A recent blog posting by Louise Story of the NY Times demonstrates why we at CDT have had trouble writing about Facebook’s latest privacy dust-up, best explained by the examples of Facebook users who unwittingly had their Christmas purchases exposed to their entire gift list.

When CDT originally discussed the Facebook “beacon” with the company, we were told that notice and consent would be clear. However, we believed from the beginning that this would be a difficult task for Facebook and the implementation would be key to getting it right. This week has been a slog in that direction as the company posted and re-posted subsequent versions of notification and consent boxes. It is clear that Facebook is moving in the right direction, but only the Facebook community is going to be able to decide whether they’ve gotten it right, and whether Santa’s secrets remain at the North Pole.

This privacy mess is an example of how hard it is to get notice and consent right. Facebook had a strong incentive to make it work from the beginning, but they have already clearly failed several times. Trust is the currency of social networking; ill-spent, that currency is hard to regain. That’s why testing for privacy concerns, and working with the community before pushing out possibly intrusive new features, is imperative. Such practices help build a community of trust; get it wrong and the user base becomes spooked, always waiting for the “next wrong thing” to be revealed.

And there is a deeper lesson here: the conventional wisdom that social network users don’t care about their privacy is just wrong. While they may post personal information about themselves on the Web, they still want to control their own information. When decisions are made on their behalf, they will rebel.

Yesterday, the FBI announced success in its efforts to shut down Bot Nets, going after a bunch of different “botherders” based in the US. In the process, the Bureau identified more than 1 million botnet crime victims. The FBI also has been working internationally with its counterparts to shut down botnets around the world. This is an important and encouraging story on the role of law enforcement in preventing major Internet crime such as identity theft and spyware installation.

Some residential Verizon Internet subscribers have recently noticed a curious result when they accidentally mistype a Web site address in their Web browsers: rather than receiving an error message, or being re-directed to a search engine page that has been configured by the browser to handle misspelled URLs, they end up at a Verizon search page. This occurs because Verizon has changed the way it uses the Domain Name System (DNS) to translate misspelled user-typed URLs; the company essentially creates a new default setting that overrides functionality at the network endpoints, and re-directs the user to its own site.

Most users will likely find this to be a fairly minor issue since they will eventually find the site they were looking for regardless of what their browsers return when a DNS look-up fails. But there are some problems with what Verizon is doing: the departure from agreed-upon DNS technical standards may impair the functionality of certain network-based applications, and Verizon is overriding consumer choices without providing meaningful alternatives.
(more…)

I have nothing against the French. I never ordered “Freedom Fries” with my hamburger; the French Foreign Legion helped fuel my adolescent fantasies of adventure and wanderlust; and much later Brigitte Bardot helped fuel my… well, you get my drift. But I admit to being peeved at them for the hubris contained in the recent announcement of a three-way pact among the French government, Internet Service Providers, and the entertainment industry to try and crack down on illegal file sharing.

The agreement puts ISPs at the forefront of a scheme requiring the companies to monitor each citizen’s online activity on the chance that illegal file sharing might be happening, an act that instantly turns ISPs into a de facto cyber-police force.
(more…)

Today’s Verizon Wireless announcement that it will open its network to third party devices represents a major shift with tremendous potential to spur innovation. The likely eventual result is a wide variety of new devices taking advantage of wireless connectivity over Verizon’s mobile network — and not just phones with cool new features or designs, but potentially devices with entirely novel functions, like, say, networked automobiles, shipping packages, or even refrigerators. Combining the ubiquitous nature of the wireless network with the creativity and imagination of the broad technology developer community may yield any number of innovative ways to incorporate network-based functions into non-telephone devices. In response to a question during a press briefing, a Verizon Wireless official expressly said that if an innovator in his garage can develop a device that meets the basic technical specs, the device can connect to the Verizon network. This is precisely the kind of openness that’s allowed small innovators to turn the Internet into such a dynamic platform, but has been lacking on U.S. mobile networks to date.

What prompted the groundbreaking announcement? I suspect it was partly competition with AT&T and Apple’s iPhone. The iPhone, available in the U.S. only on AT&T’s network, is showing that people will switch carriers to get a cool new device. Verizon Wireless may have decided that the best way to compete with AT&T’s iPhone advantage is not to try to build a new blockbuster phone of its own in-house, but rather to let a thousand flowers bloom — and let innovators across the country create applications and devices that Verizon hopes will drive users to its network.

