Maybe Edward Snowden Works for Google, or Facebook, or Microsoft, or One of those Guys

Ok, probably not. 

But consider who benefits from all the attention the NSA thing is getting.  Answer: all those other organizations that collect information about you.  We discussed this previously here at Big Data and the Law.  The NSA gets some of its information from those folks – in fact the NSA has gotten information from all of these folks:

Microsoft – Yahoo – Google – Facebook – PalTalk – AOL – Skype – YouTube – Apple

Some of them have joined the protest against the NSA.  We here at Big Data and the Law would never question their motives.  But, for the time being the focus on the NSA seems to have taken attention away from them.  So they are benefitting.

Let’s consider what we’re ignoring while there is such an all-consuming focus on the NSA.

Well first of all, our friends in the private sector continue to collect lots of information about us.  Sometimes we agree to give it to them. 

We don’t always want to volunteer our information.  But in some cases our choice is to agree to give up personal information or lose access to technology we want or need.  Sometimes we have to participate in social media (with the consequent need to disclose some of our personal information) or lose timely access to financial information that might affect our investments.

Sometimes our information it collected without any participation from us.  By these guys for example.

There is another way in which our information can be obtained without or disclosing it.  Information that we did not disclose can be discovered through the analysis of information that we did disclose.

And what about the things that are being done with our information? 

No doubt we don’t really know what the NSA does with the information that it gathers.  But, what about the uses of our information that we  do know about and that should also be concerning to us? 

For example, what about using our on-line information in hiring decisions?

Questions about collection, and questions about use. 

What else are we ignoring?

Well one big thing we seem to be ignoring is the exposure of our information to data breaches.  For example, the very concerning data breach at Facebook

And what about public entities other than the NSA?  What about countries other than the United States?

For some reason we seem to have forgotten that the United States is not the only country that gathers personal information. 

Consider this from a former French foreign minister:

“The magnitude of the eavesdropping is what shocked us,” Bernard Kouchner said Tuesday in a radio interview. “Let’s be honest, we eavesdrop too. Everyone is listening to everyone else. But we don’t have the same means as the United States, which makes us jealous. “

We don’t mean to pick on France.  As the man said, “Everyone is listening to everyone else.”  Russia, for example, is expanding Internet surveillance even though many think that new surveillance is not legal under Russian law. 

This week we had “The Day We Fight Back”.  That’s fine. 

We here at Big Data and the Law don’t want to rain on anyone’s parade.  If you have a problem with what the NSA is doing, there is no reason why you shouldn’t make an issue of it. 

But why is it that “The Day We Fight Back” seemed to be focused on only the United States?    Wrong is wrong – yes? 

Protest is easy.  It’s harder reach agreement on some principles and to apply them generally – to both the private sector and to the public sector – and to all governments.  Objective principles – not subjective principles.

One more thing.

Let’s look at ourselves a little.  It’s not only business and government that collects information without the consent of those from whom it is collected.  Sometimes its individuals acting on their own.   

We haven’t heard anything about that yet.

Posted in Big Data, Edward Snowden, NSA, Privacy | Tagged , , , , ,

Senate Continues Data Broker Investigation – Talk of Data Privacy and Security Legislation

Senate Investigation

On December 18, 2013, the US Senate Committee on Commerce, Science and Transportation held a hearing titled, “What Information Do Data Brokers Have on Consumers, and How Do They Use It?”   

Following up, Committee Chair Senator Rockefeller has now sent requests for information to six data brokers. 

As described in a press release from the Committee (referencing the December 18, 2013 hearing):

Rockefeller sent letters today to six companies, including two – NextMark, Inc. and MEDbase200 – that were highlighted in testimony presented at the hearing as data brokers that produce lists of consumers exhibiting certain financial and health characteristics, such as “Empty Wallets,” “African American Pay Day Loan Responders,” and “Dementia Sufferers”. Four other letters were issued to Acxiom, Epsilon, Experian, and Lexis Nexis – companies that were part of Rockefeller’s initial inquiry into data brokers that sell products focused on consumers’ financial circumstances.

