Public Life on the Web: Reconciling the Free Flow of Information and Privacy in a Linked World

2 September 2008
Bergen University Department of Information and Media Studies

Daniel J. Weitzner
Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

These slides: http://dig.csail.mit.edu/2008/Talks/0902-privacy-fx-bergen/

Everyone is a publisher

Talk Overview

  1. Three major public policy challenges of the Web: Freedom of expression, copyright, and privacy
  2. Learning from successes and failures in addressing these challenges
  3. Detailed look at Privacy
    • US Law: sectoral regulation and contracts
    • EU Data Protection Law: Human rights and regulations
    • Cryptography to the rescue
  4. Limitations of current privacy approaches
  5. Reminder of the role of Law and Society
  6. Toward clear rules and accountable systems
  7. Conclusion

Policy challenge -- Socially-unacceptable content

Time Magazine, 3 July 1995

A New Approach

"The Internet is 'a unique and wholly new medium of worldwide human communication.'" ACLU v. Reno, United States Supreme Court (June 1997)

"Filters are less restrictive than COPA. They impose selective restrictions on speech at the receiving end, not universal restrictions at the source." Ashcroft v. ACLU, 542 US 654 (2004).

Google safesearch

Policy challenge -- Intellectual Property Protection: DRM vs. Fair Use

[Images: p2p architecture; p2p music]

Salon Magazine, 30-3-2005

From DRM to Open Source/Open Access

[Images: iTunes screenshot; Yahoo Creative Commons search]

"Imagine a world where every online store sells DRM-free music encoded in open licensable formats. In such a world, any player can play music purchased from any store, and any store can sell music which is playable on all players. This is clearly the best alternative for consumers, and Apple would embrace it in a heartbeat. If the big four music companies would license Apple their music without the requirement that it be protected with a DRM, we would switch to selling only DRM-free music on our iTunes store. Every iPod ever made will play this DRM-free music,"

Steve Jobs, Thoughts on Music (February 6, 2007)

Experience from Web Policy Challenges

"When We're All Publishers"

Policy Challenge | Failed Centralized Approach | Successful Decentralized Approach
Freedom of Expression/Inappropriate Content | Broadcast-style censorship | User-side Filtering
Copyright | Digital Rights Management | Open source business models
Privacy | Secrecy | ?

A Privacy Conundrum

Jernigan and Mistree (2007), unpublished research

Characteristics of Today's Privacy Challenge

  1. Lots of personal information data
  2. held by lots of parties
  3. huge increase in analytic capacity and data integration techniques
  4. little time and attention to manage uses
  5. unclear rules when data crosses boundaries

Web Privacy Challenges From Traditional Perspectives

US Law: Sectoral regulation with contractual freedom in the general case

Targeted Sector-specific Privacy Protections

General right of consumer fairness and reliance on individual negotiation ('let the marketplace work')

EU Data Protection: Human rights protected through regulation

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes....

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; ....

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed....

Directive 95/46/EC

The Challenge of Consent and purpose limitations

Can today's privacy model (EU or US) be sufficient going forward?

Key will be purpose limitation, but we have a dilemma...

Dilemma: limited individual and regulatory capacity to control escalating data collection.

Current result of consent dilemma + increased inference power: strict about what's collected but loose about usage

Better result: loose about what is collected and strict about usage

Technical: Cryptographic protection of secrets

Anonymity -- the key to privacy?
[Images: anonymity cartoon; an anonymity proxy]

Recap: Limitations of traditional privacy approaches

Reminder of the Role of Law and Society...

  1. How many believe you are subject to law (any law)?
  2. How many of you follow (most) laws? [exclude speed limits]
  3. How many of you read all the laws to which you believe you are subject?
  4. How many have been to a court of law?

Order without Law

Open vs. Closed Range -- What are the Rules?
[Images: sheep grazing; cows grazing behind fence]

Robert Ellickson, Order Without Law (1991)

Privacy Re-Defined - Saltzer and Schroeder revisited

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to or used by others.

Information Accountability Through Policy Aware Systems

A new approach to Privacy, Copyright and Freedom of Expression

Information Accountability: When information has been used, it should be possible to determine what happened, and to pinpoint use that is inappropriate

Weitzner, Abelson, Berners-Lee, Feigenbaum, Hendler, Sussman, Information Accountability,
Communications of the ACM,
June 2008, 82-87

Accountable Copyright Licensing

and non-compliance

Key Features of Accountable Systems

Goal: Deter rule violation while preserving free flow of information

More Information