Thursday, August 27, 2009

Canada Forces Facebook to make Privacy Changes

(via Ian Brown)

In a remarkable turn of events, Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into the popular social networking site’s privacy policies and practices.

"The following is an overview of key issues raised during the investigation and Facebook’s response:

1. Third-party Application Developers

Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”

Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information. The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.

2. Deactivation of Accounts

Issue: Facebook provides confusing information about the distinction between account deactivation – whereby personal information is held in digital storage – and deletion – whereby personal information is actually erased from Facebook servers. As well, Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.

Response: Facebook has agreed to make it clear to users that they have the option of either deactivating their account or deleting their account. This distinction will be explained in Facebook’s privacy policy and users will receive a notice about the delete option during the deactivation process.

While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach – providing clarity about the options, offering a clear choice, and alleviating the confusion – is acceptable because it will allow users to make informed decisions about how their personal information is to be handled.


4. Accounts of Deceased Users

Issue: People should have a better way to provide meaningful consent to have their account “memorialized” after their death. As such, Facebook should be clear in its privacy policy that it will keep a user’s profile online after death so that friends can post comments and pay tribute.

Response: Facebook agreed to change the wording in its privacy policy to explain what will happen in the event of a user’s death."

Pangloss is mildly amused that only two years after she, Ian Brown and Chris Marsden presented a paper highlighting the privacy and security issues around the use of third party apps on Facebook, changes are finally being made.

The interesting issue will be if these changes are only made for Facebook in Canada or applied worldwide; similar legal pressure has not, it seems, been exerted in other jurisdictions such as the UK and the US - but there has certainly been concern over the repeated use of third party apps as an easy way to collect personal data for fraudulent or criminal purposes, or to spread malware. One might speculate that if FB are investing in developing new more privacy-compliant code it might as well install it system-wide given the PR advantages and the fact that FB's growth appears to have peaked (the rate of growth has been declining since about January 08). Chris Soghoian on Twitter seems to indicate the changes will be worldwide. If so, the Canadians have certainly done us all a favour.

Pangloss is also intrigued by the Canadian concern over Facebook's treatment of profiles on death. While the matter is certainly a pressing one (with 200 million users, not all young, FB profiles are, sadly, often a major concern to relatives after death) in fact FB has been pretty much in the vanguard in the area of transmission of digital assets, in at least providing a clear and accessible way for relatives to ask for profiles to be "memorialised" after death.

Other sites where digital "assets" remain after death (eg eBay, Flickr, et al) are in general much less clear about what rights they offer relatives after death, have hard to penetrate procedures on the matter, or actively refuse to allow relatives control after death (see the famous Yahoo! case where relatives of a US marine were initially refused access to his emails after death because the privacy policy forbade passing on information to any third party. At least in the US, the privacy policy remains unchanged to date.)

However in my recent talk on this subject, I also suggested that it would be easy for FB in its various preference suggestions to allow users themselves to indicate what they would like done with their profiles after death. Not all want their profiles left open for comments after death; some would like them closed down; others might like a friend or relatives to make the decision what to do. One size does not fit all and a solution should also consider and balance the interests of both the profile owner and the relatives. However if FB take a lead here under Canadian persuasion, they may well benefit all by becoming a good practice example in a rather under-considered part of the web 2.0 field.

Tuesday, August 25, 2009

Harry Mandelson and the 3 Strikes of Doom

As numerous bloggers are reporting today, first the Guardian and now the Beeb have reported that the Dept for Business under the proud thrusting leadership of Peter Mandelson, has done a volte face and done exactly what they stated in the Digital Britain consultation in June they would not do - added the possibility of 3 Strikes - disconnection as sanction for filesharing - into the melting pot of the UK's endless file-sharing consultations. This notwithstanding that without substantial judicial control of disconnections, about which we have zero detail, both the European Parliament and the French Constitutional Court have indicated that such a policy would probably contravene human rights.

Best of all, this change of heart is not even vaguely democratic or considered. Instead, as the Guardian put it, "The surprise move will intensify speculation that Lord Mandelson reached a secret deal to protect the film and music industries with Hollywood mogul David Geffen earlier this month." Ho bloody ho for public "consultation".

There had also been whispers for some time that the industry was unhappy with the speed at which the Digital Britain consultation was moving, ie, would anything get done before the current government was voted out and the whole farce had to start again. So now we have proposals for a fast track procedure for 3 strikes which will not only breach European law but have arrived mid-consultation, when many organisations and individuals may already have responded, making a simple mockery of consultative democracy and exposing the government's business leaders as mere lackeys to the dying throes of the music industry's last attempts to protect anti-competitive and antiquated business models.

As ORG point out:

"Yet again, we see knee-jerk reactions and policy swerves, this time in direct contravention of the government’s own consultation guidelines. Those guidelines are there for a reason: to make sure government policy is balanced and considered. We will be making a formal complaint."

Some regular readers may wonder why Pangloss has focused so much on this issue over the last few years, and sometimes I do too. I am not primarily an IP expert. I have no great love for filesharers and my own life is reasonably complete without free access to the complete works of Michael Jackson. The reason I have become so involved in this single issue is because throughout, a single industry sector has shown complete contempt both for democratic procedures, the public interest and for basic and fundamental human rights, all in the name of extracting the last cent of their own, still not inconsiderable, profits.

Ok, companies exist to make profits. But worst of all, our own elected democratic governments, though very well aware of all these points, have gone along like sheep, far more willing to disproportionately criminalise a generation and remove access from students, the unemployed et al to the most essential facility we have ever developed, for minor civil infringements (no one is talking about commercial criminal piracy here) than consider the public balance of interests.