This might sound familiar.  You might have seen the recent incident when a man received some junk mail from OfficeMax that was addressed to “Mike Seay, Daughter Killed in Car Crash.”  Mike Sheay’s daughter was in fact killed in a car crash.  (To make things worse, the letter was also addressed to “Or Current Business.”)

Hope for Privacy and Data Security Legislation?

There are rumors of momentum toward something getting done this year on data privacy and security legislation.

According to The Hill:

Several lawmakers in Congress are optimistic that a new law to protect consumers’ data from being stolen can be passed quickly, weeks after major hacks dominated the headlines.

So it appears that the interest is there in data privacy issues in Congress.

On the other hand, in the very next sentence in the same article, The Hill notes:

The retail and banking industries have begun to face off over potential new legislation, with each worried that new provisions could unduly affect their businesses.

It’s always something.

Strangely though, The Hill brings hope in the form of Republican Congressman Joe Barton:

“It’s one of the few issues in the next 10 months that the House and the Senate can work with the president on,” he said. “I’ll go out on a limb here and predict that we’ll actually do that.”

Can those three work together on anything though?  Certainly it seems that data privacy hasn’t been one of those “few issues” they can get resolved.  For evidence, I note the failure to enact bills for:

Data Security and Breach Notification Act of 2011

Data Security and Breach Notification Act of 2012

Data Security and Breach Notification Act of 2013

A definite pattern.

But that was before the Target incident.  Maybe that’s enough to get things moving.  Already this year we have proposals for:

Personal Data Privacy and Security Act of 2014

Data Security Act of 2014

Data Security and Breach Notification Act of 2014

Commercial Privacy Bill of Rights

That’s just the Senate stuff, and that’s just as of this writing.

So maybe something can happen.  But then ….

The Problems are the Problem

As we know, there are a lot of privacy and data security problems to solve.  Data breach notification is a problem.  It’s a pretty simple problem though, as privacy and data security problems go.  No doubt that simplicity will make data breach notification a focus (probably the focus) of any successful privacy and data security legislation.

What about all the other data privacy problems?  Here at Big Data and the Law, we’re betting those problems are too hard for Congress to deal with.

Look at the 2011, 2012 and 2013 bills (below).  Note how simple (and similar) they are, and ask yourself why such simple legislation couldn’t get passed.  Then ask yourself whether anything more complex could possibly get passed.

Additional Information on the Senate Data Broker Investigation

You can see an archived webcast of December 18, 2013 hearing.

This is the Majority Report presented at the hearing:

This is Senator Rockefeller’s letter to Acxiom:

In a post here at Big Data and the Law you can see an example of the scope of personal information that data brokers collect.  In this case, at Versium Analytics – a company with “…billions of records with billions of real life attributes on consumers and businesses.”

Background on the Privacy and Data Breach Legislation

2011, 2012 and 2013 bills

2014 Bills

 

Posted in Big Data, Data Brokers, Data Security, Policy, Regulation | Tagged , , , , ,

A Marketing Expert Thinks Business should Take Privacy Seriously – and that You Don’t Understand how Your Privacy is Being Violated

I don’t know enough about marketing to know who is a real marketing expert, but Jonathan Salem Baskin seems to be a big deal in the marketing business.  He writes for Forbes and Advertising Age and consults a lot.  Look at his website.  Impressive stuff.  He must be an expert.

In this article in Advertising Age, Mr. Baskin says that business should:

Figure out how to do a better, more proactive job of telling consumers what we know about them, what we do with that information and why. What we’re doing now isn’t enough, and we know it. We should prepare for — if not proactively prompt — a better, more-informed conversation about privacy before we get hit over the head with it.

We here at Big Data and Law agree. 

It’s in the best interest of the business community to assert some leadership on privacy matters, and the business community hasn’t been doing it. 

