By Ninja M.

An increasing percentage of Western society is carrying a computer with them, everyday, that is enabled with geo-locative technology. We call them smartphones, and they’re cherished pieces of technology. While people are (sub)consciously aware of this love-towards-technology, they’re less aware of how these devices are compromising their privacy, and that’s the topic of this post.

Recent reports on the state of the iPhone operating system show us that the device’s APIs permit incredibly intrusive surveillance of personal behaviour and actions. I’ll be walking through those reports and then writing somewhat more broadly about the importance of understanding how APIs function if scrutiny of phones, social networks, and so forth is to be meaningful. Further, I’ll argue that privacy policies – while potentially useful for covering companies’ legal backends – are less helpful in actually educating end-users about a corporate privacy ethos. These policies, as a result, need to be written in a more accessible format, which may include a statement of privacy ethics that is baked into a three-stage privacy statement.

iOS devices, such as the iPhone, iPad, Apple TV 2.0, and iPod touch, have Unique Device Identifiers (UDIDs) that can be used to discretely track how customers use applications associated with the device. A recent technical report, written by Eric Smith of PSKL, has shed light into how developers can access a device UDID and correlate it with personally identifiable information. UDIDs are, in effect, serial numbers that are accessible by software. Many of the issues surrounding the UDID are arguably similar to those around the Pentium III’s serial codes (codes which raised the wrath of the privacy community and were quickly discontinued. Report on PIII privacy concerns is available here.).

Application developers can combine the device identifier with the following attributes: authenticated login information (e.g. a banking application can link the UDID with a full banking consumer profile), (nick)name of iOS device owner, type of connection (e.g. wifi versus 3G), model type (version of iPhone, iPad, iPod Touch), home address, phone number, and geolocation information (both GPS and Skyhook/Apple collected information). Significantly, there are no popups or warnings alerting users that this data is being collected – the actual API facilitates a level of data collection far exceeding what most consumers would expect, and stands in direct contrast with Steve Jobs’ statement at the most recent All Things D conference, which I’ve previously transcribed as follows:

We’ve always had a very different view of privacy than some of our colleagues in the Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you’re going to do with their data.

Unless I’ve missed an entire regime of collection notices, I had no idea such information was being harvested by application developers until I’d read Smith’s report. Arguably of equal significance, where SSL encryption is used to transmit data Smith can determine the receiving host, but not what is actually transmitted to that host. Where traffic terminates at qwapi.com, the receiver is responsible for iAds, but it is less obvious who other receivers are, their need/desire for data, or their long-term data retention and processing policies. In essence, there’s no clear way of knowing what information is being hoovered up or what’s being done with it. ‘Free’ applications, in particular, are guilty of collecting UDID information, proving once again that if you’re not paying for a product – if you’re not a paying customer – you (and your personal information) are likely the actual product.

Also of interest in Smith’s report is that cookies are being placed in applications’ folders, and not Safari’s Cookies folder. This prevents end-users from easily removing the cookies using the iDevice’s options to do so (Settings>>Safari>>Clear History/Cookies/Cache). Combined with the incredible duration of these cookies – sometimes expiring only after 20 years – application developers can determine when an individual switches devices; when you switch (upgrade, use multiple iDevices, etc) the company puts a cookie with the same ID on the device as soon as you login, and adds the new device information to their customer databases. Given that the cookies have such excessive durations, it’s unlikely that new cookies will ever be issued to a user unless they create a separate, brand new, account. The ‘cookie problem’ is made even worse in light of Mobile Safari permitting the creation of client-side storage databases. These are often used by advertisers – Ars Technica has a walk through of Ringleader Digital’s system – to track users as they move around the Internet. Such databases are, for almost all intents and purposes, impossible to remove. The only way to ‘opt-out’ of them is to (a) realize what’s going on; (b) go to Ringleader’s website and have them place a unique identifier in the database they create on your device that indicates you’ve chosen to opt out of the tracking. After demonstrating technical ingenuity and a willingness to (in effect) exploit HTML 5 and Safari Mobile, you just have to trust them to do the right thing after you opt-out. Few users will likely ever know that these databases exist, let alone where and how to opt-out, and likely even fewer trust Ringleader to follow through with their privacy promises.

Requiring a unique identifier to avoid surveillance is less than promising, and lacks transparency from the end-user’s perspective. Moreover, Apple almost implies that this kind of behaviour is permissible, given that has developed its own opt-out system relying on similar mechanisms for their iAd advertising ecosystem. Further, Apple’s willingness to bury locational tracking information in the newest iteration of iOS – accessed through Settings >> General >> Location Services >> (Settings for applications) – shows that while Steve might talk about privacy, Apple certainly isn’t integrating an ethos of privacy by design in their products themselves, nor are they shaping the application ecosystem to respect privacy. In this way, Apple and Facebook appear to be closely aligned in how they ‘address’ privacy in their respective third-party application ecosystems.

Of course, the developers using UDIDs, setting near-permanent cookies, and deploying ‘zombie’ databases are all taking advantage of existing APIs. Such APIs are required to develop applications, and the application marketplaces are (arguably) what drive so much of iDevices’ desirability. The potentialities of APIs themselves, however, are reflections of a set of value decisions made by Apple (and by developers of APIs more generally). The UDID is not provided for nefarious reasons; arguably it is there so that developers have some kind of unique identifier that they can take advantage of instead of spending hundreds of hours creating a secured login and authentication system for each applications they produce. By making the UDID available Apple is reducing the ‘friction’ individuals experience when they actually use an application, which enhances the likelihood that individuals will actually try out the application in question. There are substantial costs entailed by field registration forms; each field significantly reduces the likelihood that a customer will actually go through with an identity-related transaction. Friction promotes consciousness about privacy and/or an awareness of the customer’s limited temporal resources.

In the process of developing a wider ecosystem – one that is dominantly intended to fuel the sales of hardware and secondarily to enhance revenue streams in the various iStores – Apple has a responsibility associated with their APIs. The ‘privacy’ policy that Apple makes available to users of iDevices is absurd; the last one was 57 pages long, on the iPhone screen, and has various buried clauses. Admittedly, I think that Apple is trying to do what their lawyers are telling them is right – if you read the privacy policy it broadly permits many of the surveillance processes discussed above (e.g. collection of locational information and other information) – but without a knowledge of the actual APIs an end-user is entirely unable to contextualize the policy. It is patently unreasonable to expect your end-users to be developers (or lawyers), with access to developer tools and time to competently play with them, just to understand your corporation’s privacy policy.

So, what is the solution then? In an ideal world Apple would genuinely adhere to what Steve Jobs stated in his All Things D interview: when an application on an iDevice wants any kind of personal information – and a unique signifier should constitute such information as soon as combined with information that can identify an individual – it will ask you. When the UDID, your mobile phone number, address, type of wireless connection used, and so forth is harvested, developers should be required to ask permission before grabbing it, and this requirement should be hardcoded into the developer API. Perhaps the Europeans will be able to force Apple (and other API developers whose APIs enable privacy invasive practices) to add this ‘friction’ to their ecosystem. Maybe there are grounds for a formal complaint to the Privacy Commissioner of Canada, on grounds that individuals cannot give meaningful consent to these collections of personal information, nor can they necessarily revoke this consent after having once given it. Both situations seems to demand the attention of Canadian regulators.

If you’re an application developer – today – what is the solution? Ideally, you implement an opt-in system but, failing that, developers should be required to adopt a three-layer privacy agreement with their end users, one that is prominently displayed at the first launch of the program and with each reinstallation/update. The first ‘layer’ should have understandable, actionable, privacy statements. We do X, we do not do Y and we believe in Z would all make good ‘privacy principle’ statements. These statements should be guided by an actual formal ethics of privacy – one that is embedded into the API, the code of the application, and the ecosystem more broadly – that when instantiated would curtail privacy invasive possibilities during the development stage.

