Control and Code: Privacy Online
April 12
Code is law; the architecture of the Internet and the software that runs on it will determine to a large extent how the Net is regulated in a way that goes far deeper than legal means could ever achieve (or at least ever achieve alone). Technological advances have also produced many tempting options for regulation and surveillance that may severely alter the balance of privacy, access to information and sharing of intellectual property. By regulating behavior, technological architectures or codes embed different values and political choices. Yet code is often treated as a technocratic affair, or something best left to private economic actors pursuing their own interests. If code is law, then control of code is power. If important questions of social ordering are at stake, shouldn't the design and development of code be brought within the political process? In this class we delve into the technological alternatives that will shape interactions over the Internet, as well as the implications of each on personal freedom, privacy and combating cyber-crime.
Readings
- Jonathan Zittrain, Future of the Internet, Chapter 9: Privacy 2.0
- Abelson, Ledeen, Lewis, Blown to Bits, Chapter 2: Naked in the Sunlight: Privacy Lost, Privacy Abandoned
- Solveig Singleton, Privacy as Censorship (CATO)
- Noam Cohen, It’s Tracking Your Every Move and You May Not Even Know (NYTimes, March 26, 2011)
Optional Readings
- NPR On the Media Story "Anonymous Justice"
- "Making Sense of Privacy and Publicity." Transcript of talk given by Danah Boyd at SXSW. Austin, Texas, March 13, 2010
- Lawrence Lessig, Code 2.0: Privacy
- http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html
- http://en.wikipedia.org/wiki/Human_flesh_search_engine
Class Discussion
Regarding Cato Institute Policy Analysis No. 295
So, I'm struggling with this analysis piece from the Cato Institute. I used to consider myself to be a libertarian; unfortunately, I'm not sure that term means what I want it to mean anymore. Suffice it to say that some of the core ideas in the Cato Institute piece have resonance for me; namely, the idea that one does not own information, that there is no right not be annoyed or offended, and that there is (significant) societal and economic value in businesses being able to access information concerning their customers (the Slate article I posted below goes into this). That said, the Cato Institute seems to be taking the (rather undesirable) position that there *is* no "right to privacy", and the piece itself seems (to my mind) to be riddled with a number of false equivalencies, leaps in reasoning, and glaring oversights. It seems to unduly privilege one portion of the citizenry (those engaged in business) against another (those engaged in consumption). Now, there is nothing wrong with running a business, or turning a profit (verily, the opposite - such activity is key to both individual and national well-being), but I am skeptical at the idea that direct marketing counts as "free speech" and should therefore be immune to government regulation (indeed, there are numerous precedents for limiting marketing speech), that industry self-regulation has proven adequate, or that concerns about privacy, fraud, and identity theft should be so casually dismissed.
On the ownership of information: clearly we do not “own” information about ourselves; information is not property in the traditional sense, but that does not mean we cannot control the release of certain information under certain circumstances. The article mentions confidentiality for medical records, for instance – but then seems to act as if this is the only sort of information that can or should receive protection. Yet there are other categories of information which we can and do privilege – court proceedings and criminal records, for instance, can be sealed in some cases. While it may be lawful to obtain and publish such information by other means, this is not the sort of free access to information that the article seems to envision. The paper compares gathering (and then selling) statistical information on clients with – of all things – gossip, which (to my mind) is nothing like gathering statistical information. Gossip is a natural social occurrence based on casual observation and the relation of second or third hand accounts. It is nothing like using instruments (in this case computer programs) to take detailed recordings of a person’s circumstances and shopping habits and then processing them mathematically to yield commercially valuable statistics. Gossip is an inevitability that cannot be prevented, or even regulated, beyond the use of social norms (legal means for extreme cases, such as libel, have been shown to be remarkably ineffective). Regulation of business practices, either by law or by voluntary codes of business ethics, is, on the other hand, not merely feasible, but common. Furthermore, no contract (save perhaps the social contract) exists between the causal observer and those observed. In contrast, a contractual relationship exists between the consumer of a good or service and the provider thereof – contracts which are subject to regulation by law. I reject the false equivalency drawn between gossip and the gathering of marketing data, and with it a large portion of the Cato Institute’s argument, which attempts to convince the reader that such data collection is not only similar too, but in light of its greater accuracy, more beneficial to the subject being observed. We can make this rejection, however, without disputing that such marketing information may be of critical value to the business operator, or bring other, legitimate benefits to the consumer.
