March 20, 2012

Facebook’s (In)conspicuous Absence From the Do Not Track Discussions

On the heels of President Obama's recent introduction of a Privacy Bill of Rights, the Digital Advertising Alliance (DAA), the latest self-regulatory organization for online advertising, agreed to support widespread implementation of Do Not Track (DNT) browser headers. This is a laudable step, and in the coming months the responsibilities for how websites respond to the signal will be articulated in multistakeholder meetings through the W3C's Tracking Protection Working Group . One conspicuous absence from the Do Not Track discussions is Facebook. As a company that tracks millions of users around the web, Facebook needs to follow in the footsteps of Google, Microsoft, Yahoo!, and others by committing to respect user choice.

There is no denying Facebook's popularity in the online arena. It is consistently ranked in the top five websites visited in the world. In the month of December 2011 alone, users spent more than 9.7 billion minutes per day on Facebook on personal computers, while in the mobile sphere the Facebook app is one of the most downloaded applications across the smartphone ecosystem.1 Facebook is apt to translate this popularity into effective advertising, which is fundamental to its revenue stream. Facebook said as much in its IPO documents, where it stated: "We generate substantially all of our revenue from advertising and payment processing fees."2 Facebook also provided explicit figures. In 2011, they made $3.15 billion of $3.71 billion solely from advertising.3 In combination with Facebook's dominance in social media and its engagement with both Facebook and non-Facebook users outside of Facebook.com, Facebook's reliance on advertising as a major revenue stream is a reason that Facebook should be involved in current W3C discussions about the future of online advertising.

Facebook has a complex relationship with userssometimes it acts like a social network, but other times it acts more like an online tracking company. This tracking takes place without a user ever having to interact with the Facebook "like" or "social plugin" buttons: just seeing the "like" button is enough for Facebook to collect a record of your reading habits. It was third party tracking practices similar to this that inspired the Do Not Track movement. Like other companies that engage in cross-site tracking, Facebook needs to commit to respecting the Do Not Track header.

Facebook's interaction with users is further complicated by Instant Personalization , a system that allows non-Facebook sites to embed interactive Facebook widgets and conversations. Instant Personalization inherently requires tracking. When an individual has "instant personalization" enabled in her Facebook settings and then sets the Do Not Track header, we recommend that Facebook clarify whether or not she is agreeing to opt back in to being tracked while using instant personalization. This could be done with an interstitial explaining the tracking inherent to instant personalization and asking her whether, given her preference to not be tracked, she would still like to see and use instant personalization widgets. This type of transparent privacy control can ensure that Facebook users better understand how Facebook collects data on them. These complications are all reasons for Facebook to further engage in Do Not Track discussions and the Do Not Track mechanism.

It's clear that Facebook wants to be a part of the conversation around advertising and privacy. According to AdAge , when the Commercial Privacy Bill of Rights Act (PDF) was introduced last year, Facebook sent an “army of lawyers” to Washington to convince Senators Kerry and McCain to carve out exceptions to their privacy bill so that Facebook could track its users via social widgets on other sites (dubbed the "Facebook loophole" ). Facebook currently retains two lobbying firms, and it nearly quadrupled its lobbying budget last year to $1.35 million.4 The best Internet policy arises from collaborative efforts with users, advocacy groups, and other technology companiesnot backroom deals on Capitol Hill. This is especially true when many policymakers and the public are watching online advertisers closely to see if they can improve their poor track record when it comes to self-regulation.

Currently, the W3C's Tracking Protection Working Group involves stakeholders that include privacy organizations, tracking companies, the DAA, and academics to refine what Do Not Track means and how it is implemented. Facebook's prominence in the online advertising world, its reliance on advertising as a revenue model, and its activity in Washington make it clear that Facebook should be more involved in the negotiations on advertisers' responsibilities to respect Do Not Track.

After a privacy agreement was reached with the FTC in November 2011, Mark Zuckerburg wrote : "I'm committed to making Facebook the leader in transparency and control around privacy." Do Not Track is the next step for users to control how they can be tracked and what data can be collected. It's time Facebook engage with the larger Internet community and respect the rights of users who opt out of tracking.

  • 1. Data found in Facebook's IPO documents. Documents can be found here .
  • 2. Ibid.
  • 3. Ibid.
  • 4. Data courtesy of the Center for Responsive Politics' Open Secrets. Facebook's lobbying stats can be found here .