The second layer may be more detailed, better integrating the principles and ethics with clear legal accountability. Whereas layer one might be a single page, layer two might be two or three pages, in a readable font and written at an accessible level of language; get a readability expert to go through it: if a child of thirteen years of age can’t understand it, you need to re-write the first layer, and if a seventeen year old can’t understand layer two, it needs a rewrite/edit.

The final layer will be the typical legalese, but contextualized by layers one and two. This should mean that individuals can actually frame some of the more obscure clauses should they read layer three…and if those individuals can’t, it should at least give opposing counsel and regulators grounds to argue that developers are(n’t) misleading their users.

Privacy policies are largely garbage from an end-user perspective: they’re almost entirely unreadable, unclear, and demand careful amounts of time and high degrees of education to parse. API developers need to adopt ethics of privacy, instil it throughout their code, and cut off those abusing the API in manners that clearly violate both the terms and spirit of the privacy ethic and policy. APIs should be run past privacy-minded technologists prior to being rolled out, and be modified where it is clear that the API permits and encourages invasive surveillance without the end-user’s consent. Ideally we’d see mass opt-in requirements for this kind of surveillance but I fear that this is unlikely, at least in the short term. Developing an ethic of privacy, combined with accessible three-layer privacy policies, might at least keep application and API developers honest at best, and give grounds for suit in front of the FTC, OPC, and EU Commission at worst.

Other posts you might be interested in:

1. iPhone Promiscuity
2. Mobile Security and the Economics of Ignorance
3. IPv6 and the Future of Privacy

After the post, and quotations turned up on P2Pnet, folks at Feeva quickly got ahold of me. I’ve since had a few conversations with them. It turns out that (a) there were factual inaccuracies in the Wired article; (b) Feeva isn’t the privacy-devastating monster that they came off as in the Wired article. Given my increased familiarity with the technology I wanted to better outline what their technology does and alter my earlier post’s conclusion: Feeva is employing a surprising privacy-protective advertising system. As it stands, their system is a whole lot better at limiting infringements on individuals’ privacy for advertising-related purposes than any other scalable model that I’m presently aware of.

Before I get into the post proper, however, I do want to note that I am somewhat limited in the totality of what I can speak about. I’ve spoken with both Feeva’s Chief Technology Officer, Miten Sampat, and Chief Privacy Officer, Dr. Don Lloyd Cook, and they’ve been incredibly generous in sharing both their time and corporate information. The two have been incredibly forthcoming with the technical details of the system employed and (unsurprisingly) some of this information is protected. As such, I can’t get into super-specifics (i.e. X technology uses Y protocol and Z hardware) but, while some abstractions are required, I think that I’ve managed to get across key elements of the system they’ve put in place.

The Feeva system is designed to avoid the privacy concerns associated with behavioural online advertising (such as those that emerged with NebuAd, Phorm, and DoubleClick) whilst also ensuring that individuals are not susceptible to opt-out problems associated with cookie opt-outs. (The problem with any cookie-based opt-out scheme is that opting-out requires your computing hosting a unique cookie. After deleting cookies that opted you out of the behavioural advertising, you find yourself opted back into the ad network again!) Feeva’s approach sees ISPs scrub out clearly identifiable personal information (name, account number, etc.) and passes to Feeva a unique number (representing the customer) and geolocation information (ZIP/ZIP+4) about the number. This scrubbing means that Feeva is unaware of what numbers would correlate to what people; members of the company repeatedly stated to me that they don’t want to know who individuals are, and keeping their hands clean of personal information is seen as a selling feature of their approach. Where the geolocation information could likely identify specific individuals the company flips from ZIP+4 to ZIP geographical or neighborhood demographics and characteristics. Barnes and Jennings summarize this technical process in their paper, “Why the end-to-end principle matters for privacy,” thusly: Feeva’s ISP partners will install a HTTP proxy that will receive, “location information from the ISP’s network management infrastructure in the form of mappings between an IP address and an “anonymized token”, effectively a random value that Feeva can map back to a location value using information provided off-line.”

Feeva’s system of attaching tags, or adding information into HTTP headers, does not include actual geographic information. It is not using a one-way hash (as I had previously suggested might be the case) but a method through which an attacker that successfully captures header information would be no wiser as to the individual’s location. Reverse engineering the tag would not reveal geographical information. Further, not all headers have data injected; Feeva uses a whitelist of partners to whom information can be provided. Given that the company is aiming to generate revenue through partnerships it lacks a business interest in making this information freely available. Once partners receive packets with Feeva’s tags they contact Feeva to have appropriate derived data for the visitor, such as household income in the neighbourhood, and display an ad. The tag system is such that it would be incredibly challenging to extract any useful, identifying, information from the tags should protections around them be breached. Moreover, partners will be contractually prevented from trying to hack the system; partners are not to try to identify individuals with information provided through Feeva. Feeva can update their whitelist, enabling them to ‘turn off’ any particular ad-partner found performing malpractices.

Individuals can opt-out of the advertising system, and Feeva has insisted that ISPs provide meaningful opt-out solutions. In speaking with members of the company, I would say that they are being entirely earnest in their drive to implement Ann Cavoukian’s privacy by design, where privacy is baked into companies’ technologies and business plans. The benefit to this opt-out approach is that once you’ve opted-out, you’re out forever. Clearing your cookies won’t result in being re-drawn into the advertising system. This is clearly a good thing.

A well framed privacy out-out is important and something that the company genuinely believes in. They believe it is critically important that ISP customers are provided with meaningful opt-out opportunities, and it’s key to their business approach that individuals are given opportunities to step away from Feeva’s practices if customers are uncomfortable with the advertising practices. It does have to be noted, of course, that opt-in systems are better for individuals. As recently noted in the New York Times’ recent post, “The Economics of Privacy Pricing,” in cases where individuals already believe they possess privacy they are more likely to pay to retain it than they are willing to give up some benefits to regain privacy. In the Times’ piece, customers that already had received a benefit ($2) for having lost their privacy were less likely to ‘pay’ $2 to regain it; with Feeva it’s less clear that customers would have already received an equivalent benefit and thus the economic calculus against their working to ‘regain’ privacy might work out differently. Regardless, we know from other studies that opt-ins are better for consumers, and opt-out for companies.

Barnes and Jennings also caution that, due to the configuration of Feeva’s infrastructure, individuals are unlikely to know whether they are in a Feeva-enabled network. I agree with Barnes and Jennings, but only to a point. Few consumers know when they are on a site that uses DoubleClick, Flash-based Cookies, Omniture, or more silent/smaller advertising and analytics organs. In many cases there are plugins for web browsers (such as Ghostery for Firefox) and tricks that various programmers have developed to identify when a site utilizes an analytics or advertising system, and it’s not outside the realm of possibility that a plugin will detect Feeva-partnered sites. Moreover, the shift away from behavioural advertising towards demographic advertising obviously comes with its own worries and challenges, but from my own perspective it’s behavioural advertising that most worries me in the online marketplace. Not all individuals may agree with this position, but I’m personally far less comfortable with my behaviour’s being tracked and used for advertising purposes than being targeted with ads based on information my ISP has, presuming that the information is used responsibly. This position is unlikely to be shared by all. A certain amount of this attitude might derived from a callousness on my own part: I’m bombarded with ads every weekday when I open my mailbox and so I’m just more used to this kind of demographic advertising. It’s important to note that I’m distinguishing between the use of demographic information for advertising and for broader ‘life’ issues (e.g. where urban infrastructure is deployed, where police deploy patrol cars more regularly, etc); Feeva is invested in the former, not the latter, uses of demographic information.

From the perspective of ‘does Feeva ever have personally identifiable information’ I’m admittedly somewhat torn. On the one hand they lack name, date of birth, absolute specific point of residence, and so forth, and as I understand American law the company should be in the clear. I’m not certain, however, whether the lack of these specific elements of a person’s identity necessarily means that they are without personal information under a Canadian definition of the term. Specifically, they have a number that is associated with locational information and I don’t know whether this would be a sufficient link to constitute personal information in the Canadian context. With RFID devices the association of a number with fairly specific locational information constitutes personal information, regardless of being aware of who the holder of the RFID chips is, but I don’t know what kind of absolute proximity would be required for an approach like Feeva’s to be considered holding ‘personal information’. Obviously this is something that Canadian privacy lawyers will think through and when/if the company comes to Canada I’m sure that we’ll see this issue dealt with in detail.

