Privacy Papers, Part 21 – 2.0 Onward?

The PrivacyPapers was released over a two-week period of emails by Michael Kasdan, who has generously given us permission to post it in its entirety over several posts.

You can search Twitter for #PrivacyPapers to find the content and to share comments.

21. Privacy Papers – 2.0 Onward?

From: Kevin
Sent: Tuesday, August 27, 2013 12:14 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.0 Onward?

Back in 1997 I started work on my “A” paper at NYU Law.  For the uninitiated, to graduate from NYU Law at the time, students had to write both a “B” and an “A” paper.  The “B” had to be 20-30 pages, the “A” had to be 40+.  Unfortunately they had to be on a legal topic, include proper citations and be somewhat coherent (I think I got 1 out of 3 on mine).  Already a real internet junkie, first BBS, then mIRC and chat rooms (yeah, hope none of those college age transcripts of late night chats show up anywhere) and early VOIP user, my topics were of course going to be focused on tech.

About that time Lawrence Lessig had gone from constitutional scholar at the University of Chicago to special master for the DOJ at the Microsoft trial and then to Harvard and he’d started talking about how programming code was a bit like setting the law within those programs.  I exchanged some e-mail with him at the time, because I was exploring the idea that the standards that set the boundaries of what code can do were a type of meta-law and the ones being set for the internet were being set by private or quasi-governmental groups and they were going to essentially become the de facto laws in this new interconnected world.  When finished I think I even sent Lessig a copy, something that’s a bit embarrassing now that I go back and realize how bad I was at writing back then (I’m not claiming to be great now, so yeah, it was bad). Anyway, Lessig was thinking about a lot of this at the same time and ended up writing a great book called Code and Other Laws of Cyberspace.

What has that to do with Privacy Papers 2.0?  Well, some of what could be done to give users absolute control of their data would have to be done by changing the architecture of the internet and that is in the hands of private groups with little to no government insight. You think it’s a challenge to get Congress to agree to anything in the public interest, try getting competing companies and individuals with their own agendas to agree on changing protocols to help consumers control their data when they know that it may be to their detriment.

For a good laugh I’ll post my article, which was titled “Internet Standardization: Who Should Control the Code of Cyberspace?”  Yeah, the term “Cyberspace” dates it…

From: privacy-papers@googlegroups.com [mailto:privacy-papers@googlegroups.com] On Behalf Of Michael Kasdan
Sent: Tuesday, August 27, 2013
To: privacy-papers@googlegroups.com
Subject: RE: Privacy Papers – 2.0 Onward?

Kevin-

Very interesting.  (I like how you’re procrastinating from offering your solution(s) or answering “Question No. 3”, but we’ll have to be patient, I suppose.)

Would love to see the article!  Oooh “Cyberspace” . . . . The Great Digital Frontier . . . . (Some fun little history on The Internet circa 1997)

By the way, on my book pile at the moment is Lessig’s Code 2.0, under a mountain of other unread stuff.  But it’s there.  So there’s a chance.  (He’s a very interesting thinker.)

Best,
Mike

From: privacy-papers@googlegroups.com [mailto:privacy-papers@googlegroups.com] On Behalf Of Michael Kasdan
Sent: Wednesday, August 28, 2013
To: privacy-papers@googlegroups.com
Subject: RE: Privacy Papers – 2.01 Onward?

Well, that’s one way to kill a conversation.  Asking for solutions.  The nerve!

To spur conversation, when you search in Google: Solutions to Privacy Issues, this is the first thing that comes up.  So it must be good.  Either that, or it’s paid content, like it says in the URL.

By the way, the author lists five solutions: (1) class action lawsuits/courts [not exactly the most efficient and fast-moving way of effecting societal change]; (2) technology to control our own data – this runs headlong into Question No. 3 – how does this square with the economics of social media and the internet?; (3) have Federal Government step in (Yay NSA!); (4) Leave Privacy Issues to the Market (“embrace that privacy has become a commodity”); and (5) industry self-regulation.

Anyway, I’m only including this link here in a now-hopelessly-transparent effort to spur some Week 2 #PrivacyPapers conversation.

Or at least get Kevin to send around his ancient Cyberspace Paper.

As they said in Battlestar Galactica:

Captain Lee ‘Apollo’ Adama: “I thought we were sparring.”
Commander William Adama: “That’s why you don’t win.”

#winning

Mike

From: John
Sent: Wednesday, August 28, 2013 5:06 PM
To: privacy-papers@googlegroups.com
Cc: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

Am I right in thinking of those five solutions, only #2 provides a way for an average citizen to take control in some way of their data?

