Public private lives
A bookshop assistant followed me home the other day, wrote down my street address, took a photograph of my house. Ever since, every morning I find an advertising banner draped over my car windshield that I have to remove before I can drive to work.
That is, of course, a fantasy scenario. But it's an attempt to describe what some of today's Web site practices would look like if transferred into the physical world. That shops do not follow you home is why the analogy between Web tracking and walking on a public street or going into a shop doesn't work. It was raised by Jim Harper, the director of information policy studies at the Cato Institute, on the first day of ACM Computers, Freedom, and Privacy, at his panel on the US's Do Not Track legislation. Casual observers on the street are not watching you in a systematic way; you can visit a shop anonymously, and. depending on its size and the number of staff, you may or may not be recognized the next time your visit.
This is not how the Web works. Web sites can fingerprint your browser by the ecology of add-ins that are peculiar to you and use technologies such as cookies and Flash cookies to track you across the Web and serve up behaviorally targeted ads. The key element - and why this is different from, say, using Gmail, which also analyzes content to post contextual ads - is that all of this is invisible to the consumer. As Harlan Yu, a PhD student in computer science at Princeton, said, advertisers and consumers are in an arms race. How wrong is this?
Clearly, enough consumers find behavioral targeting creepy enough that there is a small but real ecology of ad-blocking technologies - the balking consumer side of the arms race - including everything from Flashblock and Adblock for Mozilla to the do-not-track setting in the latest version of Internet Explorer. (Though there are more reasons to turn off ads than privacy concerns: I block them because anything moving or blinking on a page I'm trying to read is unbearably distracting.)
Harper addressed his warring panellists by asking the legislation's opponents, "Why do you think the Internet should be allowed to prey on the entrails of the hapless consumer?" And of the legislation's sympathizers, "What did the Internet ever do to you that you want to drown it in the bathtub?"
Much of the ensuing, very lively discussion centered on the issue of trade-offs, something that's been discussed here many times: if users all opt out of receiving ads, what will fund free content? Nah, said Ed Felten, on leave from Princeton for a stint at the FTC, what's at stake is behaviorally targeted ads, not *all* ads.
The good news is that although it's the older generation who are most concerned about issues like behavioral targeting, teens have their own privacy concerns. My own belief for years has been that gloomy prognostications that teens do not care about privacy are all wrong. Teens certainly do value their privacy; it's just that their threat model is their parents. To a large extent Danah Boyd provided evidence for this view. Teens, she said, faced with the constant surveillance of well-meaning but intrusive teachers and parents, develop all sorts of strategies to live their private lives in public. One teen deactivates her Facebook profile every morning and reactivates it to use at night, when she knows her parents won't be looking. Another works hard to separate his friends list into groups so he can talk to each in the manner they expect. A third practices a sort of steganography, hiding her meaning in plain sight by encoding it in cultural references she knows her friends will understand but her mother will misinterpret.
Meantime, the FTC is gearing up to come down hard on mobile privacy. Commissioner Edith Ramirez of course favors consumer education, but she noted that the FTC will be taking a hard line with the handful of large companies who act as gatekeepers to the mobile world. Google, which violated Gmail users' privacy by integrating the social networking facility Buzz without first asking consent, will have to submit to privacy audits for the next 20 years. Twitter, whose private messaging was broken into by hackers, will be audited for the next ten years - twice as long as the company has been in existence.
"No company wants to be the subject of an FTC enforcement action," she said. "What happens next is largely in industry's hands." Engineers and developers, she said, should provide voluntary, workable solutions.
Europeans like to think the EU manages privacy somewhat better, but one of the key lessons to emerge from the first panel of the day, a compare-and-contrast discussion of data-sharing between the EU and the US was that there's greater parity than you might think. What matters, said Edward Hasbrouck, is not data protection but how the use of data affects fundamental rights - to fly or transfer money.
In that discussion, while the Department of Homeland Security representative, Mary Ellen Callahan, argued that the US is much more protective of privacy than a simple comparison of data protection laws might suggest. (There is a slew of pieces of US privacy legislation in progress.) The US operates fewer wiretaps by a factor of thousands, she argued, and is far more transparent.
Ah, yes, said Frank Schmiedel, answering questions to supplement the videotaped appearance of European Commission vice-president Viviane Reding, but if the US is going to persist in its demand that the EU transfer passenger name record, financial, and other data, one of these days, Alice, one of these days...the EU may come knocking, expecting reciprocity. Won't that be fun?