<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Technology, Thoughts, and Trinkets&#187; Privacy</title>
	<atom:link href="http://www.christopher-parsons.com/blog/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.christopher-parsons.com/blog</link>
	<description>Touring the digital through type</description>
	<lastBuildDate>Mon, 06 Sep 2010 16:40:29 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language></language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Call for Cyber-Surveillance Annotated Bibliographies</title>
		<link>http://www.christopher-parsons.com/blog/technology/call-for-cyber-surveillance-annotated-bibliographies/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/call-for-cyber-surveillance-annotated-bibliographies/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 17:30:13 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[academic]]></category>
		<category><![CDATA[bibliography]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[new transparency]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1963</guid>
		<description><![CDATA[The New Transparency Project, as part of its international cyber-surveillance workshop, is issuing a call for annotated bibliographies around issues pertinent to their workshop. Again, given that issues concerning cyber-surveillance likely resonate with readers of this space, I wanted to alert you to this call. 


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/gadl/320300354/"><img class="alignleft size-medium wp-image-1966" title="Bibliography" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/08/Bibliography-300x300.jpg" alt="" width="300" height="300" /></a><a title="External link to NEWT site" href="http://www.sscqueens.org/projects/the-new-transparency/about">The New Transparency Project</a>, as part of its <a title="Internal link to CFP for the workshop" href="http://www.christopher-parsons.com/blog/technology/cyber-surveillance-in-everyday-life/">international cyber-surveillance workshop</a>, is issuing a call for annotated bibliographies around issues pertinent to their workshop. Again, given that issues concerning cyber-surveillance likely resonate with readers of this space, I wanted to alert you to this call. These bibliographies are meant to serve as a resource for those attending the May 12-15 workshop in 2011 at the University of Toronto. The deadline for submissions is September 15, 2010. Such submissions should be a maximum length of 500 words, and acceptance notifications will be issued by September 30, 2010. The authors (at least three) invited to prepare annotated bibliographies will each be paid $2000 (Cnd.) in two equal instalments: the first upon acceptance of the assignment, and the balance upon the bibliography&#8217;s satisfactory completion. The full call follows below:</p>
<p><strong><em>Digitally Mediated Surveillance: From the Internet to Ubiquitous Computing</em></strong></p>
<p><em>Digitally mediated surveillance</em> (cyber-surveillance) is a growing and increasingly controversial aspect of every-day life in ‘advanced’ societies. Governments, corporations and even individuals are deploying digital techniques as diverse as social networking, video analytics, data-mining, wireless packet sniffing, RFID skimming, yet relatively little is known about actual practices and their implications. It is now over 15 years since the advent of the World Wide Web, and of widespread use of the Internet for electronic commerce, electronic government and social networking. The impending emergence of the ‘Internet of things’ promises (or threatens) to further insinuate digital surveillance capabilities into the fabric of daily life. Media alarmists have fueled a general popular understanding that one’s life is an open book when one goes online, making one increasingly subject to unwelcome intrusions. The reality is more complex and contingent on a variety of technological, institutional, legal and cultural factors.<span id="more-1963"></span></p>
<p>In an effort to better understand and critique cyber-surveillance practices in the context of the wider theoretical and empirical literature on surveillance, we seek annotated bibliographies exploring a number of key topics, including:</p>
<ul>
<li>social networking (practices &amp; platforms)</li>
<li>search engines</li>
<li>behavioural advertising/targeted marketing</li>
<li>monitoring and analysis techniques (facial recognition, RFID, video analytics, data mining)</li>
<li>Internet surveillance (<a href="http://www.deeppacketinspection.ca/" target="_blank">deep packet inspection</a>, backbone intercepts)</li>
<li>resistance (actors, practices, technologies)</li>
</ul>
<p>Each annotated bibliography will be 5000 words, and contain about 20 entries of 100-250 words in length. Entries will reflect both canonical and emergent debates and references. Bibliographies will include a clearly stated aim, an introduction with a preliminary discussion of the field. An example may be found here. They will be posted in web-friendly formatting for sharing widely among research and advocacy networks.</p>
<p>Completed bibliographies will serve as a resource for participants in the <em>Cyber-Surveillance in Everyday Life International Workshop</em>, hosted at the University of Toronto, May 12-15, 2011, and be publicly available via <a href="http://www.sscqueens.org/projects/the-new-transparency/about" target="_blank">The New Transparency: Surveillance and Social Sorting</a> website.</p>
<p>Annotated bibliographies will be guided by a subset of questions that inform the Cyber-Surveillance in Everyday Life Workshop, including:</p>
<ol>
<li>We regularly hear about ‘cyber-surveillance’, ‘cyber-security’, and ‘cyber-threats’. What constitutes cyber-surveillance, and what are the empirical and theoretical difficulties in establishing a practical understanding of cyber-surveillance? Is the enterprise of developing a definition useful, or condemned to analytic confusion?</li>
<li>What are the motives and strategies of key DMS actors (e.g. surveillance equipment/systems/strategy/“solutions” providers; police/law enforcement/security agencies; data aggregation brokers; digital infrastructure providers); oversight/regulatory/data protection agencies; civil society organizations, and user/citizens?</li>
<li>What are the relationships among key DMS actors (e.g. between social networking site providers)? Between marketers (e.g. Facebook and DoubleClick)? Between digital infrastructure providers and law enforcement (e.g. lawful access)?</li>
<li>What business models are enterprises pursuing that promote DMS in a variety of areas, including social networking, location tracking, ID’d transactions etc. What can we expect of DMS in the coming years? What new risks and opportunities are likely?</li>
<li>What do people know about the DMS practices and risks they are exposed to in everyday life? What are people’s attitudes to these practices and risks?</li>
<li>What are the politics of DMS; who is active? What are their primary interests, what are the possible lines of contention and prospective alliances? What are the promising intervention points and alliances that can promote a more democratically accountable surveillance?</li>
<li>What is the relationship between DMS and privacy? Are privacy policies legitimating DMS? Is a re-evaluation of traditional information privacy principles required in light of new and emergent online practices, such as social networking and others?</li>
<li>Do deep packet inspection and other surveillance techniques and practices of internet service providers (ISP) threaten personal privacy?</li>
<li>How do new technical configurations promote surveillance and challenge privacy? For example, do cloud computing applications pose a greater threat to personal privacy than the client/server model? How do mobile devices and geo-location promote surveillance of individuals?</li>
<li>How do the multiple jurisdictions of internet data storage and exchange affect the application of national/international data protection laws?</li>
<li>What is the role of advocacy/activist movements in challenging cyber-surveillance?</li>
</ol>
<p><strong>Those interested should submit a one page word (500 words max) proposal and initial working bibliography for the chosen area.</strong></p>
<p>Successful proposals will demonstrate a familiarity with the relevant literatures and issues, and clear relation to a specified sub-set of the key topics and guiding questions listed above. The <strong>deadline for submissions is September 15</strong> and acceptance notifications will be sent September 30, 2010. The deadline for completed annotated bibliographies is December 31, 2010.</p>
<p>The authors (at least three) invited to prepare annotated bibliographies will each be paid CA$2000, in two equal installments—the first upon acceptance of the assignment, and the balance upon satisfactory completion.</p>
<p>Selected authors will also be invited to participate in the Cyber-Surveillance in Everyday Life Workshop at the University of Toronto May 12-15, 2011, with the possibility of their expenses being covered.</p>
<p>For further information, please contact: <a href="mailto:cybersurveillanceworkshop@gmail.com">cybersurveillanceworkshop@gmail.com</a>.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/call-for-cyber-surveillance-annotated-bibliographies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber-Surveillance in Everyday Life</title>
		<link>http://www.christopher-parsons.com/blog/technology/cyber-surveillance-in-everyday-life/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/cyber-surveillance-in-everyday-life/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 17:30:46 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[call for papers]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[internet surveillance]]></category>
		<category><![CDATA[search engines]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1957</guid>
		<description><![CDATA[This international workshop brings together researchers, advocates, activists and artists working on the many aspects of cyber-surveillance, particularly as it pervades and mediates social life.


]]></description>
			<content:encoded><![CDATA[<p><a href="http://cybersurveillanceworkshop.wordpress.com/cfp/"><img class="alignnone size-full wp-image-1958" title="bankofscreens" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/08/bankofscreens.png" alt="" width="748" height="93" /></a></p>
<p>I wanted to let readers know that the <a title="External link to NEWT site" href="http://www.sscqueens.org/projects/the-new-transparency/about">New Transparency Project</a> is hosting <a title="External link to cybersurveillance workshop site" href="http://cybersurveillanceworkshop.wordpress.com/">an international workshop on the theme of Cyber-surveillance in everyday life</a> May 12-15, 2011 at the University of Toronto. Given that topics to be explored in the workshop include social networking, search engines, behavioural advertising/marketing, internet surveillance somewhat generally, and modes of resistance, I thought readers here might be interested. Below is the full call for papers, with abstracts due by Oct. 1:</p>
<p>Digitally mediated surveillance (DMS) is an increasingly prevalent, but still largely invisible, aspect of daily life. As we work, play and negotiate public and private spaces, on-line and off, we produce a growing stream of personal digital data of interest to unseen others. CCTV cameras hosted by private and public actors survey and record our movements in public space, as well as in the workplace. Corporate interests track our behaviour as we navigate both social and transactional cyberspaces, data mining our digital doubles and packaging users as commodities for sale to the highest bidder. Governments continue to collect personal information on-line with unclear guidelines for retention and use, while law enforcement increasingly use internet technology to monitor not only criminals but activists and political dissidents as well, with worrisome implications for democracy.<span id="more-1957"></span></p>
<p>This international workshop brings together researchers, advocates, activists and artists working on the many aspects of cyber-surveillance, particularly as it pervades and mediates social life. This workshop will appeal to those interested in the surveillance aspects of topics such as the following, especially as they raise broader themes and issues that characterize the cyber-surveillance terrain more widely:</p>
<ul>
<li>social networking (practices &amp; platforms)</li>
<li>search engines</li>
<li>behavioural advertising/targeted marketing</li>
<li>monitoring and analysis techniques (facial recognition, RFID, video analytics, data mining)</li>
<li>Internet surveillance (deep packet inspection, backbone intercepts)</li>
<li>resistance (actors, practices, technologies)</li>
</ul>
<p>A central concern is to better understand DMS practices, making them more publicly visible and democratically accountable. To do so, we must comprehend what constitutes DMS, delineating parameters for research and analysis. We must further explore the way citizens and consumers experience, engage with and respond to digitally mediated surveillance. Finally, we must develop alliances, responses and counterstrategies to deal with the ongoing creep of digitally mediated surveillance in everyday life.</p>
<p>The workshop adopts a novel structure, mainly comprising a series of themed panels organized to address compelling questions arising around digitally mediated surveillance that cut across the topics listed above. Some illustrative examples:</p>
<ol>
<li>We regularly hear about ‘cyber-surveillance’, ‘cyber-security’, and ‘cyber-threats’. What constitutes cyber-surveillance, and what are the empirical and theoretical difficulties in establishing a practical understanding of cyber-surveillance? Is the enterprise of developing a definition useful, or condemned to analytic confusion?</li>
<li>What are the motives and strategies of key DMS actors (e.g. surveillance equipment/systems/strategy/“solutions” providers; police/law enforcement/security agencies; data aggregation brokers; digital infrastructure providers); oversight/regulatory/data protection agencies; civil society organizations, and user/citizens?</li>
<li>What are the relationships among key DMS actors (e.g. between social networking site providers)? Between marketers (e.g. Facebook and DoubleClick)? Between digital infrastructure providers and law enforcement (e.g. lawful access)?</li>
<li>What business models are enterprises pursuing that promote DMS in a variety of areas, including social networking, location tracking, ID’d transactions etc. What can we expect of DMS in the coming years? What new risks and opportunities are likely?</li>
<li>What do people know about the DMS practices and risks they are exposed to in everyday life? What are people’s attitudes to these practices and risks?</li>
<li>What are the politics of DMS; who is active? What are their primary interests, what are the possible lines of contention and prospective alliances? What are the promising intervention points and alliances that can promote a more democratically accountable surveillance?</li>
<li>What is the relationship between DMS and privacy? Are privacy policies legitimating DMS? Is a re-evaluation of traditional information privacy principles required in light of new and emergent online practices, such as social networking and others?</li>
<li>Do deep packet inspection and other surveillance techniques and practices of internet service providers (ISP) threaten personal privacy?</li>
<li>How do new technical configurations promote surveillance and challenge privacy? For example, do cloud computing applications pose a greater threat to personal privacy than the client/server model? How do mobile devices and geo-location promote surveillance of individuals?</li>
<li>How do the multiple jurisdictions of internet data storage and exchange affect the application of national/international data protection laws?</li>
<li>What is the role of advocacy/activist movements in challenging cyber-surveillance?</li>
</ol>
<p>In conjunction with the workshop there will be a combination of public events on the theme of cyber-surveillance in everyday life:</p>
<ul>
<li>poster session, for presenting and discussing provocative ideas and works in progress</li>
<li>public lecture or debate</li>
<li>art exhibition/installation(s)</li>
</ul>
<p>We invite 500 word abstracts of research papers, position statements, short presentations, works in progress, posters, demonstrations, installations. Each abstract should:</p>
<ul>
<li>address explicitly one or more “burning questions” related to digitally-mediated surveillance in everyday life, such as those mentioned above.</li>
<li>indicate the form of intended contribution (i.e. research paper, position statement, short presentation, work in progress, poster, demonstration, installation)</li>
</ul>
<p>The workshop will consist of about 40 participants, at least half of whom will be presenters listed on the published program. Funds will be available to support the participation of representatives of civil society organizations.</p>
<p>Accepted research paper authors will be invited to submit a full paper (~6000 words) for presentation and discussion in a multi-party panel session. All accepted submissions will be posted publicly. A selection of papers will be invited for revision and academic publication in a special issue of an open-access, refereed journal such as Surveillance and Society.</p>
<p>In order to facilitate a more holistic conversation, one that reaches beyond academia, we also invite critical position statements, short presentations, works-in-progress, interactive demonstrations, and artistic interpretations of the meaning and import of cyber-surveillance in everyday life. These will be included in the panel sessions or grouped by theme in concurrent ‘birds-of-a-feather’ sessions designed to tease out, more interactively and informally, emergent questions, problems, ideas and future directions. This BoF track is meant to be flexible and contemporary, welcoming a variety of genres.</p>
<h2>Timeline:</h2>
<h3>2010:</h3>
<p><strong><em>Oct. 1: </em>Abstracts (500 words) for research papers, position statements, and other ‘birds-of-a-feather’ submissions</strong></p>
<p>Nov. 15:	Notification to authors of accepted research papers, position statements, etc. Abstracts posted to web.</p>
<h3>2011:</h3>
<p><strong>Feb. 1:	Abstracts (500 words) for posters</strong></p>
<p>Mar. 1:	Notification to authors of accepted posters.</p>
<p><strong>Apr. 1:	Full research papers (5-6000 words) due, and posted to web.</strong></p>
<p><strong>May 12-15	Workshop</strong></p>
<p>Sponsored by: <a href="http://www.sscqueens.org/projects/the-new-transparency/about" target="_blank">The New Transparency – Surveillance and Social Sorting</a>.</p>
<p>International Program Committee: Jeffrey Chester (Center for Digital Democracy), Roger Clarke (Australian Privacy Foundation), Gus Hosein (Privacy International, London School of Economics), Helen Nissenbaum (New York University), Charles Raab (University of Edinburgh) and Priscilla Regan (George Mason University)</p>
<p>Organizing Committee: Colin Bennett, Andrew Clement, Kate Milberry &amp; Chris Parsons.</p>
<p><a href="http://www.utoronto.ca/" target="_blank">University of Toronto</a> &amp; <a href="http://www.uvic.ca/" target="_blank">University of Victoria</a>.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/cyber-surveillance-in-everyday-life/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Update: Feeva, Advertising, and Privacy</title>
		<link>http://www.christopher-parsons.com/blog/privacy/update-feeva-advertising-and-privacy/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/update-feeva-advertising-and-privacy/#comments</comments>
		<pubDate>Mon, 26 Jul 2010 17:00:58 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[feeva]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[pii]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1934</guid>
		<description><![CDATA[d. Feeva's adoption of privacy as a cornerstone of their business indicates a (rare) success for privacy advocates who have advocated for stronger privacy protections online; whether you agree with the success resting on the technology (where I think a success can be read), at the very least it should be agreed that baking privacy into Feeva's advertising-based business model is a success.


