One of the most important and unresolved quandaries of First Amendment jurisprudence involves when civil liability for speech will trigger First Amendment protections. When speech results in civil liability, two starkly opposing rules are potentially applicable. Since New York Times v. Sullivan, the First Amendment requires heightened protection against tort liability for speech, such as defamation and invasion of privacy. But in other contexts involving civil liability for speech, the First Amendment provides virtually no protection. According to Cohen v. Cowles, there is no First Amendment scrutiny for [...]]]> I’ve been meaning to announce, but keep forgetting to get around to it, that my article with Neil Richards was recently published — Rethinking Free Speech and Civil Liability, 109 Columbia Law Review 1650 (2009).  Here’s the abstract:

One of the most important and unresolved quandaries of First Amendment jurisprudence involves when civil liability for speech will trigger First Amendment protections. When speech results in civil liability, two starkly opposing rules are potentially applicable. Since New York Times v. Sullivan, the First Amendment requires heightened protection against tort liability for speech, such as defamation and invasion of privacy. But in other contexts involving civil liability for speech, the First Amendment provides virtually no protection. According to Cohen v. Cowles, there is no First Amendment scrutiny for speech restricted by promissory estoppel and contract. The First Amendment rarely requires scrutiny when property rules limit speech.

Both of these rules are widely-accepted. However, there is a major problem – in a large range of situations, the rules collide. Tort, contract, and property law overlap significantly, so formalistic distinctions between areas of law will not adequately resolve when the First Amendment should apply to civil liability. Surprisingly, few scholars and jurists have recognized or grappled with this problem.

The conflict between the two rules is vividly illustrated by the law of confidentiality. People routinely assume express or implied duties not to disclose another’s personal information. Does the First Amendment apply to these duties of confidentiality? Should it? More generally, in cases where speech results in civil liability, which rule should apply, and when? The law currently fails to provide a coherent test and rationale for when the Sullivan or Cohen rule should govern. In this article, Professors Daniel J. Solove and Neil M. Richards contend that the existing doctrine and theories are inadequate to resolve this conflict. They propose a new theory, one that focuses on the nature of the government power involved.

In Columbia Law Review’s Sidebar, Professor Timothy Zick has a very thoughtful response piece entitled “Duty-Defining Power” and the First Amendment’s Civil Domain.

This strikes me as “deceptive” advertising. True, the fine print discloses that the report isn’t free and provides the URL to AnnualCreditReport.com. But Experian seems to be exploiting the FACT Act, which required the credit reporting agencies to provide free credit reports. A statutory responsibility to protect consumers is turned into a money-making opportunity for Experian. This practice strikes me as deeply problematic.

As Bob Sullivan at MSNBC reports:

The singer of those FreeCreditReport.com jingles might sound a bit less peppy now that the Federal Trade Commission is making the company behind the ads — credit bureau Experian — [...]]]>

It’s about time!  Finally, after a protected battle, the FTC is making the credit bureau Experian stop misleading people with its FreeCreditReport.com website. I blogged about this site several years ago:

This strikes me as “deceptive” advertising. True, the fine print discloses that the report isn’t free and provides the URL to AnnualCreditReport.com. But Experian seems to be exploiting the FACT Act, which required the credit reporting agencies to provide free credit reports. A statutory responsibility to protect consumers is turned into a money-making opportunity for Experian. This practice strikes me as deeply problematic.

As Bob Sullivan at MSNBC reports:

The singer of those FreeCreditReport.com jingles might sound a bit less peppy now that the Federal Trade Commission is making the company behind the ads — credit bureau Experian — face the music. Heavy-handed disclosures aimed at ending years-long confusion over free credit reports will begin to appear in the ads next month. The changes are among new consumer protections enacted by Congress in the 2009 Credit Card Accountability Responsibility and Disclosure Act.

In one disclosure viewed by msnbc.com, the top of the FreeCreditReport.com Web site was covered with a large grey block with type that read:  “You have the right to a free credit report from AnnualCreditReport.com … the only authorized source under federal law,”  with an obvious link to the site.  Consumers who still want to sign up with FreeCreditReport.com would have to scroll down and enroll in the paid service offered by Experian. . . .

