Law in the Internet Society

StacyMarquezSecondPaper 3 - 27 Jan 2012 - Main.StacyMarquez
Line: 1 to 1
 
META TOPICPARENT name="SecondPaper"
Changed:
<
<

Current Response to Unbeknown Cell and Internet Tracking

>
>

Current Response to Covert Tracking of Consumer Cell and Internet Usage

 
Changed:
<
<
Not a good title. "Unbeknown Cell Tracking" could work in one of the other branches of our common Teutonic languages, Dutch or German say, where participles perform wonders, but it doesn't make English. It seems to mean "current responses to covert network tracking," which is too indefinite. Indeed, as we discover, two different things each called "tracking" are being conflated.

Despite the recent attention being paid to issues of customer tracking and surveillance, the proposed legislative responses and probability of a pending lawsuit success leave much to be desired. There are different options that may better address the egregious void of consumer protection that is not keeping up with technological innovation.

This is entirely obscure. Everything here is referred to rather than told, so no one but a mindreader could know at this stage what you're talking about, which is not a good state to leave the reader at the end of an essay's introduction. She will invariably proceed with you no further under those circumstances.
>
>
Despite the recent revelation that consumers' actions online are under heavy surveillance and tracking, the proposed legislative responses and probability of a pending lawsuit success leave much to be desired because companies claim they are merely collecting the statistics to improve internal service. There are different options that may better address the egregious void of consumer protection that is not keeping pace with technological innovation, namely a conversion of the current opt-out regime to one of opting-in.
 

Recent Sources of Disclosure:

Changed:
<
<
Senator Jay Rockefeller issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited “disturbing” reports about Facebook’s ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent. The statement followed a USA Today article regarding Facebook’s tracking practices that provides insight into how Facebook uses cookies and other technologies to track the browsing patterns of members and non-members, and suggests that the company has the ability to track members even after they log out of the Facebook website. Senator Rockefeller’s statement came shortly after media reports that Facebook and the Federal Trade Commission are close to reaching a settlement over charges that Facebook misled users about its use of their personal information. See Facebook Tracking Is Under Scrutiny, USA Today, 11/15/11.
>
>
Senator Jay Rockefeller issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited "disturbing" reports about Facebook's ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent. The statement followed a USA Today article regarding Facebook's tracking practices that provides insight into how Facebook uses cookies and other technologies to track the browsing patterns of members and non-members, and suggests that the company has the ability to track members even after they log out of the Facebook website. Here, "tracking" means that all the businesses have instrumented the Web so that uninformed consumers using browsers that have been peddled to them as "the Internet," and which are full of technical "features" that help people spy on them, are being spied on all the time as they move from one horrendous for-profit website to another. Senator Rockefeller's statement came shortly after media reports that Facebook and the Federal Trade Commission are close to reaching a settlement over charges that Facebook misled users about its use of their personal information. See Facebook Tracking Is Under Scrutiny, USA Today, 11/15/11. However, there is some concern that the admonishment being paid to Facebook won't provide any real relief to victimized consumers, which is why moving the system outside a for-profit regime would be the most effective protection of complete consumer privacy. Advancements in the private sector, such as the Freedom Box, would provide consumers with an alternative to for-profit exploitation of their personal data.
 
Changed:
<
<
Okay, so this is a story about how a Senator tried to attract some attention for legislation that won't move in either chamber of Congress this session, which would establish a totally non-functional "do not track list" that you don't discuss, which wouldn't do anything about the problem for which the FTC is getting ready to agree not to slap Facebook's wrist as long as they don't do again a tiny portion of the real problem that you don't explain and that no one has any intention of doing anything about. Here, "tracking" means that all the businesses have instrumented the Web so that uninformed consumers using browsers that have been peddled to them as "the Internet," and which are full of technical "features" that help people spy on them, are being spied on all the time as they move from one horrendous for-profit website to another.

Neither Senator Rockefeller—who in truth has not the slightest idea—nor you explain to the reader what is being done, or how to prevent it by using technology better. Nor do you feel it's worth pointing out that doing something about this more effective than the FTC pretend wrist-slap is why the Freedom Box is trying to exist.

Separately, Trevor Eckhart, a private security researcher, detected the Carrier IQ software while watching the packet traffic inside an enterprise network he manages. Eckhart then reviewed Carrier IQ’s privacy policy that states that its products, “work within the privacy policies of our end customers.” Eckhart found the privacy policy both “suspicious and alarming,” so he published his research on Carrier IQ and backed it up with copies of the Carrier IQ research manuals. Eckhart’s concerns were 1) whether the app tracked all data ever input and whether the data is logged or transmitted and 2) whether the data tracked can actually identify individual mobile users. Carrier IQ responded to Eckhart with a cease and desist letter and threatened to sue him for copyright infringement for his reference to their manuals. Carrier IQ apologized only after the Electronic Frontier Foundation informed them that Eckhart’s research is protected as free speech. See Carrier IQ Gets Scrooged for the Holidays, InformationWeek, 12/3/11.