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/mayhem/2939259129/"><img class="alignright size-medium wp-image-1935" title="MusicBrainzServers" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/07/MusicBrainzServers-225x300.jpg" alt="" width="225" height="300" /></a>When you spend a lot of time working in the areas of copyright, traffic sniffing and analysis, and the Internet&#8217;s surveillance infrastructure more generally, there is a tendency to expect bad things on a daily basis. This expectation is built up from years of horrors, and I&#8217;m rarely disappointed in my day-to-day research. Thus, when <a title="External link to Wired's feeva article" href="http://www.wired.com/epicenter/2010/06/coming-soon-web-ads-tailored-to-your-zip-4/">Wired reported</a> that a company called Feeva was injecting locational information into packet headers, the actions didn&#8217;t come across as surprising; privacy infringements as reported in the Wired piece are depressingly common. In response I <a title="Internal link to packet header privacy post, which prominently focuses on feeva" href="http://www.christopher-parsons.com/blog/technology/packet-headers-and-privacy/">wrote a brief post decrying the modification of packet-headers for geolocational purposes</a> and was <a title="External link to relevant p2pnet article" href="http://www.p2pnet.net/story/41216">quoted by Jon Newton on P2Pnet</a> on my reactions to what I understood at the time was going on.</p>
<p>After the post, and quotations turned up on P2Pnet, folks at <a title="External link to Feeva's website" href="http://feeva.com/index.html">Feeva</a> quickly got ahold of me. I&#8217;ve since had a few conversations with them. It turns out that (a) there were factual inaccuracies in the Wired article; (b) Feeva isn&#8217;t the privacy-devastating monster that they came off as in the Wired article. Given my increased familiarity with the technology I wanted to better outline what their technology does and alter my earlier post&#8217;s conclusion: Feeva is employing a surprisingly privacy-protective advertising system. As it stands, their system is a whole lot better at limiting infringements on individuals&#8217; privacy for advertising-related purposes than any other scalable model that I&#8217;m presently aware of.</p>
<p>Before I get into the post proper, however, I do want to note that I am somewhat limited in the totality of what I can speak about. I&#8217;ve spoken with both Feeva&#8217;s Chief Technology Officer, Miten Sampat, and Chief Privacy Officer, Dr. Don Lloyd Cook, and they&#8217;ve been incredibly generous in sharing both their time and corporate information. The two have been incredibly forthcoming with the technical details of the system employed and (unsurprisingly) some of this information is protected. As such, I can&#8217;t get into super-specifics (i.e. X technology uses Y protocol and Z hardware) but, while some abstractions are required, I think that I&#8217;ve managed to get across key elements of the system they&#8217;ve put in place.<span id="more-1934"></span></p>
<p>The Feeva system is designed to avoid the privacy concerns associated with behavioural online advertising (such as those that emerged with <a title="External link to freepress on NebuAd" href="http://www.freepress.net/node/41740">NebuAd</a>, <a title="External link to OPC piece on Phorm" href="http://dpi.priv.gc.ca/index.php/essays/objecting-to-phorm/">Phorm</a>, and <a title="External link to First Monday journal article on behavioural advertising" href="http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/2326/2156">DoubleClick</a>) whilst also ensuring that individuals are not susceptible to opt-out problems <a title="External link to site that notes the problem of opt-outs" href="http://www.ghacks.net/2009/03/15/internet-advertising-opt-out-of-behavioral-targeting/">associated with cookie opt-outs</a>. (The problem with any cookie-based opt-out scheme is that opting-out requires your computer hosting a unique cookie. After deleting cookies that opted you out of the behavioural advertising, you find yourself opted back into the ad network again!) Feeva&#8217;s approach sees ISPs scrub out clearly identifiable personal information (name, account number, etc.) and pass to Feeva a unique number (representing the customer) and geolocation information (ZIP/ZIP+4) about the number. This scrubbing means that Feeva is unaware of what numbers would correlate to what people; members of the company repeatedly stated to me that they don&#8217;t want to know who individuals are, and keeping their hands clean of personal information is seen as a selling feature of their approach. Where the geolocation information could likely identify specific individuals the company flips from ZIP+4 to ZIP geographical or neighborhood demographics and characteristics.
Barnes and Jennings summarize this technical process in their paper, &#8220;<a title="External link to w3.org, which hosts the paper in .pdf format" href="www.w3.org/2010/api-privacy-ws/papers/privacy-ws-35.pdf">Why the end-to-end principle matters for privacy</a>,&#8221; thusly: Feeva&#8217;s ISP partners will install a HTTP proxy that will receive, &#8220;location information from the ISP’s network management infrastructure in the form of mappings between an IP address and an “anonymized token”, effectively a random value that Feeva can map back to a location value using information provided off-line.&#8221;</p>
<p>Feeva&#8217;s system of attaching tags, or adding information into HTTP headers, does not include actual geographic information. It is not using a one-way hash (<a title="Internal link to earlier post on Feeva" href="http://www.christopher-parsons.com/blog/technology/packet-headers-and-privacy/">as I had previously suggested might be the case</a>) but a method through which an attacker that successfully captures header information would be no wiser as to the individual&#8217;s location. Reverse engineering the tag would not reveal geographical information. Further, not all headers have data injected; Feeva uses a whitelist of partners to whom information can be provided. Given that the company is aiming to generate revenue through partnerships it lacks a business interest in making this information freely available. Once partners receive packets with Feeva&#8217;s tags they contact Feeva to have appropriate derived data for the visitor, such as household income in the neighbourhood, and display an ad. The tag system is such that it would be incredibly challenging to extract any useful, identifying, information from the tags should protections around them be breached. Moreover, partners will be contractually prevented from trying to hack the system; partners are not to try to identify individuals with information provided through Feeva. Feeva can update their whitelist, enabling them to ‘turn off’ any particular ad-partner found performing malpractices.</p>
<p>Individuals can opt-out of the advertising system, and Feeva has insisted that ISPs provide meaningful opt-out solutions. In speaking with members of the company, I would say that they are being entirely earnest in their drive to implement <a title="External link to the Commissioner's profile" href="http://www.ipc.on.ca/english/About-Us/About-The-Commissioner/">Ann Cavoukian&#8217;s</a> <a title="External link to privacy by design website" href="http://www.privacybydesign.ca/">privacy by design</a>, where privacy is baked into companies’ technologies and business plans. The benefit to this opt-out approach is that once you&#8217;ve opted-out, you&#8217;re out forever. Clearing your cookies won&#8217;t result in being re-drawn into the advertising system. This is clearly a good thing.</p>
<p>A well-framed privacy opt-out is important and something that the company genuinely believes in. They believe it is critically important that ISP customers are provided with meaningful opt-out opportunities, and it&#8217;s key to their business approach that individuals are given opportunities to step away from Feeva&#8217;s practices if customers are uncomfortable with the advertising practices. It does have to be noted, of course, that opt-in systems are better for individuals. As noted in the New York Times&#8217; recent post, &#8220;<a title="External link to NYT's blog post" href="http://bits.blogs.nytimes.com/2010/07/19/the-economics-of-privacy-pricing/">The Economics of Privacy Pricing</a>,&#8221; in cases where individuals already believe they possess privacy they are more likely to pay to retain it than they are willing to give up some benefits to regain privacy. In the Times&#8217; piece, customers that already had received a benefit ($2) for having lost their privacy were less likely to &#8216;pay&#8217; $2 to regain it; with Feeva it&#8217;s less clear that customers would have already received an equivalent benefit and thus the economic calculus against their working to &#8216;regain&#8217; privacy might work out differently. Regardless, we know from other studies that opt-ins are better for consumers, and opt-out for companies.</p>
<p>Barnes and Jennings also caution that, due to the configuration of Feeva&#8217;s infrastructure, individuals are unlikely to know whether they are in a Feeva-enabled network. I agree with Barnes and Jennings, but only to a point. Few consumers know when they are on a site that uses DoubleClick, Flash-based Cookies, Omniture, or more silent/smaller advertising and analytics organs. In many cases there are plugins for web browsers (such as <a title="External link to the Ghostery plugin" href="https://addons.mozilla.org/en-US/firefox/addon/9609/">Ghostery for Firefox</a>) and tricks that various programmers have developed to identify when a site utilizes an analytics or advertising system, and it&#8217;s not outside the realm of possibility that a plugin will detect Feeva-partnered sites. Moreover, the shift away from behavioural advertising towards demographic advertising obviously comes with its own worries and challenges, but from my own perspective it&#8217;s behavioural advertising that most worries me in the online marketplace. Not all individuals may agree with this position, but I&#8217;m personally far less comfortable with my behaviour&#8217;s being tracked and used for advertising purposes than being targeted with ads based on information my ISP has, presuming that the information is used responsibly. This position is unlikely to be shared by all. A certain amount of this attitude might be derived from a callousness on my own part: I&#8217;m bombarded with ads every weekday when I open my mailbox and so I&#8217;m just more used to this kind of demographic advertising. It&#8217;s important to note that I&#8217;m distinguishing between the use of demographic information for advertising and for broader &#8216;life&#8217; issues (e.g. where urban infrastructure is deployed, where police deploy patrol cars more regularly, etc); Feeva is invested in the former, not the latter, uses of demographic information.</p>
<p>From the perspective of &#8216;does Feeva ever have personally identifiable information&#8217; I&#8217;m admittedly somewhat torn. On the one hand they lack name, date of birth, absolute specific point of residence, and so forth, and as I understand American law the company should be in the clear. I&#8217;m not certain, however, whether the lack of these specific elements of a person&#8217;s identity necessarily means that they are without personal information under a Canadian definition of the term. Specifically, they have a number that is associated with locational information and I don&#8217;t know whether this would be a sufficient link to constitute personal information in the Canadian context. With RFID devices the association of a number with fairly specific locational information constitutes personal information, regardless of being aware of who the holder of the RFID chips is, but I don&#8217;t know what kind of absolute proximity would be required for an approach like Feeva&#8217;s to be considered holding &#8216;personal information&#8217;. Obviously this is something that Canadian privacy lawyers will think through and when/if the company comes to Canada I&#8217;m sure that we&#8217;ll see this issue dealt with in detail.</p>
<p>Of course, one cannot avoid this: Feeva is looking to deploy an advertising platform. For those absolutely opposed to advertising, then it doesn&#8217;t matter what the company does &#8211; its corporate products will always be seen in a poor light. I&#8217;m admittedly not a fan of advertising but, of the scalable advertising systems that I&#8217;m aware of, Feeva is employing practices and demonstrating a sensitivity to the collection and retention of personal information (or, better put, the lack of collection and retention of personal information) that sets them aside from competitors in the advertising sphere. This is especially true when juxtaposing Feeva against NebuAd, Phorm, or DoubleClick. Further, advertising is a part of the online ecosystem and is unlikely to go away as long as we want to enjoy &#8216;free&#8217; content. The company is genuinely leveraging privacy as a competitive advantage and tying it with more traditional marketing at the same time. The latter means that there are more resources to understanding how the system will impact individuals and groups &#8211; we can leverage existing information and research &#8211; and the former is to be commended.</p>
<p>Privacy advocates and academics alike push for privacy to be seen as a driver of business practices, and here we have an instantiation of privacy driving a business model. This is rare, and indicates just how pervasive privacy has become as an issue in Silicon Valley, even in highly-competitive business environments that have historically thrived on exploiting every piece of information that can be collected. Feeva&#8217;s adoption of privacy as a cornerstone of their business indicates a (rare) success for privacy advocates who have advocated for stronger privacy protections online; whether you agree with the success resting on the technology (where I think a success can be read), at the very least it should be agreed that baking privacy into Feeva&#8217;s advertising-based business model is a success. We would be better off if more companies similarly engrained privacy into their technological infrastructure and business models alike.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/update-feeva-advertising-and-privacy/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Ole, Intellectual Property, and Taxing Canadian ISPs</title>
		<link>http://www.christopher-parsons.com/blog/copyright/ole-intellectual-property-and-taxing-canadian-isps/</link>
		<comments>http://www.christopher-parsons.com/blog/copyright/ole-intellectual-property-and-taxing-canadian-isps/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 17:00:14 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Copyright]]></category>
		<category><![CDATA[DPI]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[P2P]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[ontological security]]></category>
		<category><![CDATA[record labels]]></category>
		<category><![CDATA[recording industry]]></category>
		<category><![CDATA[revenue streams]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1920</guid>
		<description><![CDATA[se companies. At best we might feel pity as we watch them wallow in their crisis. At worst, we fear what they might crush as they roll around on the ground like starving dinosaurs and demolish other elements of civil society in their throes of panic and fear aimed at extinguishing the generativity that endangers their ontological security. They've already made a real mess of copyright and cultural transmission possibilities; let's hope they don't damage the conditions of democratic communication itself as well.


