Privacy – Mediactive

Some other media I create…

A few weeks ago I asked my Digital Media Literacy students to write a blog post about the media they create on a routine basis — email, social media, blogs, phone photos, etc. I wrote a post of my own as an example.

What I didn’t mention in my instructions was another kind of media we create: data that we don’t realize we’re creating, and which we largely don’t control. Here’s an attempt to quantify at least some of that.

When we take a photo with a typical mobile phone camera app, a lot more data get created than just the JPEG file that contains the picture itself. The phone, depending on the hardware and settings, stores some or all of the following: the location where the picture was taken; the time and date it was taken; what compass direction the camera was pointing; whether the phone was moving; and more.

Mobile apps in general frequently generate and save — often on remote computers — all kinds of things including location. They copy our contacts’ information. They look at our calendars. They check our phone numbers, the calls we’ve made, duration of the calls, etc.

I consider this kind of collection to be just short of spyware territory. The clock app in my phone has absolutely no legitimate reason to know my phone number and calls, yet it demands that permission. I block that kind of stuff–something I can do because I run an operating system called Cyanogenmod, which has fairly granular permission settings, unlike most mobile operating systems.

I create “cookies” on my computers (laptop, phone, etc.) when I visit other people’s sites and services. Cookies are used for many purposes, including identifying me for return visits, but also to create ways to track what I do.

Using the Web in general is an exercise in being spied on — it’s the fundamental business model for all of the “free” services such as Facebook and Google, as well as countless others. My visits to other people’s sites enables them to create all kinds of usage data on their own servers, not just on my computers.

I can’t prevent the spying entirely, and don’t want to when I’m getting something of high enough value in return. But I use a number of tools to keep the spying to a minimum. They include the permission settings in my mobile phone, and browser plugins that block (at least some of) the tracking. Students in my digital media literacy course are reading about ways to deter the invasion, and I hope they’ll take advantage of them.

People generally are becoming more aware of what we might call unintended data/media creation. That’s a good thing, and perhaps it’ll lead to broader countermeasures.

Wall Street Journal’s (Fail)SafeHouse: Keep Trying

In 2005, intending to innovate, the Los Angeles Times published a “Wikitorial” — an editorial from the paper in a wiki that allowed readers to make changes. The idea was interesting. The execution was a classic in news organization stupidity, because after putting up the piece the news people went home for the night. Naturally, some bad folks took over, and early the next morning they’d thoroughly polluted the thing. One image that found its way onto the wikitorial was an infamously disgusting photograph. Down came the page, and that was that.

The LA Times learned the wrong lesson. Rather than giving up the experiment, it should have tried again.

The failed LA project comes to mind in the wake of the Wall Street Journal’s launch of a WikiLeaks-like experiment, a site called SafeHouse. The page pitches these bullet points:

Help The Wall Street Journal uncover fraud, abuse and other wrongdoing.
Send documents to us using a special system built to be secure.
Keep your identity anonymous or confidential, if needed.

Uh, not really, at least on the second and third points.

Security experts immediately poked holes in the site security. And the site’s Terms of Service contain what might be termed a “Get Into Jail Free Card” — reserving “the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process, to operate our systems properly, to protect the property or rights of Dow Jones or any affiliated companies, and to safeguard the interests of others.”

Unlike the LA Times, the Journal isn’t abandoning the experiment and seems to be working to fix at least some of the site’s flaws. That’s good news, even though I’d still advise any whistleblower to steer clear of this for the moment, not least because the notion of trusting a company controlled by Rupert Murdoch is, well, problematic even if one might trust (as I would) many of the Journal’s lower-level editors.

Which raises the larger question in any case: While I tend to believe that every news organization should have a drop-off point for documents from whistleblowers, there’s always going to be a question of how much a leaker should trust any private company on which a government can exert pressure, apart the issue of whether the company itself can always be trusted. Remember, the New York Times has frequently felt obliged to ask permission from the U.S. government before publishing a variety of things.

Still, these experiments are worthwhile. But it’s going to take some time before we can call them successes in any respect.

A do-not-track list? It’s a start

This article was originally published on Salon.com on December 2, 2010.

The FTC’s proposal is a potentially useful improvement in our woefully inadequate online privacy

Americans have become so numb to the relentless erosion of our privacy that we tend to view even small advances with skepticism, if not outright cynicism. Such is the case with yesterday’s Federal Trade Commission proposal for a “do not track” system, whereby people could tell online marketers that they don’t want their online activities to be captured and used by websites or online advertising firms.