Permalink • Print • Comment

February 28, 2012

Government Pressures Twitter to Hand Over Keys to Occupy Wall Street Protester’s Location Data Without a Warrant

February 21, 2012 | By Hanni Fakhoury

On October 1, 2011, over 700 Occupy Wall Street protesters were arrested on the Brooklyn Bridge. Most of the protesters, including Malcolm Harris, were charged with the mundane crime of disorderly conduct, a "violation" under New York law that has a maximum punishment of 15 days in jail or a $250 fine

And yet on the basis of a charge no more consequential than speeding ticket, the New York City District Attorney's office sent a poorly worded subpoena to Twitter requesting "any and all user information, including email address, as well as any and all tweets posted for the period of 9/15/2011-12/31/2011" regarding Mr. Harris' Twitter account, @destructuremal. Unsurprisingly, the government wanted to keep it quiet, but thankfully Twitter didn't listen. Instead, as it has consistently warned law enforcement, Twitter notified Mr. Harris, who through his lawyer, Martin Stolar of the National Lawyers Guild, has moved to challenge the subpoena in court.

The subpoena is astonishing not only for its poor grammar, but also for the breadth of information the government wants for a trivial crime that hardly requires it. The government's request that Twitter hand over Tweets is unlikely to succeed because consistent with the Stored Communications Act, Twitter releases "contents of communication" (effectively Tweets and private messages between Twitter users) only with a search warrant. In any event, Mr. Harris' account is "public", meaning the government could obtain Tweets simply by checking out Mr. Harris' Twitter feed. Plus, requesting Tweets only highlights the absurdity of the entire situation: why would the government need Tweets from both before and after the October 1 protest to prove he was obstructing traffic on the bridge? Government fishing expeditions like this raise serious First Amendment concerns. Mr. Harris was very outspoken about his support of and involvement in the Occupy Wall Street movement. With this overbroad subpoena, the government would be able to learn about who Mr. Harris was communicating with for an extensive period of time not only through Tweets, but through direct messages. And with the government's request for all email addresses associated with @destructuremal, they could subpoena Mr. Harris' email provider to get even more information about who he communicated with. The First Amendment shouldn't be trampled with only an expansive subpoena in a case that barely registers as "criminal."

Given that much of Mr. Harris' Twitter information (like Tweets and followers) is already public, it's very likely that the government was really after something else: location data. By attempting to subpoena these records, the government can get around the Fourth Amendment's prohibition against warrantless searches by requesting information that includes IP addresses. Twitter keeps track of IP address information regarding every time a person logged into Twitter, as well as the IP address information related to a Twitter user's direct messages to other users, and the date and time information related to these log ins and direct messages. Armed with IP addresses, the government — without a warrant — can go to an ISP to determine who was assigned that particular IP address. And if that person connected on a mobile device — which is where the majority of Twitter users access their accounts — the ISP will hand over to the government the specific cell tower (and its corresponding geographic location) which that person used to access Twitter. This allows the government to piece together a map of where a person physically is when he opens Twitter on his smartphone, sends a direct message to a friend, or Tweets. And with that information, the government could get a record of Mr. Harris' movement over the three months it requested from Twitter. It's no surprise then that the government singled out Mr. Harris for this request: he currently has over 1,500 followers and 7,200 Tweets. 

Allowing the government to gets its hands on this data with nothing more than an administrative subpoena renders the Fourth Amendment meaningless. Only with the protection of a search warrant, and the heightened judicial supervision that comes along with it, can the voracious appetite of law enforcement be curbed. As we've consistently argued, the Fourth Amendment protects this information. But another way to impose privacy protection from the prying hands of law enforcement is through Congressional reform of the badly outdated Electronic Communications Privacy Act ("ECPA"). As part of the Digital Due Process coalition, EFF has been calling for Congress to update ECPA to conform with the realities of the 21st century. 

It looks like judicial momentum may finally be on our side. In January of this year, the United States Supreme Court issued a landmark decision in United States v. Jones (PDF), ruling that law enforcement could not physically install a GPS device on private property without a search warrant. The majority opinion resolved the Fourth Amendment issue by looking exclusively at the physical installation of the GPS device. Importantly, however, in a concurring opinion, Justice Sotomayor warned that "physical intrusion is now unnecessary to many forms of surveillance." Collecting IP addresses of a prolific Tweeter, and matching it with other easily obtainable information from other service providers, demonstrates this problem. In writing that society is unlikely to accept extensive warrantless surveillance as "reasonable", Justice Sotomayor called into question "the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent 'a too permeating police surveillance.'” Similarly, Justice Alito's concurring opinion noted that with "dramatic technological change, the best solution to privacy concerns may be legislative." 