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.torrenthound.com/hash/2ede70c860b39eb8319cce4b896141ba958c86f2/torrent-info/Family-Play-- Hentai-Manga"><img class="alignleft size-medium wp-image-1924" title="If Your Time is Worth Saving" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/07/2324385087_103b2d5b19_b-300x261.jpg" alt="" width="300" height="261" /></a><a title="External link to ole's homepage" href="http://www.majorlyindie.com/">Ole, a Canadian independent record label</a>, put forward an often-heard and much disputed proposal to enhance record label revenues: Ole wants ISPs to surveil Canada&#8217;s digital networks for copyrighted works. In the record label&#8217;s filing on July 12 for the Digital Economy Consultations, entitled &#8220;<a title="External link to Digital Economy Consultation website" href="http://de-en.gc.ca/2010/07/12/building-delivery-systems-at-the-expense-of-content-creators/">Building Delivery Systems at the Expense of Content Creators</a>,&#8221; Ole asserts that ISPs are functioning as &#8220;short circuits&#8221; and let music customers avoid purchasing music on the free market. Rather than go to the market, customers are (behaving as rational economic actors&#8230;) instead using ISP networks to download music. That music is being downloaded is an unquestionable reality, but the stance that this indicates ISP liability for customers&#8217; actions seems to be an effort to re-frame record industries&#8217; unwillingness to adopt contemporary business models as a matter for ISPs to now deal with. In this post, I want to briefly touch on Ole&#8217;s filing and the realities of network surveillance for network-grade content awareness in today&#8217;s market. I&#8217;ll be concluding by suggesting that many of the problems presently facing labels are of their own making and that we should, at best, feel pity and at worst fear what they crush in their terror throes induced by disruptive technologies.</p>
<p>Ole asserts that there are two key infotainment revenue streams that content providers, such as ISPs, maintain: the $150 Cable TV stream and the $50 Internet stream. Given that content providers are required to redistribute some of the $150/month to content creators (often between 0.40-0.50 cents of every dollar collected), Ole argues that ISPs should be similarly required to distribute some of the $50/month to content creators that make the Internet worth using for end-users. Unstated, but presumed, is a very 1995 understanding of both copyright and digital networks. In 1995 the American Information Infrastructure Task Force released its <em>Intellectual Property and the National Information Infrastructure</em> report, wherein they wrote;</p>
<blockquote><p>&#8230;the full potential of the NII will not be realized if the education, information and entertainment products protected by intellectual property laws are not protected effectively when disseminated via the NII&#8230;the public will not use the services available on the NII and generate the market necessary for its success unless a wide variety of works are available under equitable and reasonable terms and conditions, and the integrity of those works is assured&#8230;What will drive the NII is the content moving through it.</p></blockquote>
<p>Of course, the assertion that if commercial content creators don&#8217;t make their works available on the Internet then the Internet will collapse is patently false. <span id="more-1920"></span>As written about by Middleton in &#8220;<a title="External link to Middleton's article" href="http://digitalcommons.ryerson.ca/trsitm/2/">What if there is no killer application?</a>&#8221;, an early study in Littleton about how individuals use high-speed networks in the mid-90s found that customers were most engaged with <em>amateur</em> content production (i.e. that of their neighbours) and entranced by the communicative possibilities made available through broadband (i.e. e-mail and mailing lists). In essence, from this we can suggest that the empirical study demonstrated that the ideological and financial values placed on commercial cultural artifacts by bureaucrats and commercial content producers are less obvious than they (loudly) state. Further, the value of commercial content is arguably diminished even more in an environment where people spend increasing amounts of time engaging with the generative elements of the Internet, often referred to as amateur-dominated social media environments. In essence, the undertone that ISPs can only sell their data transmission services because of commercial content is at the very least shaky, and more likely to be empirically unsupportable if posed as a strong correlation between the value of transmission capabilities and commercial content availability.</p>
<p>Depressingly, Ole believes that a broadcast-based (historical) business model should be imposed on ISP transmission-based companies in an effort to regenerate the value of their (now somewhat devalued) intellectual properties. Specifically,</p>
<blockquote><p>The ISP business model for the Internet could and should mimic that of Cable/ TV. Modern technology allows the ISP to identify what content is being used and then they can allocate the appropriate share to the creator or supplier of that content.</p></blockquote>
<p>This would put ISPs in the situation of somehow being liable to the collection societies, and also require substantial telecommunications investment in labour and sunk capital to establish an (ineffective) network surveillance policy designed to monitor the amount of copyrighted content flowing across Canada&#8217;s networks. Most likely, such a proposal would turn ISPs into content police and require the use of some kind of packet inspection equipment to survey Canadians&#8217; data traffic, pick out that which is believed to be infringing, and pay some kind of monthly tax for the transport of customers&#8217; content. This amounts to a suggestion that ISPs become content police on the basis that only by doing so would they evade being identified as encouraging copyright infringement. Ole is intimating that ISPs must implement surveillance on the networks if they are to avoid third-party liability.</p>
<p>There are systems on the market that claim they can analyze data traffic to develop &#8216;piracy&#8217; indexes. <a title="Internal link to my aggregation post on CView" href="http://www.christopher-parsons.com/blog/privacy/aggregating-information-about-cview/">CView is used by Virgin in the UK</a> (though we&#8217;ve no idea how effective it is) and <a title="External link to audible magic website" href="http://www.audiblemagic.com/index.asp">Audible Magic</a> has been successful in forcing some ISPs and <a title="Link to campus clients" href="http://www.audiblemagic.com/clients-partners/copysense.asp">campuses</a> to adopt their technology. In most cases, such content analysis technologies require the offloading of data traffic suspected of being infringing in high-traffic networks, doing a one-way hash of the data, checking the hash against known copyrighted files&#8217; signatures, and then aggregating the overall amount of infringement and particular cases of infringement on a per-file basis. This is substantial overhead for any party, especially one that is just trying to move data from one place to another. Moreover, any such massive dragnet analysis of content raises real questions of whether ISPs could then be considered &#8216;transport&#8217; facilities; while presently there is substantial monitoring for particular protocol types, Canadian ISPs are not searching for particular content-types. This is an important distinction, insofar as ISPs can understand what application-types are generating traffic on their networks but not what those application-types are actually being used to transmit and receive. For all Canadian ISPs know, Canadians might have some strange obsession with massive downloading and sharing of Linux .ISO files and the entire Canadian population actually avoids downloading copyrighted music.</p>
<p>There continue to be doubts concerning whether any kind of massive copyright-analysis engine could work &#8211; prominently by companies that actually sell the solutions and those that would be responsible for deploying these fears &#8211; and further whether such engines could ever competently detect fair use/fair dealing of some material. <a title="External link to independent analysis of YouTube ID system" href="http://www.csh.rit.edu/~parallax/">YouTube&#8217;s algorithms</a> are relatively notorious for <a title="External link to EFF discussing failures of YouTube's ID system" href="http://www.eff.org/deeplinks/2010/03/youtubes-content-id-c-ensorship-problem">censoring uses of copyrighted material falling under fair use and fair dealing provisions</a>; what guarantee do citizens have that any algorithmic surveillance and monitoring system deployed on communicative networks would avoid the YouTube problem? Should the content creator-owner get restitution for fair dealing of works? How would this be adjudicated &#8211; by determining where the data was to and from (i.e. if to an educational institution, we must assume that it&#8217;s for fair dealing research purposes) or on a case-by-case challenge basis? Moreover, doesn&#8217;t the provision of funds for fair dealing uses modify the provisions of fair dealing, insofar as content creator-owners would receive a fiscal benefit even for fair dealing whereas presently fair dealing falls outside of their revenue traps?</p>
<p>Of course, even the suggestion that Canadian ISPs should be required to cough up money to content creator-owners is absurd in the face of a recent Federal Court of Appeals ruling that asserted that <a title="External link to Michael Geist's site, who discusses the ruling" href="http://www.michaelgeist.ca/content/view/5176/125/">ISPs are not broadcasters</a>. The question of ISPs&#8217; status was punted to the Court by the CRTC, who wanted judicial guidance before it proceeds to determine whether ISPs can be legally required to establish copyright levies. Since ISPs fall under the Telecommunications, and not Broadcasting Act, they are seen as solely involved in providing,</p>
<blockquote><p>the mode of transmission, they have no control or input over the content made available to Internet users by content producers and as a result, they are unable to take any steps to promote the policy described in the Broadcasting Act or its supporting provisions. Only those who “transmit” the “program” can contribute to the policy objectives.</p></blockquote>
<p>Under this decision, so long as ISPs are not involved in discriminating against any particular content and thus making an input into the content made available on the Internet to and by users (i.e. so long as Canadian ISPs adhere to a form of network neutrality), any levy-based system is dead. The very system that Ole is advocating for has already fallen before the Court of Appeals.</p>
<p>Now, out of all of this, we might be expected to feel poorly for the content creator-owners that depend on selling and licensing content for their commercial success. I think that if we look at the history of these companies&#8217; digital involvement, however, we quickly disenchant ourselves of this position. Major labels refused to license recordings to Napster and subsequently engaged in what <a title="External link to Jessica Litman's wikipedia page" href="http://en.wikipedia.org/wiki/Jessica_Litman">Jessica Litman</a> refers to as a process of &#8220;suing upstart new businesses into bankruptcy&#8221; to try and stem the Internet as a disruptive factor in their businesses. This saw content creator-owners financially assassinate Napster, Scour.com, iCraveTV, RecordTV, mp3.com, Aimster, Grokster, Streamcast, KaZaA, and others. Authors have gone after Google for the mere action of scanning books for search index purposes, a purpose that would enable authors to sell additional texts when the texts appeared through a Google book search. That the copying of a text, even for fair-use purposes, is grounds for massive legal obstruction speaks volumes of content creator-owners&#8217; general willingness to genuinely deal with the digital reality they are immersed in. Broadly, instead of working to establish a marketplace for digital manifestations of content creator-owner works there have been, and continue to be, mass efforts to shut down marketplaces that don&#8217;t grant total control to content owner-creators and their associated companies. As such, customers have become used to going to illicit sites that offer superior selection with fewer restrictions than label offerings. This indicates a failure in big content&#8217;s rent-seeking business model and the truth that modern customers are rational economic actors. It does not indicate that ISPs are somehow required to prop-up a rent-seeking model, nor a moral deficit on the part of customers.</p>
<p>Labels were, and remain, in a state of ontological insecurity that accompanies their plunging into a decade-long existential crisis: how can they maintain their rent-seeking behaviour in the face of disruptive technologies. Answers to this existential question are out of reach of most companies on the basis that their perception of the world markets preclude taking risks that could see a (necessary) cannibalization of short-term revenue streams for long-term survival. Unfortunately, while adherence to historical models was effective last decade in colonizing their futural existences &#8211; in assuring them of how to approach the world and guarantee particular revenue streams &#8211; that old model leaves them grasping at new rent-seeking behaviour instead of adopting novel business strategies. While we can all appreciate just how devastating existential crises can be on a personal level, when we consider the multi-billion dollar record industry we tend to have far less sympathy. Just as you or I are unable to let a crisis linger for a decade &#8211; we go to a therapist, get straightened out, and get back on our way &#8211; neither can these companies. At best we might feel pity as we watch them wallow in their crisis. At worst, we fear what they might crush as they roll around on the ground like starving dinosaurs and demolish other elements of civil society in their throes of panic and fear aimed at extinguishing the generativity seen as endangering their ontological security. They&#8217;ve already made a mess of copyright and cultural transmission possibilities; let&#8217;s hope they don&#8217;t damage the conditions of democratic communication itself while they&#8217;re working out their problems.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/copyright/ole-intellectual-property-and-taxing-canadian-isps/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>On a Social Networking Bill of Rights</title>
		<link>http://www.christopher-parsons.com/blog/technology/on-a-social-networking-bill-of-rights/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/on-a-social-networking-bill-of-rights/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 17:00:03 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[constitutional rights]]></category>
		<category><![CDATA[constitutional theory]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[Habermas]]></category>
		<category><![CDATA[kant]]></category>
		<category><![CDATA[rights]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[social networking sites]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1904</guid>
		<description><![CDATA[There is an up or down 'vote' of the Bill: in a conference that regularly noted the challenges surrounding binary access controls we are left with a binary acceptance/refusal metric. We are faced with a 'dead' or static Bill: its failure to incorporate reflexivity and closedness to the diversity of discursive possibilities emerging as others enter into discussions about the Bill leads to it failing Habermasian and Kantian demands for being a legitimate constitutional document. As such, we are left not so much with a Bill of Rights as a closed Statement of Rights. The former would have been truly exciting, whereas the latter is strategic and useful, but is disingenuously appropriating the term 'Bill of Rights' for rhetorical purposes. 