But Verizon’s decision was also likely related to the recent policy debate over openness. Early in 2007, Columbia law professor Tim Wu released a paper highlighting problems with the more closed model the mobile phone companies were following. VoIP provider Skype filed a petition with the FCC advocating the application of “Carterfone” rules — the rules that decades ago forced AT&T to allow use of third party phone equipment with the traditional telephone system — to mobile carriers. A major fight also erupted about whether to include openness requirements as part of the usage rules for key 700 MHz spectrum soon up for auction, and the FCC did in fact choose to include some openness provisions. There were congressional rumblings as well, including a hearing on wireless innovation and competition prompted by AT&T’s exclusive iPhone deal with Apple. All of this shined a major spotlight on questions about innovation in the wireless marketplace, increased public awareness of the limits of mobile phones and mobile services, and very likely played a significant role in prompting Verizon Wireless executives to consider a different policy.

(more…)

It was reported last week that Donald Kerr, the Principal Deputy Director of National Intelligence, made the controversial proclamation: “Protecting anonymity isn’t a fight that can be won.”

At an October conference, Kerr, in advocating for greater information sharing between intelligence agencies responsible for national security, stated that “in our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past.”

Kerr urged that we “move beyond the construct that equates anonymity with privacy and focus more on how we can protect essential privacy in this interconnected environment.” By “essential privacy” he appears to mean – albeit oxymoronically – that the government, particularly the intelligence community, knows who you are and has information about you, but must work within “a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards” that govern the use of personal information.

Kerr backed up his thesis by pointing out his “willing[ness] to share my credit card number and expiration date with a person I have never seen,” and his ability “to get past being anonymous in” such online transactions. He also highlighted the fact that many young people freely provide all sorts of personal information on websites like MySpace, Facebook and YouTube.

There are two problems with these statements. First, Kerr completely dismisses the value of anonymous speech in a free, democratic society. He tried to soften the blow by stating, “We have always been a free people who can defend ourselves without giving up the liberties that animate us to action.” But by asserting that “[p]rotecting anonymity isn’t a fight that can be won,” Kerr seems to be expecting some sacrifice of fundamental liberty.
(more…)

Earlier today Google announced the Google Policy Fellowship program, which offers undergraduate, graduate, and law students the opportunity to spend the summer contributing to the public dialogue on issues fundamental to the future of the Internet and its users, and exploring future academic and professional interests in Internet and technology policy. CDT is one of nine organizations that will be hosting fellows for the summer.

Fellows will have the opportunity to make substantive contributions to CDT’s work in one or more issue areas, including free expression, consumer privacy, security and freedom, digital copyright, and open government. Fellows may engage in a variety of activities while at CDT, including conducting policy research and analysis; drafting reports and analyses; attending government and industry meetings and conferences; and participating in other advocacy work.

To apply for the Google Policy Fellowship program, click here.

As the old saying goes, “Information is power.” So it is no surprise that the free media is often the first to go when dictatorial regimes – or even ostensibly “democratic” governments – find themselves in power struggles with the people they govern.

Last month, we called on the U.S. and other democratic countries to speak out against Burma’s shutting down of the Internet and other media in an attempt to quell the pro-democracy protests led by the country’s Buddhist monks.

Now this week – in a shocking dictatorial double-play – both Pakistan and Georgia declared emergency rule (effectively, martial law), suspending their constitutions and clamping down on independent media. Pakistan’s President, General Pervez Musharraf, asserted his need to fight terrorists – but it seems clear that he’s made a desperate move to retain power midst increased calls for his ouster, or at least the shedding of his military uniform. In recent months, lawyers have been the heroes of Pakistan, taking the lead in protesting Musharraf’s longtime military rule, and the current state of emergency.

The Washington Post reported that Musharraf “moved quickly to control the media, which he said was partly to blame for the current crisis. Authorities have blacked out TV networks and threatened broadcasters with jail time, but so far have spared the Internet and most newspapers. Most people in Pakistan, where illiteracy is rife, get their news from TV or radio.” Unlike in Burma last month, that the Internet has been spared in Pakistan is, fortunately, enabling at least some people to communicate with each other and get information out about what is happening in their country.

