Thanks to my friend Rebecca Herold for pointing out this infographic on How RapLeaf Spies On Your Online Habits
There has been a lot of press recently about RapLeaf.
Jessica Bennett in Newsweek reveals ‘What the Internet Knows About You’
Eric Goldman, in his blog Technology and Marketing Law, under the title ‘My RapLeaf Profile is Amusingly Mistaken. This is What the Fuss is All About?’, refers to the WSJ article ‘A Web Pioneer Profiles Users by Name’.
After all, should we conclude that ‘Rapleaf is Not a Tracking Company: Tracking versus Relevance‘: ‘Jim Dempsey, a privacy advocate at the Center for Democracy and Technology, said he resigned from RapLeaf Inc.’s privacy advisory board after being contacted by the Wall Street Journal about his role at the Internet tracking company.‘
Here is Rapleaf’s own guide on Cookies 101.
Yesterday, we had our first Twitter privacy chat, to which all privacy-minded Twitter users were invited by PrivacyCamp and the Center for Democracy for an hour and 6 tweeted questions. The quiz game went at a fast pace, and the questions were simply brain stimulation and a context for more interaction, I guess.
The rules were: ‘CDT New Media Manager Mark Stanley — will ask a #privacy question every 10 minutes for discussion. The chat will be an hour. #PrivChat’ (for some reason my own tweets, @clarinette02, appear neither on the #privchat log nor on the transcript!). I will reproduce them here with some more developments:
Question 1 – What is the greatest challenge/s to online?
– Cross-border regulation is one challenge for any regulation. Beyond the traditional debate over exceptionalism or not, regulating online activities in a multinational environment is a major challenge.
– Transparency and consent are another challenge in keeping control over the flow of private information. You might give consent to the first layer of data collection and processing, but the lack of transparency takes away control over further data sharing for the purpose of profiling. The storage of these data is subject to security concerns and possible leaks. The recent case of a Google employee’s access to data is a demonstration of the sort of abuse to expect.
Legislating for a fast-evolving tech area is an illusion, whereas transparency and adequate sanctions, combined with class actions, awareness and education, are a reality.
Very much agree with ‘@repdef: The issue is control. There’s so much data available, and so few mechanisms for consumers to control that data.‘
This of course included the questions evoked by @ericanewland : ‘…cookies? toolbars? social networks? databases? referring URL? no SSL encryption?’
during the #OECD30. ‘Omer Tene talks re failure of existing #anonymization mechanisms 2 protect #privacy. this is a huge issue 4 clients.‘
@privacyfocused wondered: ‘would it be useful to use @danielsolove’s taxonomy of privacy as a means to structure privacy discussion more broadly?’ Interesting, although such a broad, philosophical view is hard to debate in 140 characters.
@bnmeeks asked: ‘What’s biggest challenge for reporters covering priv issue?’ – We know the existing tension between privacy/transparency and freedom of speech and freedom of expression. Reporters’ freedom of speech and news reporting have been turned down for privacy (the case of Max Mosley in the UK) as well as for the defense of copyright (the Ashdown case).
The traditional private/public dichotomy is challenged online. There should be an expectation of privacy even in public. For this reason, I am wondering if we are not using the wrong terminology. I suggest talking about ‘control’ instead of ‘privacy’.
Even in a ‘public’ place such as Twitter, shouldn’t we expect our conversations or ‘tweets’ not to be taken out of context and published elsewhere without our consent?
For @mediablawg there are ‘Two big challenges: Applying old laws to new/changing technologies, and privacy issues in social media’.
Is self-regulation on its own a better alternative?
@AlexanderHanff objects: ‘when you add to the mix government surveillance, which is increasing year on year, it seems privacy is always an afterthought’.
@ericanewland agrees with @alexanderhanff on self-regulation and adds: ‘Self-reg is important but insufficient when used alone. It’s why we need’
@bnmeeks objected: ‘but U.S. privacy laws are fractured; scattered, no comprehensive privacy law’. Yes, laws differ online!
He then added: ‘lobbying is also a huge issue. With security vendors pushing national security policy and private sector pushing for self reg‘.
@repdef considers that ‘self-regulation keeps the good guys who care about reputation honest, but what about the others?‘ Maybe more consumer power, sanctions and class actions could help to wake them up?
Later, @AlexanderHanff added: ‘it has been clear for some time now that self-regulation with regards to commercial actions does not and can not work‘
And yes, the objection to education is the funding of course.
Ideally, as mentioned by @repdef, we should aim at ‘Finding a way to give consumers control over their data w/o impeding the economy of the Web. Also, privacy awareness’
Surely, as @free_styler adds: ‘It’s a lot of work to figure out the so-called security options on various platforms.’