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/43993720@N02/4476430341/"><img class="alignleft size-medium wp-image-1905" title="socialmedia" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/07/socialmedia-300x268.jpg" alt="" width="300" height="268" /></a>I attended this year&#8217;s <a title="External link to CFP 2010 site" href="http://www.cfp2010.org/wiki/index.php/Main_Page">Computers, Freedom, and Privacy conference</a> and spent time in sessions on privacy in large data sets, deep packet inspection and network neutrality, the role of privacy in venture capital pitches, and what businesses are doing to secure privacy. In addition, a collection of us worked for some time to produce a rough draft of the Social Network Users&#8217; Bill of Rights that was subsequently discussed and ratified by the conference participants. In this post, I want to speak to the motivations of the Bill of Rights, characteristics of social networking and the Bill proper, a few hopeful outcomes resulting from the Bill&#8217;s instantiation and conclude by denoting concerns around the Bill&#8217;s creation and consequent challenges for moving it forward.</p>
<p>First, let me speak to the motivation behind the Bill. Social networking environments are increasingly becoming the places where individuals store key information &#8211; contact information, photos, thoughts and reflections, video &#8211; and genuinely becoming integrated into the political. This integration was particularly poignantly demonstrated last year when the <a title="External link to reuters article on state department communicating with twitter about delaying upgrades" href="http://www.reuters.com/article/idUSWBT01137420090616">American State Department asked Twitter to delay upgrades</a> that would disrupt service and stem the information flowing out of Iran following the illegitimate election of President Ahmadinejad. Social networks have already been tied into the economic and social landscapes in profound ways: we see infrastructure costs for maintaining core business functionality approaching zero and the labor that was historically required for initiating conversations and meetings, to say nothing of shared authorship, have been integrated into social networking platforms themselves. Social networking, under this rubric, extends beyond sites such as Facebook and MySpace, and encapsulate companies like Google and Yahoo!, WordPress, and Digg, and their associated product offerings. Social networking extends well beyond social media; we can turn to Mashable&#8217;s collection of <a title="External link to mashable post on 'what is social networking'" href="http://mashable.com/2010/06/11/top-20-mashable-reader-responses-to-what-is-social-media/">twenty characteristics included in the term &#8217;social networking&#8217;</a> for guidance as to what the term captures:<span id="more-1904"></span></p>
<blockquote>
<ol>
<li><strong>Collaboration:</strong> Ask not what the Internet can do for you, but what you can do with other Internet users. – <a href="http://www.facebook.com/profile.php?id=223301572" target="_blank">Jonny Rose</a></li>
<li><strong>Network:</strong> Social media is a phenomenon which creates a personalized network for sharing digital content among all people in the cyberspace. – <a href="http://twitter.com/iamTRA" target="_blank">Rohan Aurora</a></li>
<li><strong>Conversation:</strong> Tools or platforms that allow anyone/everyone to share information or engage in conversation. – <a href="http://www.facebook.com/veena.mathew" target="_blank">Veena Mathew</a></li>
<li><strong>Sharing:</strong> Social media = Sharing information through conversation. – <a href="http://www.facebook.com/home.php?#!/mashable?v=wall&amp;story_fbid=409807549704&amp;ref=mf">Scot Chisholm</a></li>
<li><strong>Relationships:</strong> Relationshipping on steroids. – <a href="http://twitter.com/patgrahamblock" target="_blank">Pat Graham-Block</a></li>
<li><strong>Multi-dimensional:</strong> Social media is a multi-dimensional communication information system connecting people to people. – <a href="http://www.facebook.com/home.php?#!/peter.feuersenger" target="_blank">Peter Feuersenger</a></li>
<li><strong>Inclusive:</strong> It’s a conversation in an instant with anyone, anywhere, anytime that gives control back to the individual &amp; consumer in unprecedented ways. – <a href="http://twitter.com/cubaghs">Charles Ubaghs</a></li>
<li><strong>Information:</strong> Information funneled to users from all angles. – <a href="http://twitter.com/IUGOME" target="_blank">Sarah Thomson</a></li>
<li><strong>Community:</strong> Set of updated communication tools that allow us to build new communities at a time when our local community had almost been lost. – <a href="http://twitter.com/jdaykin">Jerry Daykin</a></li>
<li><strong>Personalization:</strong> It is the ability to connect and see the world in your own way. The personalization of one of the greatest human achievements: communication! – <a href="http://www.facebook.com/Fischbein" target="_blank">Benjamin Fischbein</a></li>
<li><strong>Empowering:</strong> Social media is an online renaissance empowering people with influence to facilitate conversations around shared ideas. – <a href="http://www.facebook.com/mark.blackman" target="_blank">Mark Blackman</a></li>
<li><strong>A Radical Shift in Communication:</strong> The radical shift from one-way broadcast type communications to dialog and conversation using web based tools. – <a href="http://buhlerworks.com/wordpress/about-2/" target="_blank">Joe Buhler</a></li>
<li><strong>Real-time:</strong> “Social Media is on-demand, real time interaction, that uses technology to enable genuine engagement with others around media vs simply sharing data with them.” – <a href="http://twitter.com/corecorina" target="_blank">Corina Newby</a></li>
<li><strong>People:</strong> Social Media is the instantaneous aggregation and creation of content by the people, of the people, for the people, on the social web. – <a href="http://twitter.com/menoob/">Eric Pena</a></li>
<li><strong>Content Distribution:</strong> Social media consists of online technologies that facilitate the creation and distribution of content. – <a href="http://twitter.com/djperdue" target="_blank">David J. Perdue</a></li>
<li><strong>Self-expression:</strong> Social Media’s my friend. I can finally broadcast my belief in God, my likes in music, my emotional state &amp; my dinner all from my fingertips – <a href="http://twitter.com/eaf58" target="_blank">E. A. Freire</a></li>
<li><strong>Unity:</strong> The never ending drive for humans desire to unite. – <a href="http://twitter.com/SPFsocial" target="_blank">Sean Farrell</a></li>
<li><strong>Dynamic:</strong> Social media is dynamic user-generated content coming from the bottom up, which bypasses static media forms through adding a social layer. – <a href="http://twitter.com/AneesYounis" target="_blank">Anees Younis</a></li>
<li><strong>Discovery:</strong> Social media is communication, friending, family, media, learning and discovery at one click. – <a href="http://www.google.com/profiles/glennyb#buzz">Glenn K. Bolton</a></li>
<li><strong>Power of the Crowd:</strong> Social media is the ability to put out a message and having worldwide responses via email, text, tweet, or whatever form in a matter of seconds. – <a href="http://www.google.com/profiles/102927573118877186394#buzz">Lilian Ongelungel</a></li>
</ol>
</blockquote>
<p>While never specifically stated or enunciated, it was in light of these kinds of characteristics that the Computers, Freedom, and Privacy participants developed the <a title="External link to where Bill of Rights was finalized" href="http://cfp.acm.org/wordpress/?p=495">Social Networking Bill of Rights</a>:</p>
<ol>
<li><strong>Honesty</strong>: Honor your privacy policy and terms of service</li>
<li><strong>Clarity</strong>: Make sure that policies, terms of service, and settings are easy to find and understand</li>
<li><strong>Freedom of speech</strong>: Do not delete or modify my data without a clear policy and justification</li>
<li><strong>Empowerment</strong> : Support assistive technologies and universal accessibility</li>
<li><strong>Self-protection</strong>: Support privacy-enhancing technologies</li>
<li><strong>Data minimization</strong>: Minimize the information I am required to provide and share with others</li>
<li><strong>Control</strong>: Let me control my data, and don’t facilitate sharing it unless I agree first</li>
<li><strong>Predictability</strong>: Obtain my prior consent before significantly changing who can see my data.</li>
<li><strong>Data portability</strong>: Make it easy for me to obtain a copy of my data</li>
<li><strong>Protection</strong>: Treat my data as securely as your own confidential data unless I choose to share it, and notify me if it is compromised</li>
<li><strong>Right to know</strong>: Show me how you are using my data and allow me to see who and what has access to it.</li>
<li><strong>Right to self-define</strong>: Let me create more than one identity and use pseudonyms. Do not link them without my permission.</li>
<li><strong>Right to appeal</strong>: Allow me to appeal punitive actions</li>
<li><strong>Right to withdraw</strong>: Allow me to delete my account, and remove my data</li>
</ol>
<p>Those familiar with data protection policies and laws will recognize that many elements of FIPS, OECD guidelines, and national regulations are latent and/or guiding many of these rights. The point is that these rights are the minimum expectations that companies should guarantee social networking users; dropping any particular right leads to a strong deficiency in what individuals can expect from companies and do to their own data. In light of the use of these systems for democratic organization, to announce illegal or oppressive social conditions, and the increasing use of the networks to replace traditional telephony, it is key that the social facet of the bitscape is provided protections from onerous corporate control, manipulation, or aggressive anti-privacy monetization schemes. Now, it may seem somewhat absurd that corporations should be required to mediate how they use data they&#8217;ve aggregated, but corporations can either choose to adopt some modicum of reasonableness when it comes to how they aggregate data and clearly inform users of aggregation, utilization, and dissemination policies or else be regulated by government forces. If Facebook had a set of principles that strongly reflected the Bill of Rights, a set of principles they adhered to, then the Office of the Privacy Commissioner of Canada might not have <a title="Internal link to comment on decision issued by OPC concerning facebook" href="http://www.christopher-parsons.com/blog/technology/facebook-got-off-easy-third-parties-and-data-collection/">issued a decision concerning Facebook</a> and its (failed) privacy practices. In effect, adopting the Rights denoted above could limit regulatory intrusions while also letting companies compete on the metric of privacy and freedom.</p>
<p>While the user communities could experience positive benefits were social networking companies to adopt the Bill, the process by which the Bill has been created and ratified is itself somewhat problematic. While the conference attracted a diverse set of individuals, those individuals were far from reflective of the world user-community of social networking services. This leads to concerns surrounding the diversity of points of view that were (or, more importantly, were not) included in the drafting and finalization process. Further, no element of the Bill includes a reflexive characteristic that enables modification of stated Rights, nor does the Bill state that Rights can be added or subtracted depending on contributions from others. Instead, there is an up or down &#8216;vote&#8217; of the Bill: in a conference that regularly noted the challenges surrounding binary access controls we are left with a binary acceptance/refusal metric. We are faced with a &#8216;dead&#8217; or static Bill: its failure to incorporate reflexivity, and its closedness to the diversity of discursive possibilities emerging as others enter into discussions about the Bill, lead to it failing Habermasian and Kantian demands for being a legitimate constitutional document. As such, we are left not so much with a Bill of Rights as a closed Statement of Rights. The former would have been truly exciting, whereas the latter is strategic and useful, but is disingenuously appropriating the term &#8216;Bill of Rights&#8217; for rhetorical purposes.</p>
<p>Does this mean that the Bill/Statement is necessarily doomed? Of course not, though even participants at the conference recognized that the Bill will likely operate more as a point for subsequent regulatory filings and rhetorical turns than a binding agreement that social networks will consent to. Further, another <a title="External link to open social web post with the Bill of rights for users of the social web" href="http://opensocialweb.org/2007/09/05/bill-of-rights/">Bill of Rights for Users of the Social Web</a> was produced three years ago and, despite the attention that document received in the blogosphere, I don&#8217;t think that it ever really entered either the public mind or that of major social networking companies. I have doubts that the most recent Bill/Statement will be any more successful. To move it forward will require buy-in from major social networks and, to date, Facebook is the largest and only company to <a title="external link to silicon valley article that notes Facebook's response" href="http://www.siliconvalley.com/news/ci_15326665?nclick_check=1">respond to the Bill/Statement proper</a> (and in a lukewarm manner, at best). Nothing (that I know of) has been heard from other social networking companies in anything more than a &#8216;we support privacy, and have privacy policies available on our websites.&#8217; As a result the prospects for moving the Bill/Statement forward seem dim, though perhaps another person or group will successfully convince companies to adopt the document and thus extend its range of possible uses beyond filings and rhetorical spins.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/on-a-social-networking-bill-of-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Packet Headers and Privacy</title>
		<link>http://www.christopher-parsons.com/blog/technology/packet-headers-and-privacy/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/packet-headers-and-privacy/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 17:00:48 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Geolocation]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[data aggregation]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[data packets]]></category>
		<category><![CDATA[data storage]]></category>
		<category><![CDATA[databases]]></category>
		<category><![CDATA[feeva]]></category>
		<category><![CDATA[geogra]]></category>
		<category><![CDATA[geographic location]]></category>
		<category><![CDATA[juniper]]></category>
		<category><![CDATA[three strikes]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1802</guid>
		<description><![CDATA[Juniper's proposal may see ISPs leverage their existing customer service information to modify customers' data traffic for the purposes of enhancing the geographic relevance of online advertising. This poses a severe problem for citizens' locational and communicative privacy.


