Topic 1: Online Privacy

Petraeus case triggers concerns about online privacy

November 18, 2012 Jessica Guyunn, Brisbane Times
If the director of the CIA cannot keep the FBI from rummaging through his private Gmail account, what digital privacy protections do ordinary US citizens have? Precious few, say privacy advocates. As US law stands now, law enforcement can secretly gain access to people's email, often without a search warrant. Unless there are substantive changes in the law, people just have to assume their email is accessible to the government without their permission and without their notification. Ann Bartow, Pace Law School professor "When the government goes looking, it can find out pretty much everything about our lives," said Chris Calabrese, legislative counsel for the American Civil Liberties Union (ACLU). That's because the main law governing digital privacy the Electronic Communications Privacy Act (ECPA) was passed in 1986. At the time, Facebook founder Mark Zuckerberg was a toddler. The web was in its infancy and social networking had yet to be conceived. No one predicted that, as the web surged in popularity, people would begin storing their entire digital lives emails, instant messages, Facebook status updates, photos, medical records, tax returns on far-flung computer servers rather than on their home hard drives where the information has broader legal protection. Privacy watchdogs for years have warned that the antiquated federal statute and conflicting interpretations of the statute from different courts have not kept up with how people today use the web, giving more legal rights to letters and documents stored in your filing cabinet than to emails and other electronic communication. But attempts to reform federal law in US Congress and in the courts have foundered even as some courts questioned the law's constitutionality. "People worry about their password to protect their privacy. This illustrates how useless that is," Pace Law School professor Ann Bartow said. "Unless there are substantive changes in the law, people just have to assume their email is accessible to the government without their permission and without their notification." Requests from the FBI and other law enforcement agencies to access private accounts regularly flood companies like Google. The request to access the private Gmail account of General David Petraeus was one of them. In the aftermath of September 11, law enforcement says such requests are routine and more necessary than ever to fight crime and terrorism. But civil libertarians say the Petraeus scandal should serve as a wake-up call to ordinary citizens that anyone's privacy can be invaded.

Topic 1: Online Privacy "It shouldn't be that, in order to take advantage of the efficiencies and convenience of using cloud-based services, that you have to sacrifice the protections that the Constitution lays out for you," said Kurt Opsahl, senior staff attorney with the Electronic Frontier Foundation. Currently the government doesn't need a search warrant just a subpoena to access emails stored longer than 180 days, said Jennifer Granick, director of civil liberties for the Stanford Law School Centre for Internet and Society. Most people don't even know if their email has been searched since court orders are usually sealed and internet providers are generally not allowed to inform their customers. A coalition of technology companies including Google, Microsoft and AT&T is lobbying US Congress to update the law to require search warrants in more investigations. US Senator Patrick Leahy, the Vermont Democrat who heads the Judiciary Committee, has proposed legislation that would require law enforcement agents to obtain a search warrant from a judge before accessing any files stored in the cloud. But the Justice Department has pushed back against the legislation, saying it could slow criminal investigations. "In the pre-digital world, if the government wanted to find out what was going on in your bedroom, it needed to get a warrant to enter your bedroom. At least then you knew what was going on," said Jim Dempsey, vice president for public policy for the Centre for Democracy and Technology. Privacy advocates say they are also alarmed by the open-ended scope of the FBI investigation, which had devastating consequences for people who were not the intended target of the original investigation. What began as a cyber-stalking investigation over half a dozen anonymous emails that accused Jill Kelley, a Tampa, Florida, woman, of being inappropriately flirtatious with Petraeus led to his resignation over an extramarital affair with his biographer Paula Broadwell and has entangled General John R. Allen, the top NATO commander in Afghanistan, who sent "inappropriate communication" to Kelley. "The way this investigation proceeded does reflect just how much information is available to law enforcement agents when they begin to pull on a thread," said Marc Rotenberg, executive director of the Electronic Privacy Information Centre. And no one knows just how far the investigation reached, Opsahl said. "Who knows how many other people communicated with the people involved here and had their email accounts sifted through and just don't know about it," he said.