Of course, one cannot avoid this: Feeva is looking to deploy an advertising platform. For those absolutely opposed to advertising, then it doesn’t matter what the company does – it’s corporate products will always been seen in a poor light. I’m admittedly not a fan of advertising but, of the scalable advertising systems that I’m aware of, Feeva is employing practices and demonstrating a sensitivity to the collection and retention of personal information (or, better put, the lack of collection and retention of personal information) that sets them aside from competitors in the advertising sphere. This is especially true when juxtaposing Feeva against NebuAd, Phorm, or Doubleclick. Further, advertising is a part of the online ecosystem and is unlikely to go away as long as we want to enjoy ‘free’ content. The company is genuinely leveraging privacy as a competitive advantage and tying it with more traditional marketing at the same time. The latter means that there are more resources to understanding how the system will impact individuals and groups – we can leverage existing information and research – and the former is to be commended.

Privacy advocates and academics alike push for privacy to be seen as a driver of business practices, and here we have an instantiation of privacy driving a business model. This is rare, and indicates just how pervasive privacy has become as an issue in Silicon Valley, even in highly-competitive business environments that have historically thrived on exploiting every piece of information that can be collected. Feeva’s adoption of privacy as a cornerstone  of their business indicates a (rare) success for privacy advocates who have advocated for stronger privacy protections online; whether you agree with the success resting on the technology (where I think a success can be read), at the very least least it should be agreed that baking privacy into Feeva’s advertising-based business model is a success. We would be better off if more companies similarly engrained privacy into their technological infrastructure and business models alike.

Other posts you might be interested in:

1. Packet Headers and Privacy
2. Thoughts: Google and ‘Interest Based’ Advertising
3. Agenda Denial and UK Privacy Advocacy

Should ISPs adopt Juniper’s add-on, we will be witnessing yet another instance of repugnant ‘innovation’ that ISPs are regularly demonstrating in their efforts to enhance their revenue streams. We have already seen them forcibly redirect customers’ DNS requests to ad-laden pages, provide (ineffective) ‘anti-infringement’ software to shield citizens from threats posed by three-strikes laws, and alter the payload content of data packets for advertising. After touching the payload – and oftentimes being burned by regulators – it seems as though the header is the next point of the packet that is to be modified in the sole interest of the ISPs and to the detriment of customers’ privacy.

Advertisers that have been gathering demographic information on citizens for decades are looking to harness their existing databases with the services offered through Juniper and Feeva to target ads at the neighbourhood level. As noted by a recent Wired article detailing Juniper’s integration;

IP-address detection is only accurate within 25 miles or so, and cookies that track users’ surfing habits don’t tell marketers about users’ location. Neither system meshes directly with all the demographic data marketers gathered about neighborhoods in the offline world…Feeva claims its software doesn’t tell marketers anything about web surfers except for their nine-digit zip codes. All their other personal information remains safe with their ISP.

The information that is included in the packet header is encoded in such a way that only ‘trusted third parties’ can translate the packet data to correlate it with geographical locations. Neither Feeva or Juniper are giving any indication that individuals will be able to opt-out of this information disclosure to third-parties. While one of Feeva’s VPs insists that their approach to advertising is privacy protective – on grounds that they “never see any personally identifying information, we don’t track online usage like behavioral [advertising does], and we only aggregate at the neighborhood level” – I have to question just how ‘protective’ any system is that lets advertisers link cookie information, IP information, and geographic information. Both Feeva and Juniper seem to be portraying the technology as an entirely discrete advertising system, but in reality any partners will likely be using the tried-and-true cookie surveillance practices that are widespread online. Now the data contained in cookies will be supplemented by certified-accurate information by the ISP. Moreover, I’m doubtful that geographic information will be limited to ‘trusted third parties’ forever: while the information might be kept from relatively uninterested attackers, a dedicated attacker/hacker should be able to reverse engineer the random data to geographic information in relatively short order. I trust the masses of curious hackers to defeat any corporate system that is meant to massively integrate with corporate systems than those corporations – who have no real reason, save for market exclusivity reasons, to do everything in their power to prevent the sharing of this information – to genuinely do everything in their power to secure individuals geo-locational privacy.

We should recognize that this kind of ISP ‘innovation’ is exactly the opposite of what most customers actually want. The cool stuff that customers genuinely enjoy on the ‘net has largely been produced by over-the-top services, not ISPs. While there are high returns in the Canadian telecommunications industry and abroad, even in times of recession, the present returns are seemingly insufficient: ISPs want into Google and Apple’s marketing pie and will use their monopoly power over data pipes to take ‘their fair share’. The problem, of course, is that most customers don’t want their ISPs to monetize data traffic beyond selling particular data speeds and capacity. They are happy when ISPs innovate in a manner that improves network efficiency, security, and customer service, but are far from pleased when they integrate packet-sniffing technologies for copyright enforcement purposes, packet modification services for advertising, or onerous packet delay systems.

Moreover, while individuals in a privileged position in society are less likely to be terribly nervous about the association of their geographic location with data packets, anyone who has even glancingly studied the impacts of demographic advertising and targeting realizes that the underprivileged are often disproportionately disadvantaged on the basis of their residency location(s). The underprivileged ‘enjoy’ food deserts, systemic discrimination at the hands of the state (see: Gilliom’s Overseers of the Poor), and limitations on their capacity to operate as fully integrated social participants (see: Curry’s Digital Places: Living with Geographic Information Technologies). In each of the above cases, additional surveillance technologies were not necessarily created with the intentions of harming underprivileged members and communities of societies, but simultaneously the technologies (arguably) lacked a genuine analysis of the responsibilities and potential harms accompanying them. It is critical that before we release new technologies into the wild that we both bake in privacy and reflect on the possible consequences for democratic social organization.

The ability to put something on a map is incredibly powerful. It locates, marginalizes, fixes, and focuses. Humans have gone to war over maps, over the power contained in depicting the world. Visual manifestations of the world-as-such carry philosophical, societal, religious, civil, racial, and ethnic overtones and thus must be treated with respect. While Juniper’s technology only draws on the customer database (and individual’s residence) to provide information to marketers, might this map-to-packet technology become integrated with mobile products in the future? Can the geographic location of a customer on a mobile device be transmitted using this technology to facilitate true proximity-based advertisements?

As concerned citizens and consumers, we should also ask: is the linking of previously separate database records (those of the ISP and those of the advertisement agencies) constitute a breech of the privacy agreements between end-users and their ISPs? Can any ISP unilaterally modify their privacy and business practices – can they extend to whom data is shared and conditions under which data packets are treated – or should they be held to account by the FTC and related national and international regulatory organizations?

Unlike the usage of deep packet inspection technologies, which ostensibly are used for security, billing, and traffic management purposes, the modification of packet headers for advertising purposes clearly falls well outside of the activities that are permitted by Canadian regulators. Attempting to integrate this technology into the Canadian telecommunications infrastructure should, and presumably would, be challenged by the Office of the Privacy Commission of Canada, civil and customer advocates, and the CRTC. Perhaps ISPs might attempt to fend off the CRTC by claiming that no content is inspected – the routers would only be adding a bit of information to the packet header itself – but the companies would presumably run afoul of the CRTC’s obligations to protect consumers’ privacy and the fact that a massive material change to contracting terms would have taken place. This is to say nothing of the absolute resistance to the technology that should be projected by advocates and the federal Privacy Commissioner’s Office.