On the validity of privacy concerns: Furthermore, I find the paper in question entirely too dismissive of consumers’ privacy concerns – as if large corporate marketing databases posed little to no increased risk for those who’s information they contain. Just today, I heard news of a large corporate email database being hacked into (http://losangeles.cbslocal.com/2011/04/04/banks-retailers-warn-customers-after-email-database-hacked/), exposing the customers of several major firms to the potential of spam and fraudulent email. This is not the first such occurrence; indeed, we have seen much more sensitive bank account and credit card data stolen from financial institutions. The Cato institute seems to think that the abuse of cooperate databases can be adequately prevented by industry standards, existing legal penalties, and that the only real danger is that posed by the government. To further its case, it argues that many instances of criminal abuse are essentially inevitable – making the spectacular leap of logic that since certain abuses are not 100% preventable, that there is little value in attempting to increase legal protection against them. This is fallacious at best, disingenuous at worst. It is often said that there is very little one can do to prevent a determined assassin from assassinating a public figure; yet we do not throw up our hands and, say, allow the President to travel unescorted. On the contrary, the Secret Service and other government agencies spend an enormous amount of time, energy, and money attempting to safeguard key public officials by preventing or otherwise making such assassination attempts as difficult as possible. Likewise – to take a considerably more mundane example – even the best bike-lock will not prevent the most determined and organized of bike thieves from stealing or stripping a parked bike. That does not mean we encourage cyclists to leave their bikes unlocked and unattended on the street. I am willing to accept the argument that there is a price to be paid for greater privacy rights and safeguards, and that no such measures provide perfect protection, but I am not willing to entertain the notion that such safeguards are doomed to failure and therefore are of no value to the consumer, and to society as a whole. I am also troubled by the piece’s treatment of direct marketing; namely the glaring omission of any mention of spam email. While direct marketing is no doubt crucial to many businesses, and more tailored marketing would no doubt be a blessing to many consumers, when it comes to email, “junk mail” or “spam” can be crippling to the very businesses who’s interests the Cato Institute seems to have in mind; sorting though hundreds of spam messages a day can have serious impact on productivity for employees who make heavy use of electronic communications as part of their work duties – increasingly efficient spam filters help, but they are not solely responsible for reductions of spam mail; rather governmental regulation and prosecution of spammers has played a vital role in this. I doubt that many recipients of spam mail would be favorably predisposed to the argument that such mail constituted a category direct marketing constitutionally protected as “free speech”. We are not a talking about mere “annoyance” here, as the Cato Institute suggests, but rather a phenomenon that new technology has allowed to grow to such proportion that it has a serious impact on people’s lives, let alone its role as a conduit for illegal and unethical predatory activity. The government is commonly held to have a responsibility to protect citizens from unwanted and intrusive harassment by other private citizens. While the “Lands End” catalogue may not fall into this category, spam mail, as well as persistent telemarketing calls at inappropriate times, increasingly are seen to do so. As a consumer I am inclined to think that the rights of business to conduct their business need to be balanced against the rights of consumers to conduct their lives without undo interference.
