Signing online increasingly means signing away your privacy
“Stop spreading lies about Iran on Facebook,” hissed the message written in Farsi and sent to Hamid, an Iranian-American graduate in California. We know where to find you, the anonymous writer warned: “Watch out, we will come after you.” Hamid was shocked: he thought the change he’d made to his Facebook photo – replacing it with a symbol of solidarity with the Iranian opposition – could be viewed only by people he’d “friended”. But Hamid hadn’t counted on Facebook changing its privacy settings to make specific personal information (like lists of friends and profile pictures) publicly available.
Welcome to the downside of social media and the Arab Spring. Over and over, we’ve read glowing accounts of how people power, via Facebook, Twitter, YouTube and Skype, has toppled one dictator after another: assemble 3,000 people in a public space at noon? No problem. Disseminate photos of a government’s bloody atrocities even before the foreign press gets there? Done.
But, as author Lori Andrews hammers home in her alarming new book I Know Who You Are and I Saw What You Did, people power carries a price: the stripping-away of our right to privacy, our right not to have our personal data shared with a jealous ex-boyfriend, a potential employer, a police investigator.
“We’ve all been herded peacefully into Facebook Nation without adequate consideration of our right of privacy or even our rights of property,” writes Andrews, a law professor and director of the Institute for Science, Law and Technology at the Illinois Institute of Technology in Chicago. “In every other setting, we’d have a commercial property right over photos we took or missives we wrote, but in Facebook Nation, the company is commercialising our postings.”
Facebook is obviously the big dog here; with 845 million active users, Mark Zuckerberg’s social network, were it a country, would be the world’s third largest, behind only China and India. Locally, the UAE has the highest – 54 per cent – Facebook penetration in the Middle East: 2.8 million users at last count, and growing. Yet when questions arise over online privacy, Facebook is hardly alone. Shortly after Andrews’s book was published, the American media reported that Google had found a way to spy on consumers’ searches on iPhones and iPads, even after users had imposed blocks. An alert Stanford University graduate student named Jonathan Mayer discovered that Google had installed computer code that bypassed privacy settings on Apple’s Safari browser – despite consumers’ confidence in them.
Last weekend the US media revealed that Android phones can secretly copy photos and post them on the web. We already knew that Apple mobile devices can access a customer’s photo library. But Google, which makes Android’s mobile operating system, goes to the next level: if an app can send data over the internet, it can copy that person’s photos to a remote server without permission.
Certainly few users of social media know the degree to which Facebook et al. have been collecting their information. Almost all of us are aware of “cookies”, those lines of code that alert advertisers to web pages we’ve visited and the products we’ve bought online and that allow advertisers the opportunity to customise the ads that they send us. But such “behavioural advertising” isn’t as benign as it seems, Andrews points out. “Weblining” can occur, denying opportunities – like credit card and mortgage terms – to people based on their digital practices alone. And it gets worse: how many of us have heard of the other tools of the spyware trade: web beacons, data aggregators, deep packet inspection, “scraping”? How many of us know exactly what these tools do?
The author astounds us with those stories, which are the most compelling aspect of her book. We read about a divorced woman who, because she posted lewd comments on her new boyfriend’s MySpace page, lost custody of her child. We meet a second woman, Lynn, who was browsing photos, on a stranger’s public page, of her Disneyland dream wedding when she noticed something familiar about the groom. In fact he was Lynn’s own husband, and he was two-timing both wives (and committing the crime of bigamy into the bargain).
More stories? The state of Texas installed surveillance cameras along the Texas-Mexico border, then invited viewers to monitor the footage for illegal immigrants and drug traffickers. (The $2 million Texas spent on the project resulted in only 26 arrests and a bunch of emails about armadillos crossing the border.) Then there is the computer program that searches for the word “vacation” on social network site postings, identifying empty homes just ripe for the picking by thieves; and the 24-year-old teacher who posted a photo of herself drinking beer during an Irish brewery tour and was summarily dismissed from her job ... the anecdotes, the evidence stretch on and on.
“Our digital identities on the web – email, personal websites, and social media pages – are starting to overshadow our physical identities,” Andrews frets in her book. “As we work and chat and date over the web, we are creating a digital profile of ourselves that redefines us – and could come back to haunt us.”
Scott McNealy, the co-founder of Sun Microsystems, once famously summed up the situation this way: “You have zero privacy anyway. Get over it.”
But internet users aren’t getting over it. A 2010 UAE survey by Real Opinions found that 76 per cent of internet users believed their searches for products and their visits to websites should not be monitored without express permission. Interestingly though, 60 per cent of those surveyed also favoured behavioural targeting, showing that their qualms about privacy don’t necessarily rule out their positive views towards customised content.
