U.S. Chamber of Commerce and others seek influence in congressional privacy discussion

The nation’s most prolific enablers of privacy violation continue debating how closely to emulate the European Union privacy law (GDPR), but maybe they’ll put off big decisions until 2020.

Earlier this month, the U.S. Chamber of Commerce submitted a 10-point plan which seeks, among other things, to limit consumer lawsuits for data breaches. The Chamber reasons that money spent on litigation drains businesses of funds that could be used to prevent data breaches. True enough, if only the savings were earmarked for that purpose.

Meanwhile, USA Today reports that Google and AT&T want to craft federal law as a defense against California’s GDPR clone. This is a familiar strategy. Big companies doing business in thousands of U.S. jurisdictions prefer one strong, federal law to a patchwork of state laws, whether it’s about taxation or other regulatory schemes.

A very snarky DEF CON session this summer revealed the GDPR as a hybrid of conceptually sound consumer protections and a big bundle of expensive mandates for business. LPP wondered how the presenter expected to win cooperation from American business while portraying American business persons as greedy pigs.

 


Are you paranoid if you want to scan the women’s room for cameras?

When does your insistence on privacy move from a concern to an obsession? If you want to scan the public restroom for cameras, are you paranoid? That was the question earlier this year when spy cams were spotted in the bathroom at a Starbucks in an Atlanta suburb.

Debbie Currier at The Spy Shop in Reno, Nevada, says a defensive posture does not make you paranoid. Currier demonstrated an $80 sweeping device called the Little Angle multi-detector.

“If you’re having a gut feeling, and you have a tool like this, and it gives you peace of mind, it’s worth $80,” said Currier, who carries a similar device when she travels, because you never know what’s hidden in hotel rooms.


The CC308 Little Angle multi-detector photographed on a newspaper, for scale

The Little Angle measures slightly less than four inches. Besides detecting camera lenses, it identifies eavesdropping devices. It uses an active laser and a passive wireless method, according to its user manual. (Sure enough, the red window in the body of the device lights up when it’s pointed at the camera lens in a phone, and when it’s swept across a camera hidden in a piece of art on the shop’s wall.)

It’s hardly the most sophisticated detector of its kind. The Spy Shop also has a $400 model, used primarily by private investigators. The high-end devices are more sensitive, allowing a sweep to be completed more quickly.

“It’s a patience thing,” Currier said of sweeping with the entry level devices. “You have to take your time. You have to zero in. It’s a process of elimination.” She suggests moving the device over objects like lamps and door knobs, paying special attention to screws and crevices. But a tiny lens could be hidden anywhere.

David and Debbie Currier have operated The Spy Shop for 30 years. They also sell cameras, which Debbie acknowledges can be used for good or ill, but her hope is that parents and other caretakers use them to keep an eye on kids and the elderly.

 

Congress accomplishes the impossible – causes me to root for Zuckerberg

Two U.S. House and Senate committees, in two days, were able to accomplish the impossible. Their examination of Facebook CEO Mark Zuckerberg found me rooting for Zuckerberg. No small feat, since Zuckerberg for at least a decade has been the poster child for gross privacy violation, and an emblem of Silicon Valley’s indifference to the humanity of internet users.

A few thoughts:

1) Facebook is now a Rorschach on which politicians can project their own agendas. The drug warriors, for instance, channeled their opioid fury at Facebook for facilitating the sale of the drugs. One of them went so far as to suggest that Zuckerberg is personally responsible for the opioid crisis.

Racial discrimination, political bias, fake news, hate speech, child endangerment, you name it. If it’s bad, Facebook and Zuckerberg took a two-day beating for it. He was pressured repeatedly to vow public support for certain pieces of pending legislation, and could only sputter in response to demands for a yes-or-no answer, right now, that the details in such bills would be important. Which is the only answer a lawmaker deserves from a reasonable person.

2) Many legislators weren’t particularly interested in reasoned responses, or any responses at all, really. Repeatedly, even after questions concerning Facebook’s intricate back-end operation, Zuckerberg was interrupted before he could squeeze out a complete sentence.

“I apologize, Mr. Zuckerberg,” said elected officials with ticking stopwatches, who were allotted five minutes apiece. “But I have four minutes left (for me to be on camera asking penetrating questions that were written for me by someone else — someone who understands Facebook, which I clearly don’t. Quickly now, I must now demonstrate my concern about issue XYZ).”