If personal clouds/vaults catch on, to be clear, things will get messy in certain regards. We’ll still deal with the government needing to/trying to access that data (via warrants etc). And private companies will fight this idea of course. But I don’t see the need for an adversarial relationship. I actually would prefer either paying Google for their services, or having a weekly/monthly sense of what brands/whoever might want access to my data.

Then – Google could likely make more money than they do now in terms of paid search, etc. engage and empower consumers to seek out brands in hopes of selling/leveraging their data. Google is still a trusted intermediary, but trust is increased because people decide when to make data available.

The only people I see suffering in this model are a certain group of data brokers, the ones that aggregate publicly available data they don’t make available to the people who they’re reporting about, which is what the FTC is dealing with.

When a data broker, or agent, works with a person to give them options on how to use their data in an informed manner, we have a new economic model. This could work like a trusted banker telling you where to invest. The difference here is with a personal data cloud you can “kill” data that is accessed by non trusted sources. Right now, people don’t have this option.

Hope that helps. I’m not here to Google or FB bash. Quite the opposite. I use these services often and daily. I just wish they’d change their core data collection mindset and brace the value/profit from this type of model. Trying to maintain ultimate control over data, information, or the rights that come with them is fodder for business disruption or revolution.

From: privacy-papers@googlegroups.com [mailto:privacy-papers@googlegroups.com] On Behalf Of Michael Kasdan
Sent: Thursday, August 29, 2013
To: privacy-papers@googlegroups.com
Subject: RE: Privacy Papers – 2.01 Onward?

So admittedly I don’t quite understand the ins and outs of data vaults and personal clouds and how they would really work.  But my immediate thought is that one reason that the lack of privacy/collection and use of people’s information – both for benefits and for monetization – works so well, is because it is so EASY.  We don’t have to DO anything, except not read a Terms and Conditions and click “Accept.”

I fear that the transaction costs involved in implementing something like a data vault and choosing what brands and companies I share information with and for what purposes and how much I will charge are simply way too high to be practical.

MK

From: John
Sent: Thursday, August 29, 2013 7:29 AM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

I don’t disagree that implementation will be hard.  I think the need will become more immediate when Augmented Reality comes into play and people start to literally see data about themselves and others.  I think once people get a sense of the volume of data about themselves and loved ones that’s out of their control will provide incentive to try the vault methodology.

Also, vaults typically do one thing that is a huge time saver – they eradicate the need for passwords as we have them now.  Personal.com is making a brilliant move into this space where their first product is a tool that auto-populates passwords on various sites so you don’t have to remember 48 of them.  But it’s done with the vault mentality.

Also, once the methodology is widespread, I see the time that it would take you to even click an “I agree” button for a standard T&C to also have a “Metracker” button or whatever it’s called.  You click it, and per your automatically set up data-vault privacy preferences, the site determines how you’d like to be (safely) tracked and then sets up where micropayments will be made and when.

But your concerns make total sense.  But so far I haven’t heard other actual options to change the system as it stands.  The fact that it’s entrenched, the fact that people are cavalier, the fact that the Titans will fight against it, are simply facts.

Who else has options?  I’m not interested in being right or whatever.  I would just love not to hear, in one way or another, “the status quo we have now is inevitable.”

From: Lisa
Sent: Thursday, August 29, 2013 12:18 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

I’m not familiar with either public or private sector solutions for collecting personal data but I’m very interested in both since my thesis about our global economy suggests that transparency is imperative for our long term solvency (both the economic and emotional well-being kind). I’d vote for solutions that give the user the most autonomy, are easy to understand and easy to use, and not an economic hardship (what are the price points? will only the wealthy be able to keep and protect their data and “poor” folk have to sell their data, like kidneys, on some black market, to data extortionists?). But John, I do wonder about any single provider, like Personal.com as my savior — because I’m handing that entity enormous power. That seems like going from the frying pan to the fire. My first, sincere question is: how would I (right now) go about collecting all my data (my usernames, passwords, cookies, footprints, and posts) from the web? The first step has to be in claiming all your data, before you can protect it. Are there companies / apps that do that now?

From: John
Sent: Thursday, August 29, 2013 12:28 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

Those are all great points.  Personal.com and Reputation.com offer those services.  There’s a growing field of other companies that do as well.

Bear in mind, however, that groups like ID3 who we’re working with for Happathon are developing something they call Open Mustard Seed.  The whole point with them is that they’re giving YOU the power of your data.  The logic is they’re just creating the infrastructure/tech for you to claim, own, and manage your data.  You can “kill” data at any time that’s accessed from untrusted sources.

