27 total posts
Welcome! Let's talk privacy
Lots of things are happening, so it's a good time to have this conversation.
On the political front, there are new reports about the extent of the NSA and FBI surveillance (of dubious legality) that I wrote about earlier in the week:
Today we have new reports about the FBI from the Justice Department's inspector general (our article will be up soon). And a vote on FISA is expected this evening:
And then there's the threat of snoopy border agents looking through your laptop. Check our our laptop security guide:
I'm happy to answer (or at least try to answer) any questions you might have. Type away!
Easy way around?
Since anyone entering the country can easily transport all electronic data from their laptop over the network and into the U.S. and wipe it from their hard drive before they arrive, and then reload the data after they've passed through customs, it seems pointless to hassle people entering the country by searching their laptops. That is how I intend to operate from now on, and I have no illegal content on my system -- I simply do not want my medical and account information being collected and possibly compromised by my own government. Maybe it will net a few child pornographers, but is it really worth it? And given that data can be transported into the country over the 'Net, is that an argument for making it illegal for your data to be searched?
It's a good point. When physically-stored data can be searched at the border but electronically-stored data isn't, looking through laptops seems a bit futile. Then again, futility never stopped the government in the past.
It's still worth paying attention to this for a few reasons:
- If you have gigabytes of data you need to access, a slow hotel WiFi/DSL connection may not be good enough and you may need to bring it with you.
- You may be traveling to an area without Internet connectivity.
- Not everyone reads CNET or will take steps to protect themselves, so we still need to have greater public awareness and better, more privacy-protective legal rules. A laptop is like a cross between a filing cabinet and a personal diary; allowing border agents to peruse it for no reason at all other than they're bored seems a bit wrongheaded.
Spitzer and privacy
Declan, we've been reading about Gov Spitzer's problems of late. It started with suspicious bank funds movement. I would submit that Gov Spitzer was collateral damage to laws like the Patriot Act, which were certainly been designed to catch "terrorists" but also wind up catching others for non-terrorist actions.
Spitzer and bank privacy
Well, yes and no. The reporting-suspicious-cash-movements idea goes back to the 1970 Bank Secrecy Act, which in a nice bit of linguistic legerdemain should actually be called the Bank Anti-Secrecy Act. It created a legal obligation for banks to file suspicious activity reports (whatever that means) and currency transaction reports for cash movements of over $10,000.
Then, in the 1990s, the Know Your Customer proposal for banks came along, which I wrote about at the time:
The Patriot Act was just the most recent expansion; the idea of monitoring American citizens' financial activities has been around for decades. You can imagine the justifications over the years: detecting drug dealers, money laundering, tax evasion, etc. Terrorism is just the latest.
And yes, I would agree with your suggestion that Gov. Spitzer fell prey to the same kind of aggressive government tactics that he practiced himself. There's plenty of schadenfreude to be had in this.
Searches and government aquisition of same
Declan, last q from me today. I read the other day that the NSA is now focusing on e-mail and web searches. The government, of course, isn't the biggest provider of web search services - it's private companies. That said, my rights exist mainly against the government - the 4th Amendment. We're seeing a bit of this play out with the telecom immunity stuff in DC. For me, what stops a search company from providing close to PII search data to the government if it wanted it?
Government acquisition of searches
cmwendy: This is another complex question worth unpacking.
The Fourth Amendment binds just the government, of course. Your privacy relationship with Google etc. is governed by contract and the company's reputation and desire to retain it; I believe Google generally pledges to protect your privacy unless it receives a court order or other lawful request.
So what stops Google/Yahoo/AOL/MS/Ask.com from providing close-to-PII search data to the government? (It's actually not just those; any website that keeps logs or has a search box could also turn over information to the Feds. I'm sure they might be interested to know what readers on nytimes.com or health.com or concealyourassets.com are reading and searching for.)
