Danny Weitzner's blog

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

Today, the Senate passed a much-debated revision to the Foreign Intelligence Surveillance Act with Lots of different views out there, even amongst the mainstream liberal establishment on the upcoming FISA legislation (’Senate Passes Surveillance Bill With Immunity for Telecom Firms‘, Washington Post, William Branigin, 9 July 2008).

In advance of this vote, there has been much debate, recently because Sen. Obama announced that he would support this compromise bill and not vote in support of filibuster. (Full disclosure, I’m an Obama supporter and have helped the campaign on Internet policy issues.) In thinking about this, I thought I’d survey the range of opinion just on the liberal center. Here’s some of what I found:

Mort Halperin, highly regarded civil libertarian, former head of the ACLU Washington office, and himself a target of unwarranted government wiretapping when he was working for Henry Kissenger in the Nixon White House, writes in a New York Times Op-Ed (’Listening to Compromise‘, New York Times, 8 July 2008):

The compromise legislation that will come to the Senate floor this week is not the legislation that I would have liked to see, but I disagree with those who suggest that senators are giving in by backing this bill.

The fact is that the alternative to Congress passing this bill is Congress enacting far worse legislation that the Senate had already passed by a filibuster-proof margin, and which a majority of House members were on record as supporting.

What’s more, this bill provides important safeguards for civil liberties. It includes effective mechanisms for oversight of the new surveillance authorities by the FISA court, the House and Senate Intelligence Committees and now the Judiciary Committees. It mandates reports by inspectors general of the Justice Department, the Pentagon and intelligence agencies that will provide the committees with the information they need to conduct this oversight. (The reports by the inspectors general will also provide accountability for the potential unlawful misconduct that occurred during the Bush administration.) Finally, the bill for the first time requires FISA court warrants for surveillance of Americans overseas.

As someone whose civil liberties were violated by the government, I understand this legislation isn’t perfect. But I also believe — and here I am speaking only for myself — that it represents our best chance to protect both our national security and our civil liberties. For that reason, it has my personal support.

On the same day, the New York Times Editorial Board wrote against the bill (’Compromising the Constitution‘, 8 July 2008):

The Senate should reject a bill this week that would needlessly expand the government’s ability to spy on Americans and ensure that the country never learns the full extent of President Bush’s unlawful wiretapping.

[..]

Supporters will argue that the new bill still requires a warrant for eavesdropping that “targets” an American. That’s a smokescreen. There is no requirement that the government name any target. The purpose of warrantless eavesdropping could be as vague as listening to all calls to a particular area code in any other country.

The real reason this bill exists is because Mr. Bush decided after 9/11 that he was above the law. When The Times disclosed his warrantless eavesdropping, Mr. Bush demanded that Congress legalize it after the fact. The White House scared Congress into doing that last year, with a one-year bill that shredded FISA’s protections. Democratic lawmakers promised to fix it this year.

[..]

The bill dangerously weakens the 1978 Foreign Intelligence Surveillance Act, or FISA. Adopted after the abuses of the Watergate and Vietnam eras, the law requires the government to get a warrant to intercept communications between anyone in this country and anyone outside it — and show that it is investigating a foreign power, or the agent of a foreign power, that plans to harm America.
Proponents of the FISA deal say companies should not be “punished” for cooperating with the government. That’s Washington-speak for a cover-up. The purpose of withholding immunity is not to punish but to preserve the only chance of unearthing the details of Mr. Bush’s outlaw eavesdropping. Only a few senators, by the way, know just what those companies did.

And today, the Washington Post, often somewhat more centrist on civil liberties matters than the Times editorialized (’FISAs Fetters‘, 9 July 2008):

These are serious concerns, worth taking seriously. We are under no illusion that the measure is perfect; future fine-tuning may well be called for. The classified nature of the surveillance program makes it impossible to assess the implications with anything near certainty. But the legislation reflects, as far as we can tell, a reasonable compromise, worked out over long months of negotiations, between the legitimate needs of intelligence agencies and the legitimate privacy interests of Americans.