In terms of people selling data on the black market, etc, that will certainly happen.  Sadly, I think a lot of visual imagery will be stolen from people for porn, etc.  And in terms of poor people, you have a point there as well.  People who don’t have access to Internet, mobile phones, etc wouldn’t get to use data banking as much, at least at first.

But the alternate solution is that Google with blimps providing Internet to sub-Saharan Africa or Facebook’s new free Internet project means the existing model goes into emerging countries as a completely accepted practice.  Giving Internet access, mind you, is awesome – the benefits are amazing, and Google and FB should be commended for the work they’re doing.  But let’s also not think for a MOMENT that the primary purpose is for economic gain.  In the next five-ten years, slums are going to offer some of the biggest economic opportunities when people have Internet services.  So while there are amazing philanthropic benefits to supplying Internet everywhere, if data collection practices don’t change, it simply means power stays in the hands of the Internet giants.

From: Lisa
Sent: Thursday, August 29, 2013 12:32 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

John, if anyone turns me into a porn star using my horrible web photos I’ll send them a note of congratulations. But I do want residuals. Ugh. I just imagined the Internet equivalent of Coke and cigarettes flooding poor communities around the world. Double ugh.

On Thu, Aug 29, 2013 at 1:23 PM, Lisa wrote:

LOL! I meant Star Trek, but that’s wayyyy better.

From: privacy-papers@googlegroups.com [mailto:privacy-papers@googlegroups.com] On Behalf Of Michael Kasdan
Sent: Thursday, August 29, 2013
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

…and connecting themes ‘n threads:

On Facebook we mentioned Battlestar Galactica.  And “real” science fiction like Isaac Asimov.

My favorite Asimov quote:

“Nothing interferes with my concentration.  You could put an orgy in my office and I wouldn’t even look up.  Well, maybe once.”

Eyes on the prize people.  Solutions. . . .

Carry on…

🙂

Your friendly neighborhood moderator.

From: Brian
Sent: Thursday, August 29, 2013 2:29 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

I really don’t have much faith in data vaults solving the problem.

First, there would be the technical issue for transfer of information to the applications and services we want to use.  Obviously we wouldn’t want to give every application/service access to all the information in the data vault, but how much control would we really want to have?  This reminds me of a horrible proposal made during the NTIA multistakeholder process where the user would be presented with a checklist of every type of personal information that the application wants to use and the user could uncheck individual boxes.  It would be so onerous users would just say “accept all”.  So if you don’t give that type of detail, you end up with the Facebook authentication model where you have to agree to a bucket of information.

Second, if you aren’t going to allow the service provider to store the information on their servers, there would be latency and/or uptime issues.   Companies have whole teams trying to figure out how to speed up delivery of data from their own services.  If you now add a new data storage location and its security protocols it will add time.  While possibly unnoticeable for most uses, it could add up.  And what if the connection to the data storage location fails (hello AWS).  That means all your services are unusable.

Third, log files.  Probably the main reason that the “right to delete” doesn’t work in actuality is because somewhere your info may be stuck in a log file where it isn’t easy to just remove the info of one person.  Under this data vault proposal, would we have to tell companies that they can no longer keep logs of service usage, even though those log files are what the company uses to improve the service, remedy errors, etc.?

From: John
Sent: Thursday, August 29, 2013 2:52 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

These are all great points.

Alternatives? Solutions? While onerous, I’d choose to deal with all the issues you mention in lieu of the system we have now.

From: Lisa
Sent: Thursday, August 29, 2013 3:20 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

Might be the right moment to evoke the Time Warp solution, Mike. What’s pre-data? Let’s go back to 1945 and start over…crap, no. That’s a bad year.

Total ignorant and tangential, but kind of related, question to follow my bad joke: can I have a personal bank server now? Why do I have to depend upon a third party to keep my personal P&L data?

From: privacy-papers@googlegroups.com [mailto:privacy-papers@googlegroups.com] On Behalf Of Michael Kasdan
Sent: Thursday, August 29, 2013
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

The Time Warp Solution.

…like Rocky Horror Picture Show.  Ah…a simpler time…


Narrator:
It’s just a jump to the left.

All:
And then a step to the right.

Narrator:
Put your hands on your hips.

All:
You bring your knees in tight.
But it’s the pelvic thrust
That really drives you insane.
Let’s do the time-warp again.
Let’s do the time-warp again.

From: Bill
Sent: Thursday, August 29, 2013 4:58 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

I haven’t had a chance to reply.  So I’m gonna bulk up my responses…

Google (and Facebook, etc.) don’t want you to pay for their services.  It is in their economic interest to keep their current business model.  For example, if Google figures out how to better target ads to a user and increases click-through-rate, they make more money.  This economic interest doesn’t exist when your end users are paying you a fixed rate each month (plus they will bitch when you raise your rates).