Hopefully with the public breathing down its neck, Congress can finally act to fix a antequated set of laws. Malcolm Harris, like Birgitta Jonsdottir before him, took a stand to protect our privacy rights. You can too by telling Congress that its time to update ECPA and tell law enforcement once and for all that in order to get a person's location data, it needs to come back with a warrant. 

Permalink • Print • Comment

White House, Google, and Other Advertising Companies Commit to Supporting Do Not Track

February 23, 2012 | By Rainey Reitman

When Stanford researcher Jonathan Mayer uncovered a Google workaround to circumvent the default privacy settings on Safari, EFF called on Google to change their tune on privacy by respecting the Do Not Track flag and building it into the Chrome browser. We specifically praised the World Wide Web Consortium (W3C) multi-stakeholder process, which for a year has been convening consumer advocates, Internet companies, and technologists to craft how companies that receive the Do Not Track signal should respond. Today, in conjunction with the White House’s new publication Consumer Data Privacy in a Networked World (PDF), the Digital Advertising Alliance (DAA) announced (PDF) that it will embrace Do Not Track. (The DAA is the latest self-regulatory organization for online advertising companies.) This is a big step in the right direction for securing user privacy rights in the digital environment, but we’ve still got a long way to go. And, unfortunately, it looks like online advertisers are already working to water down the Do Not Track protections.

There are two parts to Do Not Track: technology and policy. The technology, a simple HTTP header (“DNT: 1”), allows a consumer to signal her privacy preference. The policy specifies what companies can and can’t do when they receive the signal. Read more.

Today’s announcements are great news for the Do Not Track technology. Google, a member of the DAA, has committed to add the feature to Chrome. While we haven’t seen the user interface, presumably it’ll be a one-click check box easily accessible through your browser settings, similar to what other browsers offer. Even better, Google and other members of the DAA — including Yahoo!, Microsoft, and AOL — are committing to adding support for the Do Not Track technical signal.

Today also brought good news for enforcing Do Not Track. The White House recognized that user privacy protections are nearly useless without a method of enforcement, so it has reaffirmed that companies that commit to respecting Do Not Track will be subject to Federal Trade Commission (FTC) enforcement.

Time to celebrate? Should we declare February 23rd V-DNT Day? Not quite. While today was a great advancement on the Do Not Track technology, it did not meaningfully move the ball forward on the Do Not Track policy. Even as Google and the other giant advertisers make strong gestures toward giving users meaningful choice when it comes to online tracking, portions of today’s two announcements are also undermining some of the most powerful consumer protections. Specifically:

Favoring industry-crafted standards

The W3C is a long-respected Internet governance body that brings together a wide range of stakeholders — including civil liberties advocates, engineers, and industry representatives — to reach accord about standards affecting the future of the Internet. EFF and lots of other consumer groups are involved in the process, and anybody can read up on what’s happening through the publicly available meeting notes. For a year, W3C has been working to pin down how various websites should respect the Do Not Track header. Internet companies, including Google, have been actively participating.

The DAA, on the other hand, is an industry group for online advertisers. It includes no consumer advocates or regulators and it doesn’t offer an opportunity for public participation in their decision-making process. Historically, the DAA has eschewed providing users with powerful mechanisms for choices when it comes to online tracking. The self-regulatory standards for behavioral advertising have offered consumers a way to opt out of viewing behaviorally targeted ads without actually stopping the online tracking which is the root of the privacy concern.

While we appreciate that DAA is interested in respecting the Do Not Track flag, it’s important that they engage with the larger Internet community in doing so. DAA should use the W3C for the purposes of defining Do Not Track and determining how websites that receive this signal should react. And the White House, similarly, should turn to the well-established W3C multi-stakeholder process for addressing these issues.

Chipping away at Do Not Track’s simplicity

If you’re using the most recent version of Firefox, you can turn on Do Not Track by going into your preferences and checking the box that says “Tell websites I do not want to be tracked.”  Pretty straightforward, from a user’s standpoint. But DAA is trying to tamper with this simplicity. In its statement, the coalition of online advertisers say that they'll respect Do Not Track where a consumer "has been provided language that describes to consumers the effect of exercising such choice including that some data may still be collected." Then they noted their intention to “begin work immediately with browser providers to develop consistent language across browsers.”

The most skeptical interpretation of this statement is that the straightforward language for turning on Do Not Track might turn into some slippery legalese that doesn’t promise to do much of anything about tracking. We hope that’s not the case; much of Do Not Track’s power came from its straightforward, human-readable format.

