BLOG | MAY, 2009
We Have Unrealistic Expectations of Privacy
by Christopher
"Your webmail is less under your control than it would be if you downloaded your mail to your computer. If you use Salesforce.com, you're relying on that company to keep your data private. If you use Google Docs, you're relying on Google. This is why the Electronic Privacy Information Center recently filed a complaint with the Federal Trade Commission: many of us are relying on Google's security, but we don't know what it is. This is new. Twenty years ago, if someone wanted to look through your correspondence, he had to break into your house. Now, he can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your office; now it's on a computer owned by a telephone company. Your financial accounts are on remote websites protected only by passwords; your credit history is collected, stored, and sold by companies you don't even know exist."

Even though these services offer the convenience of not being tied to one machine, I ultimately think the problems that come with that convenience should rightfully cause us to reconsider our priorities. In previous posts on privacy, two particular concepts have come up again and again. The first is ownership. In my post about how your social media profiles are not really private, the following comment from the thread is indicative:
"When you have something on the computer in your house, it is protected by the Fourth Amendment. If you put something on a computer owned by Facebook, it is not protected by the Fourth Amendment. It is only protected in some cases—email has a law that protects email and medical data has a law that protects medical data, and there are laws governing banking records. Specific laws protect certain types of data, but by changing the way we do computing so that all of our data is stored in the cloud we are effectively moving all of our personal data out of our houses and into big data warehouses, and we are erasing a line from the Bill of Rights. We may decide that we want to do that, but I want to make sure that we do not do it casually."

What he's saying is that laws protecting data were crafted around our common-sense understanding of what we own when we physically possess it. Yes, intellectual property law provides plenty of nuance in this regard, but what I'm talking about here is the transition from personal data storage to corporate data storage. It makes sense to anyone that if you have a hard drive in your home with data on it, that data is protected on your behalf by the Constitution. The assumption is that the same protection applies to the same data when you willingly store it on Google's servers, but that assumption is wrong. As Bruce Schneier goes on to say in his post, "This isn't a technological problem; it's a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries." He's right. It is a legal problem, but I'm not sure that adapting the Fourth Amendment to account for "the cloud" is the only solution worth discussing. There have got to be other approaches.
For instance, Nolan and I discussed the idea of keeping all your data locally on your own machine, but creating some kind of protected protocol that lets you share particular pieces of data with services like Facebook. Of course, the privacy issues are still at play. We'd have to beef up the security on your machine to make sure that whatever means we employ to connect it to Facebook does not become a vulnerability for the rest of the machine. Also, how is the data protected in transit between your machine and its final destination on Facebook's (or any other "cloud" service's) server? No matter what we decide to do, we need to make sure that we are deliberately making that decision. I think the low turnout of "voters" in Facebook's recent "democratic" privacy settings vote shows that people may be disgruntled about these issues, but are still fairly complacent when it comes to actually doing anything about them.
Chris,
Glad you enjoyed the article.
I actually did a little research on that idea that we talked about and I had completely forgotten about the Data Portability Project.
It looks like it may have similar goals in mind, which means that people are thinking about the problem and doing something about it.
Nolan,
This looks great. What they say on their vision page is describing exactly what you and I discussed- hopefully it can be done. Thanks for the link!
Chris
It seems pretty straightforward to just not put anything you don't want public on a social network. I don't think we need new laws, we just need to share less stuff.
Chris, you say, "Why do we get the terms of the exchange but still expect ownership?" But isn't that precisely what we understand by getting the terms of the exchange- that we don't own it? I don't think there's as much of a privacy problem as you think. People seem pretty content to just throw their stuff into a big melting pot and let the companies do what they want around it. So long as the tools work, it's a pretty symbiotic relationship.
@Ralph, I hear what you're saying, but I don't think the issue is that simple. What you're talking about speaks to the second issue, that of the intentionality of critical policy making. I think our culture is pretty enthralled with sharing of content over social networks at this point, and barring a significant backlash (who knows, it could happen), we're going to have to address policy to protect people.
@Alex, I don't think so. People get the terms of the exchange- they say things like, "I don't mind the ads on my gmail account." But the "my" is what concerns me. My gmail account is not really mine; it's mine in name only. The exchange almost distracts from the critical issue of ownership, which is why there are all kinds of court cases where personal data stored on an ISP server or a social network is now available without warrant (and incriminating) that would not have been available when it was stored on a person's home computer. Another example is with Facebook, where their terms keep quite ambiguous what actually happens when you "delete" some content from your profile. They seem to prefer the term "remove," which does not confirm whether your content is gone from their servers, not just your page.
You are becoming a privacy policy wonk!
Bob, Wikipedia defines "wonk" as: An overly studious or hard-working person; A persnickety person who overly focuses on details; A nerd or an expert. I'm not sure I qualify for the expert part, but I guess I can accept the rest. Thanks?
Clearly, there needs to be a firmer distinction drawn between content on Facebook and documents you create with Google Docs -- both in the courts and in articles such as this one. If I upload pics to FB, obviously, my intention is to share them. No one uses FB as an external storage drive. Who I want to share them with, in the case of FB, should be up to me, but it is content that has been explicitly designated as public, to some extent or another. FB can probably use them as content for their remarketing, based on their T&Cs, which I believe is just wrong, but it's not as if they "own" the content in the traditional sense either. My awesome picture of a landscape Photoshop-ed together with my sister's wedding pic riding on top of a buffalo is not something FB can make 10,000 copies of and sell on the street, or to Getty as stock imagery, or Hallmark for a greeting card.
The issue with Google is entirely different. There is CLEARLY an expectation of privacy and ownership when I'm drafting sensitive documents for my own use... or writing my great american novel... Google doesn't "own" the rights to either one. And I believe, neither should they have easy access to either one... much like bank employees can't just rifle through your safe-deposit box... or self-storage employees can't sift through your stuff in a space you've rented (though I'm convinced they do:). Google is a little different (and more like the safe-deposit example) than FB in that there is, in many cases, payment for services rendered (as there is with my Yahoo premium email account, incidentally, though I haven't gone through the T&Cs to see if they expect to read and steal all of my excellent 1-liners and hysterical forwards).
Essentially, some combination of the courts, users, and providers need to establish, without confusion, what the intent and expectation of site/server/application usage is up-front and not in tiny, ridiculously long legalese. This probably won't happen until someone high-profile gets royally screwed by one of these giants, but it will. They should get out in front of it while they can.
@JwD, I think you're on to something in terms of the ownership issue. Your comparison to the self-storage facility is not quite clear since, as you point out, the customer pays for the space and can maintain a lock on it. With most of the services I mentioned, the user is not paying for the storage at all. The transaction is implied based upon ad revenue models. But, as you rightly point out, the expectation of ownership is there! Unfortunately, these companies have the ability to set up extensive terms and conditions using esoteric "legalese" that they assume (rightly, I suspect) that nobody will read. Ultimately, though, I do agree that this will have to be decided by some precedent-setting case of some kind...
Yes, but payment for services rendered is only a small part of the issue, and revenue model is somewhat beside the point. Google Docs, I believe, has a payment component to their model, as does Yahoo Premium mail, but that doesn't mean FB gets to do whatever they want because it's free. Privacy and ownership should not be predicated on the exchange of money, but rather, as mentioned, on the _expectation_ of privacy and ownership. As well, and necessarily, the definition of both of those terms requires stricter definition before a meaningful discussion of either can move forward. Great conversation, though, and keep pushing it!
To second @JwD, yes, keep pushing it! Internet privacy is going to be the issue of the decade- it's just too bad it already has been the issue of the past decade but nobody noticed.