Is this because rock and film stars are sexy? Or because the content industry has spent so much on lobbyists there must now be one per MP at least? - I do not know. And of course it is mid August, the height of the sleepy season when many influential newsmakers and commentators might be hoped to be somewhere near Tuscany or at least the Edinburgh Fringe rather than a keyboard:) Perhaps when the first UK Pirate Party MP or MEP is elected the government will wake up to the startling wrongheadedness of the current approach.

So this is why I continue to care about this topic, and why you should too. Read the ORG blog; write to your MP and MEP; complain.

Monday, August 10, 2009

V for Videos

Pangloss is teaching Internet law to undergrads for the first time in a while this academic year coming and was idly wondering if she could spend the first lecture showing videos with which to seduce the suckers, sorry, encourage the freshers to understand how exciting IT law is:-)

These are first thoughts for the curriculum - would anyone else like to suggest their own favourites? In particular, it's not hard to find fun videos on file sharing, privacy and social networking sites (indeed web 2.0 in general) - but I could do with help on less obvious stuff like e-contracting, e-commerce or other aspects of IP??

Here's my starting favourites!

Web 2.0

The machine is us - Web 2.0 changes everything

"FriendFace" (IT Crowd) - web 2.0 - social networks and privacy

The Facebook Song

Wikipedia, editing the umlaut - web 2.0 and distributed editing

What is web 2.0? an educational perspective - intro to web 2.0


Big Brother State - privacy & surveillance

The Last Enemy extract - life as an un person in an ID card world

ACLU pizza delivery - private/public data collection and privacy


4chords (Axis of Awesome) - creativity, mash ups, copyright, parody

Filesharing RIAA parody ad (IT Crowd) - filesharing and P2P

3 minute medley on the music wars (from TED)

Content and tubes

The Internet is For Porn - self explanatory

Net Neutrality, Lessig-style - infrastructure

Tuesday, August 04, 2009

Update on amendment 138

If you were thinking things had gone strangely quiet on this front, well.. (via ORG blog)

"DG Information Society has quietly released its position on the Telecoms Package Second Reading, just as everyone is heading off for the summer holidays. No doubt Commissioner Viviane Reding was hoping no-one would see it. Why? It calls for a “compromise” text which the Council of Ministers was trying to push onto the European Parliament, which could have the effect of giving permission to governments to block access to Internet services and applications.

The so-called “compromise” is the replacement of Amendment 138 (which seeks to protect users rights on the Internet) with an alternative which was drafted by the Council (sometimes known as the ‘fake 138’). The replacement, when considered in context with other Amendments in the Package, will seal in to the Telecoms Framework a right for governments to implement ‘measures regarding end-users’ access to or use of services and applications through electronic communications networks’.

The so-called “compromise” is positioned in Article 1 of the Framework directive, addressed to Member States. It should be read in conjunction with Amendment 1.2a of the Universal Services and Users Rights directive, which will permit broadband providers to block impose “conditions limiting access to and/or use of services and applications”. In light of T-Mobile blocking Skype, BT throttling peer-to-peer services, and Karoo, a small UK ISP cutting off users, it should now be abundantly clear what this text means."

Source: IpTegrity

(without prejudice - Pangloss has not seen the original text yet)

Sunday, August 02, 2009

The Economics of Privacy on Social Networks

Pangloss is pleased to see that Joseph Bonneau of the Cambridge Computer lab has now blogged the terrific work his team have done examining the uptake, marketing and impact of privacy tools provided by social networking sites.

Bonneau's team examined 45 sites, collecting over 250 data points about each site's privacy policies, privacy controls, data collection practices, and more. The results were fascinating, as presented at the WEIS conference in London. The full paper and complete dataset are available online as well.

For anyone who's ever wondered why the Facebook privacy tools are greyed out on the front page compared to the other menu items, there are revelations:

"The most interesting story we found though was how sites consistently hid any mention of privacy, until we visited the privacy policies where they provided paid privacy seals and strong reassurances about how important privacy is. We developed a novel economic explanation for this: sites appear to craft two different messages for two different populations. Most users care about privacy but don’t think about it in day-to-day life. Sites take care to avoid mentioning privacy to them, because even mentioning privacy positively will cause them to be more cautious about sharing data. This phenomenon is known as “privacy salience” and it makes sites tread very carefully around privacy, because users must be comfortable sharing data for the site to be fun. Instead of mentioning privacy, new users are shown a huge sample of other users posting fun pictures, which encourages them to share as well. For privacy fundamentalists who go looking for privacy by reading the privacy policy, though, it is important to drum up privacy re-assurance."

In other words, as long suspected, privacy is the enemy of the SNS business model and the sites are very well aware of this, despite having to be seen to pay lip service to increasing numbers of well meaning codes of practice. Indeed the full paper found that SNS which actively marketed themselves as privacy-protective and hence attracted "privacy fundamentalists", tended simply not to do very well (assessed by longevity and growth of audience in the market). What incentive then to make privacy tools easy to see and use for consumers?

This study adds to the weight of evidence that self regulation and consumer education are not ultimately anything like a real solution to the current problems of voluntary and involuntary data disclosure on SNSs. Good to see real empirical evidence like this :)

Also worth noting for security scholars: the papers are in the main now available from Security and Human Behaviour 2009, the "new" conference (following on from the success of WEIS) on security and how it is affected by psychological and social factors. Hoping to have time to digest these in the next few weeks, especially as I've been asked to speak myself at the Cyber Conflict Law and Policy Conference at the Cooperative Cyber Defence Centre of Excellence (CCD COE) in Estonia in September. Should be fascinating :-)