Perhaps, however, the Canadian regulatory environment is well-enough established following the traffic management hearings that Juniper’s new add-on technologies will be unable to establish a hold amongst Canuck telcos and cablecos. In turning our gaze to the US, however, the FTC might be the best suited to protect consumers by way of enforcing existing privacy policies (and, I will note, that American technology companies such as Microsoft and Yahoo! are worried that FTC might begin doing just this) and preventing ISPs from actually rolling out this anti-privacy, anti-consumer networking technologies. As nations around the world mount regulatory meetings about how data packets can and cannot be handled over the coming months and years we will see whether technology add-in’s like those proposed by Juniper will be left to wither or blossom on the ISP-advertising vine.

Other posts you might be interested in:

1. Privacy Advocates and Deep Packet Inspection: Vendors, ISPs, and Third-Parties
2. Draft – Deep Packet Inspection: Privacy, Mash-ups, and Dignities
3. Deep Packet Inspection and the Confluence of Privacy Regimes

In this post I’m going to first give a brief background on iAd and some of the broader issues surrounding Apple’s deployment of their advertising platform. From there, I want to recap what Steve Jobs stated in a recent interview at the All Things Digital 8 concerning how Apple approaches locational surveillance through their mobile devices and then launch into an analysis of Apple’s recently changed terms of service for iOS4 devices as it relates to collecting, sharing, and retaining records on an iPhone’s geographic location. I’ll finish by noting that Apple may have inadvertently gotten itself into serious trouble as a result of its heavy-handed control of the iAd environment combined with modifying the privacy-related elements of their terms of service: Apple seems to have awoken the German data protection authorities. Hopefully the Germans can bring some transparency to a company regularly cloaked in secrecy.

Apple launched the iAd beta earlier this year and integrates the advertising platform into their mobile environment such that ads are seen within applications, and clicking on ads avoids taking individuals out of the particular applications that the customers are using. iAds can access core iOS4 functionality, including locational information, and can be coded using HTML 5 to provide rich advertising experiences. iAd was only made possible following Apple’s January acquisition of Quattro, a mobile advertising agency. Quattro was purchased after Apple was previously foiled in acquiring AdMob by Google last year (with the FTC recently citing iAd as a contributing reason why the Google transaction was permitted to go through). Ostensibly, the rich advertising from iAds is intended to help developers produce cheap and free applications for Apple’s mobile devices while retaining a long-term, ad-based, revenue stream. Arguably, with Apple taking a 40% cut of all advertising revenue and limiting access to the largest rich-media mobile platform in the world, advertising makes sense for their own bottom line and its just nice that they can ‘help’ developers along the way…

Regardless of the larger economic strategies Apple is involved in, what is key for our purposes is that the iAd system and its partners can utilize the smartphone’s locational awareness to deliver more customized applications. In the pre-iOS4 days, whenever an application wanted to access the GPS or wifi locational APIs users were presented with a very large warning offering notification that the application was trying to use the GPS/wifi. You had the option of touching OK or cancelling the request to the API. It was, as far as I was concerned, one of the best privacy-protective features of the phone.

Steve Jobs, in his most recent appearance at the All Things Digital conference, was asked by Walt Mossberg and Kara Swisher whether or not privacy was looked at differently in Silicon than in the rest of the world. Jobs responded,

We’ve always had a very different view of privacy than some of our colleagues in the Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you’re going to do with their data.

Quite bluntly, this was a stellar response and were it being actualized in Apple’s present business practices it would cause the company to be one of the shining stars amongst technology companies looking to secure their customers’ privacy. Unfortunately, with the release of the iOS4 and iAd Apple seems to have significantly departed from the statements made by Jobs just a few weeks earlier. In order to install the most recent version of the mobile operating system on Apple’s devices, users must agree to a 45 page terms of service agreement. Buried within the agreement is the following:

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

While the data is claimed to be ‘anonymous’ one has to ask: how anonymous is a data stream that identifies where a person is regularly browsing the web to be served ads to late at night, in a residential area? I have extreme doubts that it’s going to be particularly challenging to link up geographic information with actual residences, and by extension names of people that can be presumed to be using the phone.

As noted by Daily Tech, while customers can prevent third-parties from collecting locational information there isn’t a similar way of preventing Apple itself from collecting locational data. Apple does not have a clear system that users can use to prevent such data collections, nor has Apple made it clear how often they will be collecting personal information or the full range of internal uses of the information. There is not presently a process in place that would reveal this information to customers or regulators. Further, opting out of third-party surveillance entails customers learning that they are being tracked and then visiting an Apple website and choosing to opt-out using the smart device.  Significantly, “[t]his opt-out applies only to Apple advertising services and does not affect interest-based advertising from other advertising networks.” The ‘granular’ opt-out approach demonstrates that we are against dealing with the worst-practices privacy regime that is prevalent in the US, where customers must track down all of the advertisers collecting personal information and then choose to opt-out to each advertiser. Given Jobs’ earlier comments, we should expect Apple to adopt an opt-in approach to advertising if Apple were to genuinely differentiate themselves from the rest of Silicon Valley in the privacy domain.

As noted earlier, we presently have no real understandings of what exactly will be collected and delivered to third parties – anonymous data sets is unclear, and what is required is a granular depiction of what specific individuals may/will be sharing out to iAd partners and Apple itself. While we presently have no information about what is shared, how long it is retained, and the full range of uses of the data, this might be changing soon. Apple’s rising market share combined with the popular appeal of their products has made them a target for regulators, which arguably has influenced the amount of attention the company has recently received from German authorities. The German Justice Minister stated that “users of iPhones and other GPS devices must be aware of what kind of information about them is being collected.” As part of this, the Minister expects Apple to open its databases to German data protection authorities and clarify its data collection and retention policies. It is possible that the shield of secrecy usually surrounding Apply may be breached by the Germans, and we can hope that other privacy authorities around the world will similarly put pressure on Apple to increase their transparency on the collection, storage, and transference of deeply personal locational information.

It’s important to note that with the recent iOS4 updates there are no longer any notifications when either Apple or a third-party attempts to capture your location for collection and service provision purposes; instead of a clear notice of this change individuals are left to their own devices to find the new settings. If you’re not particularly savvy, or aware of the change (I wasn’t: for several days I was surprised that no location information was been collected or used by the various applications that I use), then you’d have no idea that to modify location settings individuals would have to:

1. Open the ‘Settings’ panel;
2. Open the ‘General’ sub-panel;
3. Open the ‘Location Services’ sub-sub-panel;
4. Modify what applications can access locational data discretely, or locational settings as a whole.

The problem with this new approach is that there are times when I have no issues broadcasting my location to one of these third-parties and other times that I see absolutely no reason to share this information. Without any indication of when my device is having its location data polled I’m entirely unable to know when, for example, the Google Maps application is collecting my location data. Does it do so even when I’m just seeing the distance between two locations on a continent I’m not on? Only when I’m actively trying to sync my location with a Google Map? The same issue – a binary ‘locational tracking is on or off’ option – pervades the entire iOS4. Previously individuals were actually given control over what third-parties could gain access to locational data. The degree of this control, and by extension the ability of individuals to limit the transmission of personal information to third parties, has significantly degraded.

Further, we are forced to ask: has Apple always collected some location data without asking the user’s permission (and just noted this behaviour as happening in their Service Agreement as of now) or is this genuinely a novel practice? Should companies be permitted to massively reshape how they deal with private information, moving from what visually appears as a terrific opt-in system to a woefully inadequate opt-out system, without very clearly communicating the restructuring of company privacy principles and legal extensions of those principles? Burying changes in a 45 page service agreement, and several layers into the operating systems settings, does not constitute such a clear communication.

Advertisers have long-opted for incredibly poor modes of alerting customers of data collection, sharing, and usage. Steve Jobs, and by extension Apple, had previously asserted a set of privacy principles intended to set them ahead of their peers – Apple was to be the guardian of privacy by advocating opt-in privacy practices. Unfortunately, it seems that the hint of advertising dollars has led Apple to cast aside privacy principles in the hopes of making a quick buck at the expense of citizens’ privacy. While not necessarily surprising or even disappointing (Apple is, after all, a publicly traded company that is purely motivated to return profits to their shareholders) the high-profile company’s bait and switch on its privacy principles will hopefully attract regulatory attention and establish more ‘guidance’ so that other companies are less willing to sell out customers on behalf of the balance sheet.