No privacy-protective default settings

The DAA added another exception into their promise to respect Do Not Track: they won’t respect the setting unless a user affirmatively chooses Do Not Track and won’t respect it if “any entity or software or technology provider other than the user exercises such a choice.” This seems geared toward preventing a privacy-protective browser from turning Do Not Track on by default.

It’s important that advertising companies remember that users can express a preference simply by choosing a privacy-protective browser. In the same way many users may have chosen the Safari browser because of its privacy-protective policies regarding third-party tracking, many users in the future might affirmatively choose a browser that has Do Not Track enabled by default. 

While there remain serious concerns about attempts to water down enforceable tracking protection for consumers, one thing is clear: Today represents a powerful step forward in helping users protect their online privacy. We applaud Google’s decision to implement Do Not Track in the Chrome browser, and we’re looking forward to collaborating with the DAA and other stakeholders in the W3C to communicate the concerns of users and advocates in online tracking issues.

Permalink • Print • Comment

UK Police Agency Takes Over Popular Music Website

February 17, 2012 | By Maira Sutton

News broke Tuesday that a British police agency called the Serious Organised Crime Agency (SOCA), had taken control of the popular music blog RnBXclusive and arrested one of the site’s creators for fraud. The normal content from the site was completely unavailable, replaced with a new splash page: a notice from SOCA stating that it had taken control of the domain. Initial reports claimed that that the RnBXclusive.com domain had been seized by the UK government agency — bringing to mind images of a post-SOPA fractured Internet — but it turned out that the website takeover was done with the cooperation of the UK-based hosting company, Rackspace’s UK arm. For its part, Rackspace claimed that the music site was taken down for breaching its Terms and Conditions.

The initial splash page that the site displayed after the takedown was replete with exaggerations and misstatements of law. Techdirt’s Mike Masnick ripped the notice apart, explaining the problems with the way that SOCA handled the situation. The original SOCA notice has since been taken down and replaced with a more accurately worded statement, but an image of the original is viewable here.

The baseless claims in the original notice included the statement that a majority of the music files previously available via the site had been stolen, and that:

As a result of illegal downloads young, emerging artists may have had their careers damaged. If you have illegally downloaded music you will have damaged the future of the music industry.

Most disconcertingly, the notice stated that visitors who had downloaded music from RnBXclusive may have committed a crime with a penalty of 10 years imprisonment and an unlimited fine. It also stated that SOCA has "the capability to monitor and investigate you, and can inform your Internet service provider of these infringements."

Then, in a move that could only be described as intimidating, it went on to display the visitor’s operating system and IP address with a statement below that read, "The above information can be used to identify you and your location."

This situation is alarming on several levels. It is unknown whether there was a court order that directed the hosting provider to take down this site, or whether the hosting company voluntarily removed the previous content. Open Rights Group is reporting that Rackspace’s UK arm is hosting the holding page. Why would it allow SOCA to put up the holding page without a court order?

We initially feared that this was a domain seizure, as when last year the domain registrar for .uk domains, Nominet, admitted to helping police authorities seize 3,000 websites and proposed new rules to expedite domain takedowns so that police authorities would not need court orders to do so. Whether this proposal was actually enacted remains unclear, but the chilling effect that both these cases have on free expression is undeniable.

Technology writer Glyn Moody reports that SOCA charged fraud because the music blog had allegedly been sharing pre-release works somehow obtained without authorization from music industry sites. If that’s true, SOCA’s involvement may not be quite as surprising as it initially appeared. But as SOCA has released no evidence in support of its allegation, it will be interesting to see how this proceeds.

In any case, this week’s takeover sets a dangerous precedent for copyright enforcement measures in the UK. If the hosting provider took down this site voluntarily without any court oversight, it raises the prospects of future cases being dealt with in a similar extrajudicial manner. Though the Internet blacklist legislation which would have facilitated similar takedowns in the U.S. has been stopped for now, we must keep a close eye on these sorts of alternative methods of online censorship that are implemented in the name of copyright enforcement.

~

For more updates on this story visit Open Rights Group or follow them on twitter at @Openrightsgroup

Permalink • Print • Comment

EU Court of Justice: Social Networks Can’t Be Forced to Monitor and Filter to Prevent Copyright Infringement

February 17, 2012 | By Gwen Hinze

In another important victory for Internet users’ fundamental rights and the open Internet, the highest court in Europe ruled yesterday that social networks cannot be required to monitor and filter their users’ communications to prevent copyright infringement of music and movies.  The European Court of Justice (ECJ) found that imposing a broad filtering obligation on social networks would require active monitoring of users’ files in violation of EU law and could undermine citizens’ freedom of expression.