Maybe Mr. Baskin’s advice is based on the poor showing of the business community in this regard.  Consider the reaction to the California mobile privacy initiative last year from these groups:

    • American Association of Advertising Agencies
    • American Advertising Federation
    • Association of National Advertisers
    • Direct Marketing Association
    • Interactive Advertising Bureau
    • National Business Coalition on E-Commerce and Privacy
    • Association of Magazine Media

They wrote a letter to the California Attorney General in which the strongly complained about, among other things, not being included in the process of developing California’s policies about mobile device privacy.

You can find their letter here

On the other hand, some in the business community appear to have taken a leadership role on occasion.  Perhaps most conspicuous among those activities has been the National Telecommunications and Information Agency “stakeholder” process intended to create a Short Form Notice Code of Conduct to Promote Transparency in Mobile App Practices.

We here at Big Data and the Law consider that effort a failure.  One principal reason is that the business community participants decided not to adopt to the code they developed.  Seriously.  So much for the stakeholder process and the business community taking a leadership role.

So we have further evidence that Mr. Baskin is correct in his unstated assumption that the business community needs to step and get involved in this privacy thing. 

All good, but we must now part company with Mr. Baskin.  Unfortunately, it appears that one reason for his concern is that he believes the public doesn’t know that their personal information is being gathered and used – and that the public might find out about that.

In short, he thinks we’re ignorant.  Consider these comments in his article, in which we means marketing professionals or business generally and they means the rest of us:

Only we don’t really know if our scrutiny matters to consumers, because they don’t really know what we’re doing. 

Sure, they tolerate it, but that’s mostly out of ignorance, not informed choice.

If they ever figured out what giving away all the free information about themselves gets them, even the most publicly exposed millennial might think otherwise.

Unfortunately, Mr. Baskin is not alone in his low opinion of us.  That’s a problem. 

Privacy issues are complicated. You know that even if some people think you don’t know it.  Those issues will not be resolved if the public in general is considered important only when the very smart and important people think that we might get wise to what  are up to.

Posted in Big Data, Privacy | Tagged , , ,

NSA Loses One, Wins One – Interesting Differences in the Courts’ Reasoning

After the NSA’s loss in the D.C. District court, the NSA has a win in the Southern District of New York.  Here at Big Data and the Law we’ve dialed it back for the holidays, so haven’t yet spent much time reviewing the two decisions. 

A cursory review does reveal one interesting fact though.  In the D.C. District Court opinion, Judge Leon makes frequent mention of not only the data that the NSA collects, but the analysis that the NSA conducts using that data.  For example:

The threshold issue that I must address, then, is whether plaintiffs have a reasonable expectation of privacy that is violated when the Government indiscriminately collect their telephony metadata along with the metadata of hundreds of millions of other citizens without any particularized suspicion of wrongdoing, retains all of that metadata for five years, and then queries, analyzes, and investigates that data without prior judicial approval of the investigative targets.

In contrast, in Judge Pauley’s opinion in the Southern District of New York case, there is relatively little mention of that analysis.

As we’ve discussed here before, how you can use data to discern other data is a big deal.  The courts will need to consider how data is (or can be) used – every bit as much as where it comes from.

 

More on this soon.

Posted in Big Data, NSA, Policy, Privacy | Tagged , , ,

Google, Facebook, AOL, Twitter, Apple, Microsoft and Yahoo to U.S. Government: Stop Collecting Personal Information – That’s Our Job

As you likely know, Google, Facebook, AOL, Twitter, LinkedIn, Apple, Microsoft and Yahoo are suddenly concerned about our privacy.  They have all signed on to an open letter to the President and Congress, in which they say:

We understand that governments have a duty to protect their citizens. But this summer’s revelations highlighted the urgent need to reform government surveillance practices worldwide. The balance in many countries has tipped too far in favor of the state and away from the rights of the individual — rights that are enshrined in our Constitution. This undermines the freedoms we all cherish. It’s time for a change.

For our part, we are focused on keeping users’ data secure — deploying the latest encryption technology to prevent unauthorized surveillance on our networks and by pushing back on government requests to ensure that they are legal and reasonable in scope. 

We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight. To see the full set of principles we support, visit ReformGovernmentSurveillance.com

It gets better.  On the ReformGovernmentSurveillance.com website these guys created, Mark Zuckerberg says:

Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information. The US government should take this opportunity to lead this reform effort and make things right.