Many Web sites, including FreeCreditReport.com, claim to offer free credit reports, but do so only as a come-on for costly credit monitoring subscriptions services.

Market leader Experian, which owns the coveted FreeCreditReport.com Web address, began advertising heavily in 2003 after Congress mandated that U.S. consumers were entitled to a free copy of their credit reports every year. The FTC has been in a legal battle with the site ever since. Experian has been forced to issue refunds and pay more than $1 million in fines, but that didn’t quiet the crooning of Eric Violette, the star of the FreeCreditReport.com ads.

In “Redrawing the Route to Online Privacy,” the New York Times discusses how law and technology might get help us out of this mess.  The article highlighted several intriguing technical innovations.  A group at Carnegie Mellon University has designed software that will nudge consumers about the privacy implications of sharing certain information.  As [...]]]> As Daniel J. Weitzner recently noted to the New York Times, our current notice-and-choice model of privacy may soon be dead and good riddance.  Since the 1990s, we have relied upon websites’ privacy policies to inform individuals about whether their information would be collected, used, and shared.  Consumers usually don’t read these policies and, if they did, they likely would not understand them.  This leaves us with with much room to do better.

In “Redrawing the Route to Online Privacy,” the New York Times discusses how law and technology might get help us out of this mess.  The article highlighted several intriguing technical innovations.  A group at Carnegie Mellon University has designed software that will nudge consumers about the privacy implications of sharing certain information.  As CMU’s  Lorrie Faith Cranor explains, social network site users often share their birth dates, hoping to receive online greetings from friends yet doing so runs the risk of marketing profiling, identification, and identity theft.  Software could inform consumers of these risks before they share their birth dates.  M. Ryan Calo, a fellow at Stanford Law School’s Center for Internet and Society who has done exciting work on the privacy implications of robots, is exploring voice and animation technology emulating humans that would provide “visceral notice.”  Before someone puts information in a personal health record like GoogleHealth, a virtual nurse could explain the privacy implications of sharing the information.  Calo explains that people naturally react more strongly, in a more visceral way, to anthropomorphic cues.  The think tank Future of Privacy led by Jules Polonetsky and Chris Wolff is testing the effectiveness of using new icons and key phrases to provide web surfers with more transparency and choice about behavioral advertising practices.  Princeton’s Ed Felten (whose important computer science research has rightly preoccupied government and industry) is working on re-engineering the Web browser for greater privacy.  Felten would alter the software’s design so that information about on-screen viewing sessions is kept separate and not routinely passed along so a person’s browsing behavior can be tracked.

As these efforts make clear, code is crucial to the protection of consumer privacy.  To what extent, if at all, should we invoke law to regulate websites’ information practices?  Congress and the Federal Trade Commission is mulling rules that would limit a site’s use of information collected online.  As the New York Times notes, government might ban the use of recorded trails of a person’s web-browsing in employment or health insurance decisions.  It would be worth considering limits on data collection and retention practices too.  Law could require the deletion of certain information after a certain time, in the manner suggested by Viktor Mayer-Schonberger’s work.  All worth pondering.

Thanks, Danielle, for inviting me to expand on my comment yesterday on your post on the Google Buzz story. Google Buzz has been obviously been all over the news lately, in part for various complaints about Google’s privacy practices. Those complaints have focused on the way in which Buzz, enrollment in which was automatic for Gmail users, initially defaulted to effectively sharing users’ email contacts with the public. EPIC has filed a complaint with the FTC arguing that this combination of automatic enrollment and “opt-out” [...]]]> Guest blogger Professor Bruce Boyden has terrific insights on all things technology and law and so I invited him to comment on the Children’s Online Privacy Protection Act and its impact on the Google Buzz phenomenon.  So here is Professor Boyden:

Thanks, Danielle, for inviting me to expand on my comment yesterday on your post on the Google Buzz story. Google Buzz has been obviously been all over the news lately, in part for various complaints about Google’s privacy practices. Those complaints have focused on the way in which Buzz, enrollment in which was automatic for Gmail users, initially defaulted to effectively sharing users’ email contacts with the public. EPIC has filed a complaint with the FTC arguing that this combination of automatic enrollment and “opt-out” of information-sharing was an unfair or deceptive trade practice in violation of Section 5 of the FTC Act.