The measure requires an individualized, court-approved warrant to conduct surveillance targeted at Americans’ communications with those overseas and — in an expansion of existing FISA protections — at Americans abroad. Purely domestic-to-domestic communications, even among foreigners here, would require a warrant as well. Intelligence agencies would be able to target and collect the communications of non-Americans “reasonably believed to be located outside the United States,” even if their phone calls or e-mails passed through or were stored in the United States. But the agencies are required to adopt procedures to “prevent the intentional acquisition” of purely domestic communications and to minimize the retention and dissemination of such information.

more to come…

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

In all the recent uproar (New York Times, “Google Told to Turn Over User Data of YouTube,” Michael Helft, 4 July 2008) about the fact that Google has been forced to turn over a large pile of personally-identifiable information to Viacom as part of a copyright dispute (Opinion), there is a really interesting angle pointed out by Dan Brickley (co-creator of FOAF and general Semantic Web troublemaker). Dan points out in a blog entry today that while the parties before the court are arguing about whether the YouTube ID is, by itself, personally identifiable information, the fact is that the publicly visible part of this ID in the context of other information on the Web is sufficient to identify a lot about a person, not the least of which is their name. Dan explains:

YouTube users who have linked their YouTube account URLs from other social Web sites (something sites like FriendFeed and MyBlogLog actively encourage), are no longer anonymous on YouTube. This is their choice. It can give them a mechanism for sharing ‘favourited’ videos with a wide circle of friends, without those friends needing logins on YouTube or other Google services. This clearly has business value for YouTube and similar ’social video’ services, as well as for users and Social Web aggregators.

Given such a trend towards increased cross-site profile linkage, it is unfortunate to read that YouTube identifiers are being presented as essentially anonymous IDs: this is clearly not the case. If you know my YouTube ID ‘modanbri’ you can quite easily find out a lot more about me, and certainly enough to find out with strong probability my real world identity. As I say, this is my conscious choice as a YouTube user; had I wanted to be (more) anonymous, I would have behaved differently. To understand YouTube IDs as being anonymous accounts is to radically misunderstand the nature of the modern Web.

Dan makes a really important point here. One the on hand, the fact that we are all more identifiable as a result of social networks in which we exist suggests that the judge was just plain wrong (even wronger than others have already said) in saying that the YouTube IDs are not personally-identifiable. But on the other hand, to the extent that Dan is correct about the revealing nature of the social web (true for some of us now, more and more in the future), we have to face the fact that merely limiting disclosure of personal information from one source is less and less unlikely to protect privacy effectively across the Web.

Applying this view to the Viacom v. YouTube case suggests that privacy protection has to focus more limiting how people and institutions can *use* personal information even as we recognize that it is harder and harder to protect privacy by access control alone.

Some of my colleagues and I have written about this view of privacy as Information Accountability in last month’s Communications of the ACM.

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

A little transparency would go a long way toward helping keep online political discourse open, especially in the particular corner of the blogosphere run by Google (ie. blogger.com). The Herald Tribune (Bloggers take aim at Google - International Herald Tribune) reports on a controversy involving pro-Clinton blogs that might have been blocked as spam due to what we might call a PDOS (Political Denial of Service Attack) in a skirmish between Obama and Clinton partisans. The IHT asks:

Was Google’s network of online services manipulated to silence critics of Barack Obama? That was the question buzzing on a corner of the blogosphere over the past few days, after several anti-Obama bloggers were unable to update their sites, which are hosted on Googles Blogger service.

It is alleged that some pro-Clinton blogs were blocked after a number of pro-Obama users marked them as ’spam’ on blogger.com. A Google spokesperson explained:

“It appears that our anti-spam filters caused some Blogger accounts to be blocked from creating new posts,” a Google spokesman, Adam Kovacevich, said in a statement. “While we are still investigating, we believe this may have been caused by mass spam e-mails mentioning the ‘Just Say No Deal’ network of blogs, which in turn caused our system to classify the blog addresses mentioned in the e-mails as spam.”

Kovacevich said that Google had restored posting rights to the affected blogs and that it was “very important” to Google “that Blogger remain a tool for political debate and free expression.” He gave no further details about Google’s spam-monitoring techniques or how they relate to the Blogger service.