Limits on how information is collected?  Really?

Let’s review some facts:

1.         There is no evidence that, before it became public, any one in this group has objected to the government’s eavesdropping activity.

2.         As to their true motivations, these companies have an economic interest in raising the government surveillance issue, as they stand to lose business outside the United States because of concern about the actions of the NSA. 

3.         The courts haven’t been particularly friendly to individuals making privacy related claims.  These companies have vigorously and successfully defended their privacy practices.  For example, in a recent Google case here and a LinkedIn case here. 

4.         Perhaps, most damning, Google has been accused of collecting communications itself – as summarized in this quote from a New York Times article:

In addition to photographs, Street View vehicles secretly collected e-mail, passwords, images and other personal information from unencrypted home computer networks.     

This nonsense is obviously not a serious attempt to change anything.  But there hasn’t been enough media coverage that is critical of it. 

For example, while it does make some critical points, this PC World article misses some points.  Consider this:

Arguably, there is a difference between the data mining these companies are guilty of and what the NSA has been up to. If Google knows that you’re more likely to buy a cookbook than a bicycle tire, and send advertising to you accordingly, little harm is done. But if the government tracks who you know and what you do, that’s a far more serious invasion of our privacy.

First off, the limit of Google’s knowledge is not what you tell them, it extends to what Google can infer from what you tell them, and they can infer a lot. As Eric Schmidt once said:

We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.

So that pretty much puts Google into the “government tracks who you know and what you do” zone.

To give credit where it is due though, the article also says:

Of course, the private sector’s data mining and the government’s vast collecting aren’t really separate. The first provides massive information to the second, sometimes with the companies’ knowledge and sometimes without it.

That is true. 

We need the media to seriously challenge these companies.  As we’ve noted in the past, we must avoid the trap these companies hope we fall into – focusing on the government and ignoring them.

The media has to step up and confront these companies with their own data practices and to point out the hypocrisy.

Of course, we also need changes in the law to address those practices.   That’s for another day.

 

 

Posted in Big Data, NSA, Privacy | Tagged , , , , , , , , , , , ,

Privacy, Poverty and Perspective

The largest encampment of homeless people in the United States is in the Silicon Valley.  Given the level of homeless in the area, perhaps that shouldn’t be too much of a surprise.

The proximity of that homeless camp to Sand Hill Road, and to the Google’s of the Silicon Valley tells a story that can get lost in statistics.  But let’s look at some anyway.

Here are some stats and illustrative graphs about who does and does not have Internet access in the United States.  Note the relationship among income, education and Internet access.

Here’s a view of the picture in New York. 

Here’s some information about poverty in the United States; specifically about Supplemental Nutritional Assistance Program (SNAP).  The article notes that:

In 2013, the average participation rate for SNAP was 19.4 percent of the U.S. population, serving 47.7 million individuals each month

But, about half of Americans will rely on SNAP at some point between the ages of twenty and sixty-five.

These are all U.S. stats.  We (a lot of us anyway) have it pretty good.

My point:

As I’ve watched the discussion on Twitter about privacy in general and the NSA thing in particular, at some point I came to the conclusion that a lot of it is self indulgent.  I’m reminded of pictures of Occupy Wall Street activists and the iPhones.

Certainly privacy is an important issue. but is it the issue?  What percentage of the U.S. population has the time, money and energy necessary for privacy to become a first order priority? 

What would Maslow say?

Let’s see if we can channel 5% of the outrage energy into something more concretely beneficial to people who need help.

If that doesn’t work for you, and you want to be all outraged about stuff, and you just can’t let the whole privacy go for a minute, go here to EPIC’s website.  Take note of the special privacy concerns of the poor.  As EPIC says:

Poor people have less of everything–less autonomy, less social mobility, and less privacy. State interests in fraud prevention and the structure of privacy law itself have worked to the disadvantage of the poor.

Maybe you can help address those issues.

Two last points.