It was also reported that the pro-Western, formerly Soviet country of Georgia shut down private TV stations this week in a claimed attempt to combat Russia’s efforts to undermine the fledging democracy. Even if Georgia’s president is right about Moscow’s intentions, Georgia will never be a “beacon of democracy” (as U.S. President George Bush has said) if it employs Stalinistic tactics to control its people.

A free and independent media is the cornerstone of a free society. To Westerners, this truism is often taken for granted. But savvy rulers are all too conscious of it. It was Joseph Stalin who said, “Ideas are more dangerous than guns.” What better way to control ideas than to control the media? As with Burma, democratic nations around the world must decry, in words and deeds, emergency rule and the suppression of independent media – such actions have no place in a free society.

Among all of the press releases, surveys, and reports released last week for the FTC’s behavioral targeting Town Hall, there’s one in particular that deserves some extra attention since its authors were not in DC for the event. The Samuelson Clinic at UC-Berkeley and the Annenberg Public Policy Center at UPenn jointly released a study last week about consumers’ fundamental misunderstandings of online advertising. Two of the study’s findings are particularly alarming.

The first is that when consumers see the words “Privacy Policy” on a Web site, they assume that the site will not share their data. In each of two different surveys conducted over the last few years, over half of all adults agreed with this statement: “When a web site has a privacy policy, I know that the site will not share my information with other websites or companies.” This is perhaps one of the most fundamental misconceptions that consumers could have about how the Web works. There was much debate last week about whether consumers prefer to receive targeted ads over non-targeted ones, and whether they understand the trade-offs involved in making that decision. If consumers don’t even understand how privacy policies work, it’s hard to imagine that they understand behavioral targeting.

Indeed, the second alarming finding confirms this lack of understanding. The survey asked respondents to pick a Web site that they valued, and then explained to them a common scenario of third-party behavioral advertising — serving ads on the “valued” site based on their visits to other sites. A whopping 85% of those surveyed did not agree that “valued” sites should be allowed to engage in this common practice. When offered the choice of visiting a site with this policy or paying to visit the site in exchange for not being tracked, over half of the respondents said they would rather find the information offline than choose either of those options. Clearly, consumers have no idea that they are being tracked across the Web. If they truly understood their options and could act on them, they might make very different choices than they do today.

The Samuelson/Annenberg study gives us great insight into consumer confusion about advertising on the Web. Obviously, much work remains in ensuring that consumers understand what choices they have online, and that those choices continue to promote a vibrant and dynamic online environment.

The Do Not Track proposal announced last week by CDT and eight other groups — which aims to improve consumer choices about behavioral targeting in online advertising — has generated a diverse array of reactions in the press. One of these, discussed in BusinessWeek and elsewhere, is the idea that adoption of the Do Not Track List would reduce advertising revenue. The way the argument goes is that behaviorally targeted ads are more valuable than other kinds of ads, and use of the Do Not Track List would mean that fewer behaviorally targeted ads would get served to Internet users. BusinessWeek cites Tim Vanderhook, CEO of behavioral ad network Specific Media:

“The value of advertising on the Internet would drop because you couldn’t say, ‘This is a finance person. Let me show them a finance ad,’” says Tim Vanderhook, chief executive of Specific Media, one of the largest privately held behaviorally targeted ad networks. “So the only way to make as much money is a) make them pay or b) show them more ads.”

The funny thing about this line of reasoning is that consumers already have a way to opt out of some behavioral targeting — the Network Advertising Initiative (NAI) opt-out cookie. Specific Media itself is a member of the NAI and provides this tool to Internet users (see theirprivacy policy for more information). Thus, the argument that ad revenues decrease when consumers are provided with a choice about whether to be behaviorally targeted can only really mean one of two things: behavioral targeting firms have somehow overcome the loss of revenue associated with the use of the NAI opt out, or the NAI opt out doesn’t work.

We’re pretty sure it’s the latter, which is one of the reasons why we helped to develop the Do Not Track proposal in the first place. Do Not Track has the same goals as the NAI opt out: to provide consumers with a choice about whether to be tracked online for advertising purposes. The difference is that the Do Not Track list would be (1) well-understood and accessible to consumers, (2) persistent, (3) applicable to the behavioral targeting industry at large, rather than a small subset of companies, and (4) enforceable against all types of tracking technologies. By arguing that the Do Not Track List would hurt ad revenues, ad networks are essentially arguing that the system they provide for consumer choice — the NAI opt out — is broken. Do Not Track merely seeks to fix it.