And this is a story about how mobile phones that use unfree proprietary software in them that no one is allowed to change or understand have code in them that spies on the people who use the phones without their knowledge or permission, and does so in very aggressive ways. You don't explain that this is why the free software movement says that you can't really have freedom in society without free software once society is digitized. You don't say that if phones were made of free software anyone who knew how could find spyware hidden in phone software, and they could also immediately and effectively take it out, and share that fix with everybody else. That's how we achieve better levels of operational security than unfree software, protecting users' privacy, at almost no cost.

But while this might be a good way to explain the value of free software, which you don't mention at all, it hasn't anything to do with the first example, except that in both cases consumers who use stuff they don't understand are being hurt by that, because the unfree technology they don't understand is working for somebody else who understands much better than they do. As usual, that means the rich will get richer and the poor will work harder scrubbing their toilets for less. But hey, they'll eventually have enough for an iPhone.

>
>
Another example of consumers using products with software that is potentially harmful to their privacy interests came from Trevor Eckhart, a private security researcher, who detected the Carrier IQ software while watching the packet traffic inside an enterprise network he manages. Eckhart then reviewed Carrier IQ's privacy policy that states that its products, "work within the privacy policies of our end customers." Eckhart found the privacy policy both "suspicious and alarming," so he published his research on Carrier IQ and backed it up with copies of the Carrier IQ research manuals. Eckhart's concerns were 1) whether the app tracked all data ever input and whether the data is logged or transmitted and 2) whether the data tracked can actually identify individual mobile users. Carrier IQ responded to Eckhart with a cease and desist letter and threatened to sue him for copyright infringement for his reference to their manuals. Carrier IQ apologized only after the Electronic Frontier Foundation, in coordination with the Software Freedom Law Center, informed them that Eckhart's research is protected as free speech. See Carrier IQ Gets Scrooged for the Holidays, InformationWeek, 12/3/11.
 
Changed:
<
<
But you don't want to talk about that. You want to talk about some legislative proposal, and maybe a court case that might happen?

>
>
Mobile phones that use unfree proprietary software, that no one is allowed to change or understand, have code in them that spies on the people who use the phones without their knowledge or permission, and does so in very aggressive ways. The free software movement maintains that you can't really have freedom in society without free software once society is digitized. If phones were made of free software anyone who knew how to could find spyware hidden in phone software, and they could also immediately and effectively take it out, and share that fix with everybody else. That's how we achieve better levels of operational security than unfree software, protecting users' privacy, at almost no cost.
 

Reactions to Protect or Maintain Privacy:

Legislative Proposals

Changed:
<
<
Senator Rockefeller introduced the “Do-Not-Track Online Act of 2011”. The Act instructs the Federal Trade Commission to promulgate regulations that would 1) create standards for the implementation of a “Do Not Track” mechanism that enable individuals to express a desire to not be tracked online and 2) prohibit online service providers from tracking individuals who express such a desire. The regulations would allow online service providers to track individuals who do not want to be tracked only if 1) the tracking is necessary to provide a service requested by the individual (and the individuals’ information is made anonymous or deleted after the service is provided), or 2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.
>
>
Senator Rockefeller introduced the "Do-Not-Track Online Act of 2011". The Act instructs the Federal Trade Commission to promulgate regulations that would 1) create standards for the implementation of a "Do Not Track" mechanism that enable individuals to express a desire to not be tracked online and 2) prohibit online service providers from tracking individuals who express such a desire. The regulations would allow online service providers to track individuals who do not want to be tracked only if 1) the tracking is necessary to provide a service requested by the individual (and the individuals' information is made anonymous or deleted after the service is provided), or 2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.
 In developing the standards for the Do Not Track mechanism, the Act requires the FTC to take several factors into consideration, including 1) the scope of the standards, 2) the technical feasibility and costs of implementing and complying with a Do Not Track mechanism, 3) existing Do Not Track mechanisms that have already been developed and 4) how a Do Not Track mechanism should be publicized. The Act gives the FTC the power to enforce the rules pertaining to a Do Not Track mechanism by treating violations as unfair and deceptive acts or practices, and authorizes state attorneys general to bring civil actions for violations of the Act. The Act sets forth civil penalties of up to $16,000 per day for violations, with a maximum total liability of $15,000,000.
Changed:
<
<
You could have just pointed in one link to the Congressional Research Summary of the legislation you took this from. But you don't explain why all of this is a charade, having no technical reality at all. You don't address any of the arguments I made when I testified on the House side on the equivalent bill in December 2010, when Facebook tried to have my testimony censored. I only mention that because I think you'd have mentioned it if you'd found it, and if you didn't find it you didn't really do the background work on the legislation that you should have done, which may explain why you don't know how to explain to the reader how totally silly and unimportant it is.

