Sunday, July 29, 2007

C is for Cookie

If you grew up with Sesame Street then you probably remember that Cookie Monster (that lovable, blue-haired, cookie-eating machine) loved cookies. Alas, the cookies in your web browser are a bit different. For those who are unaware, cookies are one of the ways that a web site can save little bits of information to your computer. These bits of information are stored so that websites can remember things about you.

Although there are other ways to track users online (Flash super cookie, Windows Media Player user ID, XML data islands, etc.), cookies are by far the most common. (Why you might care about this is dealt with in my post about behavior-based marketing, which will go up next week.) The concern for privacy comes in two ways: one is the cookies on your machine, and the other is what sites do with your cookies. A cookie from a site, by definition, means that you were on that site (unless you’ve placed a fake cookie on your machine to make it look like you were there, which is quite uncommon). Some hackers will try to steal, or corrupt, your cookies to create desired effects (access to webmail accounts, for instance). Sites will use the cookies to know when you are coming back to them.

Cookies come in several varieties: session cookies, 1st party cookies and 3rd party cookies. Session cookies are cookies that are only good for the time you are using your web browser. Once you close your web browser, those cookies are gone (or expired). 1st party cookies are cookies that are sent by a site to your machine for that site (cookies should only be returned to the sites that sent them to you, though hackers sometimes get around this). 3rd party cookies are cookies set by sites that you aren’t on but that are showing you material (the most common use of this is advertising on a site that comes from an advertiser but is shown on a different site). All cookies have the ability to set an expiration date after which they are no longer valid. Many sites will set these far off into the future.
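To make the varieties above concrete, here is an added example (not part of the original post) that reads `Set-Cookie` headers and labels each cookie as session, persistent or expired, and as 1st or 3rd party relative to the page being viewed. The hosts, cookie names and dates are constructed, and a "site" is approximated by the last two labels of the hostname, which is a simplifying assumption.

```javascript
// Constructed sample data throughout: hosts, cookie names, values and dates.
// Approximate a "site" as the last two DNS labels of a hostname.
// Assumption: real browsers use the Public Suffix List (this breaks on co.uk).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq === -1) throw new Error('not a name=value cookie: ' + header);
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? '' : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), attrs };
}

// pageHost: site in the address bar; setByHost: host whose response set the cookie.
function classify(header, pageHost, setByHost, now) {
  const { name, attrs } = parseSetCookie(header);
  let expires = null;
  if ('max-age' in attrs) { // Max-Age takes precedence over Expires
    expires = new Date(now.getTime() + Number.parseInt(attrs['max-age'], 10) * 1000);
  } else if ('expires' in attrs) {
    expires = new Date(attrs.expires);
  }
  if (expires !== null && Number.isNaN(expires.getTime())) expires = null; // unparsable: ignore
  const days = expires === null ? null : Math.round((expires - now) / 86400000);
  const lifetime = days === null ? 'session' : expires <= now ? 'expired' : 'persistent';
  const party = siteOf(pageHost) === siteOf(setByHost) ? 'first' : 'third';
  return { name, party, lifetime, days };
}

const NOW = new Date('2007-07-29T00:00:00Z');
const PAGE = 'news.example.com';
const SAMPLE = [ // [Set-Cookie value, host that sent it]
  ['SID=abc123; Path=/', 'news.example.com'],
  ['prefs=lang-en; Expires=Wed, 29 Jul 2037 00:00:00 GMT; Path=/', 'www.example.com'],
  ['uid=77f0; Max-Age=31536000; Path=/', 'ads.example.net'],
  ['old=1; Max-Age=0', 'news.example.com'],
];

function report() {
  return SAMPLE.map(([header, host]) => classify(header, PAGE, host, NOW));
}
console.table(report());
```

The `days` column shows how far into the future a cookie is set to live, which is the quickest way to spot the long-lived 3rd party identifiers the post is concerned with.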

Many browsers now give you the ability to manage cookies in various ways, though (according to someone I spoke to in internet marketing) most people do not alter their cookie settings, so marketers don’t worry about the small fraction of users that do. Each user can decide what they want to block or allow (making this automatic or having it prompt you each time. Note: prompting sounds like it gives you the most options but is really a pain in the butt; try it and you’ll see). You usually can choose to always block (or allow) cookies from various sites (and some sites won’t let you use them without having cookies enabled). One thing most people don’t realize is that if you choose to block (or allow) cookies from a particular site, that information is stored on your machine. If someone were to search your machine they could tell what sites you had been to (or not) based upon which cookies you chose to block or accept. This information is generally not transmitted across the net (unless your machine is hacked), so someone would need physical access to your machine to obtain this information, but it is a trail for those that are concerned about such things.

In general it is important to understand how information is tracked about you and your browsing activities. There are easy ways to limit this tracking, and cookies are the primary way websites do it. If you are concerned, you can disable these technologies in most browsers, but many of these measures greatly diminish your online experience. Examples of these measures are: always clearing your cache, not accepting cookies, not installing plug-ins/add-ons like Windows Media Player or Flash, disabling JavaScript, etc.

Sunday, July 22, 2007

I'm Telling: The Conflicts of Privacy and a Free Press

So one of the things that wasn't immediately obvious to me before reading A Right to Privacy is the conflict between a free press and privacy. The best example I have of this is the paparazzi and celebrities. On a level most of us are more familiar with, think of it as your best friend who told a secret you told them in 6th grade. In both cases, information you would rather have kept secret is now very public. The question that this raises is what limits there are on the press' ability to print information (or someone's ability to speak information). In general we have laws that protect against the spreading of untruthful information (slander and libel), and this is one of the major differences between our sense of free speech and that in Britain (where if the speech causes economic harm, you are liable for it, even if it is true). So, there is “free speech”, but not “speech that is free from consequences”, if it is false. Well, what if that “speech” is true, but obtained by questionable means (eavesdropping on your phone calls, reading your emails, searching your trash, etc.)? This is where we get into the interesting bits. It may be a low-grade move to go ask your neighbors if they notice anything about you (such as John Ashcroft’s TIPS program), or intercept your Internet transmissions (such as the Carnivore System used by the FBI), but how do you protect such information (like being on a DC madam's call list http://www.dcphonelist.com/ or responding to an ad on CraigsList http://www.encyclopediadramatica.com/index.php/RFJason_CL_Experiment) from becoming public? In general we have the belief that we don't have an expectation of privacy in information that we give away freely, but even that theory is flawed, as in the case of giving your social security number to an employer or filing a tax return (one of the other factors is whether the information is considered of public interest, which tends to have an impact on celebrities but not on “regular folks”). So how do we draw the line?
That is a question that is left up to our legislators. The press is, in most cases, not state run, so the 4th and 14th amendments don't apply to it. In a society of totally free press and free information, there would be no secrets (think of an Orwellian dystopia where the govt. runs the newspaper). In a society with total privacy, there would be no freedom of speech (think of it like an extrapolated version of Cheney's energy commission).

Sunday, July 15, 2007

Caller ID: A Profile In How An Issue Can Change

So by now we are all well acquainted with caller ID: the technology that allows you to see what number is calling you before you pick up the phone. Originally this technology was sold to people at an added cost as a way to screen calls and do away with “crank” calls. Users could “opt out” of the system by dialing *67 before calling a number to show as unlisted on the recipient’s caller ID. The phone companies then sold additional services to permanently block your number (a nice way to get you coming and going, though this is really no different than paying to have your number unlisted). At the time people opposed the idea of caller ID on the grounds that it would be used as a means of discrimination. The examples given were that organizations, like banks, would use the data to route calls from low-income areas to call lines with fewer representatives. Nonetheless, caller ID became a standard feature on most phone plans, and to my knowledge there haven’t been any large cases of such segmentation happening (mostly, I would presume, since banks have found better ways to segment, such as asking for your acct. number when you call and then routing you based upon the credit rating they have given you).

One important distinction with the caller ID implementation was that although you could block your number when you called someone, you could not block it from the government. This was justified by the need for criminal investigations and finding 911 callers.

It didn’t take long for phone phreaks (think of them as the hackers of today, only they focused on manipulating phone systems and had their heyday in the 80s and 90s) to figure out how this system worked and how to manipulate it. At first this was through phone redirectors (such as calling card dialups), but these always showed the number that was the dialup (much like calling cards today or calls from a corporate PBX). Since even this gave away some information, other people found ways to double transmit the caller ID info to overwrite the original signal with new data, or loop through a PBX programmed to send whatever caller ID info the caller wanted (services like this are still advertised on the internet). It didn’t take long for telemarketers to pick up these techniques as a way to get people to answer their phones (this was pre-call block list). Because of this spoofing, various laws were considered to make spoofing your caller ID information a crime (in my mind this is a little like saying we would prosecute John Jay, Alexander Hamilton and James Madison (the writers of the Federalist Papers) for signing them PUBLIUS, or for not identifying yourself to the police (strangely enough there was a case on this where the court said you do have to give your name to the police (2004 Supreme Court decision in the Hiibel case))).

Today concerns about phone numbers being used for discrimination are mostly assuaged, given the ubiquitous use of cell phones, number portability, and pay-as-you-go SIM cards, which make phone numbers almost meaningless. There are new issues arising though. Some services (twitter.com is an obvious example) rely on caller ID as a personal identifier (login credentials). Caller ID spoofing allows people to manipulate such tools, and the government is moving (along with private groups) to stop this. It is a trade-off of anonymity for utility. What should be most concerning is how this evolution of technology has kept one thing stable: government control. With each step in this process, the public has given up some of its privacy/anonymity in exchange for not just security, but in some cases convenience (a common theme in privacy issues). What is more disturbing is that with each of these steps, the government has been able to protect its interests. In a way this allows the government to ensure that private groups cannot oppose it, because they have a different set of rules to play by than the rest of us.

In hindsight, caller ID is an interesting case: it’s gone from a screening tool, and fears of discrimination, to a tool of identification that legislation is meant to keep from being faked. It is a technology that can be hidden from private parties, but not the government (and in that is the concern). Information in the hands of a benevolent government can forward the public interest, but if such a government were to want to use that information against its people, having such access allows another level of control over the population. Our forefathers designed a country to have protected rights because they had grave concerns about the abuses of power by the government. We should think about what tradeoffs we are making with our decisions and how those decisions shift the balance of power.

Monday, July 9, 2007

Cordless Phones: All your base (stations) belong to us

Everyone knows that eavesdropping isn’t polite. We’ve also all had the experience of accidentally overhearing something in a conversation (in many cases out of context). Since we can hardly hold people accountable for hearing what others say within earshot, we are usually on our own to protect our privacy in such situations. This becomes a bit more complicated when you put a phone into the mix. The transmission of a phone conversation across the telephone lines is a protected form of confidential speech, and recording such conversations is illegal without consent (in some states you need one party’s consent (or a judge’s order); in others, like California, you need both parties’ consent (or a judge’s order)). These wiretapping provisions also applied to wireless phone transmissions. What is interesting is that although the government may need a warrant to listen in to your wired phone conversations (called land lines), they (eavesdroppers) do not need one to listen in to your wireless calls (http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/119/sections/section_2510_notes.html). This is because the law says so, but as a practical matter it is because wireless calls are broadcast and thus anyone who can receive that broadcast can listen in to what you are saying. Since you are broadcasting, you have no reasonable expectation of privacy (we’ll talk more about this in another posting).

In the 80s and 90s this meant not only that government listening to people’s phone calls became much easier, but that private parties could listen in with greater ease (note, there is a distinction between what people/govt. can do, and what they can do legally. Recording something might put you (or the govt.) afoul of some laws, but it doesn’t stop information gathering, legal or otherwise). In many cases people would take a cordless phone handset and walk around their neighborhoods (a radio scanner would work as well) and just switch channels until they tuned into someone’s conversation. The handset method also allowed people to pick up unused base stations (where your phone rests to recharge) and use their line to make long distance calls for free (or local calls that were much harder to trace to the person making the call). Several advancements over the years have made this more difficult. Phones have moved to new frequencies (higher frequencies mean people need newer equipment to listen in, but the greater the range of your phone, the farther away an eavesdropper can be). Phones also started blocking the base station if the phone was in the charger (a modest improvement). Another improvement was frequency hopping (exactly what it sounds like). Perhaps the biggest change was the move to spread spectrum technology.

Spread spectrum technology spreads the conversation out over the entire frequency band. This prevents traditional monitoring tactics as any one frequency doesn’t show enough signal to make it appear that there is anything being transmitted. This technology was used by the military in WWII and only in the 90s became civilian use technology.

What is of note about all of these changes is that all of them are still able to be intercepted (though private parties have to jump through more, and more expensive, hoops to continue to eavesdrop, government surveillance still has the ability to listen in without the burdens of a warrant that land lines require). What is also worthy of note is that although the technology has evolved, the one thing that would seem to be the most effective way to protect the privacy of phone users (encryption) has never been offered (another article will discuss encryption of communications).

From the user’s perspective, the critical thing here is that you are most protected from privacy invasion in your phone calls by using traditional land line communications. When you add the convenience of wireless, you are giving up some of the potential privacy of your conversation.

Sunday, July 1, 2007

If privacy is so important, why didn’t our founding fathers write it into the Constitution or the Bill of Rights?

Ok, let’s start the way all my favorite folks started, by answering a question with a question. That question is, “How many of our founding fathers signed the original Declaration of Independence?” Seems simple, right? After all, we’ve seen that document with that big John Hancock signature at the bottom. But how many of them signed the original document? The question is a bit of a trick, since we know there is a huge list (56) of them that eventually signed it. The trick is that they signed it in August, after the first draft was distributed (the original was only signed by two people). Why? Well, for one, because signing such a document would be considered an act of treason, and as Benjamin Franklin reminded those at the signing, “We must all hang together, or we shall surely hang separately.” The privacy and anonymity of their thoughts and speech was clearly something that was top of mind for these men.

The Supreme Court has referred to a right of privacy on many occasions, and in most of these the fourth amendment is the usual starting point. For those that are trying to remember their civics lessons, that’s the one that says that you should be protected from unreasonable search and seizure (technically this only applied to the federal government, but the 14th amendment expanded this to protection from state governments as well).

This is where it gets much grayer. Some people view the fourth amendment as meaning what it says, with no logical extrapolation or allowances for changes in technology. Others feel that it expresses intent and should expand to encompass new technologies and realities. The Supreme Court over the years has expressed opinions running the gamut on this issue, so it is safe to say that this is an undecided issue (as an aside, Roe v. Wade is actually based on a right to privacy). Thus, this is where the debate about whether we have a right to privacy or not, and to what extent it goes, comes from. In later blogs we will look at what this means from the standpoint of private citizens and corporations (which the law treats as citizens).