But that’s not what caught my attention in Danielle’s post. What really set off alarm bells in my head was Danielle’s recounting how her children and their friends, all under the age of 13, suddenly had their Gmail accounts turned into Google Buzz accounts,  and then proceeded to upload all sorts of information about themselves using the service. That raises the prospect that Google Buzz, by collecting such information without getting the appropriate parental consent, violated the Children’s Online Privacy Protection Act, or COPPA. I haven’t seen any discussion of this issue anywhere else.

COPPA is one of the few privacy statutes with real bite: it has strict rules that require substantial effort to follow, and the FTC has shown itself to be a vigorous enforcer. Indeed, the FTC has gone after two social networking sites for COPPA violations recently, and in one case imposed a fine of $1 million. So is Google violating COPPA? The answer is unclear but there’s definitely risk for Google here.

COPPA regulates the online collection of information from children under the age of 13. It applies to two classes of websites: those that have “actual knowledge” that they are collecting information from children, and those that are “directed to children.” If a website in either category is going to collect personally identifiable information (PII) from children, it first has to get “verifiable consent” from a parent. The FTC uses a “sliding scale” to determine what sort of verifiable parental consent is required; for information that is going to be publicly disclosed, as here, the FTC’s COPPA regulations require something like a mail-in form or a credit card.

It’s clear that Google has been collecting PII from children and that it hasn’t been getting prior verifiable consent. But it doesn’t need to comply with COPPA if it doesn’t either have actual knowledge or if the site is not directed to children. “Actual knowledge” typically comes about because the site asks for an age or birth date in the registration process–whether or not a human actually looks at it, the site will have “actual knowledge” if a user provides a birth date that is less than 13 years ago. This is in fact the most common vector for COPPA violations: a site asks for the user’s age, but doesn’t bar the user or get verifiable consent if the user responds that they are less than 13. But Buzz didn’t ask for an age when its users joined, so Google doesn’t appear to have “actual knowledge” of Buzz’s users’ ages.

Even if Google lacks “actual knowledge,” it might still need to comply with COPPA if Buzz is “directed to children.” Buzz users are Gmail users, and Gmail’s terms appear to bar users under 18:

2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google . . . .

But the FTC has taken the sensible position that merely stating a rule barring users under 13 is not enough to avoid COPPA compliance if the rule is not enforced. So we need to look at the definition of “directed to children,” According to the FTC regulations, a website is “directed to children” if it is “a commercial website . . . that is targeted to children,” which is not terribly helpful. The FTC looks at the following factors to determine whether a website is “targeted” at children: “its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children.” The Commission will also consider empirical evidence concerning who’s using the service, and who the intended audience is.

Buzz doesn’t seem to satisfy many of those factors. There’s not much about the site design that screams out “young children.” The short video promoting Buzz I watched had only adult cartoon figures in it. But focusing on the list of factors ignores the fact that we are talking about a social networking site here, which may be inherently “targeted at children.” Children are drawn to such sites like catnip. It’s worth noting that Facebook has made a different choice than Google: it asks for your age on registering, and bars those under 13. Google would be wise to adopt a similar policy.

I’m not certain the FTC has yet brought a COPPA enforcement action against a company that didn’t have any actual knowledge of users’ ages. As a result, there’s not much to go on in terms of deciding when a site might be found to be “directed to children.” And perhaps an enforcement action is unlikely here. But I’m sure Google doesn’t want to be the test case.

As many parents know, Facebook and other social network sites welcome anyone 13 and older to make friends and become fans at their site.  That leaves kids under 13 (at least ones with watchful parents) with a less dynamic [...]]]> Google Buzz thrust itself on the social scene at a particularly auspicious time.  Snow had trapped East Coasters in their homes so kids talked to their friends digitally and watched television (usually at the same time).  Those over 13 likely spent their time on Facebook, which now seems like a privacy haven compared to its newest pesky social network comrade, Google Buzz.  Kids under 13 discovered that Google Buzz hit their Gmail account.  It was, for many, their first social network experience: intoxicating, terrifying, and all theirs.