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/gettheshot/1047513542/"><img class="alignleft size-medium wp-image-1803" title="Ethernet" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/06/Ethernet-300x225.jpg" alt="" width="300" height="225" /></a>One of the largest network vendors in the world is planning to offer their ISP partners an opportunity to modify HTTP headers to get ISPs into the advertising racket. Juniper Networks, which sells routers to ISPs, is partnering with Feeva, an advertising solutions company, to modify data packets&#8217; header information so that the packets will include geographic information. These modified packets will be transmitted to any and all websites that the customer visits, and will see individuals receive targeted advertisements according to their geographical location. Effectively, Juniper&#8217;s proposal may see ISPs leverage their existing customer service information to modify customers&#8217; data traffic for the purposes of enhancing the geographic relevance of online advertising. This poses an extreme danger to citizens&#8217; locational and communicative privacy.</p>
<p>Should ISPs adopt Juniper&#8217;s add-on, we will be witnessing yet another instance of repugnant &#8216;innovation&#8217; that ISPs are regularly demonstrating in their efforts to enhance their revenue streams. We have already seen them forcibly redirect <a title="external link to ars technica article on Rogers' DNS redirects" href="http://arstechnica.com/old/content/2008/07/rogers-latest-isp-to-help-customers-with-dns-redirects.ars">customers&#8217; DNS requests to ad-laden pages</a>, provide (ineffective) <a title="external link to ars technica discussion of French ISPs anti-P2P tool" href="http://arstechnica.com/tech-policy/news/2010/06/french-isp-provided-anti-p2p-tool-has-gaping-security-hole.ars?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=rss">&#8216;anti-infringement&#8217; software</a> to shield citizens from <a title="internal link to post on three-strikes" href="http://www.christopher-parsons.com/blog/technology/three-strikes-and-goodbye-world/">threats posed by three-strikes laws</a>, and alter the <a title="External link to privacy commissioner's page on DPI and advertising" href="http://dpi.priv.gc.ca/index.php/essays/phorm-a-new-paradigm-in-internet-advertising/">payload content of data packets for advertising</a>. After touching the payload &#8211; and <a title="External link to ars article on nebuad" href="http://arstechnica.com/tech-policy/news/2008/06/congress-urged-to-investigate-isps-opt-out-user-tracking.ars">oftentimes being burned by regulators</a> &#8211; it seems as though the header is the next point of the packet that is to be modified in the sole interest of the ISPs and to the detriment of customers&#8217; privacy.<span id="more-1802"></span></p>
<p>Advertisers that have been gathering demographic information on citizens for decades are looking to harness their existing databases with the services offered through Juniper and Feeva to target ads at the neighbourhood level. As noted by a recent <a title="External link to Wired article on Juniper and Feeva" href="http://www.wired.com/epicenter/2010/06/coming-soon-web-ads-tailored-to-your-zip-4/all/1">Wired article detailing Juniper&#8217;s integration</a>:</p>
<blockquote><p>IP-address detection is only accurate within 25 miles or so, and cookies that track users’ surfing habits don’t tell marketers about users’ location. Neither system meshes directly with all the demographic data marketers gathered about neighborhoods in the offline world&#8230;Feeva claims its software doesn’t tell marketers anything about web surfers except for their nine-digit zip codes. All their other personal information remains safe with their ISP.</p></blockquote>
<p>The information that is included in the packet header is encoded in such a way that only &#8216;trusted third parties&#8217; can translate the packet data to correlate it with geographical locations. Neither Feeva nor Juniper is giving any indication that individuals will be able to opt out of this information disclosure to third parties. While one of Feeva&#8217;s VPs insists that their approach to advertising is privacy protective &#8211; on grounds that they &#8220;never see any personally identifying information, we don’t track online usage like behavioral [advertising does], and we only aggregate at the neighborhood level&#8221; &#8211; I have to question just how &#8216;protective&#8217; any system is that lets advertisers link cookie information, IP information, and geographic information. Both Feeva and Juniper seem to be portraying the technology as an entirely discrete advertising system, but in reality any partners will likely be using the tried-and-true cookie surveillance practices that are widespread online. Now the data contained in cookies will be supplemented by certified-accurate information from the ISP. Moreover, I&#8217;m doubtful that geographic information will be limited to &#8216;trusted third parties&#8217; forever: while the information might be kept from relatively uninterested attackers, a dedicated attacker/hacker should be able to reverse engineer the random data to geographic information in relatively short order. I trust the masses of curious hackers to defeat any corporate system that is meant to massively integrate with corporate systems more than I trust those corporations &#8211; who have no real reason, save for market exclusivity reasons, to do everything in their power to prevent the sharing of this information &#8211; to genuinely do everything in their power to secure individuals&#8217; geo-locational privacy.</p>
<p>We should recognize that this kind of ISP &#8216;innovation&#8217; is exactly the opposite of what most customers actually want. The <a title="External link to wired articles on ISP innovation" href="http://www.wired.com/epicenter/2010/06/you-dont-want-isps-to-innovate/">cool stuff that customers genuinely enjoy on the &#8216;net has largely been produced by over-the-top services, not ISPs</a>. While there are high returns in the Canadian telecommunications industry and abroad, even in times of recession, the present returns are seemingly insufficient: ISPs want into Google and Apple&#8217;s marketing pie and will use their monopoly power over data pipes to take &#8216;their fair share&#8217;. The problem, of course, is that most customers don&#8217;t want their ISPs to monetize data traffic beyond selling particular data speeds and capacity. They are happy when ISPs innovate in a manner that improves network efficiency, security, and customer service, but are far from pleased when they integrate packet-sniffing technologies for copyright enforcement purposes, packet modification services for advertising, or onerous packet delay systems.</p>
<p>Moreover, while individuals in a privileged position in society are less likely to be terribly nervous about the association of their geographic location with data packets, anyone who has even glancingly studied the impacts of demographic advertising and targeting realizes that the underprivileged are often disproportionately disadvantaged on the basis of their residency location(s). The underprivileged &#8216;enjoy&#8217; <a title="External link to wikipedia article on food deserts" href="http://en.wikipedia.org/wiki/Food_desert">food deserts</a>, systemic discrimination at the hands of the state (see: Gilliom&#8217;s <a title="external link to book review of overseers of the poor" href="http://www.bsos.umd.edu/gvpt/lpbr/subpages/reviews/gilliomop.htm"><em>Overseers of the Poor</em></a>), and limitations on their capacity to operate as fully integrated social participants (see: Curry&#8217;s <em><a title="External link to amazon site with Curry's book" href="http://www.amazon.ca/Digital-Places-Geographic-Information-Technologies/dp/0415130158/ref=sr_1_10?ie=UTF8&amp;s=books&amp;qid=1277704184&amp;sr=1-10">Digital Places: Living with Geographic Information Technologies</a></em>). In each of the above cases, additional surveillance technologies were not necessarily created with the intentions of harming underprivileged members and communities of societies, but simultaneously the technologies (arguably) lacked a genuine analysis of the responsibilities and potential harms accompanying them. 
It is critical that, before we release new technologies into the wild, we both <a title="External link to Ontario Information and Privacy Commissioner's website, privacy by design" href="http://www.privacybydesign.ca/">bake in privacy</a> and reflect on <a title="Internal link to review of Making Technology Democratic" href="http://www.christopher-parsons.com/blog/technology/review-of-making-technology-democratic-by-richard-e-scolve/">the possible consequences for democratic social organization</a>.</p>
<p>The ability to put something on a map is incredibly powerful. It locates, marginalizes, fixes, and focuses. Humans have gone to war over maps, over the power contained in depicting the world. Visual manifestations of the world-as-such carry philosophical, societal, religious, civil, racial, and ethnic overtones and thus must be treated with respect. While Juniper&#8217;s technology only draws on the customer database (and individual&#8217;s residence) to provide information to marketers, might this map-to-packet technology become integrated with mobile products in the future? Can the geographic location of a customer on a mobile device be transmitted using this technology to facilitate true proximity-based advertisements?</p>
<p>As concerned citizens and consumers, we should also ask: does the linking of previously separate database records (those of the ISP and those of the advertisement agencies) constitute a breach of the privacy agreements between end-users and their ISPs? Can any ISP unilaterally modify their privacy and business practices &#8211; can they extend to whom data is shared and the conditions under which data packets are treated &#8211; or should they be held to account by the FTC and related national and international regulatory organizations?</p>
<p>Unlike the usage of <a title="Internal link to my DPI category" href="http://www.christopher-parsons.com/blog/category/technology/dpi/">deep packet inspection technologies</a>, which ostensibly are used for security, billing, and traffic management purposes, the modification of packet headers for advertising purposes clearly falls well outside of the activities that are permitted by Canadian regulators. Attempting to integrate this technology into the Canadian telecommunications infrastructure should, and presumably would, be challenged by the Office of the Privacy Commissioner of Canada, civil and customer advocates, and the CRTC. Perhaps ISPs might attempt to fend off the CRTC by claiming that no content is inspected &#8211; the routers would only be adding a bit of information to the packet header itself &#8211; but the companies would presumably run afoul of the CRTC&#8217;s obligations to protect consumers&#8217; privacy and the fact that a massive material change to contracting terms would have taken place. This is to say nothing of the absolute resistance to the technology that should be projected by advocates and the federal Privacy Commissioner&#8217;s Office.</p>
<p>Perhaps, however, the Canadian regulatory environment is well-enough established following the <a title="Internal link to a comment on the filings for the CRTC's traffic management hearings" href="http://www.christopher-parsons.com/blog/technology/comment-canadian-isps-and-internet-traffic-management/">traffic management hearings</a> that Juniper&#8217;s new add-on technologies will be unable to establish a hold amongst Canuck telcos and cablecos. In turning our gaze to the US, however, the FTC might be the best suited to protect consumers by way of enforcing existing privacy policies (and, I will note, American technology companies such as Microsoft and Yahoo! are worried that the FTC might begin doing just this) and preventing ISPs from actually rolling out these anti-privacy, anti-consumer networking technologies. As nations around the world mount regulatory meetings about how data packets can and cannot be handled over the coming months and years, we will see whether technology add-ins like those proposed by Juniper will be left to wither or blossom on the ISP-advertising vine.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/packet-headers-and-privacy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Apple and Locational Data Sharing</title>
		<link>http://www.christopher-parsons.com/blog/privacy/apple-and-locational-data-sharing/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/apple-and-locational-data-sharing/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 17:00:29 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Geolocation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[admob]]></category>
		<category><![CDATA[advertising agency]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[german data]]></category>
		<category><![CDATA[iad]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[mobile advertising]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[mobile environment]]></category>
		<category><![CDATA[steve jobs]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1789</guid>
		<description><![CDATA[It seems that the hint of advertising dollars has led Apple to set aside privacy principles in the hopes of making a quick buck at the expense of citizens' privacy. While not necessarily surprising or even disappointing (Apple is, after all, a publicly traded company that is purely motivated to return profits to their shareholders) the high-profile company's bait and switch on its privacy principles will hopefully attract regulatory attention and establish more 'guidance' so that other companies are less willing to sell out customers on behalf of the balance sheet.


