
Category: Privacy


Notice of Privacy Practices

A friend recently asked why we don’t have a privacy policy for this blog. We have a registration statement, after all, so why not a privacy policy? So without further ado, I present to you our shiny new privacy policy:

Notice of Privacy Practices

1. Our Commitment to Your Privacy. We at Concurring Opinions respect your private information deeply, which is why we want to gather and use every last bit of it. By visiting www.concurringopinions.com, you are accepting the practices described in this Privacy Notice. Moreover, even by hearing about this site, thinking about this site, or attempting to forget about this site, you hereby fully consent to everything described hereinafter in this Privacy Notice.

2. Our Promise to You. You hereby agree to be unilaterally bound by all terms stated in this Privacy Notice. However, this Privacy Notice is not binding on us in any way. We reserve the right to change, amend, or revoke this Privacy Notice at any time, without providing notice to you beforehand or in the future. Indeed, our privacy practices may currently be entirely different from those stated herein.

3. The Data We Collect and Share. Concurring Opinions gathers the maximum possible information about you to better understand you and to provide you with the content you so enjoy. We harvest your email addresses, track your IP addresses, and we provide them to numerous commercial data brokers in exchange for further information about you. We construct extensive dossiers about all of our visitors. We use this information to better customize Concurring Opinions so that we can deliver content suited to your interests, hobbies, and needs. We also share your information with our trusted as well as our non-trusted business partners. We do, however, take steps not to sell the data to identity thieves unless they pay us a higher rate. In the event of bankruptcy, we will sell your personal data to the highest bidder.


Symmetrical Privacy and Musings on Site Meter


Lior Strahilevitz (law, Chicago), has an interesting post at the Chicago Faculty Blog on what he calls “symmetrical privacy.” He begins by discussing Friendster, a social networking website where individuals post profiles and look up the profiles of others. Strahilevitz’s post was inspired by a post by Tara Wheatland at Boalt.org, who wrote:

Friendster suddenly and without notice changed a fundamental assumed feature of the community–that you could look at anybody’s profile you wanted to, while remaining anonymous yourself. Before this change, people who did not want random people to look at their profiles could change their settings accordingly. To apply this new feature retroactively and without notice really feels like a serious invasion of privacy. I don’t like it. . . .

As Strahilevitz notes: “Now Friendster users could quickly satisfy their curiosity by finding out who had viewed their profiles, but were mortified to learn that other users could do the same thing to them. Friendster was deluged with outraged user emails.”

Strahilevitz agrees that Friendster made a big gaffe by not informing people in advance, but he applauds Friendster’s “initial instincts” for devising a system of symmetrical privacy, which is a kind of privacy tit-for-tat. If you access my data, I get to access yours:

If an employer, identity thief, health insurer, or credit card company wants to access my credit report, at least let me know about it. If someone makes a FOIA request for government documents that reveal something about me, I should be notified of this request by the government. If someone goes to Fundrace.org or a similar site to see which political candidates I have donated to, I have no right to stop them from doing so, but I ought to have the right to be informed of their snooping. Symmetrical privacy might or might not be a solid foundation for a social networking site, but it seems to me that it is an excellent starting point for the law’s treatment of private information.

This is an interesting idea. We have something like that here, and so do many blogs. It’s called Site Meter. We can see how many of you are visiting and learn information about you. It’s quite interesting. Although we don’t learn your names, we can see what institutions you belong to, where you’re located, how many pages you’ve viewed, and more. Is this “symmetrical privacy” – we give you information on this blog and we get to see information about you? Actually, everybody can see this information at our Site Meter. You can too by clicking here. We’re all in a big fishbowl, and visits to this blog (and many blogs) are not totally private. Now, that’s symmetrical! I’ve always felt ambivalent about Site Meter. I am fascinated by the information about the visitors to this site, but it has always made me feel a bit like a voyeur.