As many parents know, Facebook and other social network sites welcome anyone 13 and older to make friends and become fans at their site.  That leaves kids under 13 (at least ones with watchful parents) with a less dynamic online life.  Before last week, my kids and their pals communicated via email and Gmail chats, happy to wait until their 13th birthday when they might get a chance to create profiles and network on Facebook (parent approval pending).  Then came the Buzz.  As parents busied themselves shoveling or trying to work, kids found their Gmail inboxes transformed into garden of online delights.  They could post pictures and videos for their contacts (their contacts’ contacts and their contacts’ contacts) to see, and they gained access to everyone’s email list.  Status updates from contacts appeared in an endless stream along with wall-like postings.

Aside from the obvious privacy problems that advocates such as Marc Rotenberg make stunningly clear, see here, another arose, one that has received less press.  Those under 13 had, and may continue to have, a powerful taste of social networking that they may be ill-equipped to handle.  Online communications have a powerful disinhibiting effect.  As a result, people do and say things online that they would never do or say offline.  This is particularly tricky for young children who have much emotional intelligence to learn.  Although I had only a small sample to watch, my friends tell a resoundingly similar story: kids under 13 got swept into a nasty free for all, a melange of bullying, shaming, and privacy-busting disclosures that would make a more emotionally mature crowd cringe.  As the recent story of 15-year old Phoebe Prince’s suicide illustrate and that of Megan Meier, online bullying can escalate into serious harassment, inflicting mental distress so serious as to drive the emotionally vulnerable to suicide.

Google Buzz did parents a favor with its shocking jump into social networking, foisted on Gmail users.  Since the snow storm has abated for the moment, parents are now probably paying attention to what is going on with their kids.  Hopefully, this turns into a crucial teaching moment for families who need to talk about acting responsibly online, to treat others as ends in themselves, worthy of respect, not as objects that we can shame and demean.  I know that our house took that opportunity.  So should yours.

Hat Tip: Citron gang, Tea Carnell, and Ray Cha

Some of the survey’s findings:

* Even when they are told that the act of following them on websites will take place anonymously, Americans’ aversion to it remains: 68% “definitely” would not allow it, and 19% would “probably” not allow it. (p. 2)

* 69% of American adults feel there should be a law that gives people the right to know everything that a website knows about them. (p. 2)

* 92% agree there should be a law that requires “websites and advertising companies to delete all stored information about an individual, if requested [...]]]> Joseph Turow, Chris Hoofnagle, Jennifer King, Amy Bleakley, and Michael Hennessy have just issued a very interesting consumer survey on privacy and behavioral marketing entitled, Americans Reject Tailored Advertising and Three Activities that Enable It.

Some of the survey’s findings:

* Even when they are told that the act of following them on websites will take place anonymously, Americans’ aversion to it remains: 68% “definitely” would not allow it, and 19% would “probably” not allow it. (p. 2)

* 69% of American adults feel there should be a law that gives people the right to know everything that a website knows about them. (p. 2)

* 92% agree there should be a law that requires “websites and advertising companies to delete all stored information about an individual, if requested to do so.” (p. 2)

* Signaling frustration over privacy issues, Americans are inclined toward strict punishment of information offenders. 70% suggest that a company should be fined more than the maximum amount suggested ($2,500) “if a company purchases or uses someone’s information illegally.” (p. 3)

* Our survey did find that younger American adults are less likely to say no to tailored advertising than are older ones. Still, more than half (55%) of 18- 24 year-olds do not want tailored advertising. And contrary to consistent assertions of marketers, young adults have as strong an aversion to being followed across websites and offline (for example, in stores) as do older adults. 86% of young adults say they don’t want tailored advertising if it is the result of following their behavior on websites other than one they are visiting, and 90% of them reject it if it is the result of following what they do offline. (p. 2)

These are just a few of the many findings in this fascinating survey.  The New York Times has coverage of the survey here.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor [...]]]> During the 2008 election, Democrats effectively used Web 2.0 platforms to garner interest in the campaign and win supporters.  President Obama has been widely hailed as the first “Tech President,” and he seems to have trounced the Facebook landscape.  To date, President Barack Obama has over 6.6 million Facebook friends, while Sarah Palin only has 848, 614 Facebook pals and Mitt Romney has 70, 130.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor now that they are in the minority.  AMERICAblogs’ John Aravosis worries that Democrats have ceded their online advantage.

