Paper is the New Black

It’s Friday, it’s April and it’s snowing - this is no time for serious stuff.  We’ll do the Big Data thing next week.  Today let’s talk more about paper instead.

As we said earlier this week, paper has many advantages not found in the digital world – security being one. Now we find that it’s possible to sync paper to the cloud. All you need is the Mod. It’s an old school notebook that lets you think analog and store digital.

If you need instruction in pencil sharpening, go here and order How To Sharpen Pencils: A Practical & Theoretical Treatise on the Artisanal Craft of Pencil Sharpening for Writers, Artists, Contractors, Flange Turners, Anglesmiths, & Civil Servants.

Yes, Fast Company, paper is awesome.

Posted in Big Data, Friday Fun, Fun Facts, Old School

For the Ultimate in Bitcoin Security – Use Paper

You can’t make up this stuff.

From an Ars Technica article:

Carlson continues to store bitcoins both on hosted platforms like Coinbase and Blockchain.info. He also keeps bitcoins on his own hardware and uses paper wallets stored in a bank vault as a sort of low-tech backup. Bitcoin paper wallets contain a wallet’s Bitcoin address and private key, and, if secured properly, it can be one of the safest ways to store bitcoins.

From Blockchain.info – self-described as “Bitcoin’s most popular bitcoin wallet and block explorer.”

Paper Wallet Advantages

  • Protection from malware and keyloggers.
  • Maintain 100% ownership of your private keys. You own the coins not a 3rd party service.
  • No dependence on the security of any website.
  • Keeping a piece of paper safe is easier than keeping your computer secure.

That’s right – keeping a piece of paper safe is easier than keeping your computer secure.

Here’s another idea:

Want to communicate with no risk of interception by the NSA?  Use the mail – the one with stamps and envelopes. The only code you’ll need is a zip code.  Plus – it’s open source technology.  Get some stationery and ask someone over 50 how it works.

Neither snow nor rain nor heat nor gloom of night can stop it!

This is fun.

Posted in Big Data, Bitcoin, Data Security, Fun Facts, Privacy, Technology

Data Governance and the Law – Facebook’s Acquisition of WhatsApp Might Bring Some Needed Clarity

By now it should be clear to everyone that when you have a privacy policy you are expected to abide by the terms of that policy.  So, for example, if your privacy policy says you will not disclose any personal information that you collect, you should not disclose any information that you collect. 

But what if you change your privacy policy?  What if your new privacy policy says that you have the right to disclose personal information that you collect after, let’s say, December 31, 2014?  Presumably that means that you can disclose any personal information that is collected after December 31, 2014.  But that should not give you the right to disclose personal information that you collected before January 1, 2015. 

This raises a data governance problem.  How do you separate (and keep separate) two bodies of information that are collected at two different times under two different rules?

Here at Big Data and the Law we assume this happens more frequently than we hear about.  Perhaps in some cases the changes in privacy policy aren’t significant and don’t require a change in information practices.  In other cases, the collecting parties might have data governance practices that can handle any problems that result from privacy policy changes.  It’s likely, however, that the issue is just ignored in some cases and no one notices.

In this case — people noticed.  The Electronic Privacy Information Center and The Center for Digital Democracy filed a complaint with the Federal Trade Commission (FTC) in which they assert:

  • Facebook routinely incorporates data from companies it has acquired.
  • WhatsApp’s privacy policies and official blog posts reflect a strong commitment to user privacy.
  • WhatsApp’s messaging service regularly collects and stores virtually all available user data.
  • The Commission has previously found that a company may not repurpose user data for a use other than the one for which the user’s data was collected without first obtaining the user’s “express affirmative consent.”
  • By failing to make special provisions to protect user data in the event of an acquisition, WhatsApp “unreasonably creates or takes advantage of an obstacle to the free exercise of consumer decisionmaking.”
  • Specifically, WhatsApp users could not reasonably have anticipated that by selecting a pro-privacy messaging service, they would subject their data to Facebook’s data collection practices.
  • Therefore, WhatsApp’s inadequate disclosures constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(n).

