Tag Archives: privacy

Internet currency Bitcoin lacks privacy protections

WASHINGTON — Bitcoin lacks the anonymity that many users have come to expect and desire, especially for a currency advertised as “cash for the Internet.”

All transactions made using the online currency are logged in a public ledger to ensure their validity.

“It’s inherent in the system to have it be transparent,” said Jim Harper, a senior fellow at the libertarian Cato Institute and a member of the board of directors at the Bitcoin Foundation. “You could have greater privacy if it was a system that one party controlled, but that would have costs relying on that party to get it right.”

Bitcoin is a digital currency that has no central authority and can be used, in many ways, like cash. Many businesses, from restaurants to WordPress, have begun to accept bitcoin as payment. To get started, it only takes a few minutes to go online to set up a Bitcoin wallet.

“It is fast and free,” said David Barrett, the CEO of Expensify, a company that supports Bitcoin use for international transactions. “It’s secure. And I would say it works everywhere in the world. And it is a very powerful technology for moving money around the world.”

Bitcoin offers an “acceptable level of privacy,” according to Bitcoin.org, which is managed by its developers. And for many Bitcoin users, any potential loss of privacy is an acceptable trade-off to circumvent traditional financial institutions.

“The idea of having this flexible payment system where you can pay someone on the other side of the world without having to turn to Western Union or something, that is quite an appealing concept,” said Sarah Meiklejohn, a lecturer at University College London who has done research on the currency.

Because this cybercurrency is not tied to any country or bank, it can be a relatively stable option for those in developing countries, where the local currency is often unreliable.

But, because of Bitcoin’s transparency, it is relatively easy to track a user’s entire transaction history. The public ledger shows the location of the Bitcoin user who is making a transaction as well as the history of the Bitcoin they are spending.

The public ledger shows a Bitcoin's transaction history and the user's location.


“It is kind of anonymous, but the second that you do any transaction with Bitcoin, every transaction is there,” said Barrett. “Once you pay me a bitcoin, basically I can look at the log and see every transaction you’ve made.”

Bitcoin.org claims no responsibility for any “losses, damages or claims,” for invasions of privacy or thefts, according to its terms and conditions. It suggests encrypting Bitcoin wallets and using secure connections to avoid thefts.

There are ways to improve the anonymity of the currency, but they require a concerted and technology-intensive effort that many do not even know is an option.

“There’s a thing called mixing, which is a process where you commingle your bitcoins with the bitcoins of others and the output of those transactions is harder to trace back to individuals,” said Harper, the Cato fellow. “It might make it a probabilistic calculation rather than drawing a direct line.”

This process is equivalent to moving funds through banks in countries like the Cayman Islands and Panama, which have strict bank-secrecy laws.

Today, some experts are cautious in accepting Bitcoin as a widespread currency. However, many see the Bitcoin concept as one that will remain.

“It’s actually a good alternative to a currency if there is inflation,” Barrett said. “In Venezuela and Africa, it is getting larger adoption. Russia also has a big growth in bitcoin. It’s a safer and less volatile way to keep your currency. Over time, Bitcoin will, in certain parts of the world, become a daily occurrence.”

Bitcoin and its supposed anonymity gained prominence in its role with the Silk Road, an online black marketplace known for selling illicit drugs and weapons. Buyers and sellers were able to connect virtually and use the cybercurrency to conduct anonymous transactions.

“This perception of anonymity might be driving groups towards Bitcoin, but then the transparency is giving law enforcement or anyone interested in these illicit transactions this beautiful view of all of these types of illicit transactions,” said Meiklejohn, the Bitcoin researcher. “Instead of going to somewhere like Western Union and wiring cash over to the Islamic State or whatever, if you’re doing it with Bitcoin then you are creating this paper trail that is never going to go away, literally ever.”

What may scare off more potential Bitcoin users, however, is not its lack of anonymity but the volatility of the currency. In the last 12 months, the value of the currency has fallen by nearly half.

“Maybe I’m just cynical, but it’s hard to see why Bitcoin, as it is now, would achieve widespread adoption, which ultimately is what you would need to have any kind of stable currency,” Meiklejohn said. “So, as long as Bitcoin is this niche market, it is going to remain pretty volatile.”

Privacy: Then and now

Americans value privacy. We close and lock our doors when we get home at the end of the day. We close the blinds when we change clothes so the neighbors can’t peek. If someone wants to visit, they don’t just come over unannounced–they call or text first. In terms of technology, we set passcode locks on our computers and smartphones.

