May 9, 2011
As part of its Privacy Revolution efforts, ALA declared last week Choose Privacy Week, with this year’s efforts focusing on youth and privacy. If you dig into the websites and publicity around the event, you’ll find that this initiative is about creating dialogue about privacy in our society today, but I didn’t see a lot of talk on blogs or Twitter this week about privacy–at least, not more than I usually do. That’s especially disappointing because I think that in a lot of cases, you can’t choose privacy, as ALA exhorts us to do.
Each of us encounters more and more numerous breaches of personal privacy today, whether it’s with our cell phone records, grocery store coupons, airport scanners, or library circulation records. All of these small invasions lead to the creation of an overall “surveillance society” which is counter to U.S. Constitutional principles and to the way Americans want to live. One would have to become a hermit to avoid all invasions of personal privacy – no checking account, no health insurance, no mortgage. But with knowledge of how data is collected and used, you can make choices. In your doctor’s office there is some information you are not required to give. If you use a credit card at a store, you might consider using cash when you discover that they will profile your age, class, income, and size with collected data.
I feel like even in their introduction of the notion of choosing privacy, they’re supporting me here: They describe a “surveillance society” and admit that one would have to live in complete isolation to avoid incursions of privacy, but then, rather than questioning the ethics of a surveillance society or making the case for reclaiming privacy on a nationwide level, they suggest ways to protect the tiny snippets of personal information that are under our control only in very specific situations.
Our concept of privacy has changed a lot in the last few decades (perhaps most visibly with the rise of social media and the increased surveillance in the name of national security after 9/11), and that’s especially true for young people. It’s this change in our expectations for privacy–and our ignorance of who is collecting data about us and what they know about us–that make it impossible to choose privacy sometimes. We don’t even know when companies are collecting data about us, we don’t know what they do with that data, and we have no idea how secure that data is.
Secret data collection: cell phone examples
Late last month, news broke that, if you were an iPhone user, your phone was creating a database of every cell phone tower and WiFi hotspot that it connected to. That alone is surprising, but what was really distressing is that the data went back for an entire year, it wasn’t encrypted, and the data was synced to your computer. Simply by downloading a small piece of software, you could see that data visualized.
Apple actually addressed what data they were collecting and why and then released an iOS update to scale back their data collection, but the guys who initially discovered this, Alasdair Allan and Pete Warden, hit the nail on the head with why it’s still a disturbing situation:
What’s so bad about this?
The most immediate problem is that this data is stored in an easily-readable form on your machine. Any other program you run or user with access to your machine can look through it.
The more fundamental problem is that Apple are collecting this information at all. Cell-phone providers collect similar data almost inevitably as part of their operations, but it’s kept behind their firewall. It normally requires a court order to gain access to it, whereas this is available to anyone who can get their hands on your phone or computer.
By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.
And it’s not just Apple: Android phones, Windows phones, and even mobile apps are collecting data about you. Apple and Google will both attend a hearing on mobile privacy before the Senate Judiciary Subcommittee on Privacy, Technology, and the Law this week–just as Google is being sued for Android’s location tracking. And it’s even crazier than Apple’s tracking:
More disconcerting, however, is the fact that Android devices collect “its location every few seconds and transmitted the data to Google at least several times an hour,” according to research by security expert Samy Kamkar. Google said it uses this data for a variety of uses, but unlike Apple, Android attaches a unique ID number to the data. While that ID number is effectively random and can’t be directly linked to a particular device or user, it is possible to analyze such data and correlate it to particular individuals using increasingly advanced “deanonymization” techniques.
That is bonkers. It is completely nuts that companies are able to collect all of this information without any sort of informed consent–and that we are not more up in arms about it.
The safety of collected data
So say you’re okay with corporations of various sorts collecting data about you and you’re okay with what they’re doing with the data. Do you trust that your data is safe? Last month, a company called Epsilon (which sends 40 billion marketing emails a year on behalf of other companies like Target, Hilton, Citi, and LL Bean) had customer data stolen, including email addresses.
What this means is that if you gave Target your email address and didn’t uncheck enough boxes, they gave your email address (and name and whatever else they knew about you) to Epsilon so they could send you marketing emails from Target. But now that Epsilon’s data has been stolen–that’s your information, by the way–whoever those data thieves were, they now have your information. Maybe you trusted Target–but did you trust Epsilon? And who has your information now?
April was just a terrible month for data security, apparently, because it’s also when the PlayStation Network was hacked. Sony actually shut down their servers–completely halting online gaming for PS3 or PSP users–to ferret out exactly what had happened, but admitted that hackers had access to names, birthdays, email addresses, physical addresses, PSN passwords and logins and handles and online IDs, and maybe even credit card information. Sony also waited nearly a week after they discovered the breach before they notified anyone of what had happened. So if you used the PlayStation Network, now you have to be on the lookout for additional privacy incursions, for other scams, and for suspicious credit card activity.
So what information are you giving companies? And how much do you really trust those companies?
Amazon and privacy–and libraries
This erosion of our expectation of privacy is even starting to affect libraries. While I’m excited that Amazon has finally decided to play nice with libraries and allow library ebook lending on the Kindle via OverDrive, Amazon collects all kinds of data about Kindle users and seems to plan to continue to do so even in a library setting. Sarah of Librarian in Black has a lot of questions about Kindle Library Lending, including some about patron privacy, and Josh Hadro blogged for Library Journal about privacy concerns.
In short: if a Kindle owner downloads a library ebook and makes annotations while he or she is reading, after the checkout period has expired, those annotations will still persist, so if the patron downloads the ebook again or buys the ebook, the annotations will also persist in the ebook. That sounds like a cool feature for lovers of marginalia, but man oh man, as a librarian does that worry me. We don’t save patron data beyond what we have to (like, you know, your name and address). We do not have a record of every book you’ve ever checked out–and that’s a good thing, because if the FBI comes calling, we don’t have anything to give them, so you can read whatever you want. Amazon? Not as dedicated to your privacy. It’s in the name of a cool feature you will like, but they’re a for-profit corporation, so rest assured that they’re doing it for their own benefit at least as much as yours.
And details aren’t available yet, but what if this isn’t something you can opt out of? How do you choose privacy then?
Demand privacy, don’t just choose it
So yes, there’s something to be said for knowing how to customize your Facebook privacy settings (since, according to the New York Times, “the web means the end of forgetting”). But more than that, I think we need to be asking why Facebook never deletes images from their servers, what they’re doing with our personal information (sharing it with other companies? Selling it to other companies? Making money off of us by selling targeted ads?), and why, so frequently, having any expectation of privacy requires opting out rather than opting in, or completely avoiding companies and services altogether. (The LA Times has an interesting article on some of the creepy data collection that goes on online and what’s being done about it.)
We need to ask our legislators to lobby for laws (find your representatives in the House or the Senate) that would prevent cell phone companies (and even mobile app creators) from collecting data about where we are and what we’re doing and what other data we have on our phone–all without telling us they’re doing it. We need to push for the FTC to actually get with the times and do something about the collection of private data.
It’s not even enough to be notified that our data is being collected, especially since that doesn’t tell us what it’s being used for. We need to demand better safeguards and encryption for the data about us that is being collected. We need to not just accept the system we have and make superficial choices within that, but change the structure of the entire system. We need to not choose privacy, but demand it.
Edit: check out this TEDxObserver talk by Cory Doctorow about how we’re trained to divulge personal details for perceived rewards and about getting kids to care about online privacy.