Technology Review: Privacy Requires Security, Not Abstinence - The Diigo Meta page

• 30 Jun 09
  

  Yule Heibel

  Article by Simson Garfinkel on "Protecting an inalienable right in the age of Facebook," i.e., privacy.
  
  Privacy matters, as Garfinkel eloquently argues:
  QUOTE
  Privacy matters. Data privacy protects us from electronic crimes of opportunity--identity theft, stalking, even little crimes like spam. Privacy gives us the right to meet and speak confidentially with others--a right that's crucial for democracy, which requires places for political ideas to grow and mature. Absolute privacy, also known as solitude, gives us to space to grow as individuals. Who could learn to write, draw, or otherwise create if every action, step, and misstep were captured, immortalized, and evaluated? And the ability to conduct transactions in privacy protects us from both legal and illegal discrimination.
  UNQUOTE
  But Garfinkel argues that it's not the case that merely "opting out" of "some aspects of modern society" (i.e., abstinence) should be the way to secure it. You should have a right to privacy, and still be able to participate in online activity or electronic/ digital transactions.
  QUOTE:
  Now, however, abstinence no longer guarantees privacy.
  (...)
  In this environment, the real problem is not that your information is out there; it's that it's not protected from misuse. In other words, privacy problems are increasingly the result of poor security practices.
  UNQUOTE

  privacy security online_privacy simson_garfinkel

  • The Constitution
    The word privacy doesn't appear in the U.S. Constitution, but courts and constitutional scholars have found plenty of privacy protections in the restriction on quartering soldiers in private homes (the Third Amendment); in the prohibition against "unreasonable searches and seizures" (the Fourth Amendment); and in the prohibition against forcing a person to be "a witness against himself" (the Fifth Amendment). These provisions remain fundamental checks on the power of government.
  • Over time, however, the advance of technology has threatened privacy in new ways, and the way we think about the concept has changed accordingly.
  • 35 more annotations...

  • • Back in 1890 two Boston lawyers, Samuel Warren and Louis Brandeis, wrote an article in the Harvard Law Review warning that the invasive technologies of their day threatened to take "what is whispered in the closet" and have it "proclaimed from the house-tops." In the face of those threats, they posited a direct "right to privacy" and argued that individuals whose privacy is violated should be able to sue for damages.

      
      

      Warren and Brandeis called privacy "the right to be let alone" and gave numerous examples of ways it could be invaded. After more than a century of legal scholarship, we've come to understand that these examples suggest four distinct kinds of invasion: intrusion into a person's seclusion or private affairs; disclosure of embarrassing private facts; publicity that places a person in a "false light"; and appropriation of a person's name or likeness.

    • In our world, "intrusions into a person's seclusion or private affairs" might describe someone's hacking into your computer system.
    • You can also be intruded upon in many lesser ways: when companies force advertisements onto your screen, for example, or make pop-ups appear that you need to close. It's intrusive for a telemarketer to call you during dinner. That's why programs that block Internet advertisements and the federal government's "do not call" list are both rightly seen as privacy-protecting measures.
    • The desire to prevent the disclosure of embarrassing private facts, meanwhile, is one of the driving forces behind the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA).
    • "False light" is a problem we still don't know how to address online.
    • Using a name or likeness without permission is at the heart of most "sexting" cases that reach the newspapers. Journalists often focus on the fact that teens are willingly sending sexy or downright pornographic photos of themselves to their boyfriends or girlfriends. But the real damage happens when a recipient forwards one of these photos to friends. That is, the damage is caused by the appropriation, not the receipt.
    • The fact that a dusty Harvard Law Review article corresponds so closely with the online privacy problems we face today suggests that even though technology is a driving factor in these privacy invasions, it's not the root source. The source is what sits in front of the computer's screen, not behind it.
    • It's comforting to know that U.S. law eventually gets things right with respect to privacy--that is the power of our republic, after all. But it's also troubling how long it sometimes takes. A lot of injustice can happen while we wait for the law to accommodate advances in technology.
    • Consumer data banks as we know them today--big repositories of personal information, indexed by name and specifically constructed for the purpose of sharing information once regarded as "private"--didn't start with computers. But computers certainly helped.
    • In the 1980s and early 1990s, while lawmakers in Europe and Canada passed comprehensive privacy legislation complete with commissioners and enforcement mechanisms, the United States adopted a piecemeal approach. Some databases had legally mandated privacy guarantees; others didn't. Wiretapping required a warrant--except when companies taped employees for the purpose of "improving customer service." But even if policies weren't consistent, they basically covered most situations that arose.
    • All activity on the Internet is mediated--by software on your computer and on the remote service; by the remote service itself; and by the Internet service providers that carry the data. Each of these mediators has the ability to record or change the data as it passes through. And each mediator has an incentive to exploit its position for financial gain.
    • It's not that Congress was shy about regulating the Internet. It's just that congressional attention in the 1990s was focused on shielding children from online pornography--through laws eventually found unconstitutional by the Supreme Court, because they also limited the rights of adults. The one significant piece of Internet privacy legislation that Congress did manage to pass was the Children's Online Privacy Protection Act (COPPA), which largely prohibited the intentional collection of information from children 12 or younger.
    • Instead, it fell mostly to the Federal Trade Commission to regulate privacy on the Internet. And here the commission used one primary tool: the FTC Act of 1914 (since updated), which prohibits businesses from engaging in "unfair or deceptive acts or practices."

