AT&T reborn, Former Death Star now Net Nanny

This is a great article about what AT and T is going to do; monitor every bit of information that goes across its network. Oh sure, we’ve known for a while that they do this for the government, but apparently now they are doing it for the RIAA (recording industry) and MPAA (film industry). If this feels a little strange, maybe it’s because it reverses the idea of innocent until proven guilty (granted that is for govt. and no such principal necessarily applies to private industry). The article does a great job of pointing out that the telecoms pushed for (and got) a protection from liability for providing material (as opposed to what happened to Napster or Grokster) assuming that they had no part in deciding what it was. This would seem to contravene that. This also brings in an interesting question about which is more important as a service provider; serving your customers, or helping another industry. If free enterprise is correct, then this knowledge should mean terrible impacts on AT and T’s financial (as the article predicts). If not, then we have a profound example of user’s naïveté about privacy and control measures that is destined to play itself out with potentially unfortunate consequences in the future (the TIA program’s plant to use letter carriers as agents for the govt. and then later firefighters comes to mind as such things in the govt. sector). As for how the public will react, and if AT and T will suffer any measurable financial impact, only the future will tell.

Don’t Go Towards the Light – Facebook and Beacon

Recently it has been hard to keep on top of the unfolding problems at Facebook. For those who are unaware of what Facebook is, it is a social networking site popular amongst college students. Of course, this didn’t send them into the netherworld or online privacy issues. No their problems started with their privacy policy. Most importantly what it didn’t say. What it didn’t say is that facebook employees might just be browsing your online activity (that Facebook tracks) for their own entertainment. Now that might some issues but that at least the caveat emptor of privacy policies. In an age where people narrowly tailor their privacy policies, it then falls to the user to think of all the things that a company could do with their information and decide if they want their information used that way before accepting the terms of the service (and many companies change their privacy policy at will and without notice). This is an interesting bent on contracts and informed consent. The contract is being modified at any time and without notice (note: most sites do this, not just Facebook). Furthermore, this is a one sided contract modification (much like the strategy credit card companies use). There is no negotiation and there is probably a serious question as to whether both sides are agreeing on the contract with the new policy (I know of more than one company that get’s people to agree to changes in the employee handbook before they get to see it!). Although concerning, this probably pales in comparison to the recent brouhaha over their Beacon software.

Beacon is Facebook’s advertising platform. Facebook tracks its user’s actions on the web (and off their site). It then posted this information for all to see on their page. This meant, if you had a friend that wanted a new GPS for xmas and you went to buy it for them online, they might see that you just made the purchase on your page (whoops, surprise gone). Worse yet, what if you wanted a GPS and so did someone else and they told you they weren’t buying gifts this year, or were doing something else but you could see they bought one for someone else). This policy was Opt out so it was on be default. When news of this broke, Facebook turned off this feature; sort of. Turns out, they didn’t turn it off at all, they just turned of the reporting part of it. So they were still tracking you, you just couldn’t see they were doing it so visibly. Finally Facebook let users completely opt-out of the system.

Opt-out has become the mantra of the marketing industry (assuming tacit acceptance of their practices). There is an interesting debate about this in the tech. community about if it is better to use Technology to stop such things (NoScript and AdBlocker can be used to block Beacon completely (for the moment) if you have FireFox while others say that policy should be implemented to stop such actions. Finally there are those who feel that consumer pressure will drive this (I got an email from one Social networking site saying how they would never implement such a system (of course there is some bitter irony there since they sent me that email without my permission though a spam posting on another social networking site). Which solution will work best (policy, technology or market pressure) is an interesting debate; each with its own merits. What is clear, is that what is in place now is not working.

Security or Transparency; different views of privacy

When it comes to dealing with private information, there tends to be two paradigms that I hear espoused most frequently; secrecy and transparency. Those who favor the secrecy paradigm believe that information needs to remain hidden from others. People who subscribe to this paradigm tend to be those who we might have usually considered privacy advocates. From this point of view comes most of the writings that you find on the topic of privacy. Implicit in most discussions of the secrecy view of privacy is that information needs to be kept secret from all other parties.

It is easy to see how to support this view; people point to the tracking information used by government databases, marketing lists and nosey neighbors as evidence of need for privacy. Stories such as how the Nazi’s used public records to track Jews are often used to show the dangers in government consolidation of private information. What is less clear is how the transparency paradigm works.

On the other side of this discussion is the idea that transparency may be the best way to deal security. This is an interesting model since it relies on two things, acquiescence to power and belief in benevolent (or controllable) leadership. In this case the idea is that certain pieces of data need to be inspected as part of contractual obligations, legal mandates or national interests. In such situations, it isn’t that the information needs to be protected from all viewers, but that the dissemination, or use of that data beyond defined limits should be banned or protected though civil litigation.

Some examples of these two views in action are Amazon.com and British Petroleum. Amazon.com has a large set of (sometimes onerous) remote access and data protection measures that are intended to protect the integrity of Amazon.com’s intellectual property. Like may high tech companies, Amazon is concerned that anyone might access it’s data inappropriately and thus has erected major hurdles to accessing this information (Hurdles that exist for those that legitimately want to access it as well).

On the other side of this discussion is British Petroleum. BP has decided to take some of its critical system (like email) and have them hosted by third parties (making them far easier to access from a governmental and legal discovery aspect). BP makes a compelling argument that any of these resources could be “discovered” though governmental powers or legal subpoenas so spending money and resources to “hide” these assets is not very valuable. In their mind, the money it would cost to implement such functions is not worth the cost.

Clearly other organizations take a different view. What is interesting is that this view is a bit like other models we see. From CEO of Sun Microsystems saying “Privacy is dead, get over it” to the explosion of social networking sites like MySpace, Orkut, Friendster and Facebook; it does appear that people do feel ok giving more of their personal information that would have been discoverable though general detective work online.

When might this matter? This week it was discovered that the NSA sought to setup warrantless wiretapping of Americans. This isn’t much of a revelation since the White House stated that this was done in a response to the 9/11 attacks. For better or worse, most Americans accepted this as a trade off of liberty for temporary security, but it now appears that this program was started before 9/11. This is a big shift from what we’ve heard before. Under the secrecy paradigm, this would be quite concerning. Effort would be spend investigating and trying to change laws to roll back this system. On the other hand, if the transparence (or disclosure) paradigm were the idea from the start, there would be no issue, worry or cost to such an action.

Some people might point out that the “transparency” view is really just a pretty package around the loss of privacy. I would point out that there are important distinctions that are part of this view though. All information is not public, it is simply managed differently. Liability would apply to its abuse while the efficient transfer of this information could facilitate the efficient adjudication of issues and protection of citizens. At the root of this view is the belief in differentiating what you want to hide and the benevolence in those that hold this information. Ultimately it’s a matter of trust and accountability. Secrecy has always been about trust, the transparency paradigm shifts the thinking around trust from a “me against the world” to an “us against the others”. Different organizations (and people) are choosing to act on each of these philosophies. Time will tell us, which works best for society.