Nevertheless, consumers across the globe are angry that when they do defend their privacy by disabling cookies on their browsers, the websites they use don’t run as well.
Those same consumers are also angry when employers ask for their screen names and passwords to social network sites. And those in America can’t believe that the Internal Revenue Service searches Facebook and MySpace profiles for evidence of taxable transactions. They’re stunned that “data aggregators” collect information on half a billion people around the world. Data aggregators like Checkpoint and Acxiom gather details about individuals into reports and then sell this intelligence to businesses and government agencies. If you’re unfamiliar with Acxiom, you’re not alone. Its former president calls it “the biggest company you’ve never heard of”.
Thankfully, there is progress to report: in the United States, on February 22, the Obama administration announced voluntary guidelines to protect consumer privacy online. These guidelines say users should have more control over information collected on them and how it’s used. Consumers should be able to correct false information about themselves and to limit information collected about their children. According to the document. “Consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” Obama said in a statement. “As the internet evolves, consumer trust is essential for the continued growth of the digital economy.”
Although the guidelines are voluntary and contain no “do not track” rule, Google, Yahoo!, Microsoft and AOL have all agreed voluntarily to embed a “do not track” button in their web browsers. This will allow users to opt-out of behavioural tracking systems. However, no one is cheering just yet: the watchdog group Electronic Privacy Information Center (Epic) praised the principles but cautioned that the challenge will be “implementation and enforcement.” Similarly, the Electronic Frontier Foundation warned that advertisers might tweak their terms of service and continue to track unwitting users, away from public view. Furthermore, there is some confusion as to what “do not track” even actually means.
In the global environment, meanwhile, the Obama principles are seen as bringing the US more in line with existing European Union regulation that limits online companies from collecting more data than is needed for a transaction. The EU further requires companies to ensure that data is accurate and to set a time frame for identifiable databases. Those rules are also being tightened: in January, the EU overhauled its privacy rules to give agencies overseeing data protection in its 27 countries the authority to sanction companies that violate proposed requirements for handling personal information.
Meanwhile, back in the US, trouble of another kind is already looming. Effective from the first of this month, Google was poised to unify privacy settings for 60 different services, from YouTube videos to mobile devices using Android software. Google has defended the changes, saying they make its procedures easier to understand. But Epic rejected that explanation, filing a lawsuit to persuade the US Federal Trade Commission to intervene. Thirty-six state attorneys general also signed a joint letter of protest, saying Google’s new policy will deny consumers choices about pooling their data.
To restore choices to consumers, Andrews, in I Know Who You Are and I Saw What You Did, puts forward her own solution: a “Social Network Constitution”. The author’s proposed document, posted on her website, calls for “The Right to Connect”; “The Right to Free Speech and Freedom of Expression”; The Right to Privacy of Place and Information”; “The Right to Privacy of Thoughts, Emotions, and Sentiments”; “The Right to Control One’s Image”; “The Right to a Fair Trial”; “The Right to an Untainted Jury”; “The Right to Due Process of Law and the Right to Notice”; “Freedom from Discrimination”; and “Freedom of Association”.
Andrews tackles each proposed right, providing stories of both horror and hope, and updates on how states and agencies are responding. For the rights to a fair trial, an untainted jury, and due process, Andrews describes, for instance, a Cleveland, Ohio, judge who posted anonymously on The Plain Dealer newspaper’s website. No big deal there, except that the judge, Shirley Strickland Saffold, wrote opinions about cases she was presiding over.
In Georgia, another judge, Ernest “Bucky” Woods, contacted a defendant in his court (charged with theft by deception) and offered advice on her case. He convinced the local district attorney to defer the woman’s prosecution until she could pay off her debts, and according to emails, also may have visited her apartment and helped out with her rent.
In Britain, meanwhile, a juror went on Facebook to describe a sexual assault and abduction case she was involved in and asked friends to weigh in on which way she should vote.
Andrews doesn’t miss the cultural divide here, among young people who have been practically raised online: “With a generation gap around the use of social networks, new mechanisms need to be put into place to make sure that jurors refrain from seeking and disseminating information related to a case,” she writes. Accordingly, her proposed Social Network Constitution covers the right to an untainted jury, as well as a fair trial, specifying that evidence from social networks may be collected only if there is probable cause and a warrant has been issued.