The SABAM v. Netlog decision follows a landmark ruling by the ECJ in the SABAM v. Scarlet Extended case in November 2011, where the Court held that a Belgian ISP (Scarlet) could not be required to adopt a system to filter and block the transfer of potentially copyright infringing music files on its network. In that case, the Belgian copyright collective management organization SABAM had obtained an injunction (a court order) against the ISP, requiring it to install a system that would filter all of its users’ communications for potential copyright-infringing material.

Yesterday’s ruling also involved SABAM. It had sought a similarly broad injunction against Belgian social media platform Netlog.  The 2001 EU copyright directive mandates that copyright holders be able to obtain injunctions against intermediaries whose services are used by third parties to infringe copyright, but that is bounded by other EU obligations, including protection of citizens’ fundamental rights. The ECJ was asked to rule on the permissible scope of these injunctions, given their impact on Internet users’ fundamental rights and online service providers’ businesses.

The ECJ found that forcing Netlog to install a filtering system that would identify and prevent its users from making available any potentially copyright infringing files would require “active observation” of Netlog’s users. Following the 2011 SABAM v Scarlet decision, it held that implementing such a system would fall afoul of the key principle in Article 15 of the EU e-Commerce Directive, which prohibits EU member states from imposing a general obligation on ISPs and hosting services to monitor information they transmit or store, or to actively seek facts or circumstances that indicate illegal activity.

The Court also criticized the injunction on a second basis. In the 2011 Scarlet ruling and the 2008 Promusicae v. Telefonica decision, the ECJ held that in adopting measures to protect copyright holders, EU member states and courts must strike a fair balance between the protection of copyright, and the protection of the fundamental rights of individuals and businesses who are affected by those measures. The Court found that the filtering system being sought by SABAM required the identification, systematic analysis, and processing of information connected with the profiles of Netlog’s users. This would violate Netlog’s users’ right to protection of their personal data, enshrined in Article 8 of the Charter of Fundamental Rights of the EU. In addition, because the filtering system could not effectively distinguish between lawful and unlawful content, it could block lawful content, and undermine Netlog users’ right to receive and impart information protected under Article 11 of the Charter.

Given the protection required of citizens’ fundamental rights under the Charter of Fundamental Rights, the ECJ concluded that courts in EU countries can’t issue injunctions against hosting service providers that require them to install a filtering system with features as broad as the one in this case which (a) was directed at information stored on the hosting platform’s servers by its users, (b) applied indiscriminately to all its users, (c) was installed as a preventative measure (requiring hosting services to decide whether content is infringing), (d) was at the sole expense of the hosting provider, and (e) for an unlimited period of time.

So what does all this mean? Here’s a couple of our thoughts.

The ECJ ruling is directed at EU member countries, but it will have significant implications for the future of the global Internet. Injunctions are one of several strategies that intellectual property rightsholders have been pursuing to force Internet intermediaries to become copyright police. In countries around the world, IP rightsholders have used injunctions to impose filtering, blocking and user termination obligations on Internet intermediaries. These efforts are likely to expand under ACTA, because it requires signatory countries to make available broad injunctions to IP rightsholders, including temporary injunctions while a case is pending. By precluding pre-emptive filtering and blocking injunctions, the SABAM v. Scarlet and SABAM v. Netlog rulings set an important limit on this strategy for EU countries.

Because injunctions are issued by courts, usually after a process of weighing up all affected parties’ interests, measures imposed in this way theoretically provide better protection for Internet users than those adopted in private party voluntary agreements such as those we’ve seen in Ireland and Belgium. As we’ve noted elsewhere, Internet intermediaries are not competent to make legal determinations about whether particular content or conduct infringes copyright. Copyright holders’ efforts to require Internet intermediaries to take on this role under the guise of greater “co-operation” raise serious concerns about due process, transparency and accountability, and online free expression. In that respect, we welcome the ECJ’s clarification on the scope of injunctions available under EU law.

At the same time, we recognize that the ECJ’s Scarlet and Netlog decisions will now lead to increased lobbying pressure from rightsholder groups to change EU law, perhaps as part of the European Commission’s review of the 2004 Intellectual Property Rights Enforcement Directive. Let’s hope that EU policymakers approach this in as thoughtful and balanced a way as the ECJ.

Permalink • Print • Comment
« Previous PageNext Page »
Made with WordPress and the Semiologic theme and CMS • Sky Gold skin by Denis de Bernardy