We’re skipping around a bit here, but we invoke the blogger’s right to summarize and generalize for the sake of brevity.

The complaint makes these requests for FTC action:

EPIC urges the Commission to investigate WhatsApp, Inc., and enjoin its unfair and deceptive data collection practices for any future changes to its privacy policy.

Specifically, EPIC requests the Commission to:

a. Initiate an investigation of the proposed acquisition of WhatsApp by Facebook, specifically with regard to the ability of Facebook to access WhatsApp’s store of user mobile phone numbers and metadata;

b. Until the issues identified in this Complaint are adequately resolved, use the Commission’s authority to review mergers to halt Facebook’s proposed acquisition of WhatsApp;

c. In the event that the acquisition proceeds, order Facebook to insulate WhatsApp users’ information from access by Facebook’s data collection practices; and

d. Provide such other relief as the Commission finds necessary and appropriate.

Which brings us to the point – what might we learn from the FTC addressing the EPIC/CDD complaint?  We’re hoping the FTC answers these questions:

1. Can information collected under the terms of a privacy policy be used in a manner that is inconsistent with the terms of that privacy policy?

2. Can the FTC intervene in a situation where there is only a possibility or risk of comingling information collected under two or more different rules or assumptions?

3. What remedies can the FTC impose if the FTC finds that possibility or risk?

Justice Oliver Wendell Holmes, Jr. said, “Great cases, like hard cases, make bad law.”  We’re hopeful for good law to come out of this case, because the facts of the case are clear – even if the issues are not. 

The complaint can be found here: http://www.centerfordigitaldemocracy.org/epic-and-cdd-file-unfair-and-deceptive-practices-complaint-ftc-facebookwhatsapp-deal-whatsapp-users

Posted in Big Data, Data Blending, Data Governance, Facebook, Federal Trade Commission, Privacy

Maybe Edward Snowden Works for Google, or Facebook, or Microsoft, or One of those Guys

Ok, probably not. 

But consider who benefits from all the attention the NSA thing is getting.  Answer: all those other organizations that collect information about you.  We discussed this previously here at Big Data and the Law.  The NSA gets some of its information from those folks - in fact the NSA has gotten information from all of these folks:

Microsoft – Yahoo – Google – Facebook – PalTalk – AOL – Skype – YouTube – Apple

Some of them have joined the protest against the NSA.  We here at Big Data and the Law would never question their motives.  But, for the time being the focus on the NSA seems to have taken attention away from them.  So they are benefitting.

Let’s consider what we’re ignoring while there is such an all-consuming focus on the NSA.

Well first of all, our friends in the private sector continue to collect lots of information about us.  Sometimes we agree to give it to them. 

We don’t always want to volunteer our information.  But in some cases our choice is to agree to give up personal information or lose access to technology we want or need.  Sometimes we have to participate in social media (with the consequent need to disclose some of our personal information) or lose timely access to financial information that might affect our investments.

Sometimes our information is collected without any participation from us.  By these guys for example.

There is another way in which our information can be obtained without our disclosing it.  Information that we did not disclose can be discovered through the analysis of information that we did disclose.

And what about the things that are being done with our information? 

No doubt we don’t really know what the NSA does with the information that it gathers.  But, what about the uses of our information that we do know about and that should also be concerning to us?

For example, what about using our on-line information in hiring decisions?

Questions about collection, and questions about use. 

What else are we ignoring?

Well, one big thing we seem to be ignoring is the exposure of our information to data breaches.  For example, the very concerning data breach at Facebook.

And what about public entities other than the NSA?  What about countries other than the United States?

For some reason we seem to have forgotten that the United States is not the only country that gathers personal information. 

Consider this from a former French foreign minister:

“The magnitude of the eavesdropping is what shocked us,” Bernard Kouchner said Tuesday in a radio interview. “Let’s be honest, we eavesdrop too. Everyone is listening to everyone else. But we don’t have the same means as the United States, which makes us jealous.”