3) Who knew that there is a Technology Accountability Caucus? Yes, there is (newly formed), and boy are they mad! Which bodes ill for…

4) … free speech. Overnight, a new breed of Congressional Content Warrior has emerged. Get out your tin foil hats, First Amendment advocates, there’s a regulatory gamma-ray-free-expression-particle storm brewing, with dubious implications for online speech platforms, and more broadly for technological innovation.

5) On the issue of responsibility for the content, Zuckerberg gave up a lot of ground — more than he needed to, I think. In his determination to be polite and respectful, he failed to convey that some of the interrogators’ assumptions were patently stupid.

It’s logistically impossible, even for a boy genius leading an army of 20,000 in-house censors, to perform an instant take-down of every objectionable post arising from a pool of 2 billion users, and still carry out the mission of providing a social platform for the world.

In other words, the beauty of Facebook is also something for which it is vilified. It was disappointing that Zuckerberg wasn’t more comfortable asserting this very legitimate defense.

He did try vainly, many times, to explain that user-generated content is policed primarily by other users, who alert Facebook when something is offensive, and there is an orderly system for content review. Despite mass-adoption of user-generated content platforms, people still don’t grasp how they work. And by people, I mean legislators who have the power to control the future utility of social media, and the profitability of an enormous economic sector.

6) Zuckerberg clearly thinks all objectionable content problems will be solved by Artificial Intelligence. In the five-year plan, AI will identify hate speech, with human linguists assisting in the short term. This is a chilling prospect, even if the AI applications could be taught to distinguish authentic hate from sarcasm, jest, and transparently dumb, trivial utterances. In dozens of languages.

7) And who, among content producers, thinks that the Facebook standard, once it meets the satisfaction of the regulators, will not apply to everyone in the business? Moreover, if get-tough legislators are true to their record, they will incorporate some kind of criminal punishment for violations.

Then they’ll move on to the next political Rorschach, leaving it to the courts to sort out the mess in a series of lengthy, expensive, life-ruining cases.

8) There’s much more, but that’s enough for now. I consumed a bit more than four hours over two days, and then walked away because the questioning was maddeningly repetitive, and the legislative preening was no longer bearable.

#ShoutYourAbortion and the art of violating your own privacy

If you #ShoutYourAbortion on Twitter, and the public reaction scares the crap out of you, well, you should only blame yourself.

Abortion doctors have been murdered on their way to work, and people have gone to court for the right to harass women entering clinics. Planned Parenthood has been infiltrated by videographers hoping to incriminate its personnel. You probably know all of this if you’ve waded into pro-choice advocacy.

You must also know if you’ve sought health care – women’s or otherwise — that the federal government has thousands of pages of regulation intended to protect your medical privacy. Your wart removal and your colonoscopy are equally sacred in the eyes of the law. Nobody – not even your insurance company – is supposed to receive details about those procedures without your permission.

But Amelia Bonow traded privacy for protest in the face of a threat to federal funding for Planned Parenthood, by publicizing her own abortion. She encouraged other women to share without apology that they’ve had abortions. Bonow soon left her apartment because of death threats.

As a free speech advocate, who am I to rebuke Bonow and her followers? I won’t. But as a privacy advocate, I would suggest that you never know when or why you might later regret sharing personal information. You also never know which information you might some day regret sharing.

Bonow told the New York Times that she’s not sure how seriously to take the threats, and not sure when it will be safe to go home.

“I’m not a public figure,” she said. Actually, she is a public figure now. You may have heard that the internet never forgets, and that forever is a long, long time.

By the way, have you also heard that any information you commit to a digital device can get out of your control?

If you carry around stored video of yourself having sex, for instance, as Indiana House Majority Leader Jud McMillan did, you really have nobody else to blame when your phone gets stolen and your personal porn goes public.

This can be particularly embarrassing for a family values guy. Yes, he is.

The takeaway should be obvious, but I guess it isn’t. You can’t be hurt by the stuff you never reveal. You can’t reveal the stuff you never record. Almost anything you reveal or record can be cause for regret.

From DEF CON 23: If supply and demand make a market, where is the market for privacy?