First, although we’re having our Thanksgiving holiday here in the United States tomorrow this is not intended to be a special holiday Big Data and the Law post.  But Happy Holidays if you are having a holiday.  Have a good day if you’re not. 

Finally, the purpose of Big Data and the Law is, of course,  Shameless Self Promotion.  However, the secondary purpose of Big Data and the Law to be a platform for venting.

This is venting.

Posted in Big Data, Diatribe, Poverty, Privacy | Tagged , , , ,

Google Wins Book Scanning Suit – Don’t Get Too Excited

A quick and necessarily imprecise summary of the Google case is (i) Google indexes books and gives the public access to the indexes, and (ii) copyrights have expired with respect to some of the indexed books, but not all of them.  Copyright holders sued Google for infringement of their copyright in books indexed by Google.  Google’s defense to the infringement claims is that Google’s actions were a fair use under copyright law, and thus not an infringing activity. 

The case is not as simple as some of the press coverage suggests.

The fair use defense is very fact specific.  That means one has to be careful about relying too much on any one case.  Here’s how it works.

There are four different factors courts consider in evaluating the fair use defense.  Here they are, straight from the statute:

(1)       the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;

(2)       the nature of the copyrighted work;

(3)       the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and

(4)       the effect of the use upon the potential market for or value of the copyrighted work.

Each factor is evaluated individually and then weighed together in making a final determination of whether the fair use defense applies.  So one shouldn’t make assumptions based on how any one of the factors applies to a particular situation.  For example, fair use does not necessarily apply to situations involving “nonprofit educational purposes.”  On the other hand, fair use isn’t always inapplicable just because the “use is of a commercial nature.”

MOOC makers in particular need to be careful about this.  It’s easy for an educator to assume that an educational purpose is a get-out-of-copyright-infringement-free card.  Don’t assume your good intentions will save you from an infringement claim.  As they say, the road to hell is paved with good intentions. 

One last thing, this isn’t over if the decision is appealed – which seems likely.

You can find the court’s opinion here.  It’s in plain English, so there is no point in summarizing it here.  Reading the decision will give you more detailed and accurate information than you’ll get from the press coverage.

 

Posted in Big Data, Copyright, Fair Use, Google Books | Tagged , , , ,

That Nondisclosure Agreement Just Cost You Your Business

There are a lot of nondisclosures signed every day.  How many are read before they are signed?  Not all of them.  When they are read, how often do the readers think through how the terms of the nondisclosure relate to their business practices?  Apparently not often enough.

Here is a cautionary tale.

Convolve, Inc. entered into a nondisclosure agreement with Compaq (remember them?).  Convolve entered into a similar nondisclosure agreement with Seagate.  Each nondisclosure included a provision that disclosed information would be considered confidential only if the information was:

1.         marked as confidential at the time of disclosure; or

2.         if unmarked at the time of disclosure, was treated as confidential at the time of disclosure and subsequently identified in writing as confidential.

Convolve made disclosures of Convolve confidential information without meeting either of those conditions.  Convolve sued to keep the information it disclosed confidential.  The court said:

1.         Convolve’s failure to meet either of the two conditions meant the nondisclosure agreement did not apply to the Convolve’s information; and

 2.         as a result that information was no longer a Convolve trade secret.

Very unfortunate for Convolve. 

Other courts in other places, under different circumstances have come to the opposite conclusion.  But why take the chance?

Here’s some additional language that might have saved Convolve:

or that the receiving party knows, or should reasonably be expected to know, is confidential to the disclosing party

The kind of thing that happened in the Convolve case can happen for a lot of reasons.  Sometimes the people reading or drafting the nondisclosure agreement don’t communicate the requirements to the people making the disclosures.  Another is the unthinking use of form agreements.  (Don’t get me started about people who get their legal forms from the Interwebs.)    

Finally, there are lots of other pitfalls with nondisclosure agreements.  In particular, watch out for limitations of liability.  Be careful out there.