I generally agree with Strahilevitz that people should be more aware of who is accessing their data. But the devil’s in the details. How far should this go? For example, I just posted about Harriet Miers’ donations to political candidates. Indeed, people can look up anybody’s contributions. Should Miers get a notice anytime somebody looks up this information?


Airport Screening Stories


Once upon a time, in an airport far far away, some people had problems with passenger screening. Nice people found themselves on lists of naughty people. Some called or emailed their complaint to the TSA Contact Center, in the hopes of fixing their problems or getting off the naughty lists (the Selectee or No Fly lists). The Electronic Privacy Information Center obtained the logs of their complaints, which contain many interesting tales.

From the call logs:

Consumer called and stated that she was on a no fly list. She would like to know what she would have to do or who do [sic] she have to talk to to get off the list. She stated that she was informed at the airport that she was on a list. I informed Mrs. ******* that since she’s allowed on the plane after secondary screening, she isn’t on the No Fly List. Mrs. ******* spoke to local detectives stationed at FLL. They informed her that she may be on the No Fly List. But the case is out of their jurisdiction. She was referred to Homeland Security. Info has been forwarded to the appropriate source. No accurate timeframe for response.

* * * * * * *

Dr. ******* complains that every time he tries to fly commercial airlines, especially United and Continental, he is “submitted to the most embarrassing and humiliating security checks at the counter even before they take my luggage. It takes up to 25 minutes standing up.”

From the email logs:

I would like to know why my name is on the No Fly List and how I can get it removed. When I fly Continental for business, I have to have an airline representative check my identification and a TSA representative clear the reservation so my ticket can be issued for me to fly. This seems to only happen at Continental Airlines, but frequently I have had to go through the additional search at other airlines. The Continental agent did tell me that my name was on the No-Fly List and that it would be next to impossible to get if off, but I shall try anyway. I have not had any run-ins with the law or nor the airline, so I do not understand the reason for being on this list and subject to additional security when I fly for business or personal reasons. . . .

* * * * * * *


The USA-PATRIOT Act: A Fraction of the Problem

Over at Legal Affairs Debate Club, Geoffrey Stone and Judge Richard Posner are debating the USA-PATRIOT Act. The focus of the debate thus far is on Section 215 of the USA PATRIOT Act, which states:

The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.

Further, this section requires that the person ordered to turn over the materials shall not “disclose to any other person . . . that the Federal Bureau of Investigation has sought or obtained tangible things under this section.”

Stone calls for curtailing Section 215 and Posner comes out in favor of a modified version of it.

The problem with this debate, as with many debates over the USA-PATRIOT Act, is that it is focused only on the USA-PATRIOT Act. Many of the issues that people are debating about already existed in federal electronic surveillance law before the USA-PATRIOT Act.


California’s Tougher Anti-Paparazzi Law and the First Amendment


Recently, Governor Arnold Schwarzenegger signed a law that toughened California’s Anti-Paparazzi Act, Cal. Civ. Code §1708.8. The original act was passed in 1998 in response to Princess Diana’s death, which was caused when her car was fleeing aggressive paparazzi.

Paparazzi photos can fetch a lot of money. A photo of Princess Diana and Dodi al-Fayed sold for over $3 million.

Arnold Schwarzenegger is no stranger to paparazzi. In one instance, they chased him and his wife, Maria Shriver, off the road to take photos of him.

The Anti-Paparazzi Act creates heightened penalties when a person commits a trespass “in order to physically invade the privacy of the plaintiff with the intent to capture any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a personal or familial activity and the physical invasion occurs in a manner that is offensive to a reasonable person.” A person can also be liable even if there is no trespass if he “attempts to capture, in a manner that is offensive to a reasonable person, any type of visual image, sound recording, or other physical impression of the plaintiff engaging in a personal or familial activity under circumstances in which the plaintiff had a reasonable expectation of privacy, through the use of a visual or auditory enhancing device.”