BACKDATE:

It would seem that the co-chairmen of the House Bi-Partisan Privacy Caucus sent a letter to Steve Jobs on June 24th to address Apple’s new locational sharing policies. The letter included the following questions:

1. Which specific Apple products are being used by Apple to collect geographic location data?
2. When did Apple begin collecting this location data, and how often is data collected from a given consumer?
3. Does Apple collect this location data from all consumers using Apple products? If the answer is no, please explain which consumers Apple is collecting information from and the reasons that these consumers were chosen for monitoring.
4. How many consumers are subject to this collection of location data?
5. What internal procedures are in place to ensure that any location data is stored “anonymously in a form that does not personally identify” individual consumers? Please explain in detail why Apple decided to begin collecting location data at this time, and how it intends to use the data.
6. Is Apple sharing consumer location information collected through iPhones and iPads with AT&T or other telecommunications carriers?
7. Who are the unspecified “partners and licensees” with which Apple shares this location data, and what are the terms and conditions of such information sharing?
8. How does this comply with the requirements of Section 222 of the Communications Act, which mandates that no consumer location information be shared without the explicit prior consent of the consumer?
9. Does Apple believe that legal boilerplate in a general information policy, which the consumer must agree to in order to download applications or updates, is fully consistent with the intent of Section 222, and sufficient to inform the consumer that the consumer’s location may be disclosed to other parties?
10. Has Apple or its legal counsel conducted an analysis of this issue? If yes, please provide a copy. If not, why not?

Apple has until July 12 to reply.

Other posts you might be interested in:

1. Solved: Apple SATA II 1.7 Firmware Problems
2. Comment: Apple, encryption, and being uber-lame
3. Review: Apple iPad

Linksys has adopted a horrible approach to further monetizing the digital ecosystem; some of their routers now hijack 404 pages to deliver advertising! This leads me to ask: when customers are sold automatic advertising + networking gear should they really be required to pay for the router? It seems like most users (i.e. those who won’t go any further than running the default system to set up their wireless networks) are going to be in a situation where they pay cash for a device AND subsequently have to put up with obnoxious advertisements.

While a freemium model for the sale of hardware (i.e. get the router for free + advertising, and evade advertising with either a one-off or monthly payment plan) is interesting, setting defaults so that people are both paying for a piece of hard and increasing third-parties’ revenue streams by being forced to view ads is just wrong.

Other posts you might be interested in:

1. Funny: Cisco and Valentines

In the course of this post, I begin by outlining what constitutes personal information and then proceed to outline DoubleClick’s method of collecting personal information. After providing these outlines, I argue that online advertising systems do collect personal information and that the definitions that Google offers for what constitutes ‘personal information’ are arguably out of line with Canadian sensibilities of what is ‘personal information’. As a result, I’ll conclude by asserting that violations may in fact be occurring, with the argument largely emerging from Nissembaum’s work on contextual integrity. Before proceeding, however, I’ll note that I’m not a lawyer, nor am I a law student: what follows is born from a critical reading of information about digital services and writings from philosophers, political scientists, technologists and privacy commissioners.

Central to the claim that personal information is collected and used in ways that individuals do not anticipate or desire is identifying what the term ‘personal information’ refers to. Also, we have to consider the degrees of surveillance that individuals should expect experience in ‘public’ environments. These environments should be taken to include not just city parks and commercial stores, but also non-passworded/registration-free websites. The Information and Privacy Commissioner of Ontario (IPC), in their lengthy analysis of privacy and video surveillance in mass transit systems, argues that:

While the expectation of privacy in public spaces may be lower than in private spaces, it is not entirely eliminated. People do have a right to expect the following: that their personal information will only be collected for legitimate, limited, and specific purposes; that the collection of their personal information will be limited to the minimum necessary for the specified purposes; and that their personal information will only be used and disclosed for the specified purposes.

Moreover, there are socially-construed norms that ought to be recognized; humans are cognitively designed for the analogue world – this is one of the reasons why long-term storage of digitally externalized memory is so problematic – and as such analogue norms ought to carry over into the digital domain. In carrying over such norms, and considering the nature of information sharing in the analogue world, we need to focus on “not simply restricting the flow of information but ensuring that it flows appropriately,” [1] with “appropriately” a reference to making sure that data flows accord with contextualized social norms. In the social world there are finely calibrated sets of norms that govern the flow of personal information in distinct social contexts; such norms ought to be drawn into the digital instead of being repudiated in favour of an entirely novel set of norms that (negatively) rebalance power-relationships away from information/data holders in favour of data-aggregation bodies.

In thinking of a shopping environment that I physically walk into, precious little information is collected about me until I am involved in making a purchase (barring the introduction of high-tech analysis systems, such as behavioural recognition software tied to cameras, RFID scanners monitoring when shopping items are picked up, etc). Even where I am involved in multiple interactions with sales staff these are discrete, and not collated in a format that can be processed by a computer nor indexed to my name or a unique identifier. I am likely quickly forgotten about – retention of ‘collected’ data is incredibly limited, limited for the contextual needs of the sales situation. This is obviously different in a digital environment, where each page that is opened is logged, time on pages noted, entry and egress points monitored. The data collected in the digital environment is only ‘forgotten’ after a set period of time by the website administrator. This induces novel notion of ‘appropriate’ data durations; Daniel Solove in his book The Digital Person speaks to the dangers built into these data-drive dossiers that are compiled about individuals, and Viktor Mayer-Schonberger speaks to the risks of not forgetting in the digital era. In both authors’ texts, a resonating theme is that ‘appropriate’ data retention periods in a digital environment are radically, and often unnecessarily, different from their analogue precursors.

In the former sales situation, we have an instance of personal information (perhaps they ask your name) being retained for a limited period of time and for a legitimate, specific purpose (e.g. developing a relationship with an individual for sales purposes whilst in the store). It is subsequently disposed of following the conclusion of the transaction in most cases. This is directly at odds with the data collected in the server-based situation, where the smallest action is often recorded and used for extensive marketing and enhanced surveillance purposes.

Thus far, all that I have asserted is that more information is collected in a digital, and specifically sales, environment online than offline and that socially-construed norms from analogue contexts ought to be drawn to digital situations. As part of this, there is a recognition that ‘public’ online actions should not expect total privacy, but a lowered expectation of privacy does not equal an absolute dearth, or absence, of privacy. Let’s now move to outline what might constitute personally identifiable information.

In the interests of maintaining consistency (and avoid accusations of ‘cherry-picking’ from different government reports) we can turn to definitions of personal information in section 2(1) of Ontario’s Freedom of Information and Protection of Privacy Act that are prominently drawn on in the IPC’s analysis of the legitimacy of video surveillance. Personal information refers to recorded information about an identifiable individual and includes:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
• any identifying number, symbol or other particular assigned to the individual (emphasis added);
• the address, telephone number, fingerprints or blood type of the individual;
• the personal opinions or views of the individual except if they relate to another individual;
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence (emphasis added);
• the views or opinions of another individual about the individual, and;
• the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

The two boldfaced sections, above, are the domains within which personal information is most likely to be collected and used over the course of online transactions.

DoubleClick, an advertising company that is owned by Google, operates by depositing small persistent cookies (which contain unique alphanumeric codes) on individuals’ computers. Persistent cookies remain on your computer after you close it – and can be juxtaposed against session cookies that are deleted with the closure of the browser – and used to trace users as they move about the web and deliver targeted ads with the additional assistance of web beacons. Such beacons are usually 1×1 pixels in size and designed to blend into a website so that the end user never notices their existence. This cookie-beacon-advertising system is intended to be transparent to the consumer.