A 2014 Pew Research poll asked people to define “privacy” in one word. The most popular answers were security, secret, personal, alone, information and business.

But today, it’s possible to follow your Internet searches, see who you email, text and call, track your geographical location at all times, monitor your purchases and even track your credit card and phone bills.

The trackers include everyone from family and friends to companies, marketing agencies, the government and law enforcement. From basic information posted on social media, to GPS tracking on your smartphone, people around the world can learn a lot about you from your Internet activity — even when you aren’t intentionally on the Internet. Combining these various components gives them a pretty good idea of what you do, your likes and dislikes, and who and where you are.

You know that nightmare where you’re standing naked in front of an audience? Well, this is the very real 21st century equivalent.

Nearly every app on the modern smartphone is programmed with GPS. Whenever you walk by a Wi-Fi-enabled store, café or home with your Wi-Fi turned on, it registers your device – creating a virtual path of your movement. Do you ever search Google for something, and minutes later see advertisements for it on your sidebar or Facebook? That’s not a coincidence.

In 1965 Gordon Moore, co-founder of Intel, made a prediction known as Moore’s Law: computing power doubles every two years. In other words, computers process large amounts of data faster than ever before. That’s why those Google searches turn into ads so quickly.

Further, the price of data storage is steadily dropping. In 1991, one-gigabyte hard drives cost around $2,700. In 2007, one terabyte (1000x GB) hard drives cost $375. Currently, one terabyte drives cost around $60.

What happens when infinitely faster processing meets infinitely cheaper storage?

“It starts to infringe upon privacy,” said Paul Rosenzweig, cyber and homeland security expert.

So what right do Americans have to privacy?

The Founding Fathers wrote the Fourth Amendment to the Constitution in 1791. It grants citizens the right to be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” Obviously they didn’t have Internet security in mind. Instead, it was a response to Britain’s “general warrant” allowing soldiers total access to search American colonials and their homes.

Let’s translate this to cybersecurity: without a warrant, the government cannot keep surveillance on devices for which individuals have a reasonable expectation of privacy. It also cannot physically take these devices to later use as evidence in court.

Fast-forward nearly 200 years to the Privacy Act of 1974. This legislation came after concerns about the government’s collection, retention and use of personal data. The federal government has a number of databases with information on individuals, both citizens and noncitizens.

The Privacy Act of 1974 set four basic restrictions on the government regarding these databases. First, it required government agencies to show individuals all records kept on them if requested. Second, it set “fair information practices” that agencies must follow when collecting and saving data, such as giving notice that it is collecting the information, how it is storing it and how it is protecting privacy. Third, it restricted the ways information can be shared with other people and agencies. Fourth, it allowed people to sue the government if it violates these regulations.

Even though the Privacy Act was meant to increase government transparency, it contains many exceptions and loopholes.

For example, nongovernment entities, like email and phone providers and app developers, are barely restricted when it comes to information collection. They are legally required to disclose in privacy agreements the information they collect (yes, those long, size five-font agreements that very few people bother to read), but that’s about as far as regulation goes. Further, these companies are required to provide government agencies with these user records whenever requested, leaving virtually no choice.

That’s why privacy advocates like Amie Stepanovich encourage companies to only collect information completely pertinent to the functioning of the business.

Stepanovich is senior policy counsel at Access Now, an international digital rights organization.

Stepanovich also urges further safeguards for personal privacy, such as encrypting emails, turning off smartphone app location services and creating secure passwords for online accounts. While these precautions–ranging from simple to very skillful–can certainly aid in Internet security, there’s no surefire way to be anonymous online.

Privacy professionals know that it’s impossible to function in 21st century society without being active online. They also know that, though it means being tracked, keeping location services turned on for some apps can make life easier and, honestly, more fun. Who wants to carry around – and decipher – a map when a GPS provides voice-activated turn-by-turn directions? Similarly, think about apps like Starbucks’ that send alerts and coupons every time you’re near a store.

We’re okay with giving Starbucks our location, and maybe even letting Google track our searches, if it means we’ll be notified of sales. But when did we consent to give our purchase histories to credit companies, address histories to data aggregation companies, or travel habits and telephone records to the government?

