thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Wednesday, November 29, 2006

Who Controls the "Dog" that You are Online?

Slate has published a nice and polemical column by Kinsley about how the public display of people's lives on the internet has changed in the last ten years. He reminds us of the famous cartoon by Peter Steiner "On the Internet, nobody knows you're a dog", first published in The New Yorker in July 1993.

Nowadays, it seems that everybody wants everybody else to know not only that they're a dog, but also which kind of dog, where they live, which dogfood they like, and who their dog buddies are. It started already in Web1.0, but social platforms like Myspace or Facebook on the one hand, and free blogging services like this one here on the other, have made it much easier for everybody to publish online without having to know HTML codes or how to use an FTP server. And of course, publishing includes publishing things about themselves. This is a common theme among the people who think about what privacy and anonymity used to be, and it is not limited to the internet.
TV shows like "Big Brother" or others also are based on the principle of showing private details to the general audience. At a privacy congress I co-organized in 2002, we already had this as a theme in the opening session, and that was long before Web2.0. (The German documentation is here.)

But Kinsley and a lot of others always miss three important points.

First, the problem is not that people publish information about themselves. This is free speech, and I would always fight for everybody's right to be able to do it. But that does not mean that I also want to have to do it myself. The privacy problems do not lie in the fact that people become more outspoken about themselves (which is just one side-effect of the current neoliberal model of society, where everybody is his own entrepreneur), but in the extent to which people are forced to publish about themselves - socially, legally or economically.

Second, what the online community still has to learn is the fact that just because something is online somewhere about someone else, it is not automatically appropriate to tell everybody else everywhere about this. This is what Helen Nissenbaum has called "contextual integrity": My buddies at Myspace meet me there in my private role, where things that are relevant and expected are much different from what my boss should see if he's looking for my professional online behaviour, e.g. at our institute's website. Different information about people is relevant and should be used in different contexts. In the old times, people called it politeness and discretion, and it included the fact that gossiping was highly regulated through social norms. We still have to learn how to use information about others in an appropriate way in the new online contexts - even if it is theoretically out there for all the world to see.

Third, all this relates to what people publish about themselves. It's a totally different thing if I publish information about myself, or if others collect, store, transfer, and use information about me. In the latter case, I have much less control over it (even under strong European data protection law). Even more important, some data that is collected is much more detailed than I would ever publish or even write down for myself. Cookies, referrers and other technologies allow others to track which websites I visit, how long I read them, where I go next, which ads I click and so on. This is the shift from transactional data in the offline world (e.g. credit card bills when I go shopping) to behavioural data that now is produced in the online world (how often I return to a website, when I read a specific blog etc.). So it's both the amount of data and the information it reveals that is becoming much bigger, and it's the ability of companies to collect this even without my knowledge. This is where the real transformation of and threat to privacy through the internet lies.

Saturday, November 18, 2006

Stefan Brands on User-Centric Identity Management and Privacy

A very nice presentation (and short summary) on the dangers of the current frenzy of "user-centric" ID-management. Stefan looks at how
"the data subject is in essence contributing to “super-federation”,"
thereby weakening instead of improving privacy and user control. He provides a number of criteria to assess if any identity-management system actually protects privacy. It's one of the best pieces on the subject I've seen so far. Stefan should re-formulate his criteria into the "laws of privacy-friendly identity", as they are much more to the point than the Ontario ones.

Reputation Systems and the Social Function of Lying

Reputation systems are part of what I would call Web 3.0. They don't just connect people (like many web2.0 platforms do), but they also add some information on the semantic layer of the links. Examples are microformats like XFN or FOAF, self-managed platforms like claimID, or outsourcing and "let lawyers deal with this" services like Reputation Defender. And of course there are the built-in reputation systems in platforms like eBay or Amazon that allow users to rate others' payment or delivery morale.

Ok - long preface just to say that Alice Marwick at has started to write about reputation systems and their inherent problems. (She also provides a link to the Reputation Research Network with a long list of academic papers on the subject.)

My favourite quote, which really hits the mark:
"We have a wide variety of social norms and social practices built up around avoiding being honest about our friends."
This reminds me of one of the old classics of sociology. Georg Simmel wrote about the value of secrets for the functioning of modern and complex societies - exactly 100 years ago and still worth a read. And always a good counter-argument to the "nothing to hide"-statements against privacy that have become way too popular recently.

