein; she states:
"Even if the Senate version becomes law, Americans' private information will remain vulnerable — under both the domestic programs addressed by the bill and other, much larger, programs nominally targeted at foreigners. As Leahy acknowledged when introducing the bill, much more remains to be done to protect the privacy and civil liberties of law-abiding Americans."
In a rare show of unity, AOL, Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo, and many other companies and privacy organizations support the bill, according to the Leahy site.
What you can do about online privacy — right now
That's a very condensed version of where the U.S. stands on the various interrelated privacy issues. In short, our personal privacy is rapidly dwindling, threatened by both companies and governments. The situation is dire, and it's getting far more complex.
To get a handle on it, start by discussing online privacy with those around you. You're probably the alpha geek in your circle of friends (that's why you read Windows Secrets), so your opinion should count. Unfortunately, the typical online user hasn't a clue where this is all heading — and many are painfully oblivious to the full extent of the problem.
Next, I recommend pushing your senators and congresspersons to support the Leahy bill, known as the USA FREEDOM Act of 2014. Do it now! Thanks to the Congress Merge site, it's easier than you might think.
Read Microsoft's letter. If you agree with it, write to NTIA's John Morris (email address) and tell him you support Microsoft's comments on big data and consumer privacy.
Your actions can make a difference; inaction lets others dictate the outcome.