DoubleClick asserts that personal information includes (but is not limited to) “name, address, telephone number, email address, social security number, bank account number or credit card number.” Sensitive information – information the company does not share or collect – “categorically includes but is not limited to data related to an individual’s health or medical condition, sexual behavior or orientation, or detailed personal finances, information that appears to relate to children under the age of 13 at the time of data collection; and PII otherwise protected under federal or state law (for example, cable subscriber information or video rental records).” It’s key to note that in this latter reference, what the sensitive information protected by federal and state law, is solely in reference to American privacy laws.

If you will permit a brief detour, the federal Office of the Privacy Commissioner acknowledges that personal information is collected with RFID system when locational data is associated with an RFID chip’s unique identifier. I argue that the unique number associated with the RFID chip and the unique alphanumeric string associated with a cookie an analogous, and further that movement across the web constitutes digital “movement” paralleling physical movements that can be detected by proximity RFID readers. Just as a sales company tracking information in their ‘private’ space would be seen as collecting personal information, so should any web company that tracks users as they move through the company website.

On this basis, the association of where a customer moves online with a unique number constitutes the collection of personal information; DoubleClick’s assertion that they are simply collecting “non-personally identifiable information” in their daily business activities doesn’t hold water. Moreover, from the perspective of the IPC’s understanding of personal information, an identifying number or symbolic representation is being correlated with a distinct computer moving across the ‘net, and it is entirely possible that “private correspondence” is being identified insofar as what are (from a social-norms perspective) private data surfing actions are surveilled and included in a DoubleClick database for the purposes of advertising.

There are two immediate responses that come to mind after asserting the DoubleClick is collecting personal information. On the one hand, someone opposing this position might argue that no person is identified, but a computer represented by an IP address (and perhaps a host of computers that are sitting behind a NAT-enabled router) is instead identified. Alternately, one might maintain that on the basis that online advertising systems are widespread the usage of DoubleClick’s (and other advertising agencies’) services is thus legitimate. I’ll address these in turn.

To the first, the Office of the Privacy Commissioner of Canada has asserted that where there is an association of personal information with an IP address that the address constitutes personal information. To put it another way, the IP address itself, on its own, isn’t ‘personally identifiable information’ but when it is mashed together with other data sources then it can be seen as personal information and thus deserving protection. For those individuals who have opted out of receiving a DoubleClick cookie they are still targeted with ads, in part based on their IP address as well as the name of the site they are visiting, specific web page they are visiting, key values, operating system type, windows version, user’s local time, and the ‘non-personally identifiable’ information sent by the website itself. This involves a collection of information and associating it with an IP address, and this information in a unique configuration may constitute the collection of personal information, regardless of DoubleClick’s assertions otherwise.

To the second, social norms dictate that certain modes of surveillance are to be genuinely ‘expected’ but such norms do not mean that individuals entirely abandon their rights to privacy as soon as they leave their home(s). What is critical in determining whether a surveillance practice is being performed in such a way that it constitutes a privacy violation is whether or not “its use in a particular context, in a particular way is not overly unusual. One cannot generalize from the observation that certain installation in certain contexts are commonplace, accepted, and supported to the conclusion that all installations irrespective of contexts will not violate expectations of privacy.”[2] To put this in context, it can be read to say that simply because the installation and use of DoubleClick cookies is permissible under the context of American privacy norms (assuming that this is even the case) it cannot subsequently be asserted that these cookies are also permissible under the social contexts of Canadian or European privacy norms. Given that Canada and Europe have significantly stronger privacy protections that the United States – and if we suppose that the laws that are established are reflective of the dominant socio-political norms of a citizenry – it seems key that a normative needs to analysis be conducted to determine whether, after translating their analogue surveillance norms to a digital domain, Canadians and Europeans are would see the deposition of tracking cookies on their computer as normatively permissible.

So what is the takeaway from all of this? First, that it’s key to not just read how third-party groups that you may be working with (such as DoubleClick for advertising purposes) define and collect personal information. You have to go at least one more step to ensure that how these definitions are made and collections occur are in accordance with the laws and social norms of your nation. Second, that from the point of view of managing flows of information that end-users are interested in ensuring that their information flows in accordance with with their social norms, norms that are emergent from their analogue experiences and lives. Discounting such norms and demanding the individuals (for some reason…) simply adopt ‘digital norms’ misses the fact that humans remain analogue creatures, with analogue modes of dealing with the work as a key part of their social and biological characteristics. The failure of a web environment to recognize both of these points – that you need to check that collections of data are permissible and in accordance with social norms – and act on them threatens to undermine user trust, and even Google recognizes that in the absence of their end-users’ trust their business models would collapse.

[1] Nissembaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life, p. 2.

[2] Nissembaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life, p. 235.

Other posts you might be interested in:

1. Doubleclick + Adblock = I’m a Moral Monster?
2. Ontario Information and Privacy Commissioner, and DRM
3. Aggregating Information About CView

When you hear social-media enthusiasts talk about their media environment, authenticity (i.e. not pretending to be someone/something you’re really, absolutely, not) is the key thing to aim for. Ignoring the amusing Heideggerian implications of this use of authenticity (“How very They!), I think that we can take this to mean that there is a ‘currency’ in social media called ‘authenticity’. There are varying ways of gauging this currency.

• On Facebook, the Whopper Sacrifice identified the authenticity of the relationships between friends. In effect, it measured whether or not a friendship was ‘strong enough’ to be kept in the face of a free burger, and also actually performed a valuation of Facebook by putting dollar values to links between friends.
• On Twitter, various companies and performers are finding interesting ways of monetizing the service. Most interesting, for me right now, is how companies will give Twitter users free goods if they Tweet some message or another.

It is Twitter that I want to spend just a few minutes thinking about. In this social networking space, authenticity is ‘measured’ through the willingness to self-craft/authenticate messages. Where individuals are found to not be writing their own messages then they are (implicitly or explicitly) adding their weight to whatever message they are Tweeting on behalf of other parties (e.g. a commercial) or forwarding through their own network (e.g. a ReTweet). When an individual is developing an online reputation, however, how do we think about the economics of authenticity? Is it worth a certain amount of (ether-like) ‘reputation’ to receive some product, which is often digital and thus costs the company providing it (effectively) nothing?

I ran into this last night (which motivated this post), where a band that I’ve recently found demanded that I Tweet some advertising on their behalf before I could download a new music video for their forthcoming album. I didn’t comply, and found an alternate way of getting the video, and in fact now refuse to promote the band. This isn’t because I dislike the band (I think they’re doing interesting and recombinant work) or the video (it matched the diverse and eclectic audio I’ve come to expect from the band), but because I resent being put in a situation where receiving a freely hosted good requires me to first, blindly, lend my reputational-weight to their product. I don’t like software that I can’t try before buying, and the same goes for cultural products.In effect, I found the cost of the (economically) free transaction to access a music video be too high when contrasted against my perceived valuation of authenticity. Authenticity ‘costs’ were too high compared to the economic costs.

This said, recent advertising efforts that required individuals to tweet particular messages to receive fixed products, such as new MacBook Pros, raced across Twitter and become trending topics. This certainly suggests that my own approach/uses for Twitter diverge from many others on Twitter (though I’ll note that I rarely see ad-Tweets from people I follow). I’d be curious to read whether or not my more ‘conservative’ approaches to online reputation and Twitter stem from the duration of time that individuals are on the service, ‘types’ of user (e.g. for fun, professional networking, broadcast, etc), or some other categorization schema. Such a distinction in user-types could be subsequently used to develop alternate economies of authenticity, where I would presume that ‘conservative’ users like myself who also have a large follower base (which I do not have) would have more to ‘lose’ in trading authenticity for product than a ‘fun’ user with a similarly large follower-base.