Americans have mixed feelings about digital surveillance. Many are willing to sacrifice some privacy in exchange for stronger national security. Wouldn’t we all rather the government use cyber tracking to identify and stop terrorists before they attack?

But specifically after the Snowden leaks, many Americans have become skeptical of the government’s digital surveillance. The Pew Research poll found that 80 percent of adults believe Americans should be concerned about the government monitoring their phone and Internet activity.

Even more are concerned with company surveillance. That same poll showed that 91 percent of adults “agree” or “strongly agree” that consumers have lost control over how companies collect and use their personal information.

While 61 percent said they would “like to do more” to protect their anonymity online, 76 percent consider that a difficult feat.

Others don’t find any reason for online anonymity.

The “I have nothing to hide” argument is a popular one. But critics say no one wants their entire life exposed, no matter how “good” of a person they are.

Too much privacy may enable corrupt behavior. Too little privacy may bring Orwell’s Big Brother to reality. People act differently when they know they’re being watched, and Americans are being watched now more than ever before.

In 1999, Sun Microsystems CEO and founder Scott McNealy famously said, “You have zero privacy anyway. Get over it.” We may be moving that way.

As Europe’s privacy laws evolve, so must American companies when operating ‘across the pond’

WASHINGTON — In 1998, a Spanish newspaper announced that a man named Mario Costeja González had his home repossessed.

A decade later, González Googled his name and found that the incident came up in search engine results. Incensed, he complained to Google, asking that information related to him be erased because he thought it was no longer relevant.

Google refused and the dispute ended up in court. In 2014, the Court of Justice of the European Union ruled in favor of González.

The ruling may seem like an affront to free speech, but the court’s decision reflected the region’s long-running commitment to privacy protection.

With the global nature of Internet commerce, Google will not be the only American company ensnared by European data protection laws. Many other firms may find themselves – sometimes unwittingly – intruding on European privacy laws, and they are putting more money and effort into coping with this digital clash of cultures.

More than an ocean apart

Citizens in the U.S. and Europe value privacy. But they articulate it differently in legal terms.

Every European citizen has the “right to respect for his private and family life, his home and his correspondence,” according to the 1953 European Convention on Human Rights – and the most significant legislation by the European Union in recent years is a 1995 directive, which outlines core principles its members should observe.

The directive says that governments, institutions and companies should inform citizens of what information is being collected, ensure data is not disclosed to other parties without the individuals’ consent and allow them to access and correct data about them.

The directive has formed the backbone of many European countries’ national privacy laws protecting citizens against intrusions by government and by companies, said Viktor Mayer-Schönberger, an Internet governance and regulation professor at England’s University of Oxford.

One component of the European Union directive states that personal data can be processed only with unambiguous consent given by the subject, among other requirements.

The EU’s Court of Justice ruled in favor of González last year for precisely this reason: Since individuals must give permission for the search engine to handle their data, the companies have to handle requests that their information be taken down.

Privacy law is articulated very differently on the U.S. side of the Atlantic. It is not explicitly guaranteed in the Constitution and only suggested by the Fourth Amendment’s requirement for a warrant for the government to search a citizen’s home.

“What the U.S. lacks is an omnibus privacy law that binds not just the public sector but the private sector as well,” said Mayer-Schönberger. “But the U.S. does have a number of sectoral privacy laws that also apply to the private sector, such as in the context of health data.”

In other words, “privacy in relation to private companies is seen as a species of commercial regulation,” said Bill McGeveran, an information law professor at the University of Minnesota.

The implication of this is enormous for companies wishing to collect and process information about their consumers.

“In Europe, you can only do so if the law says you specifically can, but in the U.S. you can collect data about anyone, anytime, unless there’s a law that prohibits it,” said McGeveran.

“Data is a resource in Europe and the U.S. but in Europe, it’s something in the ground and you need to ask permission before you can mine it.”

Why Europe and America differ on privacy issues

People in the U.S. want privacy just as much as people in Europe, Mayer-Schönberger emphasized. But there is no single easy answer for why data protection legislation is more clearly laid out in Europe.

Europe’s tangled history with data privacy could be a reason – the Nazis used personal data to target marginalized communities during the Holocaust, and in the 1980s, privacy advocates in Germany protested against a census in West Germany that asked questions they deemed too invasive.

“As Germany has always been a key power broker in the EU, that spilled over into the European debate,” he said.

Fred Cate, a law professor at Indiana University, said the U.S. economy’s reliance on technology is also an important reason.