The FTC’s report is just that: a document with no regulatory power. But FTC Chairman Jon Leibowitz told reporters in a conference call that the commission will urge Congress to act if the industry doesn’t “step to the plate.” I take the need for congressional action as a given, since the online industry’s self-regulation has ranged from weak to bogus.

Continue reading A do-not-track list? It’s a start

Feds: No crime spying on kids via webcams

This article was originally published on Salon on August 18, 2010.

District loaned laptops to students, then used spyware to take pictures of them. Prosecutors: No “criminal intent”

Federal prosecutors are showing uncommon sympathy for some Pennsylvania school officials who spied on students via webcams in their school-owned laptop computers: They’ve decided not to prosecute.

The reason? “For the government to prosecute a criminal case, it must prove beyond a reasonable doubt that the person charged acted with criminal intent,” the U.S. Attorney’s office said in a statement. “We have not found evidence that would establish beyond a reasonable doubt that anyone involved had criminal intent.”

Let’s leave aside the fact that people are charged all the time for criminal offenses despite having no idea they’re committing crimes. And since when did ignorance of the law confer immunity?

Let’s focus instead on the fundamental creepiness in what happened at the Lower Merion School District in suburban Philadelphia. A lot of the facts and fuller context in this privacy debacle remain murky. Let’s hope that the discovery process in the several civil suits results in a more complete disclosure, but we do know this:

The district loaned laptop computers to students and then, under a program the district said was aimed at recovering lost or stolen machines, used spyware to capture tens of thousands of images of kids. Some of those images, it emerged in civil suits filed against the officials, were taken in students’ homes — and some of those in their bedrooms. Oh, just a terrible mistake, said the district.

Some 38,000 images from six computers alone, not to mention video chats and IMs in at least one case? If this is an oversight, a mere mistake, yike. But if so, the people who were that sloppy shouldn’t be trusted to teach elementary arithmetic or anything else.

There’s apparently no state law against this kind of thing. That’s outrageous by itself. And while the feds have concluded that they can’t pursue criminal charges, no one should even consider letting the school district off the hook in any moral way for its reprehensible behavior.

The case also reminds us that civil lawsuits play a vital role in our society. Yes, some plaintiffs’ lawyers launch meritless lawsuits and cause wide harm. But sometimes, as in this case, they are the last line of defense when powerful institutions beat up on individuals. We forget that at our peril.

Body scanning images being banked

This article was originally published on Salon on August 4, 2010.

When officials claim limited goals and strong privacy guarantees with security technology, don’t believe them

When government officials launch new security technologies, they always promise that the devices and methods will A) not unnecessarily invade people’s privacy; B) have strong policies in place to prevent abuse; and C) not go beyond their initial mandate. Then they break the promises.

The latest case in point involves the full-body scanners that are being installed in airports and some other federal installations: As CNETreports:

For the last few years, federal agencies have defended body scanning by insisting that all images will be discarded as soon as they’re viewed. The Transportation Security Administration claimed last summer, for instance, that “scanned images cannot be stored or recorded.”

Now it turns out that some police agencies are storing the controversial images after all. The U.S. Marshals Service admitted this week that it had surreptitiously saved tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse.

It’s an example of “mission creep” — the pervasive tendency to expand original goals or tactics beyond supposedly narrow original goals. It’s how laws supposedly aimed solely at crime lords end up being used against average folks. The only surprise in this case is that anyone would be surprised.

The misrepresentations about the body scanners have been a key feature of the machines’ rollout. First we were told that no images could be stored because they’d be automatically deleted. Whoops, not true. In fact, these machines are specifically designed to store the images.

Now the Department of Homeland Security has done what everyone paying attention knew was coming: It’s mandating the rollout of the body scanners nationwide. Soon, everyone who flies will be invited to bare all for the sake of security.

But you don’t have to actually go through the scanner, right? Isn’t there an option to be checked in some other way? There sure is, but be prepared for a serious hassle if you do.

Be prepared for some other upcoming realities. Even though lots of celebrities make sex tapes, there are at least a few movie stars and other public figures who have retained some old-fashioned modesty. Think any of these folks, however they regard their own privacy, won’t be targets? Think again.

And watch as the full body scan becomes less and less optional if you want to actually catch your flight. Either it’ll be mandatory, or the alternative will be hugely time-consuming and/or physically invasive. So if you find yourself shocked one day that yet another vestige of your liberty and dignity has been taken away, you won’t have been paying attention.

Facebook’s Partial Anti-Privacy Retreat

Under entirely justified attack from people who care about preserving what’s left of their privacy online, Facebook is modifying the unilateral changes it recently made in the service — changes that have exposed much more information by default than users have either understood or, in many cases, wanted.