On the government and business ethics: The Cato Institute is quite correct to point out the special danger presented by the government and government information gathering, with the unique powers of enforcement it holds over the citizenry. I applaud this healthy skepticism; however, I think the institute’s libertarian biases have blinded it to potential for abuse posed by corporate databases, both by corporations themselves and – in the most glaring omission of the piece – abuse of said databases by the government with the acquiescence (if not outright support) of their private administrators. We have already seen such (mis)use of corporate marketing databases in our current reading: eloquently detailed by Christopher Soghoian on his weblog (http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html). Keep in mind that these databases were never intended to be used for surveillance purposes, but rather intended for just the sort of marketing uses which the Cato Institute is advocating in favor of. The purity of purpose the institute ascribes to business – that is, the pursuit of profit – did not prevent these companies from secretly divulging customer information for (what the institute itself would surely see as) abuse by government agencies. And why should it have? If businesses are conceived for the sole purpose of making profit, then why should we expect them to do anything but what they have done? – namely seize the opportunity to turn the sale of consumer information to the government into a profitable revenue source. The only potential curb on this sort of behavior would be the ire these corporations’ customer base, but since the widespread sale of geo-location and other private information is largely hidden from the public no outcry is possible. Furthermore, while I am sure that the Cato Institute would be quick to demand new restrictions on the government concerning the acquisition of such information (judicial oversight through a system of warrants, and laws requiring transparency in reporting), I am equally sure that the Institute would casually dismiss any need for tighter regulation on the business end. This is troubling to me. Industry self-regulation is only valuable as far as it achieves the desired results; it is only too easy for self-regulation to be corrupted into a self-serving obfuscation. And, as much as we should respect business’ (entirely necessary) role as an engine of societal growth and prosperity, we can still demand that said businesses conform to certain codes of business ethics. Requiring that businesses respect the privacy of their customers by providing clear explanations of how and to what extent customer information will be used, requesting permission for certain uses, and abiding by terms of service agreements which govern these uses is entirely is, to me, entirely reasonable. Telling customers that they can just “opt out” of internet or cell phone use if they are concerned about privacy seems to me to be about as sensible as relying on abstinence-only education to prevent the spread of STDs and unwanted teen pregnancy.
Conclusion:
To synthesize the thoughts presented here: 1) A certain degree of personal privacy is desirable and should be protected. 2) Businesses have a legitimate need for marketing information gathered from consumers who use their services. 3) Therefore, efforts must be made to balance these two nontrivial concerns. 4) Self-regulation is insufficient to guarantee freedom from abuse of corporate consumer information databases. 5) Both the government and private corporations should be restricted in this regard.
Highly tailored direct marketing is the wave of the future. This development cannot be stopped; neither should we attempt to stop it, as it promises significant benefits to both business and consumer. This sort of analysis (http://www.theatlantic.com/business/archive/2011/04/how-the-american-man-spends-money/236888/) is not only critical to business, but can tell us important things about society as a whole. However, this does not mean we need to, or should, sacrifice the entirety of our personal privacy rights on the altar of innovation. Privacy is an important issue, and it behooves us to define with a degree of clarity to what extent a citizen’s personal privacy is to be protected. It is naïve to believe that such protection is of little benefit to society, or that the natural (unregulated) course of evolution will adequately provide for its existence. This is not a call for heavy handed regulation; rather it is a call for serious, objective thought on the subject. I am not sure that the Cato Institute’s advocacy piece (as valuable as it its insights might be) qualifies in this regard. BrandonAndrzej 03:36, 10 April 2011 (UTC)
RE: Privacy as Censorship (typing this on my Blackberry, sorry for any typos)
Singleton says that, "...value does not somehow inhere in a person's name.
Rather, the activities of marketers and list compilers create the value of the name." Really? If the name wasn't worth anything, why collect it? The miner doesn't create the value of the gold, he is mearly the conduit. My name is valuable to marketers because of who I am and what I have accomplished in life. The sum total of what we each accomplish and the labor we expend to produce the income that the marketers seak to extract from each of us among other things is what creates the value of a name.Gclinch 04:33, 12 April 2011 (UTC)
Links
Get in the ring: US, Europe vow to bash out Internet personal privacy protection --Gclinch 21:51, 30 March 2011 (UTC)
New York Times op-ed on new privacy legislation being considered by Sen. Kerry: http://www.nytimes.com/2011/03/19/opinion/19sat2.html?_r=1&scp=1&sq=privacy%20on%20the%20internet&st=cse --[[sjennings 20:03, 6 April 2011 (UTC)]]
Slate's (skeptical) take on online privacy: http://www.slate.com/id/2290719 BrandonAndrzej 03:25, 9 April 2011 (UTC)
Also, a link to the FTC filing mentioned in the above article (regarding Google Buzz): http://www.ftc.gov/opa/2011/03/google.shtm BrandonAndrzej 03:42, 9 April 2011 (UTC)
The internet in action: "My Dad is Li Gang!", courtesy of Know Your Meme. http://knowyourmeme.com/memes/my-dad-is-li-gang-%E6%88%91%E7%88%B8%E6%98%AF%E6%9D%8E%E5%88%9A BrandonAndrzej 06:05, 11 April 2011 (UTC)