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/reinvented/3859012690/"><img class="alignleft size-medium wp-image-1790" title="iphonerogersgps" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/06/iphonerogersgps-200x300.jpg" alt="" width="200" height="300" /></a>Apple&#8217;s entrance into the mobile advertising marketplace was born with their announcement of iAd. Alongside iAd comes persistent locational surveillance of Apple&#8217;s customers for the advantage of advertisers and Apple. The company&#8217;s advertising platform is controversial because Apple gives it a privileged position in their operating system, iOS4, and because the platform can draw on an iPhone&#8217;s locational awareness (using the phone&#8217;s GPS functionality) to deliver up targeted ads.</p>
<p>In this post I&#8217;m going to first give a brief background on iAd and some of the broader issues surrounding Apple&#8217;s deployment of their advertising platform. From there, I want to recap what Steve Jobs stated in a recent interview at the All Things Digital 8 concerning how Apple approaches locational surveillance through their mobile devices and then launch into an analysis of Apple&#8217;s recently changed terms of service for iOS4 devices as it relates to collecting, sharing, and retaining records on an iPhone&#8217;s geographic location. I&#8217;ll finish by noting that Apple may have inadvertently gotten itself into serious trouble as a result of its heavy-handed control of the iAd environment combined with modifying the privacy-related elements of their terms of service: Apple seems to have awoken the German data protection authorities. Hopefully the Germans can bring some transparency to a company regularly cloaked in secrecy.</p>
<p>Apple launched the iAd beta earlier this year and integrates the advertising platform into their mobile environment such that ads are seen within applications, and clicking on ads avoids taking individuals out of the particular applications that the customers are using. iAds can access core iOS4 functionality, including locational information, and can be <a title="External link to techcrunch" href="http://techcrunch.com/2010/04/08/apple-announces-iad-mobile-advertising-platform/">coded using HTML 5</a> to provide rich advertising experiences. iAd was only made possible following Apple&#8217;s January acquisition of Quattro, a mobile advertising agency. Quattro was purchased after Apple was previously foiled in acquiring AdMob by Google last year (with the FTC recently citing <a title="External link to CNET article on FTC ruling on AdMob and Google" href="http://news.cnet.com/8301-30684_3-20005619-265.html">iAd as a contributing reason why the Google transaction was permitted to go through</a>). Ostensibly, the rich advertising from iAds is intended to help developers produce cheap and free applications for Apple&#8217;s mobile devices while retaining a long-term, ad-based, revenue stream. Arguably, with Apple taking a 40% cut of all advertising revenue and limiting access to the largest rich-media mobile platform in the world, advertising makes sense for their own bottom line and it&#8217;s just nice that they can &#8216;help&#8217; developers along the way&#8230;<span id="more-1789"></span></p>
<p>Regardless of the larger economic strategies Apple is involved in, what is key for our purposes is that the iAd system and its partners can utilize the smartphone&#8217;s locational awareness to deliver more customized applications. In the pre-iOS4 days, whenever an application wanted to access the GPS or wifi locational APIs users were presented with a very large warning offering notification that the application was trying to use the GPS/wifi. You had the option of touching OK or cancelling the request to the API. It was, as far as I was concerned, one of the best privacy-protective features of the phone.</p>
<p>Steve Jobs, in his most recent appearance at the All Things Digital conference, was asked by Walt Mossberg and Kara Swisher whether or not privacy was looked at differently in Silicon Valley than in the rest of the world. <a title="External link to transcript from All Things D interview with Steve Jobs" href="http://d8.allthingsd.com/20100601/steve-jobs-session/#more-447">Jobs responded</a>,</p>
<blockquote><p>We’ve always had a very different view of privacy than some of our colleagues in the Valley. We take privacy extremely seriously. That’s one of the reasons we have the curated apps store. We have rejected a lot of apps that want to take a lot of your personal data and suck it up into the cloud. Privacy means people know what they’re signing up for. In plain English, and repeatedly, that’s what it means. Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you’re going to do with their data.</p></blockquote>
<p>Quite bluntly, this was a stellar response and were it being actualized in Apple&#8217;s present business practices it would cause the company to be one of the shining stars amongst technology companies looking to secure their customers&#8217; privacy. Unfortunately, with the release of the iOS4 and iAd, Apple seems to have significantly departed from the statements made by Jobs just a few weeks earlier. In order to install the most recent version of the mobile operating system on Apple&#8217;s devices, users must agree to a 45-page terms of service agreement. Buried within the agreement is the following:</p>
<blockquote><p>To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.</p></blockquote>
<p>While the data is claimed to be &#8216;anonymous&#8217; one has to ask: how anonymous is a data stream that identifies where a person is regularly browsing the web to be served ads to late at night, in a residential area? I have extreme doubts that it&#8217;s going to be particularly challenging to link up geographic information with actual residences, and by extension names of people that can be presumed to be using the phone.</p>
<p>As noted by Daily Tech, while customers can <a title="External link to Daily Tech article on Apple's locational surveillance" href="http://www.dailytech.com/So+Long+Privacy+Apple+Bans+Apps+Music+for+Customers+Who+Opt+Out+of+Tracking/article18805.htm">prevent third-parties from collecting locational information</a> there isn&#8217;t a similar way of preventing Apple itself from collecting locational data. Apple does not have a clear system that users can use to prevent such data collections, nor has Apple made it clear how often they will be collecting personal information or the full range of internal uses of the information. There is not presently a process in place that would reveal this information to customers or regulators. Further, opting out of third-party surveillance entails customers learning that they are being tracked and then <a title="External link to iLounge article discussing opting out of the locational surveillance on the iOS4" href="http://www.ilounge.com/index.php/news/comments/apple-sneaks-iad-opt-out-into-itunes-store-update/">visiting an Apple website and choosing to opt-out using the smart device</a>. Significantly, &#8220;[t]his opt-out applies only to Apple advertising services and does not affect interest-based advertising from other advertising networks.&#8221; The &#8216;granular&#8217; opt-out approach demonstrates that we are again dealing with the worst-practices privacy regime that is prevalent in the US, where customers must track down all of the advertisers collecting personal information and then choose to opt-out to each advertiser. Given Jobs&#8217; earlier comments, we should expect Apple to adopt an opt-in approach to advertising if Apple were to genuinely differentiate themselves from the rest of Silicon Valley in the privacy domain.</p>
<p>As noted earlier, we presently have no real understanding of what exactly will be collected and delivered to third parties &#8211; anonymous data sets is unclear, and what is required is a granular depiction of what specific individuals may/will be sharing out to iAd partners and Apple itself. While we presently have no information about what is shared, how long it is retained, and the full range of uses of the data, this might be changing soon. Apple&#8217;s rising market share combined with the popular appeal of their products has made them a target for regulators, which arguably has influenced the amount of attention the company has recently received from German authorities. The <a title="External link to Reuters report on German Justice Minister's comments re: Apple's locational surveillance" href="http://www.reuters.com/article/idUSTRE65P1LP20100626">German Justice Minister stated</a> that &#8220;users of iPhones and other GPS devices must be aware of what kind of information about them is being collected.&#8221; As part of this, the Minister expects Apple to open its databases to German data protection authorities and clarify its data collection and retention policies. It is possible that the shield of secrecy usually surrounding Apple may be breached by the Germans, and we can hope that other privacy authorities around the world will similarly put pressure on Apple to increase their transparency on the collection, storage, and transference of deeply personal locational information.</p>
<p>It&#8217;s important to note that with the recent iOS4 updates there are no longer any notifications when either Apple or a third-party attempts to capture your location for collection and service provision purposes; instead of a clear notice of this change individuals are left to their own devices to find the new settings. If you&#8217;re not particularly savvy, or aware of the change (I wasn&#8217;t: for several days I was surprised that no location information was being collected or used by the various applications that I use), then you&#8217;d have no idea that to modify location settings individuals would have to:</p>
<ol>
<li>Open the &#8216;Settings&#8217; panel;</li>
<li>Open the &#8216;General&#8217; sub-panel;</li>
<li>Open the &#8216;Location Services&#8217; sub-sub-panel;</li>
<li>Modify what applications can access locational data discretely, or locational settings as a whole.</li>
</ol>
<p>The problem with this new approach is that there are times when I have no issues broadcasting my location to one of these third-parties and other times that I see absolutely no reason to share this information. Without any indication of when my device is having its location data polled I&#8217;m entirely unable to know when, for example, the Google Maps application is collecting my location data. Does it do so even when I&#8217;m just seeing the distance between two locations on a continent I&#8217;m not on? Only when I&#8217;m actively trying to sync my location with a Google Map? The same issue &#8211; a binary &#8216;locational tracking is on or off&#8217; option &#8211; pervades the entire iOS4. Previously individuals were actually given control over what third-parties could gain access to locational data. The degree of this control, and by extension the ability of individuals to limit the transmission of personal information to third parties, has significantly degraded.</p>
<p>Further, we are forced to ask: has Apple always collected some location data without asking the user&#8217;s permission (and just noted this behaviour as happening in their Service Agreement as of now) or is this genuinely a novel practice? Should companies be permitted to massively reshape how they deal with private information, moving from what visually appears as a terrific opt-in system to a woefully inadequate opt-out system, without very clearly communicating the restructuring of company privacy principles and legal extensions of those principles? Burying changes in a 45-page service agreement, and several layers into the operating system&#8217;s settings, does not constitute such a clear communication.</p>
<p>Advertisers have long opted for incredibly poor modes of alerting customers of data collection, sharing, and usage. Steve Jobs, and by extension Apple, had previously asserted a set of privacy principles intended to set them ahead of their peers &#8211; Apple was to be the guardian of privacy by advocating opt-in privacy practices. Unfortunately, it seems that the hint of advertising dollars has led Apple to cast aside privacy principles in the hopes of making a quick buck at the expense of citizens&#8217; privacy. While not necessarily surprising or even disappointing (Apple is, after all, a publicly traded company that is purely motivated to return profits to their shareholders) the high-profile company&#8217;s bait and switch on its privacy principles will hopefully attract regulatory attention and establish more &#8216;guidance&#8217; so that other companies are less willing to sell out customers on behalf of the balance sheet.</p>
<p><strong>BACKDATE: </strong></p>
<p>It would seem that the co-chairmen of the House Bi-Partisan Privacy Caucus sent a letter to Steve Jobs on June 24th to address Apple&#8217;s new locational sharing policies. The <a title="External link to CNet article providing information about a letter sent to Steve jobs by the co-chairs of the Privacy Caucus" href="http://news.cnet.com/8301-31021_3-20008721-260.html">letter included the following questions</a>:</p>
<ol>
<li>Which specific Apple products are being used by Apple to collect geographic location data?</li>
<li>When did Apple begin collecting this location data, and how often is data collected from a given consumer?</li>
<li>Does Apple collect this location data from all consumers using Apple products? If the answer is no, please explain which consumers Apple is collecting information from and the reasons that these consumers were chosen for monitoring.</li>
<li>How many consumers are subject to this collection of location data?</li>
<li>What internal procedures are in place to ensure that any location data is stored &#8220;anonymously in a form that does not personally identify&#8221; individual consumers? Please explain in detail why Apple decided to begin collecting location data at this time, and how it intends to use the data.</li>
<li>Is Apple sharing consumer location information collected through iPhones and iPads with AT&amp;T or other telecommunications carriers?</li>
<li>Who are the unspecified &#8220;partners and licensees&#8221; with which Apple shares this location data, and what are the terms and conditions of such information sharing?</li>
<li>How does this comply with the requirements of Section 222 of the Communications Act, which mandates that no consumer location information be shared without the explicit prior consent of the consumer?</li>
<li>Does Apple believe that legal boilerplate in a general information policy, which the consumer must agree to in order to download applications or updates, is fully consistent with the intent of Section 222, and sufficient to inform the consumer that the consumer&#8217;s location may be disclosed to other parties?</li>
<li>Has Apple or its legal counsel conducted an analysis of this issue? If yes, please provide a copy. If not, why not?</li>
</ol>
<p>Apple has until July 12 to reply.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/apple-and-locational-data-sharing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DoubleClick, Cookies, and Personal Information</title>
		<link>http://www.christopher-parsons.com/blog/privacy/doubleclick-cookies-and-personal-information/</link>
		<comments>http://www.christopher-parsons.com/blog/privacy/doubleclick-cookies-and-personal-information/#comments</comments>
		<pubDate>Mon, 31 May 2010 20:43:04 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Advertising]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1727</guid>
		<description><![CDATA[In the course of this post, I begin by outlining what constitutes personal information and then proceed to outline DoubleClick's method of collecting personal information. After providing these outlines, I argue that online advertising systems do collect personal information and that the definitions that Google offers for what constitutes 'personal information' are arguably out of line with Canadian sensibilities of what is 'personal information'. As a result, I'll conclude by asserting that violations may in fact be occurring, with the argument largely emerging from Nissembaum's work on contextual integrity. 