We don’t mean to pick on France.  As the man said, “Everyone is listening to everyone else.”  Russia, for example, is expanding Internet surveillance even though many think that new surveillance is not legal under Russian law. 

This week we had “The Day We Fight Back”.  That’s fine. 

We here at Big Data and the Law don’t want to rain on anyone’s parade.  If you have a problem with what the NSA is doing, there is no reason why you shouldn’t make an issue of it. 

But why is it that “The Day We Fight Back” seemed to be focused on only the United States?    Wrong is wrong – yes? 

Protest is easy.  It’s harder to reach agreement on some principles and to apply them generally – to both the private sector and to the public sector - and to all governments.  Objective principles – not subjective principles.

One more thing.

Let’s look at ourselves a little.  It’s not only business and government that collect information without the consent of those from whom it is collected.  Sometimes it’s individuals acting on their own.

We haven’t heard anything about that yet.

Posted in Big Data, Edward Snowden, NSA, Privacy

Senate Continues Data Broker Investigation – Talk of Data Privacy and Security Legislation

Senate Investigation

On December 18, 2013, the US Senate Committee on Commerce, Science and Transportation held a hearing titled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”   

Following up, Committee Chair Senator Rockefeller has now sent requests for information to six data brokers. 

As described in a press release from the Committee (referencing the December 18, 2013 hearing):

Rockefeller sent letters today to six companies, including two – NextMark, Inc. and MEDbase200 – that were highlighted in testimony presented at the hearing as data brokers that produce lists of consumers exhibiting certain financial and health characteristics, such as “Empty Wallets,” “African American Pay Day Loan Responders,” and “Dementia Sufferers”. Four other letters were issued to Acxiom, Epsilon, Experian, and Lexis Nexis – companies that were part of Rockefeller’s initial inquiry into data brokers that sell products focused on consumers’ financial circumstances.

This might sound familiar.  You might have seen the recent incident when a man received some junk mail from OfficeMax that was addressed to “Mike Seay, Daughter Killed in Car Crash.”  Mike Seay’s daughter was in fact killed in a car crash.  (To make things worse, the letter was also addressed to “Or Current Business.”)

Hope for Privacy and Data Security Legislation?

There are rumors of momentum toward something getting done this year on data privacy and security legislation.

According to The Hill:

Several lawmakers in Congress are optimistic that a new law to protect consumers’ data from being stolen can be passed quickly, weeks after major hacks dominated the headlines.

So it appears that there is interest in data privacy issues in Congress.

On the other hand, in the very next sentence in the same article, The Hill notes:

The retail and banking industries have begun to face off over potential new legislation, with each worried that new provisions could unduly affect their businesses.

It’s always something.

Strangely though, The Hill brings hope in the form of Republican Congressman Joe Barton:

“It’s one of the few issues in the next 10 months that the House and the Senate can work with the president on,” he said. “I’ll go out on a limb here and predict that we’ll actually do that.”

Can those three work together on anything though?  Certainly it seems that data privacy hasn’t been one of those “few issues” they can get resolved.  For evidence, I note the failure to enact bills for:

Data Security and Breach Notification Act of 2011

Data Security and Breach Notification Act of 2012

Data Security and Breach Notification Act of 2013

A definite pattern.

But that was before the Target incident.  Maybe that’s enough to get things moving.  Already this year we have proposals for:

Personal Data Privacy and Security Act of 2014

Data Security Act of 2014

Data Security and Breach Notification Act of 2014

Commercial Privacy Bill of Rights

That’s just the Senate stuff, and that’s just as of this writing.

So maybe something can happen.  But then ….

The Problems are the Problem

As we know, there are a lot of privacy and data security problems to solve.  Data breach notification is a problem.  It’s a pretty simple problem though, as privacy and data security problems go.  No doubt that simplicity will make data breach notification a focus (probably the focus) of any successful privacy and data security legislation.