“The U.S. is huge on data innovation – privacy is important, but so is economic success,” he said. “There isn’t a European search engine that can compete with Bing and Google, and so fewer European companies are using privacy as a competitive tool.”

What this means for American companies

For American companies, complying with European privacy laws is a complex process because the level of enforcement varies from country to country. McGeveran said that while privacy regulators in England and Ireland tend to be more cooperative, Spain and Germany are tougher on firms, slapping violators with fines.

Firms may have to jump through additional legal hurdles to do something like moving internal company data, such as payroll information, out of Europe to the U.S.

The clashing regulations could put companies in a legal quandary.

Cate cited the example of a company that was required by a U.S. court to produce certain data that the German government prohibited it from obtaining. “You’re stuck between a rock and a hard place,” he said. “Whose law do you choose to violate?”

American companies therefore must plan carefully when operating in Europe, especially with the ever-changing Internet landscape and the privacy concerns it has raised.

“They cannot assume that their structure and business model in the U.S. can be duplicated in Europe without any modifications,” McGeveran warned.

The 2014 European decision about Google highlighted this challenge starkly. Search engines have scrambled to cope with the new development in European privacy law.

Google and Yahoo have set up online forms for users to submit removal requests.

To date, Google has approved 286,814 – or 40 percent – of the removal requests they have received, after judging whether the results were outdated, inaccurate, inadequate, excessive or of interest to the public.

Yahoo has set up a similar intake form as well as a task force to figure out how to process the removal requests, said Laura Juanes Micas, a senior legal director of international privacy at the search engine company.

“This situation was about a particular case in Spain and it has been challenging to create general rules for all removal requests from this one case,” she said.

She added that the ruling placed the burden on search engines to figure out how to balance the rights of the individual to privacy and a third party’s right to freely express themselves on the Internet – but this was hard for private companies whose main duty is to make a profit and serve their customers.

American search engines are not erasing search results in non-EU web domains for now, meaning that the information would still be viewable in the U.S. version of Google, for instance. However, European regulators are pushing them to apply the ruling for all web domains, said Lucio Scudiero, a privacy legal counsel in Italy and fellow at the non-profit think-tank Italian Institute of Privacy.

“I expect this issue to end up in courts on both sides of the pond soon,” he warned.

Should corporations give the government information after a hack?

The Privacy Game

In a hyper-connected world where people click through each other’s photos on Facebook, follow each other’s thoughts on Twitter and track each other’s careers on LinkedIn, personal information is everywhere. It was hardly surprising when Facebook founder Mark Zuckerberg said that privacy is no longer the social norm. Thanks to Zuckerberg, people voluntarily post their photos, relationship status, political views and sexual orientation on an easily accessible website. What may surprise you, though, is what else you reveal about yourself each day – and who’s collecting your personal information. Did you think about the privacy implications when buying coffee with your Starbucks Rewards card, posting your highest score on Angry Birds or logging into Netflix? How much do you reveal in a day? Play The Privacy Game to find out!

Created by Jessica Floum and Ellen Garrison

Rise of the machines: domestic drones take off

(Defence Images/Creative Commons)

WASHINGTON – Drones – the same unmanned aircraft used for attacking the Taliban and killing Islamist terrorists – could soon come to a sky near you.

On Feb. 14, President Barack Obama signed the Federal Aviation Administration’s Modernization and Reform Act of 2012, accelerating the timetable for unmanned air vehicle use in U.S. skies. The bill greenlighted both public and private UAVs – or drones – for domestic liftoff by September 2015.

But privacy advocates are hotly protesting the law, warning that the FAA bill is the first step down a dangerous road to a surveillance society. UAVs’ high-tech cameras and sensors, they say, coupled with the current lack of regulation regarding drone use, could lead to a nation in which Big Brother watches from the sky.

The FAA previously blocked domestic UAV use due to safety concerns. But the military’s growing drone arm – they now make up a third of military aircraft – has driven improvements in the sense-and-avoid technology that helps prevent mid-air collisions.

Experts agree the bill opens the door for a commercial industry that could bring UAVs to any area from crop dusting to personal photography.

Drones’ main draw, however, is in the public sector – and therein lies their main controversy.

Advocates like Rep. Buck McKeon, R-Calif., say bringing UAVs to U.S. skies will lead to unprecedented gains in border defense, public safety and emergency response.