While Anderson has talked about the economics on Free as it pertains to social networking, I think that the generalization of all users as identical (e.g. all friend relationships on Facebook can be seen as equivalent to each other, in dollars and cents terms) is problematic and limits an accurate valuation of social networking environments. I think that real valuation needs to understand the variations in the economics of authenticity to determine effective whole-scale monetization strategies. Such a comprehensive understanding demands a genuine investigation into the distinctions in user-types to base subsequent monetization and ad-driven models on; lumping all users into the same category will leave social marketers with an overly opaque and inaccurate valuation of online digital relationships. They are, of course, ‘free’ to adopt overly simplistic economic models, but I expect that they do this at their peril when thinking of the long-term implications of adopting simplistic versus nuanced models.

Other posts you might be interested in:

1. Twitter and Statutory Notions of Privacy
2. Twitter, Mobile Browsers, and Metadata Privacy
3. Twitter and Privacy in Social Context

ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions.  However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology.  They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected (Source).

The Prime Minister’s office is unwilling to ‘second guess’ the ICO, and instead refers petitioners (there were about 21,000) to the ICO’s public statement about Phorm. In that publication (dated April 8, 2009), the ICO stated that that:

Indeed, Phorm assert that their system has been designed specifically to allow the appropriate targeting of adverts whilst rigorously protecting the privacy of web users. They clearly recognise the need to address the concerns raised by a number of individuals and organisations including the Open Rights Group (Source).

It worries me when a Prime Minister’s office redirects someone to a report that, as written, suggests that a company will take complaints on good faith and try to effect changes in their system, especially when said company then resorts to negative PR to try and discredit the individuals and organizations launching those complaints. In this case, Phorm has established their StopPhoulPlay website, which targets those who offer negative comments of Phorm by declaring them ‘privacy pirates’ in an effort to discredit their advocacy work. In effect, we are seeing the Prime Minister’s office state that Phorm will listen to criticism, but it appears as though Phorm’s response has been to try and diminish the respect and credence of privacy advocates.

I’ll admit that seeing only 21,403 people sign the petition is kind of sad, especially when you consider that this is an online petition that is easy to disseminate and almost as easy to sign up for. At the same time, by stating that the ICO is independent Downing Street is effectively washing their hands of responsibility for any ill effects or fallout of Phorm. I’m not suggesting that as a result of the petition that the independence of the ICO should have been overturned, but it is interesting to see that this particular issue was responded to on a day where a variety of other events were happening in the UK, and the world more broadly. While I’ve heard that this is the equivalent of ‘burying’ the petition, I would want to walk back from that a bit and say that the government is, at least, not wanting to publicize their lack of engagement with this potential privacy problem. In separating government business and privacy business, the government is (if only implicitly) stating that as soon as the ICO makes a ruling that the government cannot discuss or overturn their decision.

In Canada, at least, we do routinely see the government comes at odds with various commissioners. When the government disagrees with a commissioner, this isn’t ‘influencing’ the commissioner, but instead is a moment where you see a very public discussion over particular matters. It’s a shame that we didn’t see the UK government try to initiate a similar discussion in relation to Phorm and behavioural advertising; it’s absolutely disappointing when we see more rigorous consumer protection discussions in the US about behavioural advertising (which lacks a privacy commissioner) than in the UK with it’s ICO.

Other posts you might be interested in:

1. Agenda Denial and UK Privacy Advocacy
2. Update: Feeva, Advertising, and Privacy
3. Web 2.0, Facebook, Government, and Business

Towards a Statutory Notion of Privacy

Whereas Warren and Brandeis explicitly built a tort claim to privacy (and can be read as implicitly laying the groundwork for a right to privacy), theorists such as Alan Westin attempt to justify a claim to privacy that would operate as the bedrock for a right to privacy. Spiros Simitis recognizes this claim, but argues that privacy should be read as both an individual and a social issue. The question that arises is whether or not these writers’ respective understandings of privacy capture the normative expectations of speaking in a public space, such as Twitter; do their understandings of intrusion/data capture recognize the complexities of speaking in public spaces and provide a reasonable expectation of privacy that reflects people’s interests to keep private some, but not all, of the discussions they have in public?

Westin asserts that privacy is “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin 1970: 7). Each relationship is judged on its own merits, with individuals potentially providing different information to their various communicative partners. Within the range of social relationships that individuals are caught within there are ongoing adjustments to ‘balance’ one’s sociality and reclusiveness. Westin argues that claims to balancing sociality and reclusiveness are manifest throughout the natural world, from relationships between wild animals, to primitive societies, to contemporary modern societies. While there are differences in the particular instantiations of privacy norms in each human society, such norms are broadly captured across all societies as:

1. Individual and group norms.
2. Norms that differentiate between privacy and the total absence of other presences.
3. Normative understandings of what constitute appropriate curiosity for understanding reality and appropriate degrees of surveillance for maintaining social order.
4. Norms that demonstrate increasingly sophisticated expectations of anonymity that correspond with the shift from thick to thin social bonds.

The common mode of realizing when a privacy claim is being contested is when we experience an unwarranted or undesired intrusion on our sensory fields (Westin 1970: 30). Such intrusions occur when we unsuccessfully try to make one of the claims listed below, and instead find ourselves subject to forced disclosure(s) of personal factoids, to intrusive surveillance, or to having our communications republished without our consent. The claims to privacy that we make are:

1. Solitude – where we try to separate ourselves from our social group.
2. Intimacy – where we act in small groups to experience mental release.
3. Anonymity – where we enter large groups without providing our identity to engage in self-reflection in a space free of surveillance and identification.
4. Psychic reserve – where we limit communications with others to provide a claim to privacy even in an intense relationship.

Individuals and organizations alike make these four claims, and each is subject to the aforementioned modes of intrusion. Within a public domain, we might expect to enjoy intimacy by secluding a group from the larger public (e.g. a table in a bar), anonymity by crossing into a digital space using a pseudonym to learn and reflect on choices, and psychic reserve by not disclosing our full life-history in a public space, such as a grocery store. In terms of a public communicative space, what would it mean to enjoy privacy when using Twitter?

Presumably, members of such public environments would not be attempting to seclude themselves from others. They could be engaging in an intimate conversation similar to a discussion in a bar and, given the high noise-to-signal ratio, they might have an expectation of talking without likely being unduly disturbed or surveyed. Despite this hope for intimacy, however, Twitter emphases sharing/reposting other people’s comments, which makes it dubious that an unwarranted republication/retweeting would constitute a substantive infringement on an intimacy-based claim to privacy. At the same time, we might wonder if it is possible for an individual to realize another party is paying more attention to a conversation occurring in public than is socially acceptable without them retweeting a comment.

Without full recourse to the sensory fields we have depended on to notice contestations of our claims to privacy we may not register moments of identification and surveillance, though per Westin’s categories identification and surveillance would infringe on claims to anonymity. While Westin is trying to carve out a claim or right to privacy (he asserts a claim at the beginning of the text, but this claim seems to shift towards a right to privacy in the third chapter) grounded in historical and anthropological evidence, we are left wondering how exactly we would register a challenge to a privacy claim where our centuries-honed senses are of minimal assistance in determining whether someone has invaded our fields. Ultimately, while Westin does note what conditions we would base a reasonable expectation of privacy on, we are left without a clear idea of how to recognize when our expectations are not being met in a digital communicative domain such as Twitter. His work seems well suited for developing a statutory claim to privacy, but less suited for digitized public environments where identifying privacy breeches is largely possible only when another person engages with the norms of the same environment (i.e. reposting another person’s comment(s)).

Turning to Simitis, a former German data protection commissioner, we can learn how a regulator may want to instantiate Westin’s claim to privacy in law. By approaching privacy as the right to control one’s personal data, Simitis transforms the issue from an abstract theoretical argument that is true across time to one that is better “aware of the political and social background” motivating privacy debates (Simitis 1987:709). Privacy is not only something of value to the individual, but is critical to healthy democracies as well. To contextualize the contemporary privacy discussion, he notes three differences born of technology that differentiate contemporary privacy discussions from those of Warren and Brandeis.