What about all the other data privacy problems?  Here at Big Data and the Law, we’re betting those problems are too hard for Congress to deal with.

Look at the 2011, 2012 and 2013 bills (below).  Note how simple (and similar) they are, and ask yourself why such simple legislation couldn’t get passed.  Then ask yourself whether anything more complex could possibly get passed.

Additional Information on the Senate Data Broker Investigation

You can see an archived webcast of the December 18, 2013 hearing.

This is the Majority Report presented at the hearing:

This is Senator Rockefeller’s letter to Acxiom:

In a post here at Big Data and the Law you can see an example of the scope of personal information that data brokers collect.  In this case, at Versium Analytics – a company with “…billions of records with billions of real life attributes on consumers and businesses.”

Background on the Privacy and Data Breach Legislation

2011, 2012 and 2013 bills

2014 Bills

Posted in Big Data, Data Brokers, Data Security, Policy, Regulation

A Marketing Expert Thinks Business should Take Privacy Seriously – and that You Don’t Understand how Your Privacy is Being Violated

I don’t know enough about marketing to know who is a real marketing expert, but Jonathan Salem Baskin seems to be a big deal in the marketing business.  He writes for Forbes and Advertising Age and consults a lot.  Look at his website.  Impressive stuff.  He must be an expert.

In this article in Advertising Age, Mr. Baskin says that business should:

Figure out how to do a better, more proactive job of telling consumers what we know about them, what we do with that information and why. What we’re doing now isn’t enough, and we know it. We should prepare for — if not proactively prompt — a better, more-informed conversation about privacy before we get hit over the head with it.

We here at Big Data and the Law agree.

It’s in the best interest of the business community to assert some leadership on privacy matters, and the business community hasn’t been doing it. 

Maybe Mr. Baskin’s advice is based on the poor showing of the business community in this regard.  Consider the reaction to the California mobile privacy initiative last year from these groups:

    • American Association of Advertising Agencies
    • American Advertising Federation
    • Association of National Advertisers
    • Direct Marketing Association
    • Interactive Advertising Bureau
    • National Business Coalition on E-Commerce and Privacy
    • Association of Magazine Media

They wrote a letter to the California Attorney General in which they strongly complained about, among other things, not being included in the process of developing California’s policies about mobile device privacy.

You can find their letter here.

On the other hand, some in the business community appear to have taken a leadership role on occasion.  Perhaps most conspicuous among those activities has been the National Telecommunications and Information Agency “stakeholder” process intended to create a Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices.

We here at Big Data and the Law consider that effort a failure.  One principal reason is that the business community participants decided not to adopt the code they developed.  Seriously.  So much for the stakeholder process and the business community taking a leadership role.

So we have further evidence that Mr. Baskin is correct in his unstated assumption that the business community needs to step up and get involved in this privacy thing.

All good, but we must now part company with Mr. Baskin.  Unfortunately, it appears that one reason for his concern is that he believes the public doesn’t know that their personal information is being gathered and used – and that the public might find out about that.

In short, he thinks we’re ignorant.  Consider these comments in his article, in which “we” means marketing professionals or business generally and “they” means the rest of us:

Only we don’t really know if our scrutiny matters to consumers, because they don’t really know what we’re doing. 

Sure, they tolerate it, but that’s mostly out of ignorance, not informed choice.

If they ever figured out what giving away all the free information about themselves gets them, even the most publicly exposed millennial might think otherwise.

Unfortunately, Mr. Baskin is not alone in his low opinion of us.  That’s a problem. 

Privacy issues are complicated. You know that even if some people think you don’t know it.  Those issues will not be resolved if the public in general is considered important only when the very smart and important people think that we might get wise to what they are up to.

Posted in Big Data, Privacy

NSA Loses One, Wins One – Interesting Differences in the Courts’ Reasoning

After the NSA’s loss in the D.C. District Court, the NSA has a win in the Southern District of New York.  Here at Big Data and the Law we’ve dialed it back for the holidays, so we haven’t yet spent much time reviewing the two decisions.