Judicial Recourse

In response to Eckhart’s revelation, mobile phone customers sued AT&T, Sprint, Apple and T-Mobile as well as Carrier IQ claiming that the tracking software installed on their phones violates U.S. wiretapping and computer fraud laws and seeking compensatory and punitive damages. See Pacilli v. Carrier IQ, U.S. District Court, District of Delaware (Wilmington). Violations of federal wiretap laws prohibit willful interception of wire or electronic communication and can result in $100 of damages a day per violation; that number combined with the 150 million phones assumed to contain the software could result in damages totaling $150,000,000,000. In order to succeed on their claim, however, defendants will have to address the fact that Carrier IQ asserts the software is designed to help improve service performance and that the company doesn’t sell personal subscriber information to third parties.

This is, meantime, a completely different situation. Here you are reporting that some people have filed a complaint. No one has presented any evidence, indeed no one has even heard a motion to dismiss, so it's a little early to make any statements about the law or the facts. You say, though you don't explain why, that proving a violation of the wilful interception statute requires proving that the interceptor wasn't trying to improve service, or that the interceptor sells the information wrongly acquired to third parties. But I should think it would indeed be possible for the people you called "defendants" (you meant "plaintiffs") not to address either of these factual allegations and still state a claim on which relief could be granted. If those were the allegations contained in the affidavit of counsel accompanying defendant's motion to dismiss in this litigation, I wouldn't think counsel had much on his side.

So I think what passes for legal analysis here is sloppy, and wasn't edited well. If the essay is about this situation, instead of being about the various other things it takes up, fixing this would be very important. But I have the feeling it makes more sense to leave it out.

>
>
While the Act seems to make real strides in protecting consumer privacy online and on cell phones, this act has no technical reality behind it, and would merely result in a charade of consumer protection. The regulations would result in the equivalent of a "Do Not Call" list, which would simply not be useful in these different technological circumstances. These considerations lead to the conclusion that Senator Rockefeller's proposal is more of a political move, designed to engender his favor with both savvy tech companies and naive constituents simultaneously.
 

Recommendations:

Changed:
<
<
The Gramm-Leach-Bliley Act (GLB), 15 U.S.C. 6801 et seq., incidentally requires that companies develop and abide by privacy notices, but GLB could do much more in the way of structuring the content that is required by them. For instance, Trevor Eckhart was quoted as saying, “This data should be subject to some kind of clear privacy policy. Without that clarification, he argues, the software is simply a rootkit: unwanted, hidden, hard to delete, but running with root level access.” Carrier IQ Gets Scrooged for the Holidays, InformationWeek, 12/3/11. The current mandate issued by the GLB only requires that the company have a notice, and does not structure the format or content of the policies which can range from general blanket statements to unattainable promises that provide the user with little true understanding of the use to which their information will be put.
>
>
The Gramm-Leach-Bliley Act (GLB), 15 U.S.C. 6801 et seq., incidentally requires that companies develop and abide by privacy notices, but GLB could do much more in the way of structuring the content that is required by them. For instance, Trevor Eckhart was quoted as saying, "This data should be subject to some kind of clear privacy policy. Without that clarification, he argues, the software is simply a rootkit: unwanted, hidden, hard to delete, but running with root level access." Carrier IQ Gets Scrooged for the Holidays, InformationWeek, 12/3/11. The current mandate issued by the GLB only requires that the company have a notice, and does not structure the format or content of the policies which can range from general blanket statements to unattainable promises that provide the user with little true understanding of the use to which their information will be put. The purpose behind the GLB was mainly to address financial issues relating to the breakdown of the Glass-Steagall wall and the concomitant financial danger that ensued, so it is probably not the best vehicle to address issues of consumer privacy protection. Instead, it would be more appropriate for the FCC to use its statutory authority to tell carriers that they can't subsidize the placement of phones on their networks that have rootkits inside of which consumers are unaware.

Eckhart also went on record stating that companies should, "Let all handset owners see a copy of everything you've collected about them and ensure that they know when the app is running on their phones and give them the freedom to deactivate it." Id. While the last suggestion may contend with the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1202 if someone attempts to apply the DMCA to prevent the consumer from overriding a technical protection mechanism to remove malware, it would still be possible to comply with his first request of making the information available to the consumer so they are more educated about what is entailed in the browsing and communication choices they make. Further, the DMCA has been widely criticized as contravening public policy, impeding competition and innovation and interfering with computer intrusion laws.