The DHS Privacy Office


Nuala O’Connor Kelly left the DHS privacy office last week. I have mixed reviews of her performance. On the good side, she did not rubber stamp DHS policies. She criticized the TSA, for example, for improperly gathering airline passenger records from Jet Blue Airlines. But on the negative side, she acted more as an internal facet of DHS than as an external overseer. Her role was more akin to an in-house privacy counsel who would advise behind the scenes than to an independent agent.

This wasn’t necessarily O’Connor Kelly’s fault. The DHS privacy office lacks essential powers, like the ability to subpoena documents. It lacks the independence to rebuff the DHS. It lacks any real teeth to enforce sanctions when the DHS violates the law. Although it produces public reports about its activities, the privacy office could do more to ensure greater public accountability for DHS, which often operates in a manner that isn’t transparent.

We need a privacy agency, one that has teeth. For a good proposal for such an entity, see Robert Gellman, A Better Way to Approach Privacy Policy in the United States: Establish a Non-Regulatory Privacy Protection Board, 54 Hastings L.J. 1183 (2003). As Gellman notes: “The failure of the United States to have a national privacy agency is, perhaps, the single most important difference in approach to data protection between the United States and most other industrialized countries.”


When Clacks Squawk: The New Keystroke Surveillance


You thought keyboard clacking was just annoying noise. Little did you know your clacking is broadcasting what you’re typing!

Berkeley researchers have developed a way to monitor your keystrokes without installing a device into your computer. Thus far, keystrokes can be monitored via special software or other devices installed into people’s computers (either directly or via a virus or spyware). This new technique relies on the clacking of your keyboard. According to the AP:

If spyware and key-logging software weren’t a big enough threat to privacy, researchers have figured out a way to eavesdrop on your computer simply by listening to the clicks and clacks of the keyboard.

Those seemingly random noises, when processed by a computer, were translated with up to 96 percent accuracy, according to researchers at the University of California, Berkeley.

“It’s a form of acoustical spying that should raise red flags among computer security and privacy experts,” said Doug Tygar, a Berkeley computer science professor and the study’s principal investigator.

Researchers used several 10-minute audio recordings of people typing away at their keyboards. They fed the recordings into a computer that used an algorithm to detect subtle differences in the sound as each letter is struck.

On the first run, the computer had an accuracy of about 60 percent for characters and 20 percent for words, said Li Zhuang, a Berkeley graduate student and lead author of the study. After spelling and grammar checks were deployed, the accuracy for individual letters jumped to 70 percent and words to 50 percent.

The software learned to improve as researchers repeatedly fed back the same recordings, using results of spelling and grammar checks as a gauge on correctness. In the end, it could accurately detect 96 percent of characters and 88 percent of words.


Internet Shaming Redux: The Case of the Stolen Cell Phone

This post was originally published at PrawfsBlawg on August 31, 2005.

A story from Wired describes the latest Internet shaming episode:

A New York stock clerk who had his camera phone swiped from his car this month says he was able to peer into the life of the gadget’s new owner. The thief evidently didn’t realize the copious photos and videos he was taking with the hot phone were accessible through a web account. . . .

Because the camera phone can only hold a limited number of images, Sprint lets subscribers upload photos from the device to a web account. “I decided to go and check out the web space and see if there were any pictures uploaded to it, and he had taken almost 40 pictures and five movies and uploaded them all,” says Clennan [the theft victim].

Most of the images show the same young man, flexing for the camera in various states of dress, kissing a young woman, posing with apparent friends and family members, and generally having a good time with a new toy.

When Clennan checked the account’s e-mail outbox, he found the new owner had forwarded some of the photos to a particular Yahoo e-mail account.

Clennan sent his own message: “Like to steal cell phones and use them to take pics of yourself and make videos…. HA! (G)uess what pal … (I) have every pic you took and the videos. I will be plastering the town with pics of your face.”

The article continues:

Far from chastised, the man fired back a taunting one-line note, apparently with his own name in the header, dropping the name of a woman Clennan had been dating, and who’d sent text messages to the stolen phone.

Clennan retaliated by posting the story and some of the photos to a Long Island web board, where it immediately began gathering the kind of interest that accumulates to photo-driven internet phenomena like the Korean Dog Poop Girl and the New York subway flasher.