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/23912576@N05/2962194797/"><img class="alignleft size-medium wp-image-1728" title="coverblown" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/05/coverblown-300x199.jpg" alt="" width="300" height="199" /></a>The web operates the way it does, largely, because there is a lot of money to be made in the digitally-connected ecosystem. Without the revenues brought in by DoubleClick, as an example, Google would likely be reluctant to provide its free services that are intended to bring you into Google&#8217;s ad-serving environment. A question that needs to be asked, however, is whether DoubleClick and related ad delivery systems: (a) collect personal information; (b) if the answer to (a) is &#8220;yes&#8221;, then whether such collections might constitute privacy infringements.</p>
<p>In the course of this post, I begin by outlining what constitutes personal information and then proceed to outline DoubleClick&#8217;s method of collecting personal information. After providing these outlines, I argue that online advertising systems do collect personal information and that the definitions that Google offers for what constitutes &#8216;personal information&#8217; are arguably out of line with Canadian sensibilities of what is &#8216;personal information&#8217;. As a result, I&#8217;ll conclude by asserting that violations may in fact be occurring, with the argument largely emerging from Nissenbaum&#8217;s work on contextual integrity. Before proceeding, however, I&#8217;ll note that I&#8217;m not a lawyer, nor am I a law student: what follows is born from a critical reading of information about digital services and writings from philosophers, political scientists, technologists and privacy commissioners.<span id="more-1727"></span></p>
<p>Central to the claim that personal information is collected and used in ways that individuals do not anticipate or desire is identifying what the term &#8216;personal information&#8217; refers to. Also, we have to consider the degrees of surveillance that individuals should expect to experience in &#8216;public&#8217; environments. These environments should be taken to include not just city parks and commercial stores, but also non-passworded/registration-free websites. The Information and Privacy Commissioner of Ontario (IPC), in their lengthy <a title="External link to IPC/O's document on privacy and video surveillance in mass transit situations" href="http://www.privacybydesign.ca/pbdbook/PrivacybyDesignBook-ch6.pdf" target="_blank">analysis of privacy and video surveillance in mass transit systems</a>, argues that:</p>
<blockquote><p>While the expectation of privacy in public spaces may be lower than in private spaces, it is not entirely eliminated. People <em>do</em> have a right to expect the following: that their personal information will only be collected for legitimate, limited, and specific purposes; that the collection of their personal information will be limited to the minimum necessary for the specified purposes; and that their personal information will only be used and disclosed for the specified purposes.</p></blockquote>
<p>Moreover, there are socially-construed norms that ought to be recognized; humans are cognitively designed for the analogue world &#8211; this is one of the reasons why long-term storage of <a title="Internal link to my review of Delete" href="http://www.christopher-parsons.com/blog/technology/review-delete-the-virtue-of-forgetting-in-the-digital-age/" target="_blank">digitally externalized memory is so problematic</a> &#8211; and as such analogue norms ought to carry over into the digital domain. In carrying over such norms, and considering the nature of information sharing in the analogue world, we need to focus on &#8220;not simply <em>restricting</em> the flow of information but ensuring that it flows <em>appropriately,</em>&#8221; [1] with &#8220;appropriately&#8221; a reference to making sure that data flows accord with contextualized social norms. In the social world there are finely calibrated sets of norms that govern the flow of personal information in distinct social contexts; such norms ought to be drawn into the digital instead of being repudiated in favour of an entirely novel set of norms that (negatively) rebalance power-relationships away from information/data holders in favour of data-aggregation bodies.</p>
<p>In thinking of a shopping environment that I physically walk into, precious little information is collected about me until I am involved in making a purchase (barring the introduction of high-tech analysis systems, such as behavioural recognition software tied to cameras, RFID scanners monitoring when shopping items are picked up, etc). Even where I am involved in multiple interactions with sales staff these are discrete, and not collated in a format that can be processed by a computer nor indexed to my name or a unique identifier. I am likely quickly forgotten about &#8211; retention of &#8216;collected&#8217; data is incredibly limited, limited for the contextual needs of the sales situation. This is obviously different in a digital environment, where each page that is opened is logged, time on pages noted, entry and egress points monitored. The data collected in the digital environment is only &#8216;forgotten&#8217; after a set period of time by the website administrator. This induces novel notions of &#8216;appropriate&#8217; data durations; Daniel Solove in his book <em><a title="External link to Amazon site for Solove's &quot;The Digital Person&quot;" href="http://www.amazon.com/Digital-Person-Technology-Privacy-Information/dp/0814740375/ref=sr_1_1?ie=UTF8&amp;s=books&amp;qid=1275337025&amp;sr=8-1">The Digital Person</a></em> speaks to the dangers built into these data-driven dossiers that are compiled about individuals, and Viktor Mayer-Schonberger speaks to <a title="Internal link to review of Mayer-Schonberger's Delete" href="http://www.christopher-parsons.com/blog/technology/review-delete-the-virtue-of-forgetting-in-the-digital-age/">the risks of not forgetting in the digital era</a>. In both authors&#8217; texts, a resonating theme is that &#8216;appropriate&#8217; data retention periods in a digital environment are radically, and often unnecessarily, different from their analogue precursors.</p>
<p>In the former sales situation, we have an instance of personal information (perhaps they ask your name) being retained for a limited period of time and for a legitimate, specific purpose (e.g. developing a relationship with an individual for sales purposes whilst in the store). It is subsequently disposed of following the conclusion of the transaction in most cases. This is directly at odds with the data collected in the server-based situation, where the smallest action is often recorded and used for extensive marketing and enhanced surveillance purposes.</p>
<p>Thus far, all that I have asserted is that more information is collected in a digital, and specifically sales, environment online than offline and that socially-construed norms from analogue contexts ought to be drawn to digital situations. As part of this, there is a recognition that &#8216;public&#8217; online actions should not expect total privacy, but a lowered expectation of privacy does not equal an absolute dearth, or absence, of privacy. Let&#8217;s now move to outline what might constitute personally identifiable information.</p>
<p>In the interests of maintaining consistency (and avoiding accusations of &#8216;cherry-picking&#8217; from different government reports) we can turn to definitions of personal information in section 2(1) of <a title="External link to the Ontario Freedom of Information and Protection of Privacy Act" href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm" target="_blank">Ontario&#8217;s Freedom of Information and Protection of Privacy Act</a> that are prominently drawn on in the IPC&#8217;s analysis of the legitimacy of video surveillance. Personal information refers to recorded information about an identifiable individual and includes:</p>
<ul>
<li>information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual;</li>
<li>information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;</li>
<li><strong>any identifying number, symbol or other particular assigned to the individual</strong> (emphasis added);</li>
<li>the address, telephone number, fingerprints or blood type of the individual;</li>
<li>the personal opinions or views of the individual except if they relate to another individual;</li>
<li><strong>correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence</strong> (emphasis added);</li>
<li>the views or opinions of another individual about the individual, and;</li>
<li>the individual&#8217;s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.</li>
</ul>
<p>The two boldfaced sections, above, are the domains within which personal information is most likely to be collected and used over the course of online transactions.</p>
<p>DoubleClick, an advertising company that is owned by Google, operates by depositing small persistent cookies (which contain unique alphanumeric codes) on individuals&#8217; computers. Persistent cookies remain on your computer after you close your browser &#8211; and can be juxtaposed against session cookies that are deleted with the closure of the browser &#8211; and are used to trace users as they move about the web and deliver targeted ads with the additional assistance of web beacons. Such beacons are usually 1&#215;1 pixels in size and designed to blend into a website so that the end user never notices their existence. This cookie-beacon-advertising system is intended to be transparent to the consumer.</p>
<p>DoubleClick <a title="External link to part of DoubleClick's privacy information" href="http://www.doubleclick.com/privacy/faq.aspx" target="_blank">asserts that personal information includes</a> (but is not limited to) &#8220;name, address, telephone number, email address, social security number, bank account number or credit card number.&#8221; Sensitive information &#8211; information the company does <em>not</em> share or collect &#8211; &#8220;categorically includes but is not limited to data related to an individual&#8217;s health or medical condition, sexual behavior or orientation, or detailed personal finances, information that appears to relate to children under the age of 13 at the time of data collection; and PII otherwise protected under federal or state law (for example, cable subscriber information or video rental records).&#8221; It&#8217;s key to note that in this latter reference, the sensitive information protected by federal and state law is solely in reference to American privacy laws.</p>
<p>If you will permit a brief detour, the federal Office of the Privacy Commissioner <a title="External link to OPC recommendation piece on RFID" href="http://www.priv.gc.ca/information/pub/rfid_e.pdf" target="_blank">acknowledges that personal information is collected</a> with RFID system when locational data is associated with an RFID chip&#8217;s unique identifier. I argue that the unique number associated with the RFID chip and the unique alphanumeric string associated with a cookie an analogous, and further that movement across the web constitutes digital &#8220;movement&#8221; paralleling physical movements that can be detected by proximity RFID readers. Just as a sales company tracking information in their &#8216;private&#8217; space would be seen as collecting personal information, so should any web company that tracks users as they move through the company website.</p>
<p>On this basis, the association of where a customer moves online with a unique number constitutes the collection of personal information; DoubleClick&#8217;s assertion that they are simply collecting &#8220;non-personally identifiable information&#8221; in their daily business activities doesn&#8217;t hold water. Moreover, from the perspective of the IPC&#8217;s understanding of personal information, an identifying number or symbolic representation is being correlated with a distinct computer moving across the &#8216;net, and it is entirely possible that &#8220;private correspondence&#8221; is being identified insofar as what are (from a social-norms perspective) private data surfing actions are surveilled and included in a DoubleClick database for the purposes of advertising.</p>
<p>There are two immediate responses that come to mind after asserting that DoubleClick is collecting personal information. On the one hand, someone opposing this position might argue that no <em>person</em> is identified, but a computer represented by an IP address (and perhaps a host of computers that are sitting behind a NAT-enabled router) is instead identified. Alternately, one might maintain that on the basis that online advertising systems are widespread the usage of DoubleClick&#8217;s (and other advertising agencies&#8217;) services is thus legitimate. I&#8217;ll address these in turn.</p>
<p>To the first, the Office of the Privacy Commissioner of Canada has asserted that where personal information is associated with an IP address, the address constitutes personal information. To put it another way, the IP address itself, on its own, isn&#8217;t &#8216;personally identifiable information&#8217; but when it is mashed together with other data sources then it can be seen as personal information and thus deserving protection. Individuals who have opted out of receiving a DoubleClick cookie are <a title="External link to DoubleClick's site explaining, in part, the criteria ads are served on" href="http://www.doubleclick.com/privacy/dart_adserving.aspx" target="_blank">still targeted with ads</a>, in part based on their IP address as well as the name of the site they are visiting, specific web page they are visiting, key values, operating system type, windows version, user&#8217;s local time, and the &#8216;non-personally identifiable&#8217; information sent by the website itself. This involves a collection of information and associating it with an IP address, and this information in a unique configuration may constitute the collection of personal information, regardless of DoubleClick&#8217;s assertions otherwise.</p>
<p>To the second, social norms dictate that certain modes of surveillance are to be genuinely &#8216;expected&#8217; but such norms do not mean that individuals entirely abandon their rights to privacy as soon as they leave their home(s). What is critical in determining whether a surveillance practice is being performed in such a way that it constitutes a privacy violation is whether or not &#8220;its use in a particular <em>context</em>, in a particular <em>way</em> is not overly unusual. One cannot generalize from the observation that certain installation in certain contexts are commonplace, accepted, and supported to the conclusion that all installations irrespective of contexts will not violate expectations of privacy.&#8221;[2] To put this in context, it can be read to say that simply because the installation and use of DoubleClick cookies is permissible under the context of American privacy norms (assuming that this is even the case) it cannot subsequently be asserted that these cookies are also permissible under the social contexts of Canadian or European privacy norms. Given that Canada and Europe have significantly stronger privacy protections than the United States &#8211; and if we suppose that the laws that are established are reflective of the dominant socio-political norms of a citizenry &#8211; it seems key that a normative analysis needs to be conducted to determine whether, after translating their analogue surveillance norms to a digital domain, Canadians and Europeans would see the deposition of tracking cookies on their computer as normatively permissible.</p>
<p>So what is the takeaway from all of this? First, that it&#8217;s key to not just read how third-party groups that you may be working with (such as DoubleClick for advertising purposes) define and collect personal information. You have to go at least one more step to ensure that <em>how</em> these definitions are made and collections occur are in accordance with the laws and social norms of your nation. Second, that from the point of view of managing flows of information, end-users are interested in ensuring that their information flows in accordance with their social norms, norms that are emergent from their analogue experiences and lives. Discounting such norms and demanding that individuals (for some reason&#8230;) simply adopt &#8216;digital norms&#8217; misses the fact that humans remain analogue creatures, with analogue modes of dealing with the world as a key part of their social and biological characteristics. The failure of a web environment to recognize both of these points &#8211; that you need to check that collections of data are permissible and in accordance with social norms &#8211; and act on them threatens to undermine user trust, and even Google recognizes that in the absence of their end-users&#8217; trust their business models would collapse.</p>
<p>[1] Nissenbaum, <em>Privacy in Context: Technology, Policy, and the Integrity of Social Life</em>, p. 2.</p>
<p>[2] Nissenbaum, <em>Privacy in Context: Technology, Policy, and the Integrity of Social Life</em>, p. 235.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/privacy/doubleclick-cookies-and-personal-information/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Journal Publication: Moving Across the Internet</title>
		<link>http://www.christopher-parsons.com/blog/thoughts/journal-publication-moving-across-the-internet/</link>
		<comments>http://www.christopher-parsons.com/blog/thoughts/journal-publication-moving-across-the-internet/#comments</comments>
		<pubDate>Thu, 20 May 2010 17:00:57 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[DPI]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Thoughts]]></category>
		<category><![CDATA[code bodies]]></category>
		<category><![CDATA[corpses]]></category>
		<category><![CDATA[ctheory]]></category>
		<category><![CDATA[data packets]]></category>
		<category><![CDATA[digital flesh]]></category>
		<category><![CDATA[digital networks]]></category>
		<category><![CDATA[encryption techniques]]></category>
		<category><![CDATA[encryption wars]]></category>
		<category><![CDATA[kant]]></category>
		<category><![CDATA[network architecture]]></category>
		<category><![CDATA[specters]]></category>
		<category><![CDATA[surveillance techniques]]></category>
		<category><![CDATA[zombie]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1713</guid>
		<description><![CDATA[I recently had an article published through CTheory, one of the world&#8217;s leading journals of theory, technology, and culture. The article is titled &#8220;Moving Across the Internet: Code-Bodies, Code-Corpses, and Network Architecture.&#8221; The article emerged from a presentation I gave at last year&#8217;s Critical Digital Studies Workshop that was titled &#8220;Moving Online: Your Packets, Your [...]


