Privacy

This post is part of the Disruptive Competition Policy Forum recap series.

Details below.

{ 0 comments }


If you think competition between companies drives innovation, what might happen when they also have to go up against autonomous pieces of software running distributed across millions of computers through the Internet and around the world? It sounds like something out of a Singularity-obsessed science fiction novel, but if you know where to look, the bones of this idea are already beginning to be seen today. The results might look pretty strange still, but there are some fascinating things happening in the “Distributed Autonomous Corporation” (DAC) area.

A DAC is a (so far) hypothetical construction that could perform at least some of the same functions as a corporation, non-profit organization, or other grouping of humans without the centralized legal or physical trappings of those organizations. This could be accomplished by creating a blockchain-type system (similar to that running Bitcoin) in which the code that makes up the DAC runs. DACs are simply algorithms tied to payment accounts that pay for their own computing cycles used, are paid for the services they provide, and can modify their own code.

DACs as an idea have been tossed around the Bitcoin community for a few years, and were somewhat codified in a series of blog posts by Stan Larimer beginning with “Bitcoin and the Three Laws of Robotics”. Larimer posits that the Bitcoin system itself is a DAC, suggesting that much of the network’s value comes from “performing a trustworthy confidential fiduciary service,” much like a Swiss bank would do. Unlike a Swiss bank, however, Bitcoin is open source and thus anyone can look at the code and be relatively assured that the network itself will act as designed and is worthy of trust. Of course, as we’ve seen time and again since the launch of the Bitcoin software, the same cannot be said of the human beings that may provide any related services.


{ 0 comments }

When we talk about competition in the cloud services marketplace, we’re usually thinking of Google’s services, Amazon’s AWS, Dropbox’s storage, or VMware’s large-scale virtualizations. But those types of cloud offerings are coming up against some unique competition lately: personal cloud offerings that are open source and meant to be run from inexpensive computers within the home such as the credit-card-sized $40 Raspberry Pi. For online services that are aimed at consumers, such as web mail, document storage, calendaring, and others, these personal cloud projects aim to help give users a privacy-protective alternative if they want one. How well do they work? I spent my free time over the past week setting one up for myself and it turns out the biggest challenge actually comes from the broadband providers.

I started out by buying a Raspberry Pi computer and a 16GB SD card off Amazon and installing ArkOS on the SD card. ArkOS is an open source Linux server management console that, once installed, gives the user the ability to install web, mail, file storage, and other services with the click of a mouse. At least, that’s the idea. ArkOS is still very much in alpha, and there isn’t yet a plugin to run an email server (though plans for such are very much on the todo list). Fortunately for me, however, I have a little bit of experience in Linux administration and I managed to get email up and running. ArkOS does have a personal file storage and sync plug-in, called OwnCloud, which I also set up.

The most immediate problem facing a personal cloud user, however, isn’t the alpha nature of the software or a lack of familiarity with the arcane inner workings of Linux; it’s a domain name. Or, more specifically, the IP address connected to the domain name. The domain name system is one of the magical underpinnings of the Internet that turns the URL you know, like facebook.com, into the series of numbers that the routers and switches use to let you communicate with a server far away.

It’s those numbers that are the problem. They are called IP addresses, and each ISP has a certain number of them to hand out to its users. Without one, you’re not on the Internet. Oh, and we’re running out of them as more and more people bring more and more devices online (a point that I’ll come back to in just a second). Getting all of their users to properly configure their computers to use an assigned IP address is a hassle, so ISPs generally use Dynamic Host Configuration Protocol (DHCP) to automatically assign IP addresses to computers.

All well and good, except that with DHCP you can’t guarantee that you’re going to get the same IP address every time you start up (in practice, with most ISPs, you actually do, but you can’t be sure). Without a static IP address, it is hard to set up a domain name to point to your brand new server, as you would have to notice that the address had changed and then update the DNS every time. While the use of DHCP is a matter of convenience for most ISP customers, some ISPs do provide users with the option of getting a static IP. My Internet access is through Verizon FiOS, who will let their business customers purchase a static IP for a monthly fee. In the end it would have ended up costing me around $50 additional per month. Fortunately there are technological solutions, including running a program every once in a while that will check to see if your address has changed and automatically update your DNS records.
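A sketch of such a check-and-update program, added here as an illustration and not taken from the post or from ArkOS. It assumes the DNS zone accepts RFC 2136 dynamic updates through BIND's `nsupdate`; the names `example.org`, `home` and the state file are hypothetical, and how the current address is looked up is left to the caller.

```python
import ipaddress
import json
import re
from pathlib import Path

NAME = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*")  # conservative DNS-name check


def validate_public_ipv4(text):
    """Return a globally routable IPv4 address as a string, or raise ValueError."""
    ip = ipaddress.ip_address(text.strip())
    # Private, loopback and carrier-grade NAT (100.64.0.0/10) addresses are
    # useless in public DNS and usually mean the lookup was wrong or spoofed.
    if ip.version != 4 or not ip.is_global:
        raise ValueError(f"refusing to publish {text!r}")
    return str(ip)


def build_nsupdate(zone, host, ip, ttl=300):
    """Build RFC 2136 update commands in the syntax read by BIND's nsupdate."""
    for name in (zone, host):
        # Reject whitespace/newlines so a name cannot smuggle in extra commands.
        if not NAME.fullmatch(name):
            raise ValueError(f"bad DNS name {name!r}")
    fqdn = f"{host}.{zone}."
    return (f"zone {zone}\n"
            f"update delete {fqdn} A\n"
            f"update add {fqdn} {ttl} A {ip}\n"
            "send\n")


def pending_update(observed_ip, state_file, zone, host):
    """Return nsupdate commands if the address changed since the last commit."""
    ip = validate_public_ipv4(observed_ip)
    state = Path(state_file)
    last = json.loads(state.read_text())["ip"] if state.exists() else None
    return None if ip == last else build_nsupdate(zone, host, ip)


def commit(state_file, ip):
    """Record the address only after the DNS server accepted the update."""
    Path(state_file).write_text(json.dumps({"ip": validate_public_ipv4(ip)}))


if __name__ == "__main__":
    import tempfile
    state = Path(tempfile.mkdtemp()) / "last_ip.json"
    # Constructed input: 8.8.8.8 stands in for the ISP-assigned address.
    print(pending_update("8.8.8.8\n", state, "example.org", "home"))
    commit(state, "8.8.8.8")
    print(pending_update("8.8.8.8", state, "example.org", "home"))  # unchanged
```

Pipe the returned text to `nsupdate -k <keyfile>` so the update is TSIG-authenticated, and call `commit` only when that command succeeds.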


{ 0 comments }

Today President Obama gave a speech and issued a Presidential Policy Directive (PPD) surrounding the reforms he is making to the National Security Agency and international intelligence gathering in general. In the PPD, the President recognized that collection of signals intelligence poses risks to “our commercial, economic, and financial interests, including a potential loss of international trust in U.S. firms.” While it was gratifying to see the President grappling with the issues that we’ve been exploring for months, the actual policy changes proposed were high level and the devil, as they say, will be in the details.

There must be at least some hope, however. We have, today, policies regarding when the U.S. government will collect information on foreigners and how it will treat that information when it is collected. People everywhere can begin making decisions about which online services to trust with our data based on the features of the service and their respect for our data — rather than the geographical location of the service itself.

For many months now, the focus of commerce on the Internet has been a connection to the United States. If the U.S. government follows through on some of the privacy protections that everyone deserves, it will be a start that can bring us back to the ideal world where companies from everywhere compete on their products rather than the surveillance performed by governments.

{ 0 comments }

In retrospect, the technology industry must have seemed so trusting of the government just a year ago.

Back then, hardly any big-name firms produced “transparency reports” outlining how many law-enforcement inquiries they received, and many hadn’t even taken the lesser step of publishing the guidelines governing their responses to those queries.

And even when they pushed back against government curiosity, they didn’t bother telling us about it. Google, Yahoo and Microsoft had all decided to require warrants before turning over stored e-mail to law-enforcement investigations—an interpretation of the Electronic Communications Privacy Act’s loose provisions only upheld by one circuit court—but didn’t disclose that until early 2013.

And then the agency charged with cracking the digital security of American adversaries elsewhere found itself thoroughly “p0wned” by contractor Edward Snowden.

Snowden’s exposure of the National Security Agency’s PRISM scheme for data queries and a massive phone-metadata-collection effort soon enough set off a rush to publish transparency reports—Facebook, Yahoo and most recently Apple have followed the lead of Google, Twitter and Microsoft.


{ 0 comments }

SANTA CLARA–The state of consumer privacy in the digital world is sufficiently scrambled that the security tools in one app introduced at the DEMO Fall conference here came designed to short-circuit the kind of interactive marketing research undertaken by another.

In one corner of this little episode of Spy vs. Spy, SnoopWall’s upcoming Android app offers granular control over entire subsystems of a mobile device–for instance, its Bluetooth or NFC wireless–as well as the reach of individual apps to things like the contacts list or the camera. Other future releases from this Las Vegas firm promise a similar array of kill switches for iOS, Windows and Windows Phone.

In another corner, Eyeris Technologies aims to mass-produce focus-group testing with EmoVu. The Mountain View, Calif., firm will invite Web users to opt into granting its site access to their webcams so it can study their facial expressions (in addition to identifying their gender and their approximate age) as they watch video clips. Is this ad funny enough? Is this horror-movie trailer scary enough? An advertiser will be able to tell.

More often, products launched in four-minute presentations at IDG Enterprise’s annual pitch conference offered a trade of a useful service or feature for information about you. A reasonable trade or a creepy one? That may depend on the user.


{ 2 comments }

A warning for everyone: Advertising-supported webmail all over the world will be shutting down in the not too distant future. Since pretty much every single person I know has a webmail account of some kind, I feel like this will be relevant news for pretty much all of our readers.

Ok, so it’s not actually 100% certain that ad supported webmail is shutting down, but that certainly seems to be what some consumer groups and the courts are aiming for given a recent court opinion. A federal court in California ruled that a computer scanning the text of an email was committing a wiretap under the law. If scanning text is a wiretap, say goodbye to the advertising-supported model of the web — which has led to such unprecedented innovation — or even spam filters for that matter.

Last Thursday, Judge Lucy Koh denied a motion to dismiss filed by Google in a case that alleges that, because Gmail scans emails in order to serve advertisements, Google is in violation of the Wiretap Act. That holding ushered in a follow-on suit against Yahoo! yesterday, Kevranian v. Yahoo! Inc., making similar allegations. Suits against other online services may follow.

The Wiretap Act, by the way, is a close cousin of the Electronic Communications Privacy Act (ECPA), which the Digital Due Process Coalition has been working on a legislative fix for. The Wiretap Act generally prohibits intercepting “wire, oral, or electronic communications” by anyone, although it is often invoked to prohibit the government from listening in without a warrant.

But the Wiretap Act isn’t about just the phone lines anymore, like it was when it was first written in 1968 (though it has been amended many times since then). It applies to the online world too, where data packets moving over the Internet are routinely inspected for completely legitimate reasons such as routing, combating fraud, spam, and cyber attacks, and advertising. However, nobody thinks that Nigerian princes looking to move large sums of money should be able to complain about the “wiretapping” that shunts their pleas into a spam box. That isn’t to say that the Wiretap Act doesn’t provide some important protections, but that we have to think carefully about how its provisions apply in the 21st Century.


{ 1 comment }

SEATTLE–Your privacy online is menaced by government surveillance, jeopardized by poor defaults and exploitable bugs, and remains the subject of confusion even when things work as designed. But that means things can only get better, right?

At the Privacy Identity Innovation conference here earlier this week, researchers, advocates, developers and journalists gathered to dig through what’s wrong and what could be set right with our collective exposure to services, apps and devices. The takeaway: While the dreaded “privacy Chernobyl” has yet to happen, it still could–and in the meantime, the tech industry should busy itself repairing the dents it has taken from third parties and inflicted upon itself.

The National Security Agency’s sweeping surveillance programs and hitherto-hidden campaign to subvert encryption systems and standards constituted the biggest, blackest cloud over the proceedings. Early on, Lavabit founder Ladar Levison and Silent Circle co-founder Mike Janke described how each felt compelled separately to shut down encrypted e-mail services rather than risk being forced by the NSA to compromise them.

(Levison related how he’s given up e-mail for now in favor of “the electronic equivalent of a methadone clinic”: Facebook and LinkedIn messaging for routine chit-chat, Silent Circle encrypted text messaging for more sensitive communication.)

Small startups like those two shops may not have much political leverage against Washington, but their larger counterparts do. Beyond suing the government for the right to provide more detailed accounts of law-enforcement and national-security demands for user data (LinkedIn joined that litigious contingent on Tuesday), big-name firms can also strengthen their systems against snooping attempts.


{ 0 comments }

A few weeks ago I examined how copyright law — like most legal subjects dealing with technology — is lagging behind the fast-moving and disruptive changes wrought by social media to old legal rules for determining rights to Internet content. Part of my critique was that in deciding ownership of user-generated content (UGC), courts have not yet evaluated the difference between posting content “in the clear” and restricting content to “friends” or some other defined class far smaller than the entire Internet community.

Things may at last be getting a bit more settled. A New Jersey federal court ruled recently that nonpublic Facebook wall posts are covered by the federal Stored Communications Act (SCA) (18 U.S.C. §§ 2701-12). The SCA, part of the broader Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510 et seq.) that addresses both “the privacy expectations of citizens and the legitimate needs of law enforcement,” protects confidentiality of the contents of “electronic communication services,” providing criminal penalties and a civil remedy for unauthorized access. It’s a decades-old 1986 law that was enacted well before the commercial Internet and either email or social media had become ubiquitous. Yet by interpreting the statute, in light of its purpose, to apply to new technologies, District Judge William J. Martini has done Internet users, and common sense, a great service.

Plaintiff Deborah Ehling, a registered nurse, paramedic and president of her local EMT union — apparently a thorn in the side of her hospital employer for pursuing EPA and labor complaints as well — posted a comment to her Facebook wall implying that the paramedics who arrived on the scene of a shooting at the D.C. Holocaust museum should have let the shooter die. Unbeknownst to Ehling, a co-worker with whom she was Facebook friends had been taking screenshots of her profile page and sending them to a manager at Ehling’s hospital.

Ehling was temporarily suspended with pay and received a memo stating that the hospital was concerned that her comment reflected a deliberate disregard for patient safety. After an unsuccessful NLRB complaint based on labor law, Ehling’s federal lawsuit alleged that the hospital had violated the SCA by improperly accessing her Facebook wall post about the museum shooting, contending that her Facebook wall posts were covered by the law because she selected privacy settings limiting access to her Facebook page to her Facebook friends.

Judge Martini concluded that the SCA indeed applies to Facebook wall posts when a user has limited his or her privacy settings. He noted that “Facebook has customizable privacy settings that allow users to restrict access to their Facebook content. Access can be limited to the user’s Facebook friends, to particular groups or individuals, or to just the user.” Therefore, because the plaintiff selected privacy settings that limited access to her Facebook wall content only to friends and “did not add any MONOC [hospital] managers as Facebook friends,” she met the criteria for SCA-covered private communications.

Facebook wall posts that are configured to be private are, by definition, not accessible to the general public. The touchstone of the Electronic Communications Privacy Act is that it protects private information. The language of the statute makes clear that the statute’s purpose is to protect information that the communicator took steps to keep private. See 18 U.S.C. § 2511(2)(g)(i) (there is no protection for information that is “configured [to be] readily accessible to the general public”). [The] SCA confirms that information is protectable as long as the communicator actively restricts the public from accessing the information.

That’s a bold move by a jurist sensitive to the constraints on Congress, especially one as polarized as we have in America today. It reflects a willingness to adapt the law to changing technology by application of the basic principles and purposes of legislation, even if the statutory framework is old and its language somewhat archaic. As Judge Martini observed with a bit of consternation, “Despite the rapid evolution of computer and networking technology since the SCA’s adoption, its language has remained surprisingly static.” Thus, the “task of adapting the Act’s language to modern technology has fallen largely upon the courts.”


{ 0 comments }