Urged on by netizens, Clennan says he finally took the trove of evidence to the Suffolk County, New York, police last week, and they’re considering filing petty theft charges in the case. “The detective actually laughed,” says Clennan. . . .

Contacted by e-mail, the camera phone’s new owner told Wired News he didn’t steal the device, but merely found it on a street corner. The young man says he’s 16 years old, and Wired News has elected not to report his name.

The case provides another instance of Internet shaming to discuss and debate. In recent posts, I’ve been critical of Internet shaming. One of the problems with this incident is that the facts are still unsettled about how the teenager acquired the camera.

In this case, the theft victim placed online many pictures of the person — as well as images of other people who appeared in the pictures. These pictures were then copied by netizens, morphed into “Wanted” posters, and plastered about the Internet. I’ve included an example in this post, but have blocked out the person’s face and name, both of which appear in the original version. I checked the website where the theft victim placed the photos and here’s his latest update:

[EDIT]

THE PICTURES HAVE BEEN REMOVED TO PROTECT THE PRIVACY OF MINORS. WHEN I FIRST POSTED THIS STORY I DID NOT REALISE THE PERSONS IN QUESTION ARE MINORS. I ENCOURAGE ALL OTHERS WITH PHOTOS OF THESE PEOPLE TO DELETE THEM FROM THEIR WEBSITES AS WELL. [EDIT]

The pictures, however, still float around the Internet. Despite the theft victim’s change of heart, it’s too late to take the pictures back.


Of Privacy and Poop: Norm Enforcement Via the Blogosphere

This post was originally posted at Balkinization on June 30, 2005.

By way of BoingBoing comes this fascinating incident in Korea. A young woman’s dog pooped inside a subway train. Folks asked her to clean it up, but she told them to mind their own business. A person took photos of her and posted them on a popular Korean blog. Another blogger, Don Park, explains what happened next:

Within hours, she was labeled gae-ttong-nyue (dog-shit-girl) and her pictures and parodies were everywhere. Within days, her identity and her past were revealed. Request for information about her parents and relatives started popping up and people started to recognize her by the dog and the bag she was carrying as well as her watch, clearly visible in the original picture. All mentions of privacy invasion were shouted down with accusations of being related to the girl. The common excuse for their behavior was that the girl doesn’t deserve privacy.

While the girl clearly behaved badly, those Korean netizens’ behavior is even worse and inexcusably so. Abuse by the mob is indistinguishable from abuse by dictators yet they just don’t see it in the heat of righteousness.

I posted a while ago about how norm enforcers can be valuable in promoting social norms of etiquette and civility. These norm enforcers police norms for free, sometimes even doing so at a cost to themselves. According to the article I discussed, the “tendency to sanction breaches of social norms is the key to human cooperation.”

But norm-enforcement also has a dark underbelly. As Richard McAdams argues, certain norms are unnecessary and undesirable; and even desirable norms can be enforced to an undesirable degree. See Richard H. McAdams, The Origin, Development, and Regulation of Norms, 96 Mich. L. Rev. 338, 412 (1997).

The dog-shit-girl case involves a norm that most people would seemingly agree to – clean up after your dog. Who could argue with that one? But what about when norm enforcement becomes too extreme? Most norm enforcement involves angry scowls or just telling a person off. But having a permanent record of one’s norm violations is upping the sanction to a whole new level. The blogosphere can be a very powerful norm-enforcing tool, allowing bloggers to act as a cyber-posse, tracking down norm violators and branding them with digital scarlet letters.

And that is why the law might be necessary – to modulate the harmful effects when the norm enforcement system gets out of whack. In the United States, privacy law is often the legal tool called in to address the situation. Suppose the dog poop incident occurred in the United States. Should the woman have legal redress under the privacy torts?