Part #1 is their contractual guarantee to their users. They could be sued if they violate it. Part #2 is privacy torts under state law that could come into play. Part #3 is their fiduciary obligation to their owners (shareholders). Part #4 is the desire to keep their employees happy and secure in the knowledge that they're working at a privacy-protective company. Part #5 is the massive bad publicity that would immediately result.
There's also a different corporate culture -- thank goodness -- than with the telcos. AT&T's biggest customer, I suspect, is the U.S. government. Should we be surprised if it does what the Feds want? Silicon Valley firms don't have that decades-long cozy relationship.
Privacy in general is under attack ...
The fundamental problem or "cause" of the erosion of our privacy rights and civil liberties, I think, is the asymmetry in power between the group and the individual. Corporations and governments have enormous resources to prosecute (persecute?) individuals, but the reverse is rarely true.
An example: Companies are able to essentially coerce their workers into signing binding arbitration agreements -- if they don't, they are liable to be fired. This is coercion in the large since most people have bills to pay and cannot afford being laid off.
Another example: Any company can sell my information to any other company without my consent -- I have to actively opt out, and in many cases even that hasn't worked. What individual has the resources to invest in opting out of everything?
We are essentially told that in order to use products or services, we are giving away our privacy rights, but what individual can live in the modern world without buying a car, paying for gas, or using a credit card?
Question 1: What are your thoughts on this, on how to attack this problem of asymmetry? Legislation is not likely in the US due to commercial lobbying efforts, so how can we ever get to where the Europeans are in regard to individual rights to privacy?
Question 2: Since we give corporations legal entity status and the rights afforded to being a separate legal entity much like an individual, shouldn't they also be treated as such in cases like the Sony rootkit fiasco? If I had, as an individual, released such a product, I would be in the federal penitentiary. This asymmetry allows corporations to take risks with legality that are much smaller when done as a corporation than when done as an individual.
privacy under attack: responses
Egads. That's a long question and a lot of smaller questions in there. Let me try to answer it this way:
1. Agreed that governments have enormous power to prosecute/persecute individuals. Look at Spitzer's rise and fall. I disagree that companies do. If Charmin wants me to buy its toilet paper, all it can do is send me some brochures or maybe a coupon or lower its prices. That's it. I don't consider this to be a cause of concern. In terms of coercion, I don't think that entering into an arbitration agreement is "coercion" -- nobody's forcing me to take the job, and companies have "bills to pay" as well. And the government court system is so painful and expensive that arbitration may be good for both parties.
2. You say a company can sell your information to any other company without your consent. How many companies do you deal with that have your personal information? Charmin doesn't. Retailers don't. You're probably talking about a bank and credit card company, but you can choose to opt out of those. Besides, they can't sell details about your purchases and bank account balances; the most they might do is give your name to an affiliate so you get junk mail. Annoying, but not the worst privacy violation I can think of.
3. I'm not sure I agree with your characterization of asymmetry as the problem, but I think you may agree with my suggested answer: anonymity. If I'm buying a car with cash or verified funds, there's no reason the dealer needs to know anything about me beyond what's required for state DMV registration. I'd like to see stored-value Visa/MC/Amex cards and prepaid calling cards and mobile service plans be easier to come by.
4. The rootkit fiasco was a stupid, stupid idea by Sony, but I'm not sure that it should rise to the level of a criminal offense. Nor do I think it should for an individual either. Didn't the terms of service permit Sony to do this? It's been a while and my memory may be hazy; feel free to correct me if I'm wrong. But if the TOS said Sony could do it, and nobody bothered to read the TOS, that's bad corporate management but not a criminal violation.
One more point on Spitzer
cmwendy: I think I read your point a little too quickly the first time.
You are of course correct to say that laws like the Patriot Act are sold to the public as a way to "stop terrorists" and then in reality are used against American citizens.
The data out today (in the DOJ IG's report) show that the FBI has sent nearly 200,000 secret requests under its National Security Letter authority to banks, telecom companies, ISPs, etc. over a four-year period. Most of those were related to U.S. citizens, not foreigners.