No matter the current political victor in this social media landscape, Government 2.0 is here to stay.  It surely has great potential to shine light on government policymaking and to marshal public participation, especially from people who otherwise wouldn’t bother getting involved with government policymaking.  Adding the President as a friend on MySpace and joining live chats may seem to be a relatively costless endeavor as compared to writing letters or commenting on agency rulemakings.  But Government 2.0 also poses privacy risks: social media sites not only give government access to people’s policy insights but also access to all of individuals’ social media data, such as their videos, photos, walls musings, “Top 25 things you don’t know about me” lists, and the like.  Soon, I will be posting on SSRN a draft of my essay “The One-Way Mirror: Enhancing Participation and Securing Privacy for Government 2.0″ (forthcoming George Washington Law Review) and hope to get your feedback.

* The Facebook-Fandango Connection: Invasion of Privacy?

* Facebook’s Beacon: News Feeds All Over Again?

* Facebook and the Appropriation of Name or Likeness Tort

* The New Facebook Ads — Starring You: Another Privacy Debacle?

* Facebook — the New DoubleClick?

* Facebook Listens and Responds

* Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act

A class action suit was initiated against Facebook, and recently, a settlement agreement has been reached.  According to the WSJ:

Facebook Inc. said Friday it settled a class-action lawsuit related to its Beacon Web product, a controversial service that displayed actions that users took on other Web sites back on Facebook.

As part of the settlement, which is pending approval [...]]]> A while ago, I wrote a lot about Facebook’s Beacon on this blog:

* The Facebook-Fandango Connection: Invasion of Privacy?

* Facebook’s Beacon: News Feeds All Over Again?

* Facebook and the Appropriation of Name or Likeness Tort

* The New Facebook Ads — Starring You: Another Privacy Debacle?

* Facebook — the New DoubleClick?

* Facebook Listens and Responds

* Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act

A class action suit was initiated against Facebook, and recently, a settlement agreement has been reached.  According to the WSJ:

Facebook Inc. said Friday it settled a class-action lawsuit related to its Beacon Web product, a controversial service that displayed actions that users took on other Web sites back on Facebook.

As part of the settlement, which is pending approval in the U.S. District Court of the Northern District of California, the social-network concern will shut down the Beacon service, which it has been phasing out but which is still being used by a small number of Web sites, according to a Facebook spokesman.

The company will also pay $9.5 million to create a foundation to fund products that promote online privacy, safety and security, the spokesman said. The settlement was submitted to the court late Friday evening.

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.

During the MACO conference, a gubernatorial staffer posted 115 party pics on Facebook, documenting the Governor, Mayor, county executives, and staffers having drinks during the event.  It took little time for the pictures to leak: they now reside on the blog Maryland Politics Watch despite the staffer’s delection of the pictures from his Facebook page.

Why would the staffer post the party pics given the Governor’s admonition for a [...]]]> Every summer, the Maryland Association of Counties (MACO) sponsors a networking bonanza where pols solidify contacts over drinks.  With the budget disaster, Maryland Governor Martin O’Malley promised a “sober” MACO outing.  Surely, partying on the state’s dime would seem in poor taste given the state’s continued layoffs and furloughs.  Well, that was the plan, at least in theory.

During the MACO conference, a gubernatorial staffer posted 115 party pics on Facebook, documenting the Governor, Mayor, county executives, and staffers having drinks during the event.  It took little time for the pictures to leak: they now reside on the blog Maryland Politics Watch despite the staffer’s delection of the pictures from his Facebook page.

Why would the staffer post the party pics given the Governor’s admonition for a sober event and given the dour economic outlook in the state?  Guest blogger James Grimmelmann’s important “Saving Facebook” article, just published in the Iowa Law Review, explains why.  Social network site users have a powerful sense of privacy.  Facebook’s design produces the sense that users engage in private conversations.  Users see their friends’ pictures and names when they send messages and post wall missives, pictures, and videos.  They sense that users are “just like them” and thus would be unlikely to betray them.  We also trust others because double nuclear annihilation lurks.  If we publicize our friends’ pictures and videos beyond the Facebook walls, we can expect the same in turn.  As Grimmelmann convincingly develops, social network site users cannot appreciate the real privacy risks of sharing on Facebook: we are cognitively limited in that way.  Grimmelmann’s piece develops a strategy for addressing these issues and is a must read.