“Our state and local law enforcement agencies need a faster, more responsive process,” McKeon said in a statement. “Our neighborhoods deserve safer streets, and these systems can help provide that.”

Source: FAA Modernization and Reform Act of 2012 (David Uberti/Medill)

Opponents of the FAA bill don’t dispute drones’ policing capabilities. But they say the same components that allow drones to stalk and strike terrorists in the Middle East and South Asia will be used to scout crime scenes, follow suspects and patrol wide areas. Thermal imaging, for example, makes it easy to look at suspects inside buildings. And high-resolution cameras let operators follow several subjects simultaneously.

The rapidly improving technology is privacy advocates’ main concern. The FAA expects as many as 30,000 UAVs – as minute as small birds and as large as the 116-foot Global Hawk – to fly in U.S. skies in 10 years.

Keeping up with technology 

“The technology is getting cheaper and more powerful and smaller,” said Jay Stanley, a policy analyst for the American Civil Liberties Union. “It’s entirely predictable that the use of this technology will spread greatly unless there are obstacles put in its way.”

Stanley wrote a December ACLU report urging the FAA to expand its regulations to include privacy measures – not just safety guidelines. Although the air agency has repeatedly denied this responsibility, civil liberties groups insist that ensuring personal privacy helps protect individuals on the ground.

If the FAA doesn’t consider privacy safeguards in its UAV regulations, advocates want Congress to fill the gap. The main concerns are overuses by government and law enforcement agencies that include mass surveillance, video retention and see-through imaging, Stanley said.

“It’s important that these protections be put in place in the infancy of this technology so that everybody understands the ground rules of the game,” he said.

But UAV supporters think otherwise. Ben Geilom, government relations manager for the Association for Unmanned Vehicle Systems International, said current regulations for manned aircraft should extend to their unmanned counterparts.

“The aircraft itself…is new and maturing,” he said. “But the systems payload – the cameras and sensors that are on the unmanned system – are not new. In fact, they have been used by law enforcement and others on manned aircraft for decades.”

Small drones are able to hover outside of house windows to capture images and sounds, but that doesn’t mean it’s legal under current air regulations, Geilom said. Most of the privacy fears, he added, are due to unfamiliarity.

“With any new technology, there will certainly be the ability to abuse that technology,” Geilom said. “But there are also safeguards that are already in place that can serve as the framework.”

Complicating things further is that drone technology is progressing at a furious pace. The last time Congress passed a comprehensive FAA bill before February’s legislation was in 2003, when UAVs were in their infancy.

Future regulations should be limited to “broad safety parameters,” Geilom said, as more-detailed guidelines will be hard pressed to keep up with the accelerating technology.

“If unmanned aircraft can prove that it can seamlessly and safely integrate into the current manned aviation airspace…then they certainly should be able to integrate,” he said.

Medium to large-sized drones used by the U.S. military. (Congressional Research Service)

Public up in the air

Despite widespread support from law enforcement agencies and the defense industry, the public remains deeply divided over domestic drone use. A February Rasmussen poll found that only 30 percent of voters approve of UAVs flying in American skies.  More than half, meanwhile, oppose it altogether.

Congress has thus far ignored any privacy concerns, including few regulations in the FAA bill and making no effort yet to add rules elsewhere.

Privacy advocates – notably the ACLU, Consumer Watchdog and the Electronic Privacy Information Center – called for added guidelines in a Feb. 24 petition to the FAA. Regulations must be added to keep up with UAV technology, they wrote, because drone use “poses an ongoing threat to every person residing in the United States.”

But law experts question the likelihood of such safeguards. Ryan Calo, director for Privacy and Robotics at Stanford University’s Center for Internet & Society, said that U.S. privacy law doesn’t hold back drone use.

The Supreme Court ruled in 1986 that no warrant was required for government agencies to take aerial photographs of a person’s backyard. And in 1989, the justices ruled that police do not need warrants to observe private property from public airspace.

“Citizens do not generally enjoy a reasonable expectation of privacy in public, nor even in the portions of their property visible from a public vantage,” Calo wrote in the Stanford Law Review. “Neither the Constitution nor common law appears to prohibit police or the media from routinely operating surveillance drones.”

Geilom and others within the UAV industry insist current rules for manned aircraft will suffice for domestic drones. Over-regulation of a potentially lucrative industry before it gets off the ground could squander opportunities for not only law enforcement, but also photographers, real estate agencies and farmers, they say.