Naturally, the corporate spin has tried to disguise the harsh reality. Under the name of Facebook founder and CEO Mark Zuckerberg we read this blog post, which includes this paragraph:

The number one thing we’ve heard is that there just needs to be a simpler way to control your information. We’ve always offered a lot of controls, but if you find them too hard to use then you won’t feel like you have control. Unless you feel in control, then you won’t be comfortable sharing and our service will be less useful for you. We agree we need to improve this.

It’s impossible for anyone other than Facebook to say if this is the truth; only the company can count the communications it has received from users. I don’t believe this spin, because the criticism I’ve heard has not just been about simpler control. It’s been about the constant encroachments on people’s privacy that Facebook has been making for several years now. As IBM’s Matt McKeon brilliantly illustrated in his visualization, the default settings have exposed vastly more personal information:

Look at the original visualization to see how profoundly and systematically Facebook has made these encroachments on privacy as the years passed. These were systematic violations of trust.

To be sure, the latest changes will help. They do not go far enough, however, and along with the company’s obfuscation of the issues they only reinforce my strong belief that Facebook has a long, long way to go before it’ll re-earn any of my faith or trust.

I’m still not planning to delete my account entirely. I need to understand what goes on inside Facebook in order to do my work properly. As noted earlier on this blog, I made a pretty drastic change myself a few months back: deleting my account and restarting it in a much-reduced way. For now I’ll stay with this arrangement.

Which reminds me: If you friend me on Facebook, please only do so if you’re an actual friend. If you want to connect with me in a business or professional context, please use LinkedIn.

Facebook: Starting Over

Like many other people, I have a Facebook account. One reason is to keep track of what’s happening in the planet’s largest social network, including what application developers and users are doing there.

Another is that some of my friends — actual friends — are using the site. Facebook helps me stay in touch.

But the privacy fiasco of the past few days has left me feeling that I really can’t entirely trust Facebook, even with the limited amount of things I’ve said and done on the site since I got an account several years ago. Maybe I’m over-reacting — and I continue to admire the company’s accomplishments in many other ways — but that’s just the way it is.

Why don’t I feel safe and sound in their benevolent hands? Because although some of the changes they’ve made in their privacy settings are actually helpful, they are suggesting that users share much more of their data and other information, much more widely than ever. Facebook’s extremely smart leaders know perfectly well that the majority of users are likely to accept these suggestions, because most people say yes to whatever the default settings are in any application.

I wasn’t very happy with my Facebook situation in any case. Early on, I said yes to just about everyone who asked me to “friend” them, including people barely knew and some I didn’t know at all.

The privacy changes — and my continuing uncertainty, given the number of pages you have to look at to modify your settings — made me realize I’d rather take fewer chances. So I’ve made a fairly drastic change.

This morning, I deleted my account. Then I started a new one.

Actually, I scheduled the old one for deletion several weeks from now, which is all Facebook allows. The company figures, perhaps correctly, that some people will have made this decision rashly and wants to give them a way to reconsider. And it’s clearly in Facebook’s interest to avoid as many cancellations as possible for business reasons.

It wasn’t easy to figure out how to delete the account, which no doubt is part of the company’s strategy, too. If you go to your Settings page, the only option in this realm is to “deactivate,” not delete.

But a little searching on the site turns up this Facebook Group called “How to permanently delete your facebok account” (more than 35,000 members) — which in turn reveals this link to a delete-account form.

Before I did the actual deletion, however, I went to my Account Settings and opened up the Username option. I’d previously set my username to “dangillmor” so my Facebook URL would be facebook.com/dangillmor, and wanted to be able to use that again. I changed the username to something else, and only then did I delete the account.

Then I started a new account, using a different email address, and set the username to match the old one.

Next up was a check of the default privacy settings for new users. They’re pretty un-private, in my view, sharing way too much with people you don’t know. I systematically went through the various screens — Facebook makes this chore both annoying and obscure, perhaps on purpose — to ratchet down the settings to something I can live with.

Look, we all know what is Facebook’s best interest: exposing to search engines and advertisers the largest possible number of pages by among the largest number of people willing to create stuff and make it all public. Marketers drool at what they can do at Facebook if the company will only let them, and Facebook’s entirely rational goal, like almost every other Internet company’s, is to make profits in almost any way it can. What’s in the corporate interest, however, doesn’t necessarily match what’s in my interest, or yours.

So I’m still at facebook.com/dangillmor — though my real Web homebase is dangillmor.com — with just two Facebook friends at the moment. I’ll be adding more, but not in any hasty way.

UPDATE: Wired News explains How to UnFacebook Yourself.

And Jason Calacanis asks, “Is Facebook Unethical, Clueless or Unlucky?” I vote mainly for the first.