Last month, Government Technology had an article entitled “Blurring the Line,” which discussed the increasingly public nature of online social networking sites.  Employers now “friend” employees, leaving the employed likely to accept those friendships out of fear for losing their jobs.  The article discusses the problems attendant to the convergence of of our work, social, and family worlds and asks whether this phenomenon will alter the nature of those spaces from a sharing free-for-all to a more buttoned-down, “not afraid for the boss to see” experience.

In reading the article, I wondered if the story will play out in a different way, one that will meet employers’ desire to harness the connectivity of social networking sites without compromising its current incarnation.  As we have seen in [...]]]>

Last month, Government Technology had an article entitled “Blurring the Line,” which discussed the increasingly public nature of online social networking sites.  Employers now “friend” employees, leaving the employed likely to accept those friendships out of fear for losing their jobs.  The article discusses the problems attendant to the convergence of of our work, social, and family worlds and asks whether this phenomenon will alter the nature of those spaces from a sharing free-for-all to a more buttoned-down, “not afraid for the boss to see” experience.

In reading the article, I wondered if the story will play out in a different way, one that will meet employers’ desire to harness the connectivity of social networking sites without compromising its current incarnation.  As we have seen in the government sector with internal wikis like Intellipedia, we may see employers increasingly adopt in-house social networking sites, say a [Name] Company Connect.org, just as we have seen employers wade into the Twitter space.  We may already be doing this (and it would be really interesting to learn about it), but perhaps such sites would nip in the bud employers/managers/supervisors’ desire to friend their underlings.  This may detract from the goal of monitoring employees, but we surely have enough of that in the workplace already (as well as the ability to view employees’ profiles for the very many people who fail to set rigorous privacy settings, as ACM studies show).  And it may save employers from having looked at employees’ damning wall musings and pictures and figuring out just what to do about it.

This development has much significance.  It tells [...]]]> As I noted in a blog post late last year, Mark Zuckerberg, chief executive of Facebook, has predicted that “next year, people will share twice as much information as they share this year, and that next year, they will be sharing twice as much as they did the year before.”  He explained that “people are ever more willing to tell others what they are doing, who their friends are and even what they look like as they crawl home from a college party.  Recent statistics support his optimism (and then some).  Yesterday, Zuckerberg announced that his social networking site now has 250 million active users, up from 200 million users just three months ago and 150 million in January.

This development has much significance.  It tells us that social networking is no passing fad — it is deeply embedded in our daily lives and will likely remain so despite many parents’ dismay.  It suggests that we are more connected personally (and perhaps more distracted professionally).  And it means that we entrust Facebook with an exponentially increasing amount of data.  Facebook’s information security practices and privacy policies are thus worth watching carefully.  No doubt, this development will have other far-reaching impacts so your comments are most welcome.

Wikimedia Commons Image

Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration’s Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences [...]]]> Alessandro Acquisti and Ralph Gross have recently published their provocative article, Predicting Social Security Numbers from Public Data in the Proceedings of the National Academy of Sciences.  According to the abstract:

Information about an individual’s place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals’ SSNs and their birth data and found that for younger cohorts the correlation allows statistical inference of private SSNs. The inferences are made possible by the public availability of the Social Security Administration’s Death Master File and the widespread accessibility of personal information from multiple sources, such as data brokers or profiles on social networking sites. Our results highlight the unexpected privacy consequences of the complex interactions among multiple data sources in modern information economies and quantify privacy risks associated with information revelation in public forums.

Acquisti and Gross’s study has generated significant media attention.  Here’s an article by Bob Sullivan for MSNBC and by Hadley Leggett for Wired.  As Sullivan writes:

The two say they can guess the first 5 digits of the Social Security number of anyone born after 1988 within two guesses, knowing only birth date and location. The last four digits, while harder to guess, can be had within a few hundred guesses in many situations — a trivial hurdle for criminals using automated tools.