I also agree with Brian that end-users won’t be able to make reasoned decisions about protecting their information.  These are the same people that go into the voting booth and just choose the “Party Line” button.  They don’t care, or are overwhelmed with the choices (The Android Permission model is yet another example where it was attempted to give users control, but in the end most people just end up hitting “OK” and install Candy Crush anyway).

I recently went digital with my bills and stuff.  I’ve got a scanner and scan them all in (well, the wife does).  We store them in Google drive, so they can be indexed and searchable.  And we have built-in offsite backup.  I’m not concerned about Google seeing my banking statements or my credit card statements.  I don’t really see the harm.  Worst case, they figure out how to mine that data (without going over the creepy line, “Google policy is to get right up to the creepy line and not cross it.”) and present me with useful information.

Let’s also be clear here.  At no time does Google sell the information they collect on you to a 3rd party.  That would be a breach of trust, and remember “Competition is just one click away”, so they gotta keep the users’ trust.  Not to mention that if you have a mine of data, you’re not just going to give it away, especially if you can improve your own products based off it.

From: John
Sent: Thursday, August 29, 2013 5:36 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

I’m troubled by your thoughts.  “End users won’t be able to make reasoned decisions about protecting their information?” That’s what they’re asked to do with existing privacy/terms & conditions language with Google or anyone else.  I get that people get overwhelmed, but does that mean if there is a concern about privacy or whatever we shouldn’t try to inform the general public so they can make reasoned decisions?

In terms of seeing your banking statements, that’s your call, although the “creepy line” is in the eye of the beholder.  I think cars filming the planet and stealing IP addresses falls pretty squarely under the “creepy” line.  I also think breaking the law (according to the FTC) would be violating the “do no evil” idea.

Lastly, I don’t think Google cares about competition to a large degree.  I think that’s the danger of any organization growing to the size they have.  Even the FTC violation was no more than a slap on the wrist.  It didn’t keep them from moving the Street View program forward.

But I’m in the minority I realize.  I recently wrote a piece on Mashable about artificial intelligence touching on some of these issues and got eviscerated in the comments by a number of Google fans.  I don’t understand why my challenging aspects of what the company does while praising other things they do means I’m a luddite.

From: Bill
Sent: Thursday, August 29, 2013 10:29 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

responses inline

From: John
Sent: Thursday, August 29, 2013 10:54 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

NYT: http://www.nytimes.com/2013/03/13/technology/google-pays-fine-over-street-view-privacy-breach.html?pagewanted=all

“SAN FRANCISCO — Google on Tuesday acknowledged to state officials that it had violated people’s privacy during its Street View mapping project when it casually scooped up passwords, e-mail and other personal information from unsuspecting computer users.”

-How is this accidental? And why can’t people just admit Google was trying to get people’s info, whether or not they were Google users? Google admitted it! I’m flabbergasted at how people are fine with Google’s Street View’s brazenly invading privacy. Whether people know how to encrypt and saying they have less than average intelligence doesn’t mean you get to violate privacy or break the law. Tech being awesome does not give carte blanche for violating privacy in the name of innovation. Google screwed up, plain and simple. Mainly because they showed their hand. Nobody will ever convince me that “the lone engineer” theory, with Google and their resources, makes any sense. One engineer made a decision that led to this? Nope. They got caught.

But, to your point, nobody cares. They paid the fine and most people I know defend their actions which I can’t fathom. Not the street view part – while I’m not a big fan of people tracking when my car is in the driveway if they want, I can live with that. It’s the precedent set by the violations mentioned above and people’s lack of concern over it.

From: Bill
Sent: Thursday, August 29, 2013 11:17 PM
To: privacy-papers@googlegroups.com
Subject: Re: Privacy Papers – 2.01 Onward?

ok, we should probably drop it at this point, as I think we are getting pretty far astray and I don’t think we’ll ever see eye-to-eye on it, but let me get my last point in.  😉

There are two things going on here.  What Google was trying to do (collecting Wifi AP information for use in improving phone geolocation without GPS), and what Google ended up also collecting (plaintext payload data).

Was #1 wrong?  I don’t know.  It’s publicly available to anyone walking down the street.  I don’t need to build a fancy car to do it, there’s an app for my phone.  And I know this is a weak argument, but there are other companies doing it (Skyhook Wireless, for an example).  This information is akin to your street address (something else street view could collect based on photos).

#2 was definitely clearly wrong.  And this is where I think a single engineer messed up. He either did it unwittingly (very possible in these large complex systems), or on purpose (probably to work around some bug and save him a few days of work).