Opponents, however, paint a much darker picture. Only a few hundred of the 19,000 law enforcement agencies in the country have a manned aircraft arm. Stanley said the ACLU fears that without further privacy protections, government organizations could overuse or mishandle such drone technology.

“That would fundamentally change the nature of our public spaces and public life and the nature of the relationship between an individual and government,” he said. “It’s not a road we should not go down.”

Supreme Court decision leaves unanswered questions on GPS tracking

(Mike Renlund/Flickr)

WASHINGTON — As Antoine Jones drove his Jeep Grand Cherokee around the Washington area in the fall of 2005, he was simply going about his daily routine. But unfortunately for Jones, whose daily routine involved frequenting a drug stash house in Maryland filled with $850,000 and 97 kilograms of cocaine, the U.S. government was watching.

Thanks to a global positioning system covertly placed in the underbelly of Jones’ car, the government was able to track and record the Jeep’s every move.  But Jones challenged the legality of evidence, saying the GPS had not been installed within the time frame or physical jurisdiction outlined by the court in issuing a search warrant. The government argued that the GPS placement didn’t actually constitute a search under the Fourth Amendment so the fact that police had not followed the warrant guidelines was irrelevant.

In what many viewed as a strong victory for privacy rights, the Supreme Court unanimously ruled that the attachment of the device was a search under the Fourth Amendment, thus requiring a warrant. But while the opinion authored by Justice Antonin Scalia answered the specific question in regards to a “physical search,” it was mum on the broader implications of the ruling.

“[The case] simply left for another day whether monitoring a device that had been preinstalled or otherwise gathering a large quantum of data on somebody would also raise a Fourth Amendment issue,” said David Gray, an associate law professor at the University of Maryland’s Carey School of Law.  “That was the ground that the four-justice concurring opinion by Justice [Samuel] Alito was ready to reach, but the narrower ground identified by the Scalia majority didn’t need to get there, so it didn’t.”

This narrow ruling was not unusual, Gray explained.  Courts usually try to “reach the narrowest grounds for a decision” and, because the court did not believe that the larger issue was adequately presented, Gray believes it would have been “irresponsible” to extend the decision more broadly.

A whole new level of technology

The Jones decision was built off of the Fourth Amendment, which protects “the right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures… [unless] upon probable cause, supported by oath or affirmation.”  Over time, the amendment has been understood to assert the necessity of a search warrant before law enforcement can begin a search of people or property.

While the U.S. government did concede that officers had violated the terms of the warrant, the lawyers argued that GPS tracking did not require a warrant, citing previous cases that ruled placing a homing beacon on a car did not require a warrant.  However, the defense asserted that GPS technology was exponentially more intrusive than the homing beacons, which essentially allowed police to track the beacon only when they were within its line of sight.

“This is an exceptional form of technology in terms of what resources have been available to law enforcement in the past,” said Kendall Burman, a senior national security fellow at the Center for Democracy and Technology.  “They are able to track individuals and cars in this instant without the use of human beings.”

The third party doctrine

Because Scalia’s ruling stated that the “government physically occupied private property,” questions continue to arise in regard to “nonintrusive” searches.

The Supreme Court’s third party doctrine outlined in United States v. Miller explains that citizens cannot expect privacy protection under the Fourth Amendment over information they disclose to a third party.  When coupled with the growing amount of location information collected by private companies, this doctrine allows companies to use this information however they see fit.

Graphic by Ben Kamisar

John Villasenor, a senior fellow in the Center for Technology Innovation at the Brookings Institution, said that as private companies continue to amass mountains of information on the general public, location tracking without a “physical search” that would require a warrant under U.S. v. Jones is already becoming less relevant.

“Technology has changed so much that a lot of us have our locations tracked anyway without a warrant, so the issue of before-the-fact warrants will, in many cases, be less important than it was even when the events that led to Jones started,” he said.  “…The location data to track you and me and almost everyone else is already stored somewhere.  The question is, [who can] go and get it.”

As of March, a Pew Internet report found that 46 percent of American adults use a smart phone.  These devices, which mostly run on operating systems created by Apple or Google, collect location data which is aggregated and stored by the company.

Justice Sonia Sotomayor addressed the issue of the third party doctrine in her concurrence, where she mentioned the possibility of reviewing the doctrine.  Burman said that she was “heartened” to see Sotomayor question this doctrine and hopes that the court will address situations where people are not intending to lift the “veil of privacy” from their activities.