 
Changed:
<
<
Maybe this is about whether to change a statute that's actually about something else (repealing the prohibition against merger of investment and commercial banking: the purpose of GLB was to create the immense danger to the financial economy that almost immediately materialized in 2008). But more likely it's about something that could be dealt with more simply. FCC surely already has all the statutory authority it needs to tell carriers they can't subsidize the placement of phones on their networks that have rootkits in them consumers don't know about. FCC could in fact tell everybody to use free software in phones, so that we'd all know exactly what our phones do, and we'd be able to take any malware out of them. Why should we amend a statute we should never have made in the first place, that repealed a very important protection against the kind of insane predatory finance capitalism that blew up in 2008, in order to deal with a problem that FCC can administratively handle, and this or other civil litigation can make so profoundly bothersome to the carriers that they will themselves move to abate?

Eckhart also went on record stating that companies should, “Let all handset owners see a copy of everything you’ve collected about them and ensure that they know when the app is running on their phones… Give them the freedom to deactivate it.” Id. While the last suggestion is in direct contention with the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1202, it would still be possible to comply with his first request of making the information available to the consumer so they are more educated about what is entailed in the browsing and communication choices they make. Further, the DMCA has been widely criticized as contravening public policy, impeding competition and innovation and interfering with computer intrusion laws.

No, his suggestion is not "in contention" with DMCA, unless someone attempts to apply the DMCA to prevent the consumer from overriding a technical protection mechanism to remove malware. But it's true that it would make sense for there to be a DMCA exemption for this situation, and in fact the quadrennial DMCA exemption proceeding is now going on at Library of Congress, which is actually part of the Commerce Department. Oh, and I see that there are two parties asking for such a DMCA exemption, the Electronic Frontier Foundation, and the Software Freedom Law Center, run by .... Eben Moglen. So I suppose you'd have mentioned that if you'd found it, just to be polite, and inasmuch as you haven't mentioned it I think you probably didn't find that, which means you might not have looked into this situation very thoroughly.

Other legislative options include mandating that companies cannot require consent in order to use their website, though this is likely politically infeasible.

This has to do with the other situation, which is different, as I've mentioned, and it's confusing to go from one to the other suddenly without so much as a transition. And what sense would it make to say that Amazon can't require consent to use its website to buy things? Is there someone who would use Amazon's website to buy things who would not consent to use Amazon's website? Are you sure you've thought through this "politically impossible" suggestion, whose difficulties strike me as more than just political?

For companies that distribute their privacy notices online, it is quite common for them to require the customer to check a box to indicate their acceptance of the policy before they are allowed access to the site they desire to visit. See Money & the Law: Technology Raises New Privacy Concerns, The Gazette, 12/2/11. In most cases, this could be read as something close to a contract of adhesion, which is presented as a standard form on a take-it-or-leave-it basis where one party does not have an ability to negotiate because of an unequal bargaining position.

And? Is there someone out there who thinks that the way we should work the Web is for everyone to establish individually their terms of service with each web service, through custom contracts directly negotiated between the parties? So there is no alternative to form agreements, though there are any number of possible arrangements for the automated negotiation of privacy requirements within the context of any given web service. Which—along with the fact that you're imagining that we live in an "opt-in" world where operators have any current reason to require consent, we actually live in an "opt-out" world in which they don't—means that privacy policies themselves are much less attractive than the technologies of web services as a domain in which to make real progress in respecting privacy. Hence, among many other similar initiatives, Freedom Box.
>
>
For companies that distribute their privacy notices online, it is quite common for them to require the customer to check a box to indicate their acceptance of the policy before they are allowed access to the site they desire to visit. See Money & the Law: Technology Raises New Privacy Concerns, The Gazette, 12/2/11. In most cases, this could be read as something close to a contract of adhesion, which is presented as a standard form on a take-it-or-leave-it basis where one party does not have an ability to negotiate because of an unequal bargaining position. While there may not be room for custom contracts to be negotiated between the parties, there are a number of possible arrangements for the automated negotiation of privacy requirements within the context of any given web service that could be engineered to garner more consumer protection. Finally, privacy policies would be much more specific and detailed if we switched our privacy regime to an opt-in system, as opposed to our current opt-out framework, where consumers considering opting-in would have the correct disclosure incentives and consumers would have more knowledge of the use to which their personal data is being put.
 
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.

Revision 3r3 - 27 Jan 2012 - 18:10:55 - StacyMarquez
Revision 2r2 - 21 Jan 2012 - 21:51:32 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.