    • 9/11: The First National Scare of the Computer Age
      The terrorist attacks of September 11, 2001, changed the terms of the debate. Suddenly, the issue was no longer whether Congress should protect consumer privacy or let business run wild. Instead, the question became: Should Congress authorize the Bush administration to use the formidable power of state surveillance to find terrorists operating inside the United States and stop them before they could carry out their next attack?

      
      

      The administration itself had no doubts. Where laws protecting privacy got in the way of its plans to prevent attacks, it set out to change those laws. The pinnacle of this effort was the USA Patriot Act, signed on October 26, 2001, which dramatically expanded government power to investigate suspected terrorism. In the months that followed, representatives for the administration repeatedly denounced those who complained about threats to privacy and liberty; they were, said Attorney General John Ashcroft, "giv[ing] ammunition to America's enemies."

    • Total Information Awareness (TIA)
    • renamed Terrorism Information Awareness, TIA was the brainchild of the Defense Advanced Research Projects Agency's newly created Information Awareness Office, which was run by retired admiral John Poindexter (a former national security advisor) and his deputy, Robert L. Popp.
    • While I was a graduate student at MIT during the summer of 2003, I got a job working on the TIA project, because I thought that data mining would be a way to objectively look through mountains of personal information without compromising privacy. Congress, however, opposed TIA on the grounds that it treated everyone in the country as a suspect, and because it feared that a massive data surveillance system might be used for purposes other than catching terrorists.
    • Another data fusion project launched in the wake of 9/11 was the Multistate Anti-Terrorism Information Exchange (Matrix), which was also shut down amid privacy concerns.
    • Since then, a number of states and cities have partnered with DHS to create so-called "fusion centers," with the goal of helping sensitive information flow between federal, state, and even local law enforcement agencies. There were 58 fusion centers around the country by February 2009, according to the department's website, and DHS spent more than $254 million to support them between 2004 and 2007.
    • Few details of what actually happens at these centers have been made public.
    • At least in the eyes of the Bush administration, sacrificing the privacy of Americans to the security of the country had proved well worthwhile. But now the pendulum is swinging back, showing once again that our republic values privacy and will act to protect it from abuses--eventually.
    • Facebook
      Here's a kōan for the information age: Why do so many privacy activists have Facebook pages?

    • The roughly one in five Internet users who spend an average of 25 minutes each day on Facebook implicitly face a question every time they type into a Facebook page: Do they trust the site's security and privacy controls? The answer is inevitably yes.

      
      

      That's the reason privacy activists are on Facebook: it's where the action is. It's easy to imagine a future where most personal messaging is done on such platforms. Activists and organizations that refuse to take part might find themselves irrelevant.

    • Scott McNealy, then CEO of Sun Microsystems, famously said, "You have zero privacy anyway. Get over it."
    • Four and a half years later, he told the San Francisco Chronicle, "The point I was making was someone already has your medical records. Someone has my dental records. Someone has my financial records. Someone knows just about everything about me."
    • Today it's not just medical and financial records that are stored on remote servers--it's everything. Consider e-mail. If you download it from Post Office Protocol (POP) accounts, as most Internet users still did in 1999, the mail is copied to your computer and then deleted from your ISP's servers. These days, however, most people use Web mail or the Internet Message Access Protocol (IMAP), which leaves a copy on the server until it is explicitly deleted. Most people don't know where that server is--it's just somewhere "in the cloud" of the Internet.
    • But leaving your data on some organization's servers creates all sorts of opportunities for mishap.
    • All these are security threats--security threats that become privacy threats because it's your data.
    • But one fundamental problem is harder to solve: identifying people on the Internet. What happens if somebody impersonating you calls up a company and demands access to your data?
    • When someone can wreak havoc by misappropriating your personal data, privacy is threatened far more by the lack of a reliable online identification system than it would be by the introduction of one.
    • I believe that we will be unable to protect online privacy without a strong electronic identity system that's free to use and backed by the governments of the world--a true passport for online access.
    • One of the fundamental duties of government is to protect the internal security of the nation so that commerce can take place. For hundreds of years, that has meant creating identification documents so that people can prove their citizenship and their identity.
    • The difficulty of identifying people in the electronic world is a problem for every single company, every single organization, every single website. And it is especially a problem for Facebook and Google, because at a very basic level, they don't know who their customers are.
    • Many privacy activists see mandatory ID cards as one of the hallmarks of a police state. And many state governments fear the costs.
    • For more than 100 years, American jurisprudence has recognized privacy as a requirement for democracy, social relations, and human dignity. For nearly 50, we've understood that protecting privacy takes more than just controlling intrusions into your home; it also requires being able to control information about you that's available to businesses, government, and society at large. Even though Americans were told after 9/11 that we needed to choose between security and privacy, it's increasingly clear that without one we will never have the other.

Would you like to comment?

Join Diigo for a free account, or sign in if you are already a member.