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/crystaljingsr/3914728401/"><img class="alignleft size-medium wp-image-1715" title="3d people and symbol Internet" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/05/3dinternet-300x225.jpg" alt="" width="300" height="225" /></a>I recently had an article published through <a title="External link to CTheory" href="http://ctheory.net/home.aspx">CTheory</a>, one of the world&#8217;s leading journals of theory, technology, and culture. The article is titled &#8220;<a title="External link to journal article" href="http://ctheory.net/articles.aspx?id=642">Moving Across the Internet: Code-Bodies, Code-Corpses, and Network Architecture</a>.&#8221; The article emerged from a <a title="External link to video of my presentation" href="http://pactac.net/pactacweb/web-content/videoarchives/cdsw/D2-09-Parsons.mp4">presentation I gave</a> at last year&#8217;s <a title="External link to workshop's videos" href="http://pactac.net/pactacweb/web-content/video77.html">Critical Digital Studies Workshop</a> that was titled &#8220;Moving Online: Your Packets, Your ISP, Your Identity.&#8221;</p>
<p><strong>Abstract</strong>:</p>
<p>Across the Internet, an arms race between agents supporting and opposing network-based surveillance techniques has quietly unfolded over the past two decades. Whereas the 1990s might be characterized as hosting the first round of the encryption wars, this paper focuses on the contemporary battlescape. Specifically, I consider how ISPs &#8220;secure&#8221; and &#8220;manage&#8221; their digital networks using contemporary DPI appliances and the ramifications that these appliances may have on the development, and our understanding, of the code-body. DPI networking appliances operate as surveillance devices that render the digital subject constituted by data packets bare to heuristic analyses, but, despite the ingenuity of these devices, some encryption techniques successfully harden otherwise soft digital flesh and render it opaque. Drawing on Kant and Derrida, I suggest that ISPs&#8217; understanding of the Internet as one of packets arguably corresponds with a Kantian notion of reality-as-such and offers a limited and problematic conception of the code-body. Turning to Derrida, we move beyond protocol alone to consider the specters that are always before, and always after, the code-body; Derrida provides a way of thinking beyond Kantian conceptions of space and time and the reality-as-such code-body and lets us consider the holistic identity of the code-being. Further, Derrida lets us interrogate the nature of DPI networking appliances and see that they resemble thrashing zombie-like code-corpses that always try, but perpetually fail, to become fully self-animated. While Derridean insights suggest that ISPs are unlikely to be successful in wholly understanding or shaping code-bodies, these corporate juggernauts do incite identity transformations that are inculcated in cauldrons of risk and fear. 
Not even Derridean specters can prevent the rending of digital flesh or act as a total antidote to ISPs&#8217; shaping of consumers&#8217; packet-based bodily identity.</p>
<p><a title="External link to journal article" href="http://ctheory.net/articles.aspx?id=642">Link to article</a>.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/thoughts/journal-publication-moving-across-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://pactac.net/pactacweb/web-content/videoarchives/cdsw/D2-09-Parsons.mp4" length="65355573" type="video/mp4" />
		</item>
		<item>
		<title>Privacy Issues Strike Street View (Again)</title>
		<link>http://www.christopher-parsons.com/blog/technology/privacy-issues-strike-street-view-again/</link>
		<comments>http://www.christopher-parsons.com/blog/technology/privacy-issues-strike-street-view-again/#comments</comments>
		<pubDate>Tue, 18 May 2010 19:11:38 +0000</pubDate>
		<dc:creator>Christopher</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Surveillance]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[buzz]]></category>
		<category><![CDATA[data packets]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[google street view]]></category>
		<category><![CDATA[mac address]]></category>
		<category><![CDATA[privacy violation]]></category>
		<category><![CDATA[ssid]]></category>
		<category><![CDATA[wifi]]></category>
		<category><![CDATA[wireless access points]]></category>
		<category><![CDATA[wireless router]]></category>
		<category><![CDATA[wireless routers]]></category>

		<guid isPermaLink="false">http://www.christopher-parsons.com/blog/?p=1708</guid>
		<description><![CDATA[Given that privacy law tends to be driven by actual instantiations of violation - not the possibility of a violation following the aggregation of data - it doesn't appear that a clear violation occurs with the collection of the SSID and MAC address alone. Unencrypted data packets - including their payloads - might be another story.


]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.flickr.com/photos/nazgjunk/3294263209/"><img class="alignleft size-medium wp-image-1709" title="streetviewcar" src="http://www.christopher-parsons.com/blog/wp-content/uploads/2010/05/streetviewcar-225x300.jpg" alt="" width="225" height="300" /></a>Google Street View has come under fire again, this time for <a href="http://www.smh.com.au/technology/technology-news/please-explain-why-google-wants-your-wifi-data-20100513-uyyh.html">collecting wireless router information</a> and <a href="http://www.pcworld.com/businesscenter/article/196372/google_stops_sniffing_wifi_data_after_privacy_gaffe.html">some packets of data whilst wandering the globe and collecting pictures of our streets</a>. It looks like the German authorities, in particular, <a href="http://www.guardian.co.uk/technology/2010/may/15/google-admits-storing-private-data">may come down hard on Google</a> though I&#8217;m at odds about the &#8216;calibre&#8217; of the privacy violation &#8211; router information is fair game as far as I&#8217;m concerned, though data packets are a little dicier. But before I dig into that, let me outline what&#8217;s actually gone on.</p>
<p>Last Friday, <a href="http://googlepolicyeurope.blogspot.com/2010/04/data-collected-by-google-cars.html">Google announced that they had been inadvertently collecting some data packets sent via unencrypted wireless access points for the past three years</a>. This admission came after the Street View program (again) came under criticism from German data protection authorities following Google&#8217;s (original, and earlier) admission that they had only been collecting information about wireless routers as they drove their cars around towns. Specifically, the original admission saw Google reveal they had collected the SSID and MAC addresses of routers. In layman&#8217;s terms, the SSID is the name of the wireless network that is usually given to the device during configuration processes following the installation of the device (e.g. Apartment 312, Pablo14, or any of the other names that are shown when you scan for wireless networks from your computer). The MAC address is a unique number that is associated with each piece of Internet networking equipment; your wireless card in your computer, your LAN card, your router, and your iPhone all have unique numbers. After collecting both the SSID and MAC address of a wireless router the company identified the physical location of the device using a GPS system.</p>
<p>Google collects information about wireless networks and (almost more importantly) their physical location to provide a wifi-based geolocation system. Once they know where wireless routers are, and plot them on a map, you don&#8217;t need GPS to plan and trace a route through a city because a wireless card and low-powered computer will suffice. There are claims that this constitutes a privacy infringement, insofar as the correlation of SSID, MAC address, and physical location of the router constitute personal information. I&#8217;m not sure that I agree with this, as the Google service stands now.<span id="more-1708"></span></p>
<p>Google&#8217;s collection does not generate information about an identifiable individual that could otherwise be understood as &#8216;private&#8217;, save in cases where individuals sought to suppress their SSID and had that information collected by Google regardless of the individual&#8217;s intentions. We don&#8217;t know if Google did this or not; if they did then that might constitute a privacy violation. So far as we know, the information collected is not used to assign a unique number to an individual nor is there an effort to collate information around particular wifi access points. Also, as far as we know, Google is not taking the information provided by a wireless router to &#8216;track&#8217; people as they move around; were this performed then that might constitute some form of tracking of individuals by proxy, and thus fall under the realm of a privacy infringement. Google&#8217;s unwillingness to perform this degree of surveillance is confirmed by Peter Fleischer, Google&#8217;s Global Privacy Counsel, who has effectively <a href="http://googlepolicyeurope.blogspot.com/2010/04/data-collected-by-google-cars.html">stated that such surveillance is impossible</a> given how data has been gathered: &#8220;&#8230;we do not collect any information about householders, we cannot identify an individual from the location data Google collects via its Street View cars.&#8221; Given that privacy law tends to be driven by actual instantiations of violation &#8211; not the possibility of a violation following the aggregation of data &#8211; it doesn&#8217;t appear that a clear violation occurs with the collection of the SSID and MAC address alone.</p>
<p>The collection of the public information that a wireless router transmits, while creepy to some, doesn&#8217;t strike me as an actual privacy violation. If I stand on the street and take pictures of every car and person who walks up the street this might be seen as creepy, but it doesn&#8217;t constitute a privacy violation under Canadian privacy law (barring Quebec). Nor does the act of taking pictures of homes from the street; Google Street View wasn&#8217;t shut down because it didn&#8217;t clearly violate (non-Quebec) privacy regulations. While the wireless spectrum is less &#8216;visible&#8217; than the shots we see in Street View it&#8217;s a very open question as to whether this spectrum&#8217;s invisibility to the human-eye means that wifi access point information is thus somehow private. As far as I can tell, the central issue with Google&#8217;s actions (in the Canadian situation) is that the company didn&#8217;t inform Canadian officials about this &#8216;added-feature&#8217; of the Street View program on the basis that Google saw it as an entirely different process that was unrelated to Street View. To some this is going to be seen as a cop-out or lie, but it doesn&#8217;t strike me as necessarily untrue. Bell Canada ran into a similar experience with their deployment of Deep Packet Inspection; Bell saw the technology as used purely for billing and traffic management purposes and thus saw no underlying privacy issues with its usage. It should be noted that, following the complaint against Bell, very little of the technology itself could be seen as privacy invasive: <a href="http://www.deeppacketinspection.ca/isps/bell-canada/">the most significant change to Bell&#8217;s operations included a minor addition to their online documentation</a>.</p>
<p>Google&#8217;s most recent revelation, however, exits the &#8216;creepy&#8217; stage and tentatively enters the &#8216;privacy invasive&#8217; domain. While collecting information about wireless routers strikes me as OK (or, at least not bad), the collection of data packets while getting wifi information could be read as wiretapping of some ilk. The company has <a href="http://googlepolicyeurope.blogspot.com/2010/04/data-collected-by-google-cars.html">publicly declared that this collection was the accidental result of old code that was recycled for the wifi-collection program and that they will be bringing in outside consultants to confirm that the excess data is entirely removed from Google&#8217;s databases</a>. Assuming that the company is telling the truth &#8211; and, to date, we have no reason to see them as lying &#8211; then this seems like a truly massive-scale error that is being corrected far later than it should have been. There are varying reasons for why this might not have been corrected previously: challenges in issuing new code to the Street View cars, poor cross- and inter-team communications (i.e. the groups actually dealing with the data sets just ignored the excess data instead of reporting its collection), or pure laziness. In effect, I would maintain we should avoid attributing to malice what we can more easily attribute to ignorance, laziness, and stupidity. This said, Alexander Hanff of Privacy International has a <a href="http://users.livejournal.com/_paladine_/10788.html">very different read on the collection of data packets transmitted on unencrypted wireless channels</a> that is reasonably convincing. Even if he is right, however, I doubt that Google will ever admit that they were purposefully collecting the full data packets that were made available over unencrypted wifi routers.</p>
<p>In the best case scenario, the outcome of the accidental collection of payload data would include the following: a full accounting of the amount of data that was collected (i.e. are we talking about a packet or two of data, or thousands of packets per wireless access point, with the latter arguably being a very real and substantial privacy invasion regardless of the information being transmitted in the clear); and the raising of public awareness of what it means to broadcast data in an unencrypted fashion. While the former might happen, the latter is almost certain to not. Raising awareness would mean that the public would understand that transmitting data over unencrypted channels is like choosing to send out private correspondence and responses to billing inquiries using postcards instead of envelopes. If someone happens to read your postcards then there hasn&#8217;t been an infringement of personal information, insofar as the transmitter of the information chose to correspond in an open fashion instead of using sealed envelopes. Envelopes, in this example, means using some mode of encryption to demonstrate to those listening to data traffic that the packets are intended to be &#8216;private&#8217; from external observation. It doesn&#8217;t matter if someone uses WEP, WPA, WPA2 (personal), WPA2 (enterprise) or an alternate encryption system: if you aren&#8217;t encrypting your data, you&#8217;re transmitting your data on the equivalent of postcards. It&#8217;s not a violation for someone to read the content of your postcards, though it certainly may be &#8216;creepy&#8217;.</p>
<p>There have been some efforts to compare Google&#8217;s collection of wifi-based information with their (<a href="http://news.cnet.com/8301-31322_3-10451428-256.html">disastrous!</a>) roll-out of Buzz, but I don&#8217;t think that that&#8217;s really an apples-to-apples comparison. Buzz leveraged already existing information &#8211; information that we knew Google had about particular individuals &#8211; to make it more publicly available. This went over poorly. In the case of the collection of wifi information, assuming that Google is telling the truth about their inability and unwillingness to map SSID information and MAC addresses to particular locations to follow people around, then this doesn&#8217;t constitute a form of surveillance and arguably doesn&#8217;t constitute a privacy violation given that the SSID and MAC are made publicly available whenever a wireless router broadcasts its name and status. If people have issues with this information &#8216;being public&#8217; then I suggest that they go back to wired routers and disable their wifi access points. (And, I will note, that this just makes good security sense: there is almost no way to perfectly secure a wireless transmission &#8211; you can only make it more challenging to defeat the security &#8211; whereas wired communications are almost inherently more secure by nature of their design.) As for the data packets that the Street View cars were picking up, whether that genuinely constitutes a violation will be seen when the specific information that was collected is made available to the public, or at least announced in the consultant&#8217;s report.</p>


]]></content:encoded>
			<wfw:commentRss>http://www.christopher-parsons.com/blog/technology/privacy-issues-strike-street-view-again/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>