Some commentators to Don Park’s blog contend that the behavior of these cyber norm-enforcers is justifiable because the woman was in public and thus had no privacy:

The initial blogger. Do I think he had every right to post her? Yep. She was in public, and it really doesn’t matter if she was in front of 100 or 1,000,00 people, she was willing to act that way in the public sphere. So an upset person chose to mention how upset he was to others. I agree with the earlier poster’s mention of a college newspaper doing something along the same lines: it is a minor issue, but sometimes we have power to change behavior with our voices. In this case, I’d bet that many other people are suddenly more conscious of their dog poop and are more likely to serve the public good by cleaning it up.

Yet another commentator writes:

I really don’t think it matters that it came out on the internet. It happened in a public place so it is excusable to discuss it in a public forum. This isn’t going to ruin her life, it might make her clean up her dog’s mess for a month though while the story goes around. We are a fickle bunch and she will be forgotten before the end of the season.

But this comment is wrong. She will not be forgotten. That’s what the Internet changes. Whereas before she would merely have been remembered by a few as just some woman who wouldn’t clean up dog poop, now her image and identity are eternally preserved in electrons. Forever, she will be the “dog-shit-girl”; forever, she will be captured in Google’s unforgiving memory; and forever, she will be in the digital doghouse for being rude and inconsiderate.

Consider the famous incident involving the “Star Wars Kid,” a sad tale of a nerdy 15-year-old kid who filmed himself waving a golf ball retriever around as if it were a lightsaber. To tease him, some other kids digitized it and posted it on the Internet along with his name. It was downloaded by millions around the world, and new versions of it quickly emerged replete with special effects and music. Forever, this person will be known as the Star Wars Kid. There’s even a Wikipedia entry for him!

Another tale involves a person whose private email to her friends was spread around cyberspace. James Grimmelmann has a wonderful essay about this email incident and social norms on LawMeme.

The easy reaction is to steel ourselves and chalk it up to life in the digital age. But that’s just giving up. The stakes are too high to do that. Consider the thoughts of another commentator to Don Park’s blog:

It reminds me of the struggles that editors face when deciding about what pictures to run in the newspaper. Those editors need to make a judgement call based on the value of the picture and its relevance to the story. But here, the person was outraged and ran the picture of the girl. That’s totally different. It shows the dangerous flip side of citizen media. Moral outrage is easy to flame. But the consequences can be mortal. Will the ease in inciting moral outrage create a mob driven police state? It may be when the powerful realize how they can use citizen “reporters,” to influence mobs. That seems to be one of the real dangers of citizen journalism. . . .

Compounding the problem is the fact that the norms of the blogosphere are just developing, and they are generally looser and less well-defined than those of the mainstream media. Thus, cyberspace norm police can be extremely dangerous – with an unprecedented new power and an underdeveloped system of norms to constrain their own behavior. Remember the famous saying about police surveillance: Who will watch the watchers? In the blogosphere, we might ask: Who will norm the norm police?

I believe that, as complicated as it might be, the law must play a role here. The stakes are too important. While entering law into the picture could indeed stifle freedom of discussion on the Internet, allowing excessive norm enforcement can be stifling to freedom as well.

All the more reason why we need to rethink old notions of privacy. Under existing notions, privacy is often thought of in a binary way – something either is private or public. According to the general rule, if something occurs in a public place, it is not private. But a more nuanced view of privacy would suggest that this case involved taking an event that occurred in one context and significantly altering its nature – by making it permanent and widespread. The dog-shit-girl would have been just a vague image in a few people’s memory if it hadn’t been for the photo entering cyberspace and spreading around faster than an epidemic. Despite the fact that the event occurred in public, there was no need for her image and identity to be spread across the Internet.

Could the law provide redress? This is a complicated question; certainly under existing doctrine, making a case would have many hurdles. And some will point to practical problems. Bloggers often don’t have deep pockets. But perhaps the possibility of lawsuits might help shape the norms of the Internet. In the end, I strongly doubt that the law alone can address this problem; but its greatest contribution might be to help along the development of blogging norms that will hopefully prevent more cases such as this one from having crappy endings.