A cursory review does reveal one interesting fact though.  In the D.C. District Court opinion, Judge Leon makes frequent mention of not only the data that the NSA collects, but the analysis that the NSA conducts using that data.  For example:

The threshold issue that I must address, then, is whether plaintiffs have a reasonable expectation of privacy that is violated when the Government indiscriminately collects their telephony metadata along with the metadata of hundreds of millions of other citizens without any particularized suspicion of wrongdoing, retains all of that metadata for five years, and then queries, analyzes, and investigates that data without prior judicial approval of the investigative targets.

In contrast, in Judge Pauley’s opinion in the Southern District of New York case, there is relatively little mention of that analysis.

As we’ve discussed here before, how you can use data to discern other data is a big deal.  The courts will need to consider how data is (or can be) used – every bit as much as where it comes from.

More on this soon.

Posted in Big Data, NSA, Policy, Privacy

Google, Facebook, AOL, Twitter, Apple, Microsoft and Yahoo to U.S. Government: Stop Collecting Personal Information – That’s Our Job

As you likely know, Google, Facebook, AOL, Twitter, LinkedIn, Apple, Microsoft and Yahoo are suddenly concerned about our privacy.  They have all signed on to an open letter to the President and Congress, in which they say:

We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.

For our part, we are focused on keeping users’ data secure — deploying the latest encryption technology to prevent unauthorized surveillance on our networks and by pushing back on government requests to ensure that they are legal and reasonable in scope. 

We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight. To see the full set of principles we support, visit ReformGovernmentSurveillance.com

It gets better.  On the ReformGovernmentSurveillance.com website these guys created, Mark Zuckerberg says:

Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information. The US government should take this opportunity to lead this reform effort and make things right.

Limits on how information is collected?  Really?

Let’s review some facts:

1. There is no evidence that, before it became public, anyone in this group objected to the government’s eavesdropping activity.

2. As to their true motivations, these companies have an economic interest in raising the government surveillance issue, as they stand to lose business outside the United States because of concern about the actions of the NSA.

3. The courts haven’t been particularly friendly to individuals making privacy related claims.  These companies have vigorously and successfully defended their privacy practices.  For example, in a recent Google case here and a LinkedIn case here.

4. Perhaps most damning, Google has been accused of collecting communications itself – as summarized in this quote from a New York Times article:

In addition to photographs, Street View vehicles secretly collected e-mail, passwords, images and other personal information from unencrypted home computer networks.     

This nonsense is obviously not a serious attempt to change anything.  But there hasn’t been enough media coverage that is critical of it. 

For example, while it does make some critical points, this PC World article misses some points.  Consider this:

Arguably, there is a difference between the data mining these companies are guilty of and what the NSA has been up to. If Google knows that you’re more likely to buy a cookbook than a bicycle tire, and send advertising to you accordingly, little harm is done. But if the government tracks who you know and what you do, that’s a far more serious invasion of our privacy.

First off, the limit of Google’s knowledge is not what you tell them; it extends to what Google can infer from what you tell them, and they can infer a lot. As Eric Schmidt once said:

We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.

So that pretty much puts Google into the “government tracks who you know and what you do” zone.

To give credit where it is due though, the article also says:

Of course, the private sector’s data mining and the government’s vast collecting aren’t really separate. The first provides massive information to the second, sometimes with the companies’ knowledge and sometimes without it.

That is true. 

We need the media to seriously challenge these companies.  As we’ve noted in the past, we must avoid the trap these companies hope we fall into – focusing on the government and ignoring them.

The media has to step up and confront these companies with their own data practices and to point out the hypocrisy.

Of course, we also need changes in the law to address those practices.  That’s for another day.