Posted in Big Data, Confidentiality, Contracts, Trade Secret | Tagged , , , , , ,

We Need a Code of Ethics for Data Professionals

This isn’t one:

Don’t be evil. We believe strongly that in the long-term, we will be better served-as shareholders and in all other ways-by a company that does good things for the world even if we forgo some short-term gains. This is an important aspect of our culture and is broadly shared within the company.

 A Code of Ethics isn’t subjective blather.

By the way, Eric Schmidt admitted that Don’t Be Evil is totally subjective, having said this in 2003:

Evil is what Sergey says is evil.

Later Mr. Schmidt became a bit more thoughtful, as evidenced in this from a Reuters article:

In an on-stage interview with writer Ken Auletta of the New Yorker magazine, Schmidt said “Don’t be evil” is meant to provoke internal debate over what constitutes ethical corporate behavior, rather than representing an absolute moral position.

“We don’t have an ‘Evilmeter’ we can sort of apply — you know — what is good and what is evil,” Schmidt said before an audience of media industry professionals at an event sponsored by Syracuse University’s Newhouse School in San Francisco.

“It is like a bomb goes off in the room. Everything stopped. Everyone had a moral and ethical conversation, which by the way, stopped the product,” Schmidt said.

“So it is a cultural rule, a way of forcing a conversation, especially in areas which are ambiguous,” he said of how the mission statement works in practice at Google.

Debate is good, but the debate should be one in which a code of objective standards is developed, not a case-by-case reaction. 

Google has gotten better, having enacted a detailed Code of Conduct with some objective criteria.

But what about everyone else?   We need a Code of Ethics for the profession and not just for employees – a Code of Ethics with objective provisions.   Here’s an example of the kind of thing I’m talking about:

“Harm” means injury or negative consequences, such as undesirable loss of information, loss of property, property damage, or unwanted environmental impacts. This principle prohibits use of computing technology in ways that result in harm to any of the following: users, the general public, employees, employers. Harmful actions include intentional destruction or modification of files and programs leading to serious loss of resources or unnecessary expenditure of human resources such as the time and effort required to purge systems of “computer viruses.”

This is from the Association for Computing Machinery Code of Ethics and Professional Conduct, which can be found here.

But why is this necessary?  The increasing power that data professionals have in their hands makes it crucial that some standards be established.  Those of us who aren’t data professionals have legitimate concerns about this.

We can’t rely on individual, personal and subjective standards.  One reason why is the false consensus effect. 

No doubt you’ve had the experience in which someone talks to you about an issue with the apparent assumption that you agree with them – and you don’t.  That’s the false consensus effect.  People have a tendency to overestimate how many people agree with them.

You and I might have different opinions about what is appropriate and what is not.  For example, look at the comments to this article on The Huffington Post, which we discussed here.  Some people think using other people’s computers to make an interesting graphic is perfectly acceptable, even without permission from the owners of the computers.  Others disagree.

Some people who think this is acceptable don’t just think it is acceptable.  The fact that they are not shy about publicly stating they’ve done it suggests they assume other agree it’s OK.

And there’s your problem.  Some people think they have permission to do stuff like this.  (I also suspect the false consensus effect is one reason behind many of the problems in the tech industry – like the well documented sexism.)

Challenging people’s assumptions is a necessary step in addressing this.  Establishing a Code of Ethics is one way to do that.  A Code of Ethics drafted and debated in public view with broad participation can have the effect of challenging assumptions about what is appropriate. 

Far from perfect, but it’s a start.

Posted in Big Data, Data Professionals, Ethics | Tagged , , , , ,

The Internet of Things Strikes Again – FTC Settles with Rent-to-Own Spies

So these rent-to-own businesses were using the computers rented to their customers to spy on the customers.  See the FTC notice of settlement here.  Not just the webcam, as was the case in situations we discussed earlier.  In this case we also have keystroke logging. 

We recently talked about this people problem being lost in the discussion of the NSA thing.  Perhaps people don’t focus on it because it’s easier to focus on institutions rather than individuals.  But we can’t let it go at that.

At some point this type of thing has to end in some serious jail time.

Posted in Big Data, Data Security, Federal Trade Commission, Privacy | Tagged , , , , ,