Thursday, November 09, 2006

Reputation Defender or: Privacy 2.0 as a business model

A company called Reputation Defender is offering an interesting service:
"We scour the Internet to dig up every possible piece of information about you and present it in an interactive monthly report."
They scan social networks like MySpace or Facebook, professional review websites, blogs, news sources, pics and videos at Flickr, YouTube, etc. and
"millions of additional sites on the 'open Internet.'"
All for $15.95 a month. So it sounds like they know how to use Google and Technorati. Wow. But it gets better: They have lawyers!
"If we find an item of online content you don't like, we'll carry out our proprietary DESTROY process for you on that item for the one-time low fee of $29.95. This is where the rubber hits the road. It is an arduous and time-consuming process for our team of specialists, but we work hard so you can sleep better at night. You don't pay this till you command us to DESTROY unwanted online content."
Which probably means they send automated cease-and-desist letters (also called "nastygrams") in the manner of the recording industry mafia.

I don't particularly dislike this offer, though I may sound like it (which is probably because their wording is just over the top). I do think it is yet another sign that people feel there is a business case in protecting privacy. Which is a good thing. I only wonder how much they would ask for getting all the information about us that is not on the web, but in large corporate data warehouses. I also wonder how they will deal with the obvious "censorship" accusation, especially if they want to target news sites and bloggers. Anyway, the Privacy 2.0 bubble is growing, it seems.

Surveillance, Identity, and Reputation Management in Games and Reality

I stumbled over two unrelated blog posts today, which I immediately connected in my privacy-driven mind. The first is Jamie Lewis from the Burton Group linking to Esther Dyson's report of a company called Seriosity. They have developed a reputation and attention management system that works like in-world currencies in online games, e.g. Linden Dollars in Second Life. The idea for this is actually very old and dates back to tribal palaver cultures. It has been brought to the Western world through more recent innovative moderation techniques. We used a similar method once at a meeting in Berlin, where people could donate cinnamon sticks worth a minute each to people they thought should be listened to more. It's really cool when some of the celebrities run out of sticks and no-one is willing to donate any more for them. The thing with Seriosity is that it can and will be used to do some company-wide rating of employees. And here you get the privacy issues again. Cinnamon-sticks are context-sensitive, and their flows are not recorded. But Serios - that's what the currency in Seriosity is called - flow through a corporate server, and in the end might make a full rating of all employees possible. This rating comes from the other employees, not from any automated system. But it might be used for automatically sorting the employees into categories like "overachiever" or "slowpoke", and possibly establishing a performance-based salary system with it. This might in the end turn into a corporate culture where the attention you get is more important than the actual work you do. It certainly encourages the more extrovert personalities.

The other post is from Michael Zimmer who reports from the Society for Social Studies of Science (4S) annual meeting in Vancouver last week. He sat in on a "fascinating panel" on surveillance in massive multiplayer online games, called "Discipline and Punish: The Game". From the panel abstract:
"Because surveillance in these spaces can be absolute, with every character’s movement, communication, and decision logged, recorded, and subject to reproduction, it becomes increasingly important to understand both the productive uses of such technologies, as well as the potential effects on how players perceive the worlds they play and such experiences might transfer to broader questions of surveillance in contemporary society."
Having looked at the literature on digital identity over the last few months, I noticed a number of loose and unconnected ends: In the mid-nineties, people like Sherry Turkle wrote about the distributed, postmodern self that allows for different roles in different online and offline worlds. Then, people turned to the prejudices and stereotypes from the real world and how they are reproduced in online worlds that would not necessarily need these limitations. The recent literature on identity management looked at how real identities (the ones of real persons) are established and mirrored in online spaces. With the merging of online and offline spaces and identities, the concept of surveillance studies finally is being applied to virtual online worlds. The link between practices of surveillance and practices of identity-management looks like the natural next step to be made. The discussion has just started among the practitioners like Kim Cameron and Ann Cavoukian, but a more academic evaluation is still largely missing. I bet that there will be a lot of studies coming out on this over the next year, and I just hope I find the time to contribute my own little paper.

Wednesday, November 08, 2006

Germany wins global privacy ranking

The long-awaited "Privacy and Human Rights" Survey 2005 finally came out last week - a massive book, about 1200 pages. Because of the size of the book and also some changes in personnel at EPIC, it took longer than expected, therefore some information is a bit outdated now, unfortunately. But it is still the most comprehensive global survey in this field and certainly worth a look. You can order it from EPIC's publisher or download it from PI.

A new thing the colleagues from Privacy International did this time was a global privacy ranking of all the countries surveyed. Interesting results: Germany ranks on top (we still seem to have the best legal protections, even under the "war on terror" surveillance schemes), closely followed by Canada and Argentina. The worst of all European countries is the UK, which has "endemic surveillance" and is as bad as Russia or Singapore. The US is only a little bit better. Global privacy invaders no. 1 are China and Malaysia. See the ranking, the press release, the background paper.

Thursday, November 02, 2006

Dynamic Coalition on Privacy launched at UN Internet Meeting in Athens

Gus Hosein and I have been getting very good feedback to the two privacy workshops we organized at the Internet Governance Forum, and in other discussions here in Athens the importance of privacy was highlighted as well. In order to use the momentum and the spirit of Athens, a group of diverse stakeholders has now announced a "dynamic coalition" (that is the official wording here) to further work on privacy issues in internet governance. Below is our press release from today. The list of entities that want to join is getting longer every hour at the moment. If you are interested, drop me a mail at [bendrath (at)].

Press Release / IGF outcome on Privacy Protection

Dynamic Coalition on Privacy launched at UN Internet Meeting in Athens
IGF participants kick off process for privacy in digital identity management, development, and freedom of expression

Athens, 2 November 2006. At the Internet Governance Forum (IGF), a UN conference on future internet public policy taking place in Athens this week, a diverse group of stakeholders has agreed to launch a Dynamic Coalition on Privacy, which will address emerging issues of internet privacy protection such as digital identities, the link between privacy and development, and the importance of privacy and anonymity for freedom of expression. It will initiate an open process to further develop and clarify the public policy aspects of privacy in internet governance in the perspective of the next IGF meeting in Brazil in 2007. The group will use online collaboration tools as well as facilitate meetings at related events all over the world throughout the year. Participants in Athens in particular agreed that there is a need for greater public participation in technical and legal standardizations that have a global public policy impact on privacy. They also emphasised that it is important to better include perspectives from developing countries in these processes.

One of the main outcomes of the IGF is the creation of "dynamic coalitions" or multi-stakeholder groups working together on a common issue over a multi-year process. The Dynamic Coalition on Privacy is a direct outcome of two privacy workshops at the IGF on 31 October, co-organized by the Information Systems Group at the LSE and the University of Bremen. It also reflects discussions held during the IGF main session on cyber-security as well as the IGF workshops on "Human Rights and the Internet" organized by the Council of Europe and on an "Internet Bill of Rights" organized by the Government of Italy together with IP Justice and the Internet Society of Italy. It builds upon several months of multi-stakeholder collaboration in the run-up to the UN meeting in Athens.

Start-up actors include representatives from

  1. Privacy International
  2. "Privacy and Identity Management in Europe" (PRIME) Project
  3. Association for Progressive Communication (APC)
  4. Microsoft
  5. SAP
  6. Amnesty International
  7. French Government
  8. Council of Europe (to be confirmed)
  9. Privacy Commissioner of Canada
  10. WSIS Civil Society Working Group on Privacy and Security
  11. WSIS Human Rights Caucus
  12. North American Consumer Project on Electronic Commerce (NACPEC)
  13. Net Dialogue of Harvard's Berkman Center and Stanford's Center for Internet and Society
  14. OSCE Representative on Freedom of the Media
  15. LSE Information Systems Group
  16. American Civil Liberties Union (ACLU)
  17. University of Bremen
  18. Internet Service Providers' Association of South Africa
  19. Hellenic Data Protection Authority
  20. IP Justice
  21. European Digital Rights (EDRi)
  22. Danish Human Rights Institute
  23. Electronic Frontier Finland
  24. Independent Centre for Privacy Protection in Kiel, Germany
  25. WISeKey
  26. Digital Rights Ireland
  27. Computer Professionals for Social Responsibility (CPSR)
  28. Privaterra
  29. Deutsche Vereinigung für Datenschutz (DVD)
  30. Metamorphosis Foundation
  31. Kuwait Information Technology Society
  32. Japan Computer Access for Empowerment (JCAFE)
  33. Netzwerk Neue Medien (NNM)
  34. Identity Commons Working Group on Identity Rights Agreements
  35. Cyberlaw Asia
  36. Center for Communications & Policy Research, India
  37. Associazione per la Libertà nella Comunicazione Elettronica Interattiva (ALCEI)

The coalition is open to interested parties and will start a global process to engage more stakeholders over the next year. Therefore, the start-up actors call for people interested in or willing to join the work of this coalition and for recommending other stakeholders that should be contacted.

The French government has offered to host a follow-up meeting in Paris in early 2007.

Wednesday, November 01, 2006

Theorizing Internet Governance in Athens - my privacy findings

had a small hiccup and my previous post from Sunday disappeared. So, again: We had an interesting first symposium of the Global Internet Governance Academic Network (GigaNet) here at the IGF in Athens. I presented on "Hybrid Regimes, Power, and Legitimacy in Global Governance: Insights from Internet Privacy Regulation". My presentation is here.