It certainly would be useful if Google could provide some transparency into what they block and why. That way, either Google or the possibly malicious spam-flaggers could be help accountable for their behavior. (In a recent CACM piece on Information Accountability we explain why accountability is so important on the Web and how we might have more of it through additions to the architecture of the Web.)

Google does a very good job of giving transparent explanations when their search results contain information that has been blocked for legal reasons such as copyright takedown notices. I hope they can find a way to bring similar transparency to their part of blogosphere.

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

The New Jersey Supreme Court (State of New Jersey v. Shirley Reid (A-105-06)) has issued an important decision on Internet users’ right to privacy. The case involves a dispute about whether an ISP violated a user’s privacy rights by turning over subscriber information (name, address, billing details) associated with a particular IP address. It ends up the that subpoena served on the ISP was invalid for a variety of reasons. As the user had a ‘reasonable expectation of privacy’ in her Internet activities and identifying information, and because the subpoena served on the ISP was invalid, the New Jersey court determined that the ISP should not have turned over the personal data.

The important aspect of this case in the evolving understanding of privacy on the Internet is the court’s recognition that we must look at privacy from the broad perspective of what can actually be discovered about people online. In this way, the ruling has significant strengths and weaknesses from a privacy perspective. On the one hand, the court finds that there is, today, an expectation of privacy in IP addresses because they are currently hard to link to personal identity. There have been lots of disputes in the US and the EU about whether IP addresses are ‘personally identifying information.’ (”PII” in the jargon of privacy.) This court takes a pragmatic view of this question and finds that IP addresses should be considered private for now, but that this may change. The court finds:

the reasonableness of the privacy interest may change as technology evolves. A reasonable expectation of privacy is required to establish a protected privacy interest…. Internet users today enjoy relatively complete IP address anonymity when surfing the Web. Given the current state of technology, the dynamic, temporarily assigned, numerical IP address cannot be matched to an individual user without the help of an ISP. Therefore, we accept as reasonable the expectation that one’s identity will not be discovered through a string of numbers left behind on a website.

The availability of IP Address Locator Websites has not altered that expectation because they reveal the name and address of service providers but not individual users. Should that reality change over time, the reasonableness of the expectation of privacy in Internet subscriber information might change as well. For example, if one day new software allowed individuals to type IP addresses into a “reverse directory” and identify the name of a user — as is possible with reverse telephone directories — today’s ruling might need to be reexamined.

Others have written about the legal details of this case and have suggested that it is a big win for privacy. Given the reliance on the shifting state of identity technology, I’m a little less sanguine.

This case is yet another reason why I believe (as I’ve explained elsewhere) that meaningful privacy on the Web requires rules the govern how personal information is used, not just what can be collected. Under the court’s reasoning, as our lives become more and more transparent, that would justify increasing harmful use of personal data. While it’s pretty hard to control how exposed we are all become, we still can limit how powerful institutions (governments, etc.) use personal data about us.

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

Ethernet inventor, journalist and now venture capitalist Bob Metcalfe speaks on the lessons from the Internet community for the global warming arena. In looking at how to accelerate technical innovation to address climate change, Metcalfe asserts that:

“… the place to do research is in university labs. “The best vehicle for technology innovation is not patents, it’s students.”

Of course, Bob also manages to express is distain for monopoly, Bell Labs, and even Al Gore. (See report by Martin LaMonica.) I’m not sure about those but think he’s right on with respect to patents.

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

Ever the astute observer of the various features and bugs of our collective behavior, a longtime mentor of mine, Mitch Kapor, has coined a new defintion:

Meetingboarding: (n) the sensation of being unable to breathe arising from continuous immersion in meeting after meeting

I’d add to this a characterization of email that I learned from Mitch many years ago:

The problem with email is that it has low emotional bandwidth.
-Mitch Kapor, circa 1991

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

National Public Radio’s Science Friday program will feature a discussion of online privacy with Alessandro Acquisti of CMU and yours truly a little later today. It’s live from 3:00 - 4:00 pm Eastern/US, rebroadcast at various times depending on where you live, and streamed on the Web.

Listen it. Call and challenge other listeners to think about the privacy questions raised by the Semantic Web!