Everyone talks about privacy, but nobody does anything about it, to mangle Mark Twain’s witticism regarding the weather.

Economists at Princeton are launching a study to explain why there’s not a more robust market for privacy products and services, given our growing understanding that our most private matters are routinely plundered from online sources.

“There’s a demand for privacy,” economist Rene Mahieu told me earlier this month at DEF CON 23. “Also, I’ve been here at DEF CON and I’ve heard a lot of talk about the technical possibility for creating privacy. So there is a potential supply.”

It follows, therefore, that there should be a market. “A vibrant market,” he says.

Mahieu and Princeton research colleagues are starting with some theories, but it seems to me this question can be answered from the gut. Digital privacy is inconvenient, complicated, and expensive.

Economists have names for these obstacles, Mahieu informs me.

“Information asymmetry” may dampen the inclination to purchase, even from consumers with a clear interest in the product. In a technology transaction, the potential buyer may not understand the product, and becomes doubtful that it will deliver on its promise. Mahieu likens it to buying a used car. The seller has more information than the buyer about the vehicle, and holds the cards when it comes to contract terms. It feels better to walk away than to spend money on something when you’re not convinced it will meet your needs.

“Network effects” describes the lonely experience of adopting a privacy-enhancing messaging service, for instance, and discovering that none of your friends use it, and therefore you can’t talk with your friends. Do you undertake a massive recruitment project or continue to expose yourself to privacy invasion? Most likely, you resign yourself to the latter. Life’s too short.

There’s also the abstract nature of privacy invasion, stacked up against the convenience and pleasure of connection.

“The problems are uncertain and in the future,” Mahieu says, “while the gratification is now, and direct.”

As part of their research, the team wants to talk with business people who’ve had first-hand experience developing privacy products, successful or not. They’re interested in entrepreneurs as well as folks who’ve toiled in big data. Mahieu encountered some of them at DEF CON. One entrepreneur described his innovation, which had been well-received by everyone who tried it. But it didn’t sell, and was ultimately offered for free.

“That’s the starting point for our question,” Mahieu says. “Why, given the immense interest, and the growing interest in privacy, and our technical capabilities, is the market not functioning as we expect it to be?”

If you can help explore the question, he’d like to hear from you. The research project is at the Center for Information Technology Policy at Princeton, but you can contact him directly: renemahieu@riseup.net

7th Circuit Court of Appeals: You don’t own your personal information

UPDATE August 9, 2015: Regarding my claim below that a robust market for personal information on the dark web constitutes evidence of its value as a commodity, attorney Caitlin Kelly Henry points out (in the context of a casual conversation at DEF CON) that the court would not recognize illegal activity. But she also notes that businesses are routinely engaged in the lucrative practice of marketing their customers’ personal data, making essentially the same point. Caitlin adds that this case is well outside her practice area. Thanks nonetheless, Caitlin.


Whoa! This is not good news, and while the case was covered in the legal press, this was not the headline. Buried deep in the dicta — page 13 of a 17-page decision — the court says personal information is not a property right.

The question before the court was whether Neiman Marcus customers have standing to sue after the company suffered a credit card breach that exposed the plaintiffs’ personal ID and financial data. The court said they do.

The discussion centered on Neiman’s argument that there was no actual injury since the plaintiffs were not accountable for fraudulent charges on their accounts. Standing can’t be argued on speculative claims of future harm, Neiman argued.

Potential future injury is what’s at issue. Until this decision, there was a high bar to establish the risk of future injury from exposure of personal information. The 7th Circuit has lowered it, granting standing on the speculative claim, and asking why else cyberthieves would steal credit card numbers, if not to set up fraudulent accounts.

After a lengthy discussion of the various legal issues involved, the court threw in some brief comments on the ownership of personal information, mostly for good measure. “For the sake of completeness…” the court said.

“Plaintiffs also claim they have a concrete injury in the loss of their personal information, which they characterize as an intangible commodity… This assumes that federal law recognizes such a property right. Plaintiffs refer us to no authority that would support such a finding. We thus refrain from supporting standing on such an abstract injury, particularly since the complaint does not suggest that the plaintiffs could sell their personal information for value.”