SSNs are currently used by numerous businesses and organizations to allow access to accounts – they function as a kind of password. They are also used to verify identity when people sign up for a new credit card or other account. They are thus a very useful tool for identity thieves and fraudsters who want to impersonate people to improperly access their accounts or obtain credit cards in their name.

The current focus of policymakers has been to provide better protections against the disclosure of SSNs.

Acquisti and Gross’s paper provides a powerful demonstration that protecting against the disclosure of SSNs is not providing enough protection to consumers.  The article shows that no matter how much protection against the disclosure of SSNs, SSNs can be determined with other public information.

Congress or the FTC should prohibit companies from using SSNs as a means to verify identity. Companies, organizations, and government entities should be prohibited from using SSNs as a means of verifying identity to provide access to accounts or to create new accounts. Merely protecting against the disclosure of SSNs is insufficient since Acquisti and Gross demonstrate they can readily be predicted.

The government and businesses are at fault here.  Too many business and organizations use the SSN improperly as a means to verify identity.  And the government is at fault for creating the SSN and allowing it to be used improperly in ways that harm people.

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients’ behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, the analysis of encrypted information can yield the same detailed results [...]]]> According to Help Net Security, Craig Gentry, a researcher at IBM, appears to have found a way to allow “the deep and unlimited analysis of encrypted information – data that has been intentionally scrambled – without sacrificing confidentiality.” The solution involves a an “ideal lattice.” I’ll leave the explanation of all the math to the math/computer science folks. As the Help Net article notes, the solution seems to enable some great advantages for anyone providing cloud computing for:

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients’ behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, the analysis of encrypted information can yield the same detailed results as if the original data was fully visible to all.

It all sounds wonderful. One could have encrypted data and let others data mine while maintaining anonymity or privacy. Yet, something seemed odd to me. So I did what lawyers do, I called someone who knew more about computer science and asked for some help. That person explained that yes this could mean one could query an encrypted database without decrypting the data. The example to consider is a database of book purchases. One could ask how many people bought both book A and book B and see that result without ever seeing what a specific person purchased. Great, right? Not so fast.

As this person reminded me, with other sources of information one can figure out what a specific person did. That reminded me of the AOL debacle. With a little work, people were able to figure out who the anonymous subjects were.

All of which highlights that privacy is not binary. The cluster of information and the ability to analyze it seems often, if not always, to lead to problems about the use of information. So if this breakthrough allows a company or the government to claim that we should remain calm and all is well, we may want to remain clam but show how all may not be well. A few regulations about the use of the data even if supposedly anonymous, might allow the beneficial aspects of the solution to thrive while limiting the harms that can occur.

Image: WikiCommons
By: Gwenda; License: Public Domain
(My apologies to CS folks if the image does not match the breakthrough’s area of encryption)

Here are some practical concerns: the personal information on MySpace pages could be collected and joined with other data gathered from private data mining companies, public sector databases, etc.  (Oftentimes, data about us collected by third parties is often faulty).  All together, the information could suggest (albeit falsely) that we constitute a threat to society.  Law enforcement could be informed and our names could be put on watch lists.  This is not a hypothetical problem, see here.  [...]]]> Yesterday, I wrote about the public’s expectations regarding privacy when interacting with government on social networking sites such as Facebook, MySpace, Flickr among others.  Why should we care if agencies collect our musings, videos, and pictures that we have willingly shared with online “friends,” both real and imaginary ones?

Here are some practical concerns: the personal information on MySpace pages could be collected and joined with other data gathered from private data mining companies, public sector databases, etc.  (Oftentimes, data about us collected by third parties is often faulty).  All together, the information could suggest (albeit falsely) that we constitute a threat to society.  Law enforcement could be informed and our names could be put on watch lists.  This is not a hypothetical problem, see here.  If federal agencies collected and maintained that data in their systems, it would be covered by the Privacy Act of 1974.  Nonetheless, you would still appear on a watch list or assigned another ignominious fate by an automated government system.