The very notion of collecting evidence online is fraught with danger: the US Constitution prohibits “unreasonable searches,” yet in a 2010 survey of 727 law enforcement agencies across 48 states, 62 per cent acknowledged using social networks in criminal investigations. In some scenarios such action might catch a true criminal, but what about the American youth Andrews describes who was convicted of drink-driving that resulted in an injury. The youth was hardly guiltless, yet he probably received a heavier sentence than he might have because of Facebook photos, presented at trial, of him dressed for Halloween as a “jailbird”, complete with prison-style garb. The defendant just wasn’t taking his case seriously, the prosecutor argued; and the judge agreed.
Andrews does not. “Our Social Network Constitution should apply the right to privacy to forbid social network dragnets unless there is probable cause to think a crime has been committed,” she writes. “Dragnet” is the operative word here; people post stupid stuff on Facebook all the time, so when they end up in a legal bind, they need assurances that those indiscretions won’t ultimately wreck their lives.
And sometimes the dragnet strategy – going looking for a crime without any evidence that one exists – gets much worse than “youthful indiscretions”. New York has been buzzing since the Associated Press reported that thousands of law-abiding Muslim Americans have been under surveillance by the New York Police Department, via their websites and student blogs at New York University, Columbia, Yale, and other institutions of higher learning.
One thing in social networks’ favour is that generally legal systems haven’t been particularly aggressive on privacy rights. “What reasonable person would have had an expectation of privacy for a posting on a social network?,” a California appellate court opined in 2009.
But shouldn’t certain social networks and websites be held to the same standards as publishers? Shouldn’t they be liable for defamation and other tort crimes stemming from damage to people resulting from material published on their pages? Case in point: a British schoolteacher, Celia Blay, in 2007 uncovered the true identity of “Cami”, a seemingly sympathetic nurse who counselled suicidal young people on Facebook. The trouble was that “Cami” convinced three of them to enter a suicide pact with her. Two actually killed themselves, one in front of a webcam.
“Cami” personally never went through with the pact, of course. “She” was a he – a Minnesotan named William Francis Melchert-Dinkel with voyeuristic tendencies. Yet despite his despicable acts, the British whistle-blower, Celia Blay, was unable for years to see him prosecuted. The reason: Canada, where the second suicide victim lived, refused to consider her online correspondence with Melchert-Dinkel a significant factor in her death. Only in 2011 did a Minnesota judge find a legal argument substantial enough to override Melchert-Dinkel’s free speech defence and sentence the man to almost a year in prison and prohibit him from using the internet without express consent.
The Cami case is an extreme of what can go wrong on the internet. But Andrews, Epic and others have all written about the many other scenarios that water down our glee over social media’s successes in the Arab Spring. When we read, for example, of the 2010 study reporting that 20 per cent of children in the US, aged 10 to 18, had been cyber-bullied, we have to give pause for thought. The US is hardly alone here: in 2010, the Abu Dhabi Education Council felt the need to include cyberbullying in its new guidelines about student behaviour.
As Andrews points out: “Currently, people’s rights on Facebook shift at the whim of Mark Zuckerberg.” This is the young man, of course, who’s poised to enter the ranks of the mega-wealthy, once his company goes public. This is a guy whose company has been experimenting with facial recognition software without users’ permission and who has who-knows-what future ventures planned
that may further strip away our online privacy rights, even as Facebook’s “nation” increases, in the near future, to a billion people worldwide.
“Imagine having access to the political views, sexual preferences, relationships, tastes, foibles, emotional states, workplace attitudes, etc. of a billion people,” Andrews writes, quoting Richard Power in the journal CSO: Security and Risk. No government, corporation or geopolitical alliance could pull that off, Power notes. Yet Zuckerberg already has.
It is my opinion that we should all say a big collective “no” to that. The more developed that the web and mobile electronic devices become, the more our “second self” develops in digital form. We need to figure out as a society whether we really want the ads we click or the products we buy online to limit how we’re perceived in future transactions with employers, banks and credit agencies and even personal relationships. That’s why the notion of an opt-out button has to become an enforceable rule of internet life so we can be free to make commercial decisions without feeling that someone is forever looking over our shoulders.
Invasion of privacy by other people is trickier. No one’s freedom of speech should be abridged in the process. But vigilance by the internet community is key, to head off cyberbullying of our children; the kind of intimidation that Hamid suffered on Facebook; and horrific instances like the American who talked people into taking their own lives.
If we all pay attention, then maybe, just maybe, through official efforts, activism by watchdog groups, and even consideration of Lori Andrews’s Social Network Constitution, Facebook’s founder can ultimately be stopped. Certainly we have to try.
Joan Oleck is a freelance writer based in Brooklyn, New York.
Published: March 9, 2012 04:00 AM