“I think the concurrence really draws that doctrine into question,” she said.  “The strength of [Justice] Sotomayor’s concurrence along with [Justice] Alito’s suggests that there is a real opportunity to reevaluate what the third party doctrine means.”

But while Gray understands the need to re-evaluate the doctrine, he believes that the current doctrine “reflects a pre-existing assessment [of] the proper balancing of interests under the Fourth Amendment” between private rights and the ability of law enforcement to perform their duties.  In his view, there are many legitimate circumstances in which law enforcement should be able to work with private companies. As a hypothetical example, he cited a social network company turning evidence of criminal activity over to the police of its own accord.

“If you had a broad rule that any information that was detected and aggregated by a private company could not be shared with government without violating the Fourth Amendment, then you would essentially be building this artificial wall that would dramatically limit the ability for law enforcement to get involved in circumstances we would like them to get involved,” he said.  “It’s going to be hard to make the case that building an artificial wall best serves the proper balance.”

Cash is king: Jim Harper and privacy in the digital age


WASHINGTON — After his first year of law school, Jim Harper was driving across the country with a friend when sirens suddenly started flashing in his rearview mirror.

Harper, who is now the director of information policy studies at the Cato Institute, said in a mid-February interview that what ensued after he pulled over ultimately shaped his libertarian outlook on life.

The police officer, Harper recalled, told him he detected the scent of marijuana and not only brought out a drug-sniffing dog to search the car, but also a television show crew to document the process.

“I thought to myself, ‘If a police officer can invent a smell and take well-educated, well-spoken white guys out of the car and mess with them, imagine what it’s like for people who aren’t as well-educated or from minority communities,'” Harper said. “What do you suppose life is like for them?”

Such questions have formed the ideological basis of Harper’s career, which coincided with the Internet’s rise in the mid-1990s and early 2000s.

He served as a founding member of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee in April 2005, providing input at the intersection of personal information and national defense. In his free time, he began laying the groundwork for his own consulting firm.

He joined Cato in September 2004, shuttering his private consulting firm, Policy Counsel.

Harper explained he lost his “team mentality” in transitioning from the Department of Homeland Security to the lobbying industry to the libertarian-leaning think tank.

“Once I left the Hill, I really abandoned the idea that one party is better than the other,” he said. “It’s all about policy — I work on what the right policy is.”

For libertarians, the right policy tends toward less government intervention in Americans’ day-to-day lives, Harper explained.

“It’s so important for individuals to protect themselves, rather than rely on the government to protect them,” he said.

Harper downplayed the notion that the country is at risk for another large-scale terrorist attack, saying that he is not concerned if someone in a foreign nation declares he or she is targeting the United States because it’s that person’s ability to actually carry out those intentions that matters.

“Terrorists have very little capability — happily so,” Harper said. “They got lucky on 9/11, but they won’t get lucky again.”

Instead, Harper suggested Americans should be more focused on little-known threats against their civil liberties on the home front. For example, he pointed to Internet monitoring as a real danger most Web users overlook.

He added it’s “very likely” that the National Security Agency, which operates under a confidential federal budget, has peeked at Americans’ Internet browsers on occasion.

“They might have everything that happens online — the surveillance possibilities are enormous,” Harper said. “And obviously the civil liberties consequences are enormous as well.”

His advice for privacy-minded citizens:

– Educate yourself about how both technology and government work.

– Know that every time you swipe your credit card or turn on your cell phone, your personal data is being recorded and stored somewhere.

Those pointers hark back to Harper’s first brush with libertarian principles as sirens flashed in his rearview mirror almost two decades ago.

“We need government for some things, but the power of government can be readily abused,” he said. “If I was a victim of a small abuse, the other people in my society could be living with huge abuses.”

Story by Patrick Svitek
Video by Ed Demaria, Rebecca Nelson and David Uberti

Who’s afraid of the World Wide Web? Major advertisers agree to ‘do not track’ technology

WASHINGTON — In an effort to ensure online privacy for consumers, major online advertisers have come together after more than a year to install “do not track” technology into Web browsers in compliance with new White House privacy guidelines.

The technology is one of several requirements included in the Obama administration’s “Privacy Bill of Rights” announced this month.