But a Washington Post article shows that terrorism convictions were virtually nonexistent:
"An analysis of the Justice Department's own list of terrorism prosecutions by The Washington Post shows that 39 people -- not 200, as officials have implied -- were convicted of crimes related to terrorism or national security."
So we have two possible conclusions:
1. It's necessary to secretly investigate tens of thousands of people, mostly American citizens, to get convictions against a few dozen.
2. Most of the Patriot Act's surveillance authority (and other FBI authority) is being used for investigations having nothing to do with terrorism.
I work on the go and I've been looking to by a new laptop. I have been asking around and I have heard that I should buy a laptop with Intel's new VPro processor.
What does this processor offer for added security?
Discount Grocery Cards (Safeway, Kroger, etc)
Many grocery stores use buyer cards to track purchasing trends, while offering significant discounts that you wouldn't get any other way. Obviously they are using this data to help decide what products to purchase, advertise, and to sell the demographics to marketing companies and others.
Customers are essentially told if they don't let the store keep track of their purchases, they are not eligible for these discounts (which could also simply be mark-ups to further convince the buyer). What are your thoughts on this practice and the privacy implications that go with it?
Well, there are two ways this can work. The first is for some stores to use discount cards to track what sales/promotions/prices work and don't; I'd expect those to be more efficient and offer lower prices. The second is that a store uses no discount cards and their owners rely on guesswork.
Is there a privacy violation? I'd say no, because if you're shopping at one of the discount card stores, it's your own choice.
My own preference is to swap discount cards with friends so the store doesn't know who is who.
Here's something from a Reason magazine cover story I wrote a few years ago:
When Safeway or Giant offers you a supermarket discount card, it's not because their executives are making value judgments about whether it's appropriate for you to nosh on mocha fudge ice cream instead of wheatgerm
Bringing privacy home
When explaining to someone how much their privacy has been eroded, I have to use generalities like "someone's shopping habits on their club card" and "someone's EZ-Pass records" being combined with "someone's cell phone location." Inevitably the responses are "well, those things aren't secret anyway" or "I'm not doing anything wrong, so why should I care?"
If everyone cold see their compiled dossier from just a few of those sources -- show someone a printout of the last months card purchases, cell phone calls & location, toll purchases, grocery lists, direct mail marketing profiles, credit reports, a few "mug shots" from ATM uses -- and watch someone walk them through the last 30 days of their life by walking through the connections of all that data-- the "shock" effect would be considerably greater and more people would realize just how creepy and pervasive this process is.
What can I do as a privacy advocate to best illustrate the average person I speak with how these things personally affect them in a way that really brings it home?
kc2aei: I'm with you in broad principles here, but some of this information is actually _useful_ to us. Information that banks and employers exchange with credit reporting bureaus means our credit card rates and fees aren't as high as they would be otherwise. Same with mortgages; I remember writing that mortgages in the U.S. are two percentage points cheaper than in Europe because of this data exchange (so much for following the European model, which someone else earlier suggested).
Also, your targets may have different privacy preferences than you. They simply may not care as much about what other people see or know about them; individuals are unique in this respect.
That said, it's still useful to build awareness. Toll records and credit card statements can, in theory, be subpoena'd in divorce cases. Government data-mining projects can access them and draw the wrong conclusions. And so on.
In my writing, I've found it useful to cite examples from history of how information has been abused. The FBI's illegal activities are one. I'm sure you can think of some from the private sector. And the ACLU's pizza video is a real classic:
what do you think of the new alienware area-51 m15x? I want to buy a gaming laptop and I don't know if it is a good choice
In terms of protecting your privacy, I suspect it will do as good a job as the Alienware m17x.
MAG628 -- in regards to gaming laptop
The topic for this live event is Protecting your privacy online.
I would recommend that you post your question in the CNET Laptops forum and allow our members to discuss and give their take on it.
Here's the link:
We also will be having a laptop live chat event in a couple of weeks, so if you can wait till then ask when that event comes around. Here is the calendar for events:
Good answers ...