Update: the broadcast is streamed at this link.

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

Behavioral targeting is pervasive on the Web. As documented by a very nicely-researched New York Time story today (’To Aim Ads, Web Is Keeping Closer Eye on You,’ NYT, by Louise Story, 10 March 2008.) it’s now clear that each of us who use popular search engines and portals are the subject of thousands of individual data collection events per month of Web usage.

I’m glad to see some clear analysis of the practice out there but would like to see an additional level of transparency. If it is the case that profiling is benign, then why not tell uses what aspect of their profile triggered the placement of a particular ad. The ad delivery systems all make decisions about which ads to place for a given user from some properties of that user that are either known or inferred. Why not just tell us what those properties are along with the add placement. This would go a long way toward eliminating the feeling that we’re being ’spied on’ because it would eliminate any sense of secrecy about what is learned in the course of the behavioral monitoring. My guess is that many people would ignore the profile data, but some would check it, and we’d all have piece of mind from knowing that whatever is being done is happening out in the open.

According to the Times, data is collected on which web pages we look at and is then combined with other data (demographics, browsing history, purchases on partner sites, etc.). Right on cue traditional privacy advocates declare that profiles developed in this way (based on our behavior) do (or should) make us feel uneasy:

“When you start to get into the details, it’s scarier than you might suspect,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a privacy rights group. “We’re recording preferences, hopes, worries and fears.”

No doubt people (as least some people) feel alarmed about this and probably others are either implicitly or explicitly happy to have the right ads targeted to them. As an online ad agency exec said in the article:

“Everyone feels that if we can get more data, we could put ads in front of people who are interested in them,” he said. “That’s the whole idea here: put dog food ads in front of people who have dogs.”

Unless were going to require an outright ban on this sort of behavioral targeting, the question what to do about it. Is the goal to allay people’s fears? To limit the use of the profiles? Or to help people avoid incorrect targeting?

The statistics developed by comScore for the New York Times article do a nice job of illustrating the magnitude of data collection that happens. Jules Polonetsky, AOL’s Chief Privacy Officer, is launching a new consumer education campaign to explain the mechanics of data collection and tracking to users. The light that both the Times stories and the AOL campaign shed on marketing practices is valuable.

Many people are going to far more interested in how this profiling actually effects them, than on the overall magnitude of the practice. Is there any reason not to be upfront with people about the basis for delivering an ad? If there is, then there is reason to feel that we’re being deceived or maniplated, not assisted, by the behavior tracking techniques.

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

It’s pretty amazing what a little bit of structured computer power can do when deployed on the Web. Slate’s Delegate Calculator puts in the hands of Web-enabled citizens some simple computing power that helps us to understand how the delegate counts in the upcoming Democratic primaries may effect the final outcome for Obama and Clinton over the next hours, weeks and months. The knowledge about which states have how many delegates, how they might be apportioned, etc., is information that used to be a closely guarded secret of the political intelligencia and the press. How, it’s out there for all of us to see. It’s such a useful tool that many reporters from other publications are actually writing about it:

Jonathan Alter, Hillary’s Math Problem, Newsweek (4 March 2008)

Peter Baker, Clinton Down, but not Out, for the Count, Washington Post.

Jason Tuohey, Delegate Counter, Boston Globe

Carol Lockhead, Obama Wins Vermont, But Look at the Math, San Francisco Chronicle.

Granted, Slate has a relationship with some of those new outlets, but it’s still striking to see computing make the political news.

The original appearance of this entry was in Danny Weitzner - Open Internet Policy

I’d encourage anyone in or around the Boston, MA area to come to the Federal Communications Commission’s field hearing on Broadband Network Management Practices. I’ll be testifying along with a range of witnesses, Dave Clark and David Reed (colleagues from MIT), representatives from various commercial groups, and a number of advocacy organizations such as Free Press. I understand Congressman Ed Markey, a longtime champion of the Internet and the Web, will also be appearing.

Here are the logistical details:

Monday, Feb 25, 2008
11:00 a.m. to 4:00 p.m.
Harvard Law School, Ames Courtroom, Austin Hall
1515 Massachusetts Avenue, Cambridge, Mass.