1. Privacy considerations express conflicts affecting everyone, not just individuals.
2. Exceptionally high-quality surveillance has become normal.
3. Personal information is increasingly used to enforce standards of behavior (Simitis 1987: 709-10).

Simitis focuses on the exchange of personal information as the source of privacy problems and, as a result of behavioral analysis and vast data gathering instruments, whole populations are now typically targeted instead of just specific individuals. In the face of this vast data collection assemblage, privacy violations can be limited by establishing regulatory controls which govern how and why personal information is disseminated (Simitis 1987: 737). Given the capacity of government and business alike to shape citizens’ interests, and his concern that such shaping undermines individuals’ abilities to independently make decisions and take actions (Simitis 1987: 733), we would expect Simitis to agree with Daniel Solove’s argument that a set of data points can be used to develop the equivalent of a digital Seurat painting, with the individual citizen as the painting’s subject. Unlike Solove, however, Simitis is working from the position that sufficient regulation along with an independent data commissioner might actually limit the free-flowing retransmission of personal data and thus limit who can legitimately generate such digital paintings. A strong regulatory body with the following characteristics must be established if individuals’ privacy is to be secured, and this will also preventing infringements on citizens’ constitutional rights and thus shield the nation-state’s constitutional foundations from damages. The regulatory body must:

1. Recognize the unique nature of personal information.
2. Ensure that data collectors explicitly note what collected personal data will be used for.
3. Interpret existing regulations fluidly and can quickly develop new regulations in order to keep up with changes in technology.
4. Operate independently of the legislature and be able to rapidly respond to data transmission and retention problems.

In terms of speaking in public, when surveillance assemblages capture personal data and transmit it automatically there is a danger the social actors will regulate their actions in accordance with popular norms and thus stymie the growth or maintenance of the democratic state. While a network such as Twitter does recognize that individuals ‘control’ their own data, it is now an accepted norm of the Internet that web spiders from major search engines categorize particular pages based on their apparent content and keywords. Contextualized advertising systems may inspect tweets to identify keywords and deliver advertisements based on those words. In both of these cases, there is a collection/observation of personal data accompanied by a transmission of elements of that data to a foreign server. As a result of categorizing the web content it is possible that a particular group of people may be more likely to find your tweets, or delivered particular advertising. In both cases it is possible, and common, for spiders and advertising systems to misidentify keywords, miscategorize web content, and potentially embarrass individuals based on the categories their content is found in and the advertising delivered alongside their content. In the face of these ‘risks’ should data collectors be required to clearly note what any collected data will be used for and, if so, how is this notification performed? Is agreeing to an End User License Agreement (EULA) sufficient to waive your privacy claims in relation to particular third-party data collection and use? These are the kinds of questions that Simitis’ regulatory body would be pressed to engage with.

Furthermore, do individuals have a reasonable expectation to privacy over the entirety of what they tweet, or only on particularly revealing tweets that clearly contain personal data? If someone tweets “loving Ouch,” this is practically meaningless unless a data collector can associate ‘Ouch’ with the DJ N-Dubz. At the same time, “feeling lost after my abortion” is both revealing, arguably addresses a very personal matter, and could be used to injure the person’s reputation if the information were captured, analyzed, and transmitted in inappropriate ways. Given the vast quantities of information divulged in public discourse on Twitter, what heuristic would effectively identify personal information versus noise? How could a regulatory body hope to monitor the enormous amount of personal data that is placed online every day and how individuals and groups subsequently survey and analyze the data?

Effectively, the challenge with Westin’s claim to privacy and Simitis’ regulatory instantiation of it is that privacy becomes something that we have and is affected by the outside – surveillance ‘takes away’ one’s privacy and it is up to a data regulatory to limit how much privacy an individual loses. Further, these regulators are expected to identify appropriate reparations when invasions have taken place, both to compensate the individual and to associate costs with infringements or violations of core democratic rights. We are left wondering, however, whether capturing personal information without any intent to use it to damage a person’s reputation – data may just be collected as part of a data accumulation project (e.g. the Internet Archive) – constitutes an infringement on an individual’s privacy. Given the sheer quantity of surveillance instruments that watch what individuals do in their virtualized lives in Cyberspace, and these instruments’ key role in structuring digital environments, should we be quick to restructure the very foundation of how the ‘net has evolved to work to facilitate the ownership or control of personal space and data? Given the norms of digital networks such as Twitter, which emphasis sharing and collective knowledge development, is a control metaphor accompanied by a strong regulatory body well suited for developing a ‘reasonable expectation of privacy’ in Cyberspace? I would suggest that they are not, at least not as presented by these texts. As we will see in subsequent sections, contextualized understandings of social relationships and privacy norms facilitate nuanced understandings of what individuals expect o remain private online – the challenge for theorists such as Nissenbaum will be translating these insights into actionable principles and guidelines that data and privacy commissioners can use to perform their tasks.

References

Westin, Alan (1970). Privacy and Freedom. Chs. 1-3.

Spiros Simitis, “Reviewing Privacy in the Information Society,” 1987.  University of Pennsylvania Law Review 135: 707-46.

Other posts you might be interested in:

1. Twitter and Privacy in Social Context
2. Privacy, Dignity, Copyright and Twitter
3. Deep Packet Inspection and the Confluence of Privacy Regimes

nice piece Chris! I have a follow up question.

is investigative journalism on the net in the spaces Simon characterized as amateur. I am thinking of reports like a Bob Woodward breaking of Watergate. A Seymour Hersh breaking of Abu Ghraib. This type of investigative reporting.

Do you see the type of investigative journalism (on political matters) coming from blogs and internet media? If not, could it come from there? It certainly requires a system of professional training (gathering and putting together information not necessarily available on the internet), resources and social capital (contacts).

Re-reading what I’d posted, I can see that these are questions that needed to be asked and responded to. Below is my response to Tim.

I’m not trying to suggest that all ‘big media’ journalism is bad. At the same time, few editors (now) want to actually spend the money on deep investigative reporting (or, alternately, have the budgets to afford such investigative work) – most reporting is a quick noting of facts at a surface level. The problem (as I see it) is that when news sites close themselves off from the world they are asserting that they will rely on a business model that, at this point, has failed them.

You can pay for journalists to work, but doing so means that you need to develop new revenue streams – find a way to work your community. News aggregators aren’t going away and are really useful in driving people to a website. When you have a business mogul and journalist who both say ‘people just read the headline and a few words, and don’t go into the paper itself’ I say ‘people have ALWAYS just read the headline, a few words, and not bought your paper.’ Rather than focusing on the people that you *don’t* attract, you need to focus on servicing the individuals who *do* read your paper and develop an environment where they want to invite their friends to talk about the news on your site. (This is the kind of stuff that Techdirt is regularly talking about in their discussions of monetizing content, by the by.) You don’t beat a blog by refusing to adopt any elements of their business model, you do it by outdoing what blogs do by better resourcing your staff.

At the same time, depending on the topic ‘regular’ journalists aren’t actually terribly useful or informative. I point to niche areas, toys, games, tech, security, etc. Effectively, anything that is particularly demanding to understand and requires a very strong grasp of intricacies tends to elude most journalists because they’re not supposed to write many ‘depth’ pieces – short and sweet is usually the name of the game. A great technique that a few war journalists use now is this: they write ‘fluff’ pieces for major papers (i.e. 500-750 words) and then put up a separate blog post with the full story (often upwards to 5x as long). They charge people to get the ‘full story’ and it works – you don’t capture the whole readership, but you capture enough on a per-story basis that you develop income for content plus superior advertising revenue in those ‘full story’ environments because of better keyword analysis by search engines.

What are your thoughts? Am I totally off base, or is the proposed model I’m sketching make sense?

(Thanks to Tim for letting me post his questions!)

Other posts you might be interested in:

1. Newspapers: Effects of Closing their Content Ecosystem?
2. Web 2.0, Facebook, Government, and Business
3. The Business of Infringing Content