Posted in Big Data, NSA, Privacy

Privacy, Poverty and Perspective

The largest encampment of homeless people in the United States is in the Silicon Valley.  Given the level of homelessness in the area, perhaps that shouldn’t be too much of a surprise.

The proximity of that homeless camp to Sand Hill Road, and to the Googles of the Silicon Valley tells a story that can get lost in statistics.  But let’s look at some anyway.

Here are some stats and illustrative graphs about who does and does not have Internet access in the United States.  Note the relationship among income, education and Internet access.

Here’s a view of the picture in New York. 

Here’s some information about poverty in the United States; specifically about the Supplemental Nutrition Assistance Program (SNAP).  The article notes that:

In 2013, the average participation rate for SNAP was 19.4 percent of the U.S. population, serving 47.7 million individuals each month

But, about half of Americans will rely on SNAP at some point between the ages of twenty and sixty-five.

These are all U.S. stats.  We (a lot of us anyway) have it pretty good.

My point:

As I’ve watched the discussion on Twitter about privacy in general and the NSA thing in particular, at some point I came to the conclusion that a lot of it is self-indulgent.  I’m reminded of pictures of Occupy Wall Street activists and their iPhones.

Certainly privacy is an important issue, but is it the issue?  What percentage of the U.S. population has the time, money and energy necessary for privacy to become a first order priority?

What would Maslow say?

Let’s see if we can channel 5% of the outrage energy into something more concretely beneficial to people who need help.

If that doesn’t work for you, and you want to be all outraged about stuff, and you just can’t let the whole privacy thing go for a minute, go here to EPIC’s website.  Take note of the special privacy concerns of the poor.  As EPIC says:

Poor people have less of everything–less autonomy, less social mobility, and less privacy. State interests in fraud prevention and the structure of privacy law itself have worked to the disadvantage of the poor.

Maybe you can help address those issues.

Two last points.

First, although we’re having our Thanksgiving holiday here in the United States tomorrow, this is not intended to be a special holiday Big Data and the Law post.  But Happy Holidays if you are having a holiday.  Have a good day if you’re not.

Finally, the purpose of Big Data and the Law is, of course, Shameless Self Promotion.  However, the secondary purpose of Big Data and the Law is to be a platform for venting.

This is venting.

Posted in Big Data, Diatribe, Poverty, Privacy

Google Wins Book Scanning Suit – Don’t Get Too Excited

A quick and necessarily imprecise summary of the Google case is (i) Google indexes books and gives the public access to the indexes, and (ii) copyrights have expired with respect to some of the indexed books, but not all of them.  Copyright holders sued Google for infringement of their copyright in books indexed by Google.  Google’s defense to the infringement claims is that Google’s actions were a fair use under copyright law, and thus not an infringing activity. 

The case is not as simple as some of the press coverage suggests.

The fair use defense is very fact specific.  That means one has to be careful about relying too much on any one case.  Here’s how it works.

There are four different factors courts consider in evaluating the fair use defense.  Here they are, straight from the statute:

(1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;

(2) the nature of the copyrighted work;

(3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and

(4) the effect of the use upon the potential market for or value of the copyrighted work.

Each factor is evaluated individually and then weighed together in making a final determination of whether the fair use defense applies.  So one shouldn’t make assumptions based on how any one of the factors applies to a particular situation.  For example, fair use does not necessarily apply to situations involving “nonprofit educational purposes.”  On the other hand, fair use isn’t always inapplicable just because the “use is of a commercial nature.”

MOOC makers in particular need to be careful about this.  It’s easy for an educator to assume that an educational purpose is a get-out-of-copyright-infringement-free card.  Don’t assume your good intentions will save you from an infringement claim.  As they say, the road to hell is paved with good intentions. 

One last thing: this isn’t over if the decision is appealed – which seems likely.

You can find the court’s opinion here.  It’s in plain English, so there is no point in summarizing it here.  Reading the decision will give you more detailed and accurate information than you’ll get from the press coverage.

Posted in Big Data, Copyright, Fair Use, Google Books