As a normative matter, the absence of privacy vis-a-vis government on online social networking sites is unappealing.  It would likely have an impact on our willingness to friend government agencies.  We would be less likely to join online conversations that the Open Government directive hopes to generate.  Or if we friend a government agency because we want to peer inside its operations, we may edit what we include on our profiles.  As Julie Cohen has elegantly developed in her work, the lack of privacy would chill our creativity and desire to experiment with different aspects of our personalities.  And Patricia Sanchez Abril has a superb piece entitled “A (My)Space of One’s Own: On Privacy and Online Social Networks” that discusses the social implications of a “no privacy” presumption in information we share with our friends on social networking sites.  Justice Douglas’s remark that “monitoring, if prevalent, certainly kills free discourse and spontaneous utterances” should not be lost to us here.

Wikimedia Commons Image

What [...]]]> Since I last wrote about President Obama’s Facebook friends, Government 2.0 has  steadily progressed.  Since early May, our Commander-in-Chief has added more than 150,000 new friends.  The FDA has initiated its Transparency Blog and will soon add a Twitter feed and Facebook page.  More state agriculture agencies reach the public through social networking sites.  Of course, the government social-networking phenomenon is not brand new:  since 2007, the Commerce Department’s National Oceanic and Atmospheric Administration has maintained a virtual island in Second Life  and the CDC has had a MySpace page.   Nonetheless, it is a particularly auspicious time to think about this trend’s privacy implications especially in light of the GSA’s recent agreement with video-sharing and social networking sites to permit agencies to use their services.

What are the public’s privacy expectations when using government social media?  It is surely too early to identify a clear sense of our expectations, at least in any well-studied way.  But the Obama Administration has provided some sense of what we should expect when we join a future Facebook group sponsored by OMB or engage in virtual conversations with agency officials in Second Life.  How so?  The current push for agencies to use Web 2.0 platforms stems from President Obama’s January 21, 2009 Open Government memorandum.  The memorandum urges executive departments and agencies to be more transparent, participatory, and collaborative.  Agencies “should harness new technologies to put information about their operations and decisions online and readily available to the public.”  They should “offer Americans increased opportunities to participate in policymaking and to provide their Government with the benefits of their collective expertise and information.”  And they should use “innovative tools, methods, and systems to cooperate” and collaborate with the public and private sectors in making policy.  USA.gov’s Sheila Campbell has explained that agencies will appoint directors of new media to determine how they can use social networking tools to meet mission goals and comply with President Obama’s Open Government directive.  As White House CIO Vivek Kundra has noted, public comment on programs will hopefully be a “two-way interaction between government and its citizens.”  White House spokesperson Moira Mack clarified the point:  “we are focused on opening government to the people (and not the other way around), and like with any other online friends, the individual users can still choose to keep information private using their privacy settings.”

So what does all of this signal about our privacy when interacting with government agencies via Facebook, MySpace, Twitter, You Tube, etc.?  The Open Government directive tells us that government wants to shine light on its activities and get our opinions and expertise on policy matters.  It says nothing about government’s interest in our personal lives, i.e., what we write on our friends’ walls, the 25 things you don’t know about us, our network of friends, etc.  Our personal lives seem downright out of place in any discussion of the Open Government directive.  This seems to create a presumption of openness as to policy-related matters and a presumption of privacy as to individuals’ personal matters.

In other words, the Government has created a one-way mirror: the public can peer into agency workings, data, and policymaking but the agency behind the mirror cannot glance back into our personal lives.  And why would we even think that President Obama, the CDC, or NASA has the time or policy-driven motive to see the movies we love, the albums we bought, or the amount of money we spent at a bar?  As a commentator on eParticipation noted: “While the UK Home Office is planning to gain access to social networking sites to snoop on its citizens, the Obama administration seeks to use the same technology to engage with voters and find out what they want.”  Agencies’ recent forays into Facebook environment reflect this intuition.  Agencies have created Facebook “fan pages” that allow Facebook users to join, receive updates (transparency), and conduct discussions on the wall or in forums (participatory/collaborative).  Agencies, however, cannot peer inside the lives of their fans: it is a one-way mirror of sorts.

Tomorrow I will discuss the normative implications of the one-way mirror and would love your feedback on my intuitions.

H/T to the ever-insightful Paul Ohm who shared with me his insights on the one-way mirror.