Law in the Internet Society

YuShiFirstPaper 7 - 11 Jul 2010 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
(Revised and Ready for Review)
Line: 14 to 14
 As a risk-averse person myself, I am more often than not sympathetic to the “better safe than sorry” school of thought. Deactivating one’s Facebook account for EIP, however, seemed absurd even to me. Although Facebook certainly has more than its share of privacy loopholes, it does have privacy settings that one can adjust so that only a selected group of people is able to view the profile. Most of the people who deactivated their account already had their profiles set to “private” anyway, limiting their information to just their friends. The only way, then, an employer could have seen their profile would be to ask one of the student’s friends to look at it and report back any shady findings. That is by all means a highly-unlikely scenario. Circumspection is one thing, but to think that a law firm will take the effort to find out who your friends are, then to contact that friend for information about you, and finally to have your friend agree to sabotage you by consenting to deliver unseemly information about you to the firm borders on absurdity.
Added:
>
>
Yes, perhaps. But because Facebook's business model, and its incredibly bad technology, means that there's only one kind of friend, people who have been building networks of "friends" in law firms by accepting or initiating contacts inside law firms have also put all their personal lives inside those law firms, even if only their "friends" can see it. (There's no architectural reason why social sharing has to be designed that way, but Facebook offers an outstandingly bad implementation.) So there's plenty of opportunity for informal diffusion of information into unintended locales even if people know how to manage what little residual control Facebook allows them.
 

Group 2. Privacy Views: Apathetic

In direct contrast to the previous group, the apathetic ones know that their information is probably not secure online, but they just do not care. They have public Facebook profiles, with links to their blogs (not privatized), and even their full dates of birth shown. All their photos are, of course, also open to public viewing. People in this group usually defend their nonchalance by saying that they only post innocuous content on their personal pages, or that they are too insignificant for anyone to want to “target” them in any way that might be threatening.

Changed:
<
<
With the growing sophistication of identity theft, it is naïve to think that such complete disclosure of personal information can be forever harmless. In the summer of 2008, about 5,000 current and former Columbia undergraduates were notified that a security breach resulted in their private information being exposed for a period of time. The breached information alone may not have been enough to pose significant danger to the affected people, but if combined with additional data such as one’s hometown and date of birth (taken from public Facebook profiles), an identify thief could have wrecked substantial damage on someone’s good name. Public Facebook profiles leave the door open for such attacks, and there is no justification for why someone cannot take three seconds to modify their Facebook privacy settings so that their profiles are only visible to friends.
>
>
With the growing sophistication of identity theft, it is naïve to think that such complete disclosure of personal information can be forever harmless. In the summer of 2008, about 5,000 current and former Columbia undergraduates were notified that a security breach resulted in their private information being exposed for a period of time. The breached information alone may not have been enough to pose significant danger to the affected people, but if combined with additional data such as one’s hometown and date of birth (taken from public Facebook profiles), an identify thief could have wrecked substantial damage on someone’s good name. Public Facebook profiles leave the door open for such attacks, and there is no justification for why someone cannot take three seconds to modify their Facebook privacy settings so that their profiles are only visible to friends.
 
Added:
>
>
Identity theft is not a retail matter. Credit card numbers, SS#s, maiden names and all the other relevant data allowing fraudulent purchases or (until lately) the initiation of fraudulent loans are circulated in buckets of thousands or tens of thousands, not units, having been stolen from places where one breach yields the whole database, not photographs of someone using a beer bong. Retail intrusion such as you are imagining people could protect themselves against by changing privacy settings (which is puerile, because a real attempt against a person will involve simply hacking the Facebook account by stealing the target's almost certainly non-random Facebook password) has a direct motive behind it, and will not be deterred in the slightest by the sort of trivial "protection" Facebook affords. Putting things you wouldn't want your most motivated and most destructive enemy to know in someone else's commercially-managed, ill-secured database is a recipe for disaster unless your worst enemy is a technically-illiterate eight-year-old who spends all her time in church.
 

An Amorphous Fear

Changed:
<
<
While a sizable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is. The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post, and it is certainly not as real as a thief breaking into one’s house and taking confidential files. Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.
>
>
While a sizable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is.
 
Added:
>
>
Which is true because they are carefully not educated in what the threats are, which is in turn true because money and power don't want them to understand what the threats are because money means to make money, and power means to make power, out of their ignorance. Your essay, so far, does nothing whatever to disturb that process of embedding ignorance, because you haven't described for the reader what the threats actually are or what to do about them. That you can fancy you are writing seriously about privacy threats and responses while implying that Facebook-using is consonant with even minimal respect for privacy is demonstrative.

The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post,

It's much more tangible. The lamppost is visible only to people who happen to be close enough to read what's on it. The data you put carelessly on the net is visible to everyone on earth.

and it is certainly not as real as a thief breaking into one’s house and taking confidential files.

Burglary is hard and risky. Data-stealing is easy and almost entirely riskless.

Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.

So you should be providing a clear understanding of the actual threats and what to do about them. I explained both in class, and here you are obfuscating them again.
 

What Can We Do?

Changed:
<
<
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in an informed manner is to become as informed as possible. Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from? By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.
>
>
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in an informed manner is to become as informed as possible.

But you're not informing anybody, are you?
 
Added:
>
>
Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from?
  \ No newline at end of file
Added:
>
>
They get it from the one big ill-secured database run for the purpose of spying on you that you voluntarily decided to put all your social data in for no good reason. The right response is to move your social data out of that big unsecured centralized database.

By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.

But that would be ignorance, and you're recommending it.

My response to the first draft was that you needed a more ambitious theme, not a less informative and more obscurantist one. A naive reader facing this draft would know nothing helpful she didn't know before reading it. A knowledgeable reader could only conclude either that you are yourself ignorant or that you are deliberately white-washing Facebook. Either way, the knowledgeable reader, like the naive one, has gained nothing.

I still think what you need here is more ambition. If this is the topic, then the ambition should be to learn more facts and imagine fewer ones. In my own view, this "in the middle-ism" between what you think of as paranoia (and which isn't even moderate concern for privacy, just cluelessness) and utter heedlessness is a poorly-chosen vantage. You should be speaking from actual expertise about something you fully understand because you have learned about it in detail. I taught a course meant to enable such a vantage for you, but perhaps I did it poorly. If you want to talk more about the matter, let's make an appointment.


Revision 7r7 - 11 Jul 2010 - 14:12:35 - EbenMoglen
Revision 6r6 - 02 Jun 2010 - 23:11:16 - YuShi
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.