What!!?? There is and has been a thriving market for personal information, and yes, the information has monetary value. Business has been so good, in fact, that the value per ID on the dark web has gone down since its peak, just as any commodity responds to excess supply.

In this opinion, the 7th Circuit has contradicted itself, acknowledging that the purpose of stealing credit card data is to make fraudulent charges and set up fraudulent accounts in the name of the card holder, yet declaring that the card holder’s personal information has no value.

I’m no lawyer, and further research is in order, but I predict a large herd of worms crawling out of this open can. And by the way, is anyone else reading these documents all the way through?

CASE UPDATE: Neiman Marcus has requested a rehearing en banc in the data breach lawsuit referenced below. The retailer asserts that the 7th Circuit Court’s “use of an expansive standard” to establish standing in data breach suits will be “enormously consequential to the national legal landscape.”

Looking for the last private place? It’s not between the sheets.

If you long for the last private place, be assured there is no refuge between the sheets. If, on the other hand, you’d like to invade someone’s sexual privacy, forces are conspiring to help you. Engage these forces at your own peril.

If you want to know whether someone is cheating, you can get some help from notorious privacy invader Spokeo. Just enter your sweetie’s email address on Spokeo’s “is he cheating on you?” page, and its web scraper will gather up all the references it can find related to the address. For a price.

“CAUTION: This information is potentially shocking,” the site warns. “Spokeo uses proprietary deep web technology to search over 70 social networks for status updates, photos, relationships, and profiles. Please prepare yourself for the unexpected.”

I entered my husband’s email address, which is not his name, but a fairly generic word. Spokeo told me there were 51 results with the same email handle — that is, just the part before the @ symbol, not the complete address. But I’d have to cough up a credit card number to find out if any of them belong to my man.

“Hey,” I jabbed him in the ribs. “Are you cheating on me?”

“No,” he said without looking up from his smartphone, “Why do you ask?”

I wasn’t curious enough to pay money to a company I consider despicable, so I left Spokeo without further interaction. Within a few hours, Spokeo was spamming me with other services I might find useful.

Some folks may be treated free of charge to a report about their spouse’s sex-seeking behavior, whether they want it or not. Cyberattackers last week issued a serious threat to Ashley Madison, a website that facilitates infidelity: Shut down your business or we’ll post stolen client data for the world to see – including nude photos, sexual fantasies, and credit card data.

The site is still operating, and this is probably a ticking time-bomb for millions of marriages.

The attackers, who call themselves “The Impact Team,” apparently think they’re doing some kind of public service. They’re motivated by the failure of the parent company, Avid Life Media, to adequately scrub personal data from another hook-up site it runs. There’s a $19 charge for the scrub service, which removes personal profile and “community data” if the user decides to cut loose from the cheater’s club. But it doesn’t scrub credit card information.

Oops.

Credit card data is a valuable identification tool. So valuable that the Cook County Sheriff in Illinois made a demand some years back to another business. Sheriff Thomas Dart used the implicit force of his office to persuade Backpage.com to require credit cards for sex-related transactions.

Backpage.com is a marketplace on the Craigslist model, offering a host of goods-and-services categories, including a range of adult services, like strippers, escorts, dominatrix and fetish. Backpage not only complied with the demand from the sheriff, but actively works with law enforcement to accomplish its ostensible purpose — finding suspected child predators and human traffickers. The company cooperates with subpoenas by providing client data when it’s sought, and also puts its sex ads through a vigorous regimen of internal scrutiny both before and after they post.

Nonetheless, Sheriff Dart recently sent a demand to Mastercard and Visa to “defund” Backpage. That is, stop processing its transactions. The credit card companies responded by halting their services to Backpage, despite long relationships and no indication of criminal activity. Backpage went to court seeking an injunction against Sheriff Dart and claiming prior restraint of free speech.

The judge sided with Backpage, and granted the restraining order, but allowed that Backpage is not necessarily certain to prevail at trial.

Yes, offering dominatrix services is a form of speech. Maybe performing the service is, too. But the free speech question requires consideration of the entire website, including users who are not seeking sexual services. When you post a free ad to sell your used NordicTrack, you are subsidized by the strippers and other adult-oriented service providers who pay for their ads. Backpage suggests that the business is unsustainable without the revenue from the sex ads. If the company shuts down, everyone loses a forum for speech.