12 November 2007
It's been a bad week for privacy. Several major parties — Facebook, TiVo, MySpace, and a U.S. government official — made some rather ominous moves and statements.
Let's start with the social networking sites. These have always been potential privacy risks: they've been gathering an immense amount of demographic data, personal data, friendship patterns, and more. My assumption has always been that they were going to use this for targeted marketing. This has now happened.
MySpace moved first. They announced that many major advertisers are using their "HyperTargeting" program, which examines user profiles and selects ads to display based on them. This isn't new — news sites have done this for a long time — but MySpace's data is probably more accurate, since users presumably feel more compunction about lying to their friends than to some media conglomerate. Besides, the MySpace demographic skews young, which is more valuable to at least some advertisers.
Facebook is taking a more unusual tack. Rather than using demographic data, they're going to exploit friendship patterns. When a user buys something from a Facebook affiliate, that fact is sent to the user's online friends, along with the purchaser's picture. In other words, users are being told "your friend bought this; wouldn't you like to as well?" (Ironically, the Facebook scheme may run afoul of a New York state law prohibiting use of people's names and photos for commercial purposes without their explicit consent — and that was enacted after the plaintiff lost in one of the first lawsuits about privacy for precisely that action by an advertiser.)
TiVo is engaging in more conventional data gathering, though with much finer granularity. They're now providing advertisers with detailed information on the age, marital status, ethnicity, etc., of who watches various ads instead of skipping them. Fortunately, it's an opt-in program. Still, the existence of that sort of data is troubling. TiVo has always known who watches what; what's new is the addition of demographic data to the mix.
As always, the government's actions are the most worrisome. Leaving out their alleged effort to watch who's eating ethnic foods, Donald Kerr (the principal deputy director of national intelligence) was quoted as saying, "Too often, privacy has been equated with anonymity. But in our interconnected and wireless world, anonymity — or the appearance of anonymity — is quickly becoming a thing of the past." His actual comments are rather more nuanced; some of his attitudes are indeed scary, while others reflect changing reality.
When Kerr notes that
Anonymity results from a lack of identifying features. Nowadays, when so much correlated data is collected and available — and I'm just talking about profiles on MySpace, Facebook, YouTube here — the set of identifiable features has grown beyond where most of us can comprehend. We need to move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment.
he's being realistic. No amount of anonymous networking, digital cash, etc., will safeguard the privacy of people who voluntarily post intimate details about themselves on social networking sites or web pages. Where Kerr is dangerously wrong is when he says "privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured." It just doesn't work, if for no other reason than that the checks and balances are insufficient. Right now, for example, the CIA is investigating its Inspector General. Similarly, oversight committees (and courts) are being told that they lack the necessary clearances to see some of the salient details.
Protecting anonymity isn't a fight that can be won. Anyone that's typed in their name on Google understands that.
What Kerr is saying boils down to "trust us with the same data you're voluntarily giving someone else". Unfortunately, the track record of various government agencies isn't good, ranging from COINTELPRO to abuses of National Security Letters. (Admittedly, in that last case it was an Inspector General who found the abuses.) Yes, people are giving away data to various web sites, but with some intuitive understanding of how it will be used and what the guarantees are. When sites change their behavior, users rebel.
To be sure, there are sometimes explicit guarantees. Facebook, for example, promises
Facebook helps you share information with your friends and people around you. You choose what information you put in your profile, including contact and personal information, pictures, interests and groups you join. And you control the users with whom you share that information through the privacy settings on the My Privacy page.
and has committed to independent review:
Facebook is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent, non-profit organization whose mission is to build users' trust and confidence in the Internet by promoting the use of fair information practices. This privacy statement covers the site www.facebook.com and its directly associated domains. Because this Web site wants to demonstrate its commitment to your privacy, it has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.
If you have questions or concerns regarding this statement, you should first contact our privacy staff at . If you do not receive acknowledgement of your inquiry or your inquiry has not been satisfactorily addressed, you should contact TRUSTe Watchdog at http://www.truste.org/consumers/watchdog_complaint.php. TRUSTe will then serve as a liaison with us to resolve your concerns.
What we have, then, is intuitive understanding and acceptance, responsiveness by the site, and enforcement. Kerr's proposed policies have none of these. He is suggesting new uses for data, and doing so without explicit "popular" — i.e., Congressional — assent.
We could, at least, have enforcement of his new privacy policies. In the U.S., the courts are charged with such oversight, precisely because of their independence. If there is a procedural problem with independent review, that needs to be fixed. We do not need to give up on the principle.
Update: There's an online petition against the new Facebook scheme at Moveon.org.
Second update: Facebook has backed down.
16 November 2007
When we got home last night, there was a message for my wife on the answering machine: "We've seen what may be fraudulent activity on your credit card. Please call 800-955-9060 number, and have your card number handy." For fun, we called it and got an automated prompt: "Please enter your card number." No indication of which credit card, let alone which bank, and the phone number didn't match that printed on the back of any of her cards. Hmm…
I did a Google query for the number and got a number of hits. Some posters said it was Chase's fraud department; others listed it as a telemarketer or scam source. You can find a reasonable sample of opinions here. Of course, I have no idea who the posters are. One claimed to work for the fraud department at Chase — but is the claim true?
All of the folks who claimed it was legitimate specified Chase, so my wife called the number on the back of her Chase card. There was indeed a notation in her record about possible fraud, and it followed a classic pattern: a $1 "probe" charge to see if the number was good, followed by an attempt to purchase some expensive electronics. That charge was declined, because whoever it was didn't have the CVV. So — Chase's fraud detectors are well-tuned, and spotted this one very quickly. That's the good news.
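The "probe then splurge" pattern described above is easy to express as a detection rule on a card's transaction history. The following is an added illustration, not code from this post or from any issuer; the ledger is constructed, and the thresholds (a probe of at most $2, a "large" charge of at least $500, a 24-hour window) are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    card: str          # constructed identifier: last four digits only
    when: datetime
    amount: float
    cvv_present: bool  # whether the merchant supplied the card's CVV
    merchant: str

# Constructed sample ledger. Card 1234 shows the pattern from the post:
# a $1 probe to confirm the number is live, then a large electronics
# purchase minutes later, both without the CVV. Card 5678 has a small
# charge and a big one too, but 26 hours apart, so it should not match.
SAMPLE = [
    Txn("1234", datetime(2007, 11, 15, 9, 0), 42.17, True, "grocery"),
    Txn("1234", datetime(2007, 11, 15, 18, 2), 1.00, False, "online-misc"),
    Txn("1234", datetime(2007, 11, 15, 18, 9), 1899.00, False, "electronics"),
    Txn("5678", datetime(2007, 11, 15, 12, 0), 1.00, True, "coffee"),
    Txn("5678", datetime(2007, 11, 16, 14, 0), 2100.00, True, "electronics"),
]

def probe_then_splurge(txns, probe_max=2.0, big_min=500.0,
                       window=timedelta(hours=24)):
    """Return (card, probe, big, cvv_missing) tuples where a tiny charge is
    followed within `window` by a large one on the same card. A large charge
    attempted without the CVV is the strongest signal, so that fact is
    carried along for the analyst to prioritise. Thresholds are assumptions."""
    by_card = {}
    for t in sorted(txns, key=lambda t: t.when):
        by_card.setdefault(t.card, []).append(t)
    hits = []
    for card, seq in by_card.items():
        for i, probe in enumerate(seq):
            if probe.amount > probe_max:
                continue
            for big in seq[i + 1:]:
                if big.when - probe.when > window:
                    break  # seq is time-ordered; nothing later can qualify
                if big.amount >= big_min:
                    hits.append((card, probe, big, not big.cvv_present))
    return hits

if __name__ == "__main__":
    for card, probe, big, cvv_missing in probe_then_splurge(SAMPLE):
        print(f"card ...{card}: ${probe.amount:.2f} probe at {probe.when:%H:%M}, "
              f"then ${big.amount:.2f} at {big.merchant}; CVV missing: {cvv_missing}")
```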
The bad news, of course, is how they handled it. They absolutely should have said which bank they were calling from (and we know they didn't, because we still have the answering machine message). It's by no means authoritative — anyone can claim to be from Chase — but it would at least tell the recipients which credit card is involved, and hence whom to call back. My wife asked about that and got a very unsatisfactory answer: because of their branding agreements — they issue and service a lot of affinity cards — they have to be careful about what name they assert. So? Surely their databases know what group has its name on your card.
The big problem, of course, is that they seemed to expect (and want) consumers to call a strange number left on an answering machine and key in their credit card numbers. Excuse me? Are they trying to teach people to respond to phone phishes? They don't have enough trouble with email solicitations, so they want to cause the same trouble with phones? Or are they so worried about people abandoning Internet banking out of fear that they want people to be just as afraid of the phone? (No, I don't really believe that, and I'm not seriously suggesting that that was their motive.)
A proper phone message would have been "I'm from Chase [calling about your XXX-branded card] whose last 4 digits are WXYZ. We suspect fraud. Please call the number on the back of the card and mention code ABC." What they actually did was totally preposterous.
I suppose I could take some comfort from the fact that in the US, the consumer is not liable for credit card fraud. (More precisely, there's a $50 limit to liability, but as a matter of policy banks don't even try to collect that much.) Still, having a card cancelled (as this one is now) is a hassle, and I don't want more of it. They really should clean up their act.
27 November 2007
A few weeks ago, I alluded to a reported FBI project to detect Middle Eastern terrorists by looking for spikes in consumption of, say, falafel. The FBI has now categorically denied that such a plan was ever even contemplated. Good.