Topic 1: Online Privacy

Petraeus case fuels fresh debate on online privacy

November 15, 2012, Yahoo! News
WASHINGTON (AFP) - The investigation that toppled CIA chief David Petraeus has sparked fresh debate over online privacy and the government's ability to snoop into private email accounts. "When the CIA director cannot hide his activities online, what hope is there for the rest of us?" said Chris Soghoian of the American Civil Liberties Union's Privacy and Technology Project. "This should also serve as a warning, by demonstrating the extent to which the government can pierce the veil of communications anonymity without ever having to obtain a search warrant or other court order from a neutral judge." Petraeus resigned last week when it became clear that his affair with 40-year-old military reservist Paula Broadwell, his biographer, would become public. FBI agents stumbled on the liaison after a complaint from Jill Kelley -- a close friend of both Petraeus and Allen -- who told a federal agent that she had received threatening emails, which investigators later traced to Broadwell. "It is troubling because we don't know what permissions were granted," said James Lewis, head of the Technology and Public Policy Program at the Center for Strategic and International Studies. Lewis said it was unclear if Broadwell was made aware of her rights, before agreeing to allow FBI agents to access her emails. He said even spy agencies such as the National Security Agency, when hunting for terrorists, must meet "very precise legal conditions" before obtaining email access. "We need to be clear on the rules for looking at emails without a warrant. The basic rule should be no court approval, no investigation," Lewis said. It was not immediately clear what methods the FBI used in the probe. Some reports suggest FBI agents may have obtained a court order which allowed access to Broadwell's Gmail account. Google said this week in its semiannual Transparency Report that the number of government requests to hand over data from users was on the rise. In the first half of 2012, Google received 20,938 requests for data from government entities around the world, including 7,969 from the United States. Google complied in 90 percent of those cases.

Topic 1: Online Privacy Julian Sanchez, a research fellow at the libertarian Cato Institute, said the case appears to have led the FBI on a "fishing expedition" which eventually led to Petraeus and later to top General John Allen for emails linked to people in the scandal. "It's not clear what authority the FBI had, or what the probable cause was," said Sanchez, noting that it's not yet clear if any crime was committed. "It seems like an abuse of investigative powers." The mushrooming scandal is expected to give new impetus to proposals in Congress, including a bill from Senator Patrick Leahy, to require a court warrant based on probable cause in order to get email contents from Internet firms. The ACLU's Soghoian said the Petraeus case underscores the need for stricter legislation. "It's a reminder that the legal protections for email fall far short of what they should be," he said in a blog post. Gregory Nojeim, senior counsel at the Washington-based Center for Democracy & Technology, said the case may cause lawmakers to finally wake up to the issue of digital privacy. "The Petraeus investigation shows that it's critically important to have strong privacy protections for email and other electronic communications," he said. "Without them, investigations can rapidly broaden and snare others far removed from the original target, and maybe veer out of control."

Topic 1: Online Privacy

Why We Blab Our Intimate Secrets on Facebook

Carmen Nobel, December 10 2012 Harvard Business School
A few years ago, when Leslie K. John was a doctoral student at Carnegie Mellon University, a classmate introduced her to a then-nascent website called Facebook. John took a look, scrolling through page after page of photographs, personal confessions, and ongoing accounts of people's every move. She found the whole thing perplexing. "I didn't understand why people were putting all this information out there," says John, now an assistant professor in the Marketing Unit at Harvard Business School. "There seemed to be a constant need for people to give status updates on what they were doing. It was very bizarre to me." John's curiosity led to a raft of collaborative research about information disclosure in the age of social media. Her goal: to determine when we're most likely to divulge intimate facts and when we're apt to keep our lives to ourselves. In short, the initial findings indicate that individuals are both illogical and careless with their privacy on the web. "We show that people are prone to sharing more information in the very contexts in which it's more dangerous to share," John says. Participants also were more likely to admit to unethical behavior if they were told that other participants had reported misdeeds, too. That herd mentality helps explain the propensity to air dirty laundry on Facebook, John explains. In fact, with so many Facebook members oversharing, it's gotten to the point that people get suspicious when their peers don't overshare. So why aren't most of us more logical and judicious in our approach to Internet privacy? "Broadly, the lesson of this research is that people don't really know how to value their own information," John says. "Because of this uncertainty about what the value of privacy is, people don't know when to value their information or how to care about it. And as a consequence, when people are uncertain, their judgments are often influenced by seemingly arbitrary contextual factors." The research should prove useful to marketing firms, which often use online quizzes and games to garner detailed demographic information. But the findings also highlight a catch-22 situation for conscientious companies. While these firms want to ensure customer privacy for legal and ethical reasons, the mere act of ensuring privacy seems to suppress information disclosure. What's the solution? "Perhaps the happy medium for marketers is to protect people's privacy, but don't explicitly tell them you're doing that," John says. "That may be a slippery slope. It may lead to the temptation just not to bother protecting people's privacy. But I would hope that the virtuous marketer would resist that temptation."

