Older blog entries for MRyan (starting at number 19)

PrivacyCamp Washington, DC 2009

Co-sponsored by the Center for Democracy and Technology, the Electronic Privacy Information Center, and the Future of Privacy Forum (among others), this inaugural "unconference" brings together interested individuals and organizations to share knowledge and foster collaboration. The event is June 20th, 2009, from 8AM to 5PM at the Center for American Progress (1333 H Street NW, Washington, DC 20005). You can register here and Shaun Dakin is the contact should you have any questions.

Syndicated 2009-06-08 22:26:44 from Ryan Calo's blog

Patient Privacy Rights FTC Comments

Teneille Brown, Joshua Auriemma, and I helped Patient Privacy Rights draft the public comments it submitted to the Federal Trade Commission on Monday. Thanks to Patient Privacy Rights executive director Ashley Katz for the opportunity to assist.

The FTC sought comment on a proposed interim rule that would require certain entities to notify consumers upon the unauthorized acquisition of electronic health information.

Patient Privacy Rights' recommendations include:

* Clarifying that the rule covers Microsoft HealthVault, Google Health, and similar entities that deal in electronic health information.

* Requiring entities to keep an audit trail of unauthorized access and clarifying that publishing electronic health information on the web constitutes "acquisition" under the rule.

* Reconsidering the position that de-identified electronic health information may be excluded from the proposed interim rule in all instances.

The final comments are attached.

Syndicated 2009-06-04 00:36:19 from Ryan Calo's blog

State AG Threats To Craigslist Implicate Free Speech

This post is co-authored by Ryan Calo and CIS summer intern Joshua Auriemma.

On Saturday Night Live’s classic segment “Really?!? With Seth & Amy,” two incredulous news anchors blast a ridiculous current event—for instance, the fact that AIG held a lavish retreat six days after receiving 85 billion dollars in federal bailout money to celebrate the company’s top earners. “Really?” Amy Poehler asks. “What does it take to be a top earner at AIG right now? Did you sell your office furniture on Craigslist?”

Some lawyers following the ultimately successful pressure placed by various state attorneys general on Craigslist to take down its erotic services section have experienced a “Really?!?” moment of their own. A particularly unsubtle letter from South Carolina AG Henry McMaster basically threatened Craigslist with "criminal investigation and prosecution" of its management personnel if the popular classifieds website didn’t remove all offending material by 5:00PM, Friday, May 15, 2009.

Really? A state attorney general can send a letter to Craigslist threatening to initiate criminal charges against its management unless it shuts down a predominantly legal forum on the basis that the AG dislikes the kind of stuff that gets posted there?

As an initial matter, it is not clear what legal hook an AG would have. Section 230 of the Communications Decency Act would appear to immunize Craigslist for the content posted on the site by its users. See 47 U.S.C. § 230(c)(1) (“No provider … of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”). See also id. at §230(e)(3) (“No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.”). Our best guess is that Craigslist ultimately gave in to state AG demands not out of fear of losing a criminal trial, but due to the sheer prospect of facing investigations and lawsuits in multiple states, generating bad press and costing potentially thousands of dollars in defense fees regardless of outcome.

What is clear, however, is that threats of criminal action motivated by disapproval of lawful speech constitute state action for First Amendment purposes. In the 2007 case of Porter v. Bowen, for instance, the Ninth Circuit applied intermediate scrutiny to find that California’s Secretary of State violated the First Amendment when he threatened to prosecute the owners of a website devoted to vote-swapping. 496 F.3d 1009 (9th Cir. 2007). Interestingly, the plaintiff in Porter was a distinct website, not even affiliated with the vote-swapping website that actually received the legal threat. Id. See also Carlin Communications, Inc. v. Mountain States Tel. & Tel. Co., 827 F.2d 1291, 1295 (9th Cir. 1987) (deputy attorney’s threat to prosecute a telephone company unless they dropped plaintiff’s adult phone service converted activity to state action).

No state AG is going to voice disapproval of erotic content per se. Thus, McMaster’s open letter refers to the harmful activities that Craigslist’s erotic services section allegedly facilitates. But even in this public document, McMaster cannot resist multiple references to “the unrestricted manner in which graphic pornographic pictures are posted and displayed by users on the craigslist site.”

Recall that attempts to restrict access to online pornography by adults on the basis of its alleged availability to children have repeatedly been struck down as unconstitutional under the First Amendment. See, e.g., Reno v. American Civil Liberties Union, 521 U.S. 844, 875 (1997) (“It is true that we have repeatedly recognized the governmental interest in protecting children from harmful materials . . . [b]ut that interest does not justify an unnecessarily broad suppression of speech addressed to adults.”).

The issue is not, in the end, even about safety. Shutting down a section of Craigslist will not stop sex crimes. If anything, having solicitations appear online and in a central location creates an additional tool for law enforcement concerned about prostitution and exploitation by creating a digital trail. Law enforcement apprehended the alleged “Craigslist Killer,” who set off the whole controversy to begin with, in part by tracing the IP address of someone who emailed the victim. No such trail exists on the street corner or in printed classifieds.

Simply put, we need to let go of the puritanical urge to force change on mainstream Internet services because their content offends someone. State governments are accomplishing through threat what they never could through regulation. This represents a blow to our collective liberty.


Syndicated 2009-05-19 22:33:35 from Ryan Calo's blog

WhatApp? Alpha (Preview)

A generous grant from the Rose Foundation has made it possible for the Center to develop WhatApp?, an expert and user-driven review website for software apps that focuses on privacy, security, and other Silicon Values. We now have a working alpha, which we will spend the summer testing, improving, and populating with content in anticipation of a beta next year. Attached is a series of screenshots from a PowerPoint presentation of the demo. Thanks to Quinn Interactive for their timely, high-quality work thus far.

Syndicated 2009-05-14 23:40:42 from Ryan Calo's blog

Does NAI’s Opt Out Tool Stop Consumer Tracking?

I heard a rumor that I hope isn’t true. Specifically, I heard that opting out of behavioral profiling may not stop advertising companies from tracking you as you travel across the Web. Rather, according to the rumor, in many cases you merely opt out of seeing the tailored ads your web history might otherwise trigger.

The ability to opt out of behavioral profiling essentially underpins the argument for self-regulation by the industry. The idea is that (1) people like tailored ads and (2) those that worry about the practice, for instance, from a privacy perspective, can opt out of it. Setting aside the apparent frailty of cookie-based opt out (when you delete your cookies, you delete your opt out as well) and the availability of other means to track users (like flash cookies), this seems pretty straightforward and convincing.

But what does “opting out” mean, exactly? A close look at the Network Advertising Initiative website, which offers an opt out tool on behalf of most major online advertisers, turns up no guarantee that opting out will stop a company from logging where a user has traveled.

In the NAI's words:

The NAI Opt-out Tool replaces a network advertiser's unique online preference marketing cookie on your browser with a general opt-out cookie. It does not delete individual cookies nor does it necessarily replace other cookies delivered by network advertisers, such as those that are used for aggregate ad reporting or mere ad serving purposes. Such cookies allow network advertisers to change the sequence of ad banners, as well as track the aggregate number of ads delivered (impressions).

You don’t need to be Derrida to see that this carefully crafted language comes apart upon reflection. How can the tool "replace[] a network advertiser's unique online preference marketing cookie" but at the same time not "delete individual cookies [or] replace other cookies delivered by network advertisers, such as those that are used for … mere ad serving purposes”? Where I come from, "replace" means "to put something new in the place of" something else. You take the cookie that tracks me away, and you replace it with a cookie that says not to.

So does opting out stop tracking or not? Lawyer and blogger Sarah Bird wrote about the NAI’s opt out cookie about a year ago after attending a conference at Berkeley Law School. Specifically, she wrote:

The audience was extremely interested in cookies and how they work. ... People were surprised and confused to learn that the NAI’s opt-out program doesn’t prevent advertisers from collecting information about you; it only prevents advertisers from serving you targeted ads. The companies still get to benefit from your information, you still have to see ads, but the ads aren’t targeted towards your preferences. Somehow, I have a feeling that most consumers who bother to use the NAI's opt-out program don't realize this. After all, I have to imagine that it is the tracking itself that bothers privacy-sensitive people, not the targeted ads.

I have to agree with Sarah here.

To be clear, I’m not convinced that behavioral advertising is all that dangerous a practice from the perspective of personal privacy. Advertisers don’t really care who you are and much of the tracking that occurs is anonymous. True blocking is easy—for a veritable buffet of privacy enhancing technologies, visit our wiki database—and the government can go directly to users’ Internet service providers if they want access to web surfing habits.

But still, this rumor bothers me. Have advertisers allowed the misapprehension to persist that opting out of behavioral profiling stops the practice of tracking? If so, for shame. The industry should confront the harms of tracking, real or imagined, head on, instead of lulling users into a false sense of control over their browsing history.

Syndicated 2009-04-27 23:52:26 from Ryan Calo's blog
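One way to test the question raised in the NAI post above, as an added example that is not part of the original post: compare a network's cookies before and after opting out and list those that can still single out a browser. The `ads.example` domain, the cookie names and values, and the 40-bit threshold are constructed assumptions, not NAI or advertiser data.

```javascript
// Added example. All cookie data below is constructed for illustration.
const before = [
  { domain: "ads.example", name: "uid", value: "7f3c9a1e5b2d4c68a0e1" },
  { domain: "ads.example", name: "freq", value: "3" },
  { domain: "ads.example", name: "srv", value: "b81d40c7e2f9a6350d4c" },
];
// Jar after using the opt-out tool: only the preference cookie was replaced.
const afterOptOut = [
  { domain: "ads.example", name: "uid", value: "OPT_OUT" },
  { domain: "ads.example", name: "freq", value: "3" },
  { domain: "ads.example", name: "srv", value: "b81d40c7e2f9a6350d4c" },
];
// Jar after the user clears cookies and browses again (assumed fresh ID).
const afterClearing = [
  { domain: "ads.example", name: "uid", value: "c40a9e17d3b65f82e0a7" },
];

// Estimated information in a value: Shannon entropy per character * length.
function estimatedBits(value) {
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * value.length;
}

// Heuristic (assumption): 40+ estimated bits is enough to act as a unique ID.
const ID_THRESHOLD_BITS = 40;
const looksUnique = (v) => v.length > 0 && estimatedBits(v) >= ID_THRESHOLD_BITS;

// Classify each cookie in the later jar against the earlier one.
function auditOptOut(earlier, later) {
  const key = (c) => `${c.domain}|${c.name}`;
  const prior = new Map(earlier.map((c) => [key(c), c.value]));
  const report = { replaced: [], stillIdentifying: [] };
  for (const c of later) {
    const old = prior.get(key(c));
    if (old !== undefined && looksUnique(old) && !looksUnique(c.value)) {
      report.replaced.push(c.name); // unique ID swapped for a generic value
    } else if (looksUnique(c.value)) {
      report.stillIdentifying.push(c.name); // unique value present after opt-out
    }
  }
  return report;
}
```

With the constructed jars, `auditOptOut(before, afterOptOut)` reports `uid` as replaced and `srv` as still identifying, and `auditOptOut(afterOptOut, afterClearing)` shows the opt-out gone once cookies are deleted.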

Kevin Bankston Discusses Wiretapping On Countdown