More or less everyone seems to agree that ‘Privacy policies are a threat to consumer understanding. I’m working on http://bit.ly/dpjSoX
@kaniea considers ‘A major issue is trust. Consumers are starting to lose trust in groups like FB to honor the privacy settings that consumers make’
For @PrivacyPug the ‘Flow of data is so complex, changing that even companies aren’t aware of how data moves internally/externally‘
Question- 2: What privacy problems should receive more attention? Are there privacy issues that have been overblown, and if so, why?
I personally consider that more attention should be paid to the aggregation that allows profiling. Each innocuous piece of information is pieced together to reveal the entire profile of users. Search engines play a crucial role in that. Users have no knowledge of the technology’s abilities and inabilities, which result in erroneous profiles (see the above Janet Barnnett’s article on RapLeaf). The lack of transparency takes advantage of the very large scope of data flow and spread online. Transparency of the information structure and data mapping could bring healthier behavior and give meaning to users’ consent. In addition, it would make the data subject’s request for information easier to implement.
I think @ashk4n goes in the same direction by saying that the challenge is ‘unwanted linking of online activity to my ‘identity’. Should not collect or make it impossible to identify’
@JustinBrookman believes absolutely that ‘merging of identities/personas should get much more attention’
To this, @PrivacyWonk added: ‘FB and Google’s domination on the privacy scene have detracted from the overall. The data broker industry never gets poked’.
And yes, I join @rjlar to agree with @CenDemTech, ‘Offline data sharing and the data broker industry needs more attention.‘
Yes, @privacyfocused is correct in observing that ‘nothing that is happening w/our data today has not happened in the past, diff now is speed and reduced costs of doing so.’ To the speed and the cost we can add the SCOPE. Never in the history of humanity has anyone been able to broadcast to such a wide audience. I was always amazed by the story of Napoleon exiled on the Ile d’Elbe, only recognised by his profile on a coin! And speed also means more ‘spontaneous’, less considered behaviour.
Apart from privacy stricto sensu, this is a reputation issue, developed further by Daniel Solove in THE FUTURE OF REPUTATION: GOSSIP, RUMOR, AND PRIVACY ON THE INTERNET.
@repdef reminded us: ‘Privacy as it relates to reputation is something people should understand. To a stranger (or advertiser) your online data is YOU’.
@privacypug and @ghostery seem to share the same view that ‘Companies need to invest in privacy staff to get a hold of it and put internal controls in place.’ They might need some extra incentive, if not strong sanctions with deterrent effect.
@AlexanderHanff replied: ‘I don’t think the laws are really the issue – many are suitable but private/public sector not following spirit of those laws.’
@ericanewland and @danielg280 agree that ‘privacy policies are hard to write! Maybe it’s why we need a new model.‘
I fully agree with @prefcentral: ‘consumer control does not have to be complex. we need to give consumers meaningful choices over ads/advertisers v. ad networks‘
@aarontitus and @econwriter5 seem to share the idea that ‘Privacy and Intellectual Property law should be permanently divorced. http://bit.ly/9kvygm’ This is a difficult one. A balance of rights, respecting a hierarchy of norms that places the fundamental rights, including privacy and freedom of speech, at the top, above copyright, would be my solution.
@privacyfocused asked: ‘what are the boundaries and grants of ownership (no diff than issues w/copyright or property rights)?’
@aarontitus added: ‘Can’t own personal information: We are data. If we are data, and data is property then we may become property.‘
@aarontitus strongly believes that ‘Personal Information cannot/should not be regulated as IP.‘
I tend to agree with him as well as with @econwriter5: ‘If we may become property, then I want 10% of each sale of my data.’ If I take the risk of being profiled, then AT LEAST I should expect the profit to be shared.
@JustinBrookman: thinks consumer trust ‘is a major reason we need a privacy law. Our lack of rules is becoming an economic disadvantage‘
This could be one reason for the issue, but it is difficult to give it a ‘democratic’ answer: ‘@_pidder_:…Users are accustomed to receive services for free these days. There is no free ice cream, though.’
@aarontitus reminds us of ‘The False Notion that one can “Own” Personal Information’ as well as ‘The Failed Notice and Consent Legal Regime’ and ‘3. Erosion of the Definition of Privacy’; for @aarontitus: ‘4. The Two Mortal Enemies of Privacy are Convenience and Fear’.
@EUdiscovery echoed Marc Rotenberg @OECD30 : ‘notice & choice are used today as disclaimers, almost opposed 2 essence of a data protection regime‘
@micshasan considers we should ‘start with transparency.. 3rd parties can build consumer tools, but only if data becomes transparent‘.