Topic 1: Online Privacy

Were Total Cheapskates When It Comes To Our Privacy

By Martha C. White March 19, 2012 TIME Magazine
The value of consumers personal data online has been a hot topic lately. The astronomical $100 billion some analysts have suggested Facebook could be worth when it goes public stems from the fact that the social media powerhouse has reams of data on users chatting, browsing and buying habits. But were so short-sighted we wont pay more to protect that data even if the cost of that protection is a measly 65 cents. Personal data is nowadays traded among service providers like other commodities, says the European Network and Information Security Agency. According to its research, 47% of service providers interviewed treated personal data as a commercial asset, and 48% admitted to sharing data with third parties. This should give all of us pause every time we make a purchase, download an app or access a game online, but it doesnt. ENISA conducted an experiment in which subjects were asked to make a hypothetical online purchase. The transaction could be processed in one of two ways, they were told: One method was more secure and didnt disseminate their personal information, but it cost an additional 0.50, or about 65 cents. The other way was cheaper but required participants to share additional information like a cell phone number or an email address. Only about a third of participants were willing to pay the slightly higher price in order to keep that information to themselves, even though the difference in price was made deliberately negligible by researchers. [When] a privacy-unfriendly competitor charges a lower price the privacy-friendly firm loses market share, the study observes. Giving up your privacy online to save a few bucks can have a much higher price than most of us realize. The company warehousing the data could have a security breach its happened plenty of times and leave your data exposed to the world. Even if this doesnt happen, once you relinquish your data, you have no control over if, when and to whom it could be sold. Companies have figured out our personal information is valuable; its time for consumers to start realizing this, too. For a savings of 65 cents, consumers could be giving marketers thousands of dollars worth of personal information in a single transaction, says Glen Gilmore, a digital marketing consultant who teaches online privacy at Rutgers University. Some within the marketing industry have valued a persons online data as being worth as much as $5,000 in sales in a given year, he says. Should marketers be able to buy that for less than the price of a candy bar?

Topic 1: Online Privacy

Underage Google Users and the 30Cent Lies Parents Tell to Keep Their Kids Wired
By Zara Kessler TIME Magazine Friday, Aug. 19, 2011
On July 2, Alex Sutherland thought he'd hit the jackpot. The tech-savvy 10-year-old was able to log onto Google+ and set up his profile on Google's newly minted, and still very exclusive, social network, adding his parents to his Family Circle. This is a boy who, according to a blog post by his father Martin, a Web developer and consultant in the Netherlands, can type 50 words per minute, is PowerPoint proficient and has had a Gmail account for almost two years. Snagging a Google+ account was monumental. And almost disastrous. The day after Alex plugged his birth date into his Google profile, he found his Gmail account locked. A message told him that he had 29 more days to prove that he was 13 or older. Otherwise, all of his Google services, including his Gmail account and his past correspondence, would be deleted. Google+, Google's latest and, industry experts say, most promising attempt to break into the social-networking sphere, launched on June 28. In its first few weeks, people had to get off a waiting list to get into the site. But these days, if you want to be part of the Google+ club, it's much easier to find your way through the velvet ropes. Just be sure to have your ID ready at the door. Now that Google is helping you socialize, it's going to need some basic information, including how old you are. And if you're underage, your best bet is to try another social network. Unless you and your parents are ready to tell a 30-cent fib. Google+ is currently not allowing anyone under the age of 18 to join its social circles. For those 13 to 17, their time will soon come: Google is developing safety features before welcoming in the pubescent masses that have long run wild on Facebook and MySpace. But kids under 13, like Alex, are seemingly out of luck. The Children's Online Privacy Protection Act (COPPA), a federal regulation that took effect in April 2000, forbids sites from collecting personal information from children under 13 without consent from their parents. "It's not as simple as just asking a parent for consent to let their child have an account," a Google spokesperson explained via e-mail. "There are associated implications for data and privacy involved," like reporting requirements about how information is being collected and used, and in some cases there has to be an option for parents to forbid third parties from accessing such data. That's why Facebook and some other sites simply forbid those under 13 from signing up in the first place. "We've recently started asking for a user's age in more contexts, and we plan to start asking for age on more of our properties over time," says the Google spokesperson. For example, about a year and a half ago, Gmail began to ask for ages when creating accounts in the U.S.

