Ethics Week 6, October 13 ============================================================================ Paper 1: Ethics v Law 3 different cases: outline, notes, slides Fair Use v giving full credit Beware of arguments like "you can't use someone elses ideas". These fail the "textbook case": if I buy their textbook, clearly I'm authorized to use their ideas. Besides, we use other peoples ideas all the time! Stronger ways of acknowledging credit: not partially incorporating notes identifying slides by author every time When creating notes, list pictures and examples as "from ....", or "after ...." ============================================================================ Midterm: Takehome, ~5 short answers Will be released next Sunday (Oct 19) and due Tuesday by midnight ============================================================================ RMS talk (Richard Stallman) 3:00 pm Friday, Oct 17 ============================================================================ Walmart and DRM Walmart is now selling music *without* DRM. They had announced they would discontinue support for past tracks sold *with* DRM, but have now reconsidered. Fair use: The movie _Expelled_ and part of the John Lennon song _Imagine_: Imagine there's no Heaven It's easy if you try No hell below us Above us only sky Imagine all the people Living for today The movie _Expelled_ takes emphatic exception to this view! The link http://cyberlaw.stanford.edu/node/5876 has an interesting take on Fair Use insurance. ============================================================================ Review of Smyth v Pillsbury: Bottom line, there is "no reasonable expectation of privacy for work email" and they can read it even if they promise not to. That last part fits in with longstanding law regarding employment-at-will. The main issue is really the "no reasonable expectation" part, since that blocks civil tort suits. Even if "reasonable expectation" is highly subjective. ============================================================================ gmail Who is reading all your gmail? Does it matter if it is not a person? What could they *do*? ============================================================================ Loyola's policy on email: Privacy on University electronic mail systems [1997-1998] http://www.luc.edu/its/policy_email_general.shtml In the section subtitled "Privacy on University electronic mail systems", seven reasons are given why someone else might read your email: The University community must recognize that electronic communications are hardly secure and the University cannot guarantee privacy. The University will not monitor electronic mail messages as a routine matter. But the University reserves the right to inspect, access, view, read and/or disclose an individual's computer files and e-mail that may be stored or archived on University computing networks or systems, for purposes it deems appropriate. There may arise situations in which an individual's computer files and e-mail may be inspected, accessed, viewed, read and/or the contents may be revealed or disclosed. These situations include but are not limited to: 1 During ordinary management and maintenance of computing and networking services, 2 During an investigation of indications of illegal activity or misuse, system and network administrators may view an individual's computer files including electronic mail, 3 During the course of carrying out the University's work, to locate substantive information required for University business, e.g., supervisors may be need to view an employee's computer files including electronic mail, 4 If an individual is suspected of violations of the responsibilities as stated in this document or other University policies, 5 To protect and maintain the University computing network's integrity and the rights of others authorized to access the University network. 6 The University may review and disclose contents of electronic mail messages in its discretion in cooperating with investigations by outside parties, or in response to legal process, e.g., subpoenas, 7 Should the security of a computer or network system be threatened Some _possible_ protections (not actually implemented): Protection against items 5,7: If your email is examined because we believe your account has been compromised, any contents implicating you on other matters and associated with your legitimate use of your account will NOT be held against you (except in cases of ????) Protection against 1: If your email is examined accidentally or as part of routine system maintenance, any contents implicating you on any matters will not be held against you (exceptions???) [While these would not be enforceable for staff, they WOULD be for * students: really customers * faculty: if tenured (that is a contract) ] Legit: 2, 3 [maybe], 4 [but what grounds for suspicion?] Item 6 could be clearer that outside investigations must be part of law enforcement; ================================================================================ Electronic Communications Privacy Act, 1986: The ECPA has three exceptions that serve to limit its applicability to employer monitoring 1. The provider exception; 2. The ordinary course of business exception 3. The consent exception. Generally, most employer monitoring falls under one of these. Phone surveillance in the workplace Keystroke monitoring Location monitoring Do computers empower workers, or shackle them? =============================================================================== =============================================================================== New case: United States v Warshak, 6th circuit decided June 2007, redecided July 2008 Warshak: spammer promoting "Enzyte" for "natural male enhancement" He was a suspect in a fraud case. The gov't got an order from a US Magistrate asking for his email records. The emails were turned over to him. Eventually Warshak found out about this: Warshak: get a search warrant! US: all we need is subpoena (much weaker) subpoena v search warrant: latter is stronger warrant for unopened email, subpoena for opened?? (stored-document doctrine) Subpoenas give you a few days to comply. Warrants do not. Subpoenas may or may not be issued by a court! But for search warrants *must* be court-issued Search warrants are supposed to describe precisely what is being sought. Phone calls: need *Warrant* (supreme court _Katz v US_ case, 1967) [Patriot Act created some new classes of search warrant, but the basic principle remained.] Are subpoena rules for email overly broad? US argument: users of ISPs don't have a reasonable expectation of privacy. This is clear for employer-provided email, though there's no reason to suppose loss of privacy extends to the government. But what about commercial email? Here's an imaginary Yahoo Terms-of-service by Mark Rasch, from securityfocus.com/columnists/456/3 : Because a customer acknowledges that Yahoo! has unlimited access to her e-mail, and because she consents to Yahoo! disclosing her e-mail in response to legal process, compelled disclosure of e-mail from a Yahoo! account does not violate the Fourth Amendment. The point here is that because Yahoo has access to your email, the gov't thinks that all your email should be treated just like any other commercial records. Govt' argued that this case was like the 1976 _US v Miller_ case, where bank records were found NOT to be protected Stored Communications Act, part of ECPA email stored 180 days or less: gov't needs a warrant more than 180 days: warrant, subpoena, or court order See http://www.usdoj.gov/criminal/cybercrime/ECPA2701_2712.htm §2703 (a): less than 180 days (b): more than 180 days Warshak was arguing that the gov't should need a warrant for ANY of his email. District court Warshak won. (Quote from full 6th circuit decision) The court reasoned that Warshak likely would succeed on his Fourth Amendment claim because internet users have a reasonable expectation of privacy in e-mails, and because the orders authorized warrantless searches on less than probable cause. 3-judge panel of 6th circuit appellate court Warshak won, June 2007. THe decision was far-reaching, not specific to the facts at hand. The decision was by a 3-judge panel. From the ruling: [W]e have little difficulty agreeing with the district court that individuals maintain a reasonable expectation of privacy in e-mails that are stored with, or sent or received through, a commercial ISP. The content of e-mail is something that the user “seeks to preserve as private,” and therefore “may be constitutionally protected.” October 2007: 6th circuit agrees to _en banc_ review (whole court) July 2008: full court ruled that the case was not "ripe": broad question was not ready to be addressed. The ripeness doctrine serves to “avoid[] . . . premature adjudication” of legal questions and to prevent courts from “entangling themselves in abstract” debates that may turn out differently in different settings. Conventional wisdom as to why the supreme court is not likely to hear the case: they would have to find that the case *was* "ripe", and they are much more likely to wait for a case where "ripeness" is more evident. (See Eugene Volokh, volokh.com/posts/1176832897.shtml) Traditionally, the courts consider 4th-amendment cases "after the fact". Gmail: *all* gmail is "read" at google. Just not necessarily by people. =============================================================================== What if your ISP examined your email? Would it make a difference if the reason was: * to detect terrorism * to detect criminal activity * to detect hacking targeting the ISP * to detect protests about lack of "net neutrality", and slow down your service as retribution? Back to gmail issue =============================================================================== =============================================================================== RFID Overall survey of active v passive rfid tags. Why they might remain attached to purchased items. RFID tags in identification cards creeping incursions: when do we take notice? Is there a feeling that this "only applies to stