InfoAdvocate

The FCC has issued two major Notices of Inquiry. One asks several questions about the Future of Media, and begins:

The objective of this review is to assess whether all Americans have access to vibrant, diverse sources of news and information that will enable them to enrich their lives, their communities and our democracy. The Future of Media project will produce a report providing a clear, precise assessment of the current media landscape, analyze policy options and, as appropriate, make policy recommendations to the FCC, other government entities, and other parties.

Another asks about “Empowering Parents and Protecting Children in an Evolving Media Landscape“:

The evolving electronic media landscape presents parents with both tremendous opportunities and critical challenges. On the one hand, electronic media technologies present many benefits for children, such as offering an almost unlimited potential for educational avenues and providing the technological literacy needed to compete in a global economy. On the other hand, the technological developments that produce these benefits also present risks for children. With this Notice of Inquiry (“NOI”), we seek to develop a record that will help us answer the question of how to empower parents to help their children take advantage of these opportunities, while at the same time protecting children from the risks inherent in use of these platforms.

Both of these will lead to reports to the public which reflect the information the FCC has gathered.

This is apparently too much for Ken Ferree, who blogs at the Progress and Freedom Foundation (PFF), concerning the first inquiry:

The problem is that the very act of initiating such an inquiry will chill protected speech; government inquiries into what is and is not working in the area of news, information, and media is itself an affront to the First Amendment. And it is no answer that the Commission has embarked on this journey with beneficent motives, it has no power to derogate from the protections of the First Amendment in the name of what one group of bureaucrats may think are important government interests.

Further, some of the PFF staff promise to  “question this ‘questioning‘” that the FCC is engaging in when it asks about about “empowering parents.”

Why stop there? Maybe we should forbid the FCC and the rest of the government from watching TV, listening to the radio, going online, or reading newspapers as well.

Bookmark to

In a Federal Register notice, the Homeland Security Privacy office announces the publication — for a limited time — of four Privacy Impact Assessments:

SUMMARY: The Privacy Office of the Department of Homeland Security is
making available four Privacy Impact Assessments on various programs
and systems in the Department. These assessments were approved and
published on the Privacy Office’s Web site between January 1, 2009, and
March 31, 2009.

DATES: The Privacy Impact Assessments will be available on the DHS Web
site until July 6, 2009, after which they may be obtained by contacting
the DHS Privacy Office (contact information below).

(emphasis added).

Why the time limitation? Why can’t the DHS website provide an archive of Privacy Impact Assessments?  More government information online means more information is easily accessible. During the campaign some discussed the potential for a more machine readable government:

But the big part of this is a commitment to making data about the government (as well as government data) publicly available in standard machine readable formats. The promise isn’t just the naive promise that government websites will work better and reveal more. It is the really powerful promise to feed the data necessary for the Sunlights and the Maplights of the world to make government work better. Atomize (or RSS-ify) government data (votes, contributions, Members of Congress’s calendars) and you enable the rest of us to make clear the economy of influence that is Washington.

This is the stuff of the “naive promise” of websites that reveal more. But at least  it is a start. And it is a start towards government reports on their privacy impacts being online, indexed by search engines, and easily found by individuals.

Bookmark to

Today the Supreme Court released its opinion (pdf) in FCC v. Fox Television Studios. The case concerns the FCC’s change in 2004 to enforce a ban on even single uses of profanity on the air. More background on the case is here. The opinion contains this amazing quote (page 24) provided by Justice Scalia:

We doubt, to begin with, that small-town broadcasters run a heightened risk of liability for indecent utterances. In programming that they originate, their down-home local guests probably employ vulgarity less than big-city folks; and small-town stations generally cannot afford or cannot attract foul-mouthed glitteratae from Hollywood.

This is a basic culture war salvo of the sort you might find from Rush Limbaugh or a random right wing blogger.  And there it is, in a Supreme Court opinion, provided by the Harvard educated judge from New York city, with no citations to outside sources or to facts in the record of the case.

Bookmark to

The Department of Justice, Bureau of Justice Statistics last week reported on its survey: “Stalking Victimization in the United States.” The survey was composed of 65,000 responses, and led to a total estimate of 5.8 million victims: 3.4 million stalking, and 2.4 million for harassment. The study covers victimization occurring mostly in 2005: the responses were collected during the first half of 2006, and inquired about events in the previous 12 months. Of these 5.4 million victims, two hundred thousand were victimized by identity theft.

Significantly, the survey also showed that 23% of victims suffered some form of cyberstalking, and 6% suffered electronic monitoring such as spyware, bugging or video surveillance.

The estimated 138 thousand victims of spyware were probably victimized by the type of stalker spyware that EPIC complained to the FTC about.  I doubt that stalkers are writing their own software or using vulnerability scripts. I also suspect that the numbers have gone up in the 3 — now entering 4 — years since 2005.  The FTC has only now begun to look at stalker spyware, and the only previous action on it was DOJ’s prosecution of Loverspy.

I’m not surprised by the numbers showing cyberstalking using email, IM, or blogs. But I do find it interesting that 8.8% of  victims had Internet sites created about them. I suspect the cyberstalking numbers have also only increased — blog usage and providers are proliferating, and so are the ways that one can make a website about another. I’ve worked with two individuals who had false online dating profiles created, one repeatedly. In these and in other cases of cyberstalking, it’s important that lawyers representing them be aware of the victimization, can present it to the court in a manner that aids their case, and can craft remedies that address the victimization.

Bookmark to

Two end of the year cases found privacy rights for individuals in intimate settings. In Iowa, a man who recorded his wife in the marital home was ordered to pay damages. Significantly, in Wisconsin, a man had his felony conviction upheld for secretly videotaping his nude girlfriend in his presence.  In both cases, the losing parties attempted to argue that their victim had no “expectation of privacy.”

In the Iowa case, it didn’t matter that the parties shared the home. When she was alone, the wife had a ‘reasonable expectation of privacy’:

We conclude, however, the question of whether Jeffrey and Cathy were residing in the same dwelling at the time of Jeffrey’s actions is not dispositive on this issue. Whether or not Jeffrey and Cathy were residing together in the dwelling at the time, we conclude Cathy had a reasonable expectation that her activities in the bedroom of the home were private when she was alone in that room. Cathy’s expectation of privacy at such times is not rendered unreasonable by the fact Jeffrey was her spouse at the time in question, or by the fact that Jeffrey may have been living in the dwelling at that time.

The court cites a Texas case, Clayton v. Richards, 47 S.W.3d 149 (Tex. App. 2001), where the wife hired a third party to install video equiptment in the bedroom. That court had noted what makes videotaping particularly invasive — permanence — even without later exposure:

As a spouse with equal rights to the use and access of the bedroom, it would not be illegal or tortious as an invasion of privacy for a spouse to open the door of the bedroom and view a spouse in bed. It could be argued that a spouse did no more than that by setting up a video camera, but that the viewing was done by means of technology rather than by being physically present. It is not generally the role of the courts to supervise privacy between spouses in a mutually shared bedroom. However, the videotaping of a person without consent or awareness when there is an expectation of privacy goes beyond the rights of a spouse because it may record private matters, which could later be exposed to the public eye. The fact that no later exposure occurs does not negate that potential and permit willful intrusion by such technological means into one’s personal life in one’s bedroom.

The Wisconsin case is much more significant. Wisconsin law made it a felony to record someone in the nude, without their knowledge and consent, in circumstances where they have a reasonable expectation of privacy. Jahnke concealed a video camera and recorded her while she was nude in his presence and during their relationship. He contends that she had no reasonable expectation of privacy because she exposed himself to him. The court disagrees, pointing out that the privacy expectation here is bound up with recording:

the prohibited act is “[c]aptur[ing] a representation.” By placing limits on the ability of others to record, the statute protects a person’s interest in limiting, as to time, place, and persons, the viewing of his or her nude body. It follows that the pertinent privacy element question is whether the person depicted nude had a reasonable expectation, under the circumstances, that he or she would not be recorded in the nude.

Jahnke attempts to analogize to an exotic dancer, saying that it would be absurd to conclude a professional nude dancer in a club would have an expectation of not being recorded. But the court has a good response, noting the fact-specific nature of the expectation of privacy:

the fact-specific nature of the inquiry means that some exotic dancers may have a reasonable expectation that they will not be recorded. For example, while not dispositive, a particular club may have a well known and enforced prohibition on recording. We discern no reason why it is absurd to provide protection to an exotic dancer who, under the circumstances, has an objectively reasonable expectation that he or she will not be recorded in the nude.

Bookmark to

The media and blogosphere are reporting the story of the break-in at Sarah Palin’s yahoo email account. Information is filtering in about who is responsible and how it was done, but it appears like there is also a lot of speculation based on lack of knowledge of Internet subcultures.

My guess is that this was done with Yahoo’s password reset feature. When you forget your password, you can retrieve it by giving some biographical details such as date of birth, zip code. Further they usually require that you answer a  question (“what is the make of your first car,” “what is your high school mascot,” etc…).  A recent article discusses the vulnerability: ‘Forgot your password?’ may be weakest link:

Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar “Forgot your password?” link and, after entering your pet’s name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.

But there’s a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You’d be surprised how easily someone can uncover Fido’s name or your alma mater with a little creative searching.

The break-in has been disclosed by and linked to individuals who participate in an anonymous web forum, 4chan (link goes to Wikipedia, not 4chan). Items on 4chan exist only temporarily, and its youthful audience has been linked to attacks on feminist blogs, among others. At a panel at the Computers, Freedom and Privacy conference, blogger and law professor Ann Bartow discussed these attacks.

Paul Ohm at Concurring Opinions makes a great point — expect the Sarah Palin Email Privacy Act of 2009.  We got a Video Privacy Protection Act after Robert Bork’s video rental records were leaked. And now we can expect more email privacy laws. Further legal analysis comes from Orin Kerr at Volokh.com. The short answer? The break in is a federal crime, possibly a felony. However, reposting the material by people not involved with the break-in is likely not criminal and will be protected by the First Amendment.

Federal law enforcement officials are involved.

Feds Everywhere?

But here’s the thing. I think this activity is actually quite common. In a short career representing domestic violence survivors, I’ve represented a client in a protection order hearing whose account was broken into in this manner.  The client and opposing party used to date, and the opposing party knew my client’s high school mascot — the question the webmail service asked. Thus he accessed her webmail account easily.  I prepared for the court a brief memorandum on how this was a crime, and thus should entitle my client to a protection order — in DC you need to show by a preponderance of evidence that an intrafamily offense occured.

The Feds aren’t involved, and no-one is going to jail. The other party did consent to a protection order, however, so we never had a hearing. He has to stay away from her, and not contact her. I added to the order we negotiated that he is to not break into her email accounts again. Maybe if he does it again, the court would order him jailed — courts do not like their orders violated. But I do not think the feds would get involved. And it may take quite a bit to convince this court that a violation occurred. The court is familiar with other allegations — threats, physical abuse, the presence of children — and not so much with Internet abuse.

So what do I hope comes out of this? What’s my hope for the as of now fictional “Sarah Palin Email Privacy Act of 2009″? I hope this leads to webmail providers  beefing up their security and cooperation with victims when breaches occur. I hope this leads to more awareness of this crime.  I hope this leads to more enforcement of this crime. Not necessarily more Feds putting more people in jail, but the use of protection orders and other intervention as happens in many other cases of abuse.  Not all of us  get headline treatment when our email is broken into. But we should all be entitled to justice and protection.

Bookmark to

Last week I heard of a web-based service for divorced or separated families, Our Family Wizard:

Secure, shared communication, schedules and information management for families. We help parents who are separated, divorced or living apart and the family law professionals who work with them manage communication, parenting time schedules, children’s’ activities, expenses and other important information using our website.

Their privacy policy tells us that they won’t sell your information, but also adds that:

The OurFamilyWizard website also receives and records information on our server logs from your browser including your IP address, OurFamilyWizard cookie information and the page you requested. . . .

The OurFamilyWizard website will send personally identifiable information about you to other companies or people when (1) we have to respond to subpoenas, court orders or legal process. . . .

This sort of information collection presents some risks. Your IP address may disclose your location. Or it may not lead directly to you, but it may instead lead to you via subpoena to your ISP. It will at least reveal the subscriber of the ISP. It will also lead to any other computers you used to access the website, whether at work, a shelter, or other safe place. The privacy policy does say that they will respond to subpoenas (and they have to) but it does not promise that they will give you notice of subpoenas, before or after they make that disclosure.

Second, I’m concerned about how the records of the interaction of this website will be used. A spouse with more tech savvy, or even just more abusive motivation, can create more records of interaction with the website. If I’m understanding the operation of the website correctly, they can make more requests — thus showing the other to more often deny requests — or show more availability. These records may be relied on by judges or other decisionmakers in divorce or custody to determine which person is being more cooperative. The records will be rather simple — how many hits, how many times logged in, how many requests accepted / denied — simple and decontextualized from any abuse or other malfeasance. The temptation exists for a court to use these because they are so simple, and perhaps because since they are easily quantifiable may acquire a patina of objectivity.

Lastly it appears that they show ads which place third party cookies on your browser. This means that other websites, other parties, will be able to track your visit to the website. Welcome to being profiled as a divorced parent as your browse the rest of the Internet — some third party cookie companies are quite big and can track you in many places on the Internet.

Bookmark to

Professor Solove questions whether people’s political donations should be so public:

Pursuant to the Federal Election Campaign Act (FECA), people’s campaign contributions must be accessible to the public. I’ve long found this to be problematic when applied to the campaign contributions of individuals. Certainly, information must be reported to the government to ensure that campaign contribution limits aren’t exceeded. But I don’t know why it is the public’s business to know what candidates I’ve given money to and how much.

The discussion that follows in in the comments is quite interesting.

I tend to agree that the system does sometimes appear to be upside down. Surely this data is used as the raw material for important political discussions such as McCain’s receipt of oil money after changing his mind on oil drilling. But I also often see it being used to vet or appraise individuals, not to watch the politicians that receive money.   When Bob Novak struck a pedestrian in downtown DC, the cyclist that chased him down was reported to be an Obama supporting lawyer. Does that fact add much to the story, besides give it a possible partisan taint? Delaware’s Republican Senate candidate has been disciplined for being an Obama supporter — a fact that came out in part because his donations were published.

This data is quite a goldmine for profiling and direct marketing. One can usually identify high income individuals, and then make some good guesses about their business (their employers are listed) and political interests. Addresses are listed, not just zip codes.

The chilling effects on donating are real. Conversely, the donation pages on the McCain and Obama campaigns do not make clear that the records are going to be publicly available. At most they mention reporting. Individuals trying to maintain address privacy will have to abstain from contributing, or not report their real address. That’s only if they know about the reporting and disclosure of information.

But there are some interesting tales to be told from the individual level data. An example:

It turns out that Hess executives aren’t the only ones who gave such huge sums to elect McCain — generosity towards McCain apparently extends down into lower levels of Hess staff. A lower level employee gave the same, too, and so did her husband, even though he works for Amtrak.

The FEC filings show that Alice [...], who’s identified as a Hess office manager, and her husband, Pasquale [...], who’s described as an Amtrak “track foreman,” each separately donated $28,500 to the RNC-McCain fund, which is called McCain Victory 2008. They gave the money on June 24th, the same day that eight other Hess execs and family members each shelled out the same amount.

This looks suspicious because it would be inappropriate to funnel money via some other member of the corporation, and its unlikely that people with those job titles would have 57K to give.  I should add that it appears that other public records come to their rescue in an update:

In fairness, the [...]’s may be better off than initial appearances would suggest. Real estate records show they purchased a North Carolina property in 2006, and in 2007 took out a loan to buy another property in Scottsdale, Arizona.

Given that it is unlikely that we will be able to keep this data completely confidential, I suggest we come up with limitations on how it can be used. Of course, journalism, investigative and research uses are going to continue. But perhaps we can limit commercial uses? Or even more interestingly — find a way that people know when their donations have been accessed?

Bookmark to

Many people have been critical of how the Democratic leadership handled the recent FISA deal.  Blogger Glenn Greenwald notes some of the reactions. There have even been quotes that the administration got “a better deal than they hoped to get.”  I commented on the radio (KPFA, 19 minutes in) that this was not a “compromise” but a give-away.

Given all of that, it was interesting to find this piece in the Politico — How Hoyer got the deal done:

In a tense moment during negotiations over the Foreign Surveillance Intelligence Act, Sen. Kit Bond — the ranking Republican on the Senate Intelligence Committee — said that his side of the aisle could never accept one of the proposals the Democrats were pushing.

According to Democratic insiders, House Majority Leader Steny H. Hoyer abruptly stopped the meeting and said that, if a deal was made, no one would get more grief than he would.

…
According to several Democratic insiders, Hoyer was able to keep the talks going by pointing out that he, more than anyone else in the room, was taking a huge political risk by trying to reach a deal.

Hoyer is the majority leader — is there a chance he’ll lose that position? He also seems safely in his seat — he soundly defeated his last primary challenger.

James Patrick Cusick, Sr.	Steny H. Hoyer(Won)
19,067 (17.4%)	90,513 (82.6%)

Hoyer also soundly won the general election — the Republicans did not enter a candidate and Hoyer defeated the Green Party candidate getting 84% of the vote.

So my question is: What is the “huge political risk” Hoyer was facing?  It actually looks like he had a lot of leeway here. He had a strong position to negotiate from, and true he gave that up, but I don’t think he’s in a position to pay a price for it.

Finally, I do not get this reaction from Politico:

Hoyer knew it was coming, and he persevered anyway. That he did so speaks volumes about who he is: a master of cloakroom politics who can use his friendships across the aisle to strike deals, even if others demand that his party hew closer to the positions that put it in power in 2006.

It does not take “master[y] of cloakroom politics” to be in a safe position and then give in to the other side. I have never engaged in “cloakroom” anything, but sounds like a rookie mistake, rather than “mastery.” Politico goes on:

Hoyer said that if House Democratic leaders failed to reach a FISA deal with the White House and GOP leaders, as many as “30 Blue Dogs and another 20 to 30 members” could have signed onto a Republican discharge petition calling for a floor vote on the Senate version of the FISA bill, which was even more anathema to House Democrats than what eventually passed.

It would take a “master of cloakroom politics” to have kept that from happening. But that is not what Hoyer did.

Bookmark to

Today’s Washingon Post has an A1 story about Facebook Application privacy:

Facebook fanatics who have covered their profiles on the popular social networking site with silly games and quirky trivia quizzes may be unknowingly giving a host of strangers an intimate peek at their lives.

Those mini-programs, called widgets or applications, allow users to personalize their pages and connect with friends and acquaintances. But they could pose privacy risks. Some security researchers warn that developers of the software have assembled too much information — home town, schools attended, employment history — and can use the data in ways that could harm or annoy use.

I’ve previously blogged on the privacy issues of Facebook Apps such as the civil liberties problems when law enforcement agencies create Facebook apps.

It’s good to see this issue gaining mainstream attention, because it means that people will start thinking differently about threats to privacy online. EPIC recently testified at a hearing on spyware. The testimony included social networking applications as a possible vector for spyware.

People at the hearing talked about the need to have any legislation in this area not be technology dependent. The bill being discussed, S. 1625, included some language that was focused on PCs, but ignored other threats. The bill had sections making unlawful certain behavior. It used language like “caus[ing] the installation on [a] computer of software that” did several prohibited things, like improperly collect information or display too many popups. But that language is focused on the idea that people keep their data on their computer. With social networking, people are keeping their data online, with social networking services. This data should also be protected from new types of spyware, and we should think of improper data collection from social network services in the same way we think about improper data collection from our home computers.

Bookmark to