@danielg280 points to a practical issue: ‘How can you be transparent in a way that consumers will actually take notice of? they don’t read web TOU’s, just like paper terms‘
@kaniea added: ‘There have been some attempts to make privacy policies easier to understand http://cups.cs.cmu.edu/privacyLabel/
On the question of education, @ericanewland asked @_pidder_ ‘but how to educate? Most think the value prop is ‘see ads, get service,’ not ‘give private info, get service.‘
@AlexanderHanff: ‘problem with “privacy staff” is they are often hired for “risk assessment” with re corp risk not consumer/privacy risk’. For him, ‘Behavioural Profiling and trading of personal data are serious issues, also location sharing is a huge personal safety concern’.
END OF PART – I
Question 3- : Which is more effective in safeguarding personal data: Privacy protections or transparency on what data is being collected?
What about clarifying the definition of Personal Identifier/Personal data, as suggested by @aarontitus, who wishes ‘we could all come up with a better replacement concept for PII. PII is so broad that it’s meaningless… Solution=context’?
@iglazer said : ‘differently there is very little that cannot be transformed into PII‘.
@PrivacyCamp wishes he had ‘the solution to PII. Real privacy demands context-specific risk assessment. That is far more difficult.’
@privacyfocused prefers, ‘before getting to privacy, the online identity issue needs 2 be resolved. it should support anonymity, but we need entity 2 protect.‘
@danielg280: reminded that ‘people don’t read TOUs or privacy policies, just as they don’t read paper disclosures. there need to be prohibitions‘
@AlexanderHanff considers ‘neither are effective historically. Transparency defined differently in corp dictionary and safeguards don’t exist’
As no regulation can keep pace with technology, I optimistically believe that combining current regulation, better harmonised, with stronger sanctions, more power for consumer representatives with a right to class action, and ultimately transparency, awareness and education could make a good ‘ragout’ to protect and keep control over privacy.
@micshasan agreed with @ericanewland, considering that ‘Transparency is necessary b insufficient!’ and adding: ‘but it’s an essential building block .. can’t downplay.’
@EUdiscovery on Privacy Protection asked: ‘Who enforces transparency anyways?‘
Enforcement, civil and criminal sanctions according to specific cases, is another factor to put in balance.
There is enough here to write an exhaustive essay; most of the essential points are there.
Now, what are my rights over the data collected? Does any one of the participants have any IP right in these tweets?
How ‘respectful’ have I been to the spirit of the authors, and what are my rights and duties in publishing these tweets out of their contexts? I have made a few light editorial touches; I hope no one will take offence.
@aarontitus is bringing out a fundamental question: ‘I wish we could all come up with a better replacement concept for #PII. PII is so broad that it’s meaningless‘
While @repdef thinks ‘Privacy as it relates to reputation is something people should understand. To a stranger/advertiser your data is YOU‘, @privacyfocused added: ‘before getting to privacy, the online identity issue needs 2 be resolved. it shld support anonymity, but we need entity 2 protect.
Certainly, as @danielg280 said: ‘The challenge is to create meaningful restrictions that protect privacy but don’t stifle commerce. needs to be a balance‘
It’s all a question of balance; isn’t that justice? @aarontitus: ‘Focusing on education within the Notice and Consent legal regime is like giving swimming lessons in a rip tide.’
Legitimately, @repdef considers ‘It has to be a combo of the two. Consumers have shown willingness to share, if they KNOW what it is they are sharing and why.‘
@Londyn2005 thinks ‘they need to stop relying on privacy policies as the a end all. If no one is reading them, they aren’t agreeing
Yes @privacypug, internet activities have a lot of analogies with driving a car: ‘privacy protections need to be built in (air bags/anti-lock brakes) as opposed to notice/consent (e.g. seatbelts)’
And the wise man @AlexanderHanff said : ‘It is all really a question of ethics and when public/private sector will start to behave ethically, shouldn’t be complex‘. Could this be an encouragement for healthy behavior?
@AlexanderHanff considers ‘Simple and Ethical solution is simply to obtain informed consent if you wish to trade in personal data but industry don’t like
@meitweet reminded us that ‘Transparency = bigger challenge & would be more effective. Impossible for user to know how far and wide a company “shares” info …’
Question 4-: What specific practices by online companies or websites best exhibit effective means to protect consumers ?
…………. under construction.
Have we mentioned the ‘Droit a l’oubli’ – the right to oblivion?
Most of the main questions were there; what remains is the question of how to implement the right balance.
To adjust regulation to new technologies we need to understand how the two interact. To do so, we first need lawyers and technicians to understand each other.
They need to understand how an IP address can be the link between the digital identity and the real-life identity, and how tracking peer-to-peer infringement can cause harm to privacy.
Twitter List of #privchat members, open to whoever wishes to join and participate in the debates organised by the Center for Democracy and Technology in collaboration with Privacy Camp. ON TUESDAYS NOON.