A “do not track” button allows users to opt out of having their Web history tracked by third parties, including advertising networks, analytics services and social platforms. These groups commonly use consumer data to craft customized ads and other offers related to employment, credit, health care and insurance.

However, the button will not put an end to all tracking. Advertisers will still be able to use online consumer information for market research and product development. In addition, all online data will still be available to law enforcement officials.

Loopholes will still exist for certain companies as well, according to Consumer Reports. Even if users click the “do not track” button, Google will be able to track searches if conducted while users are signed into Google services, such as their Gmail account. The same is true for Facebook, which will be able to track logged-in users through the “Like” and “Share” buttons on outside pages.

“It’s a good start,” Christopher Calabrese, legislative counsel at the American Civil Liberties Union, said of Obama’s privacy initiative in an interview with the Wall Street Journal. “But we want you to be able to not be tracked at all if you so choose.”

Implementation of “do not track” is not new – several companies already offer the technology on their browsers, including Mozilla’s Firefox and Microsoft’s Internet Explorer. Apple has promised a version of the button in its next edition of Safari, according to The Washington Post. Google is expected to install the button on its Chrome browser by the end of this year.

Despite the option’s presence and calls to implement it by the Federal Trade Commission beginning in 2010, until recently all advertisers had not agreed to honor the system.

Now, 400 companies in the Digital Advertising Alliance have agreed to abide by the request from the White House, according to reports from the Wall Street Journal.

“Central to the value proposition of the Internet is trust,” said a representative for the group in a statement. “Consumers must trust that their personal data will be kept private and secure as they surf the Web aboard myriad devices seeking news, services and entertainment tailored to their very personal interests.”

“[This] marks not the end of a journey, but the beginning of an important collaboration among government, business, and consumer organizations to assure that the free Internet…can continue to flourish.”

Members of the Alliance will begin honoring the agreement within the next nine months.

The White House released its bill on Thursday, after the conclusion of a two-year study on the collection of consumer data online. The proposal outlines seven privacy guidelines pertaining to personal data: individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

The framework would allow users more personal control over what information is collected about them and how it is used.

According to PC Magazine, even if the administration’s rules are not approved by Congress, the measures could still be put in place if a cohesive industry agreement is made.

 

Social network apps criticized for downloading data

WASHINGTON — Several social media companies came under fire last week after the discovery that they were downloading users’ full address books – without their knowledge or consent.

Programmer Arun Thampi discovered last week that Path, a social journal application, downloaded his entire iPhone address book, including names, phone numbers and email addresses, without his consent. Path executives responded by explaining that the data were used as part of a method to find other users on the network. They have since promised to delete the data and improve the transparency of their app.

Path, however, is far from the only social media app that downloads information without permission, according to a Los Angeles Times interview with Path CEO Dave Morin. Morin said downloading information this way “is currently the industry best practice and the App Store guidelines do not specifically discuss contact information.”

Twitter, a much more prominent social media network than Path, uses similar data collecting practices. According to the Times, Twitter executives confirmed that the “find friends” feature on the Twitter mobile app allows the company to download users’ entire address books, including email addresses and phone numbers, and store them for up to 18 months.

On the Twitter mobile app, the “find friends” feature allows a user to “scan your contacts for people you already know on Twitter,” but does not inform users that their address book information is being downloaded.

In a statement, Twitter spokeswoman Carolyn Penner said new updates on the app would add transparency to the downloading process by “updating the language associated with Find Friends — to be more explicit. In place of ‘Scan your contacts,’ we will use ‘Upload your contacts’ and ‘Import your contacts.’”

The Path news also brought scrutiny of Apple for its policy regarding apps that download user information. According to The Washington Post, the Android version of Path warned users about the information collection, while the Apple version did not.

The New York Times reported that according to Lookout, a mobile security company, more than 10 percent of free apps in the iTunes store had access to user contacts.

“What separates malicious use from legitimate use is the element of surprise. If a user is surprised, that’s a problem,” Kevin Mahaffey, Lookout’s chief technology officer, told The New York Times.

In response to these issues, Reps. Henry Waxman, D-Calif., and G.K. Butterfield, D-N.C., both members of the House Energy and Commerce committee, sent a letter to Apple questioning the implications of the company’s privacy standards.

The letter said the discovery of Path receiving information “raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts,” according to Reuters.

An Apple spokesman responded by suggesting that apps that collect user data without permission violate Apple guidelines, according to Reuters.

“We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release,” the spokesman told Reuters.