Topic 1: Online Privacy "If we learn that someone is not old enough to have a Google account or we receive a report, we will investigate and take the appropriate action." (Google is also raising hackles for not allowing anyone, regardless of age, to register for a Google+ account using a pseudonym.) So how do kids join Facebook, MySpace and other sites that ask for one's birthday from the get-go? They lie. In May, Consumer Reports estimated that, based on its "State of the Net" survey of 2,089 online households in the past year, Facebook had 7.5 million active underage users, more than 5 million of whom were under 11. No one is really blaming Facebook or MySpace or Google+. No matter how hard social networks try to find underage users, kids will find a new way to trick them. Cancel one account, they'll create another. In March, Mozelle Thompson, Facebook's chief privacy adviser, told the Australian federal parliament's cybersafety committee that the site removes 20,000 underage accounts each day. In Alex's case, he managed to get his Google account unlocked and get all of his e-mails back. How? With the help of his parents. Just in case an eligible user accidentally enters an underage birth date, Google offers two means of correcting the error within 30 days: either send or fax a copy of a current government-issued ID, or let Google charge you 30 U.S. cents to confirm that you have a valid credit card as the logic seems to go, if you are over 18, you are capable of registering for a credit card. The nominal fee will also show up on the cardholder's monthly statement, where an eagle-eyed parent might notice even the tiniest of unauthorized charges. As Google states in its FAQs about age requirements, "If you are under 18, your parent or guardian will have to supply the confirmation on your behalf."

Topic 1: Online Privacy

Can Interviewers Insist on Shoulder Surfing Your Facebook Page?

By Martha C. White March 09, 2012 TIME Magazine
Privacy advocates say that, for now, it is legal for a prospective employer, during a job interview, to insist that you log into your Facebook page and then click through your friends only posts, photos and messages. The ACLU put a stop to companies demanding that applicants turn over their login and password credentials, but shoulder surfing, as its been dubbed, is legal for the time being. Aleecia M. McDonald, a privacy researcher and resident Fellow at the Stanford Center for Internet and Society, says high unemployment makes it hard to stamp out this practice. When you have a job market where there are more job seekers than hirers, youre going to see things like demanding to see your Facebook wall because if you say no, someone else is waiting for that interview. Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, doubts that opening up ones Facebook page to a potential employer is ever voluntary. The fact of the matter is, in a tight job market, if youre looking for a job, youre going to do anything you can to get that job, he says. If you feel most of the other applicants are going to be providing this information, youre probably not going to be willing to say no. Things employers legally cannot ask are available for them to discover on Facebook, McDonald says. The problem is that its almost impossible for a job-seeker to prove in court that he or she was passed over because of a status like race or religion thats protected by anti-discrimination laws. We just have to hope that employers are not being influenced by those factors, but all research shows that these things do influence hiring decisions, she says. McDonald says most people assume their online privacy is much more protected than it actually is. In research Ive done, what weve found is that people actually think there are strong laws that protect their privacy online, she says. Those laws they think are there actually dont exist. With Facebook in particular, McDonald says, the fact that you initially needed a college email address to join and could only see people in your network gave users an expectation of privacy. This impacted the types of things users were willing to post, prompting them to be more open than they might have been on a public website. Even after Facebook grew and started dismantling that privacy wall brick by brick, the idea remained in the public imagination that a persons page wasnt exposed to the outside world. Stephens: I think these are sort of tangible issues that people can get a grasp on, and theyre seeing their privacy violated in a way that seems unconscionable to them.