Sure, much information giving is voluntary (I chose to use product X or buy car Y), but the burden of privacy protection is on the individual to prevent sharing of data, instead of on the commercial organization to get my opt-in. As we tie databases of information together, it will be fairly trivial to tie my credit card use to product purchase at a retail location and eventually to my name and address, and then aggregate that data and sell it to other businesses.
Are you seriously saying that it is feasible for me to read all the fine print before any purchase? Do you think it right that my purchase or use of a product should automatically give the producer rights to share my information? Assuming I have the time to do so and the ability to understand all the fine print, why should that burden be placed on me and not the commercial organization?
I've worked for the Federal Government for almost 20 years, in the IT field. Maybe I'm not the smartest twig on the branch, but dammit, I really don't want to spend a significant portion of my time reading fine print and opting out every time I buy a product or use a service, or dealing with the daily junk mail (yes, I've gone to every opt-out service I can find, including the DMA and credit bureau opt-out services). It seems your response is "suck it up and carry cash or don't buy stuff." Hardly enlightening.
borderguard: There are two general approaches we can take in terms of privacy protection in the private sector.
The first is that we treat Americans as responsible citizens and let them make their own choices. The second is that we have largely-unaccountable federal bureaucrats dictate what privacy policies may or may not say. (These are the same federal bureaucrats and politicians who other posters in this conversation have said are terribly privacy-insensitive.)
I'm not saying you have to read the fine print on everything. I don't. But you should read the fine print on important things in life, like credit card applications and mortgage applications. Those people who didn't for mortgages have found that their payments have doubled, and they had no idea it was coming.
You're also speaking in generalities. What "fine print" is involved in buying Charmin toilet paper? I think you're also laboring under the misconception that your retailer is able to sell your data to "other businesses" -- which is actually not the case under its contract with Visa/MC/Amex. In other words, life is a little more privacy-protective already than you might think.
Thanks for the questions!
I appreciate you taking the time to join us here today on this Ask the Editors segment.
Check out News.com for daily updates on privacy, surveillance, and related topics. See you there!
I agree with your answers
And I'm not a privacy expert so I don't know what retailers can and can't do with my information. But that's exactly my point -- why should I need to know that VISA/MC/Amex have those protections in their contracts with retailers? I just think it would make much more sense to prevent sharing of information up front so I don't have to wonder if there's some law or contract I haven't read between the two parties I'm involved with: the credit card company and the retailer.
I absolutely agree with you about the feds dictating privacy policies -- I don't want them interfering at a low level of detail, but why not at a global level with privacy protections that require my opt-in before information can be shared?
Thanks for joining us!
Last question! (I mean it this time.)
borderguard: Credit cards offer convenience at a cost. If you want the convenience, you should investigate what costs, if any, there are. This is simply part of living in modern society. Be responsible for your own actions.
If you had a law prohibiting the sharing of information, you would outlaw a business model that, say, gave people incredibly cheap interest rates or even _paid_ them to have a credit card in exchange for being able to sell their purchase data. If someone paid me $100 a year to do this, I wouldn't, but if someone paid me $100 a month, I might. There have been ad-supported ISPs that have relied on this model.
Two other thoughts: You're relying on the same Feds who are tech- and privacy-impaired to protect your privacy. Seems a bit odd.
And finally, you're discounting that most businesses act ethically and responsibly. They want to _please_ their customers, not alienate them. The Enrons are the aberration, not the norm.
I'm happy to continue this conversation in email or on the pages of News.com. I'm at firstname.lastname@example.org.
Hi -- what are the rules with USB drives. You suggested flash memory in the camera, what about the search parameters on a USB drive or an iPod? Do you think we will see more and more "steath" devices that have USB or other storage built in to get around this type of invasion of Privacy?
I spoke too soon--okay, two more!
When you're crossing a border, current rules say that the police can inspect everything. That includes USB drives and iPods. But for now, there's no evidence they are, so this may be one way to protect your privacy a bit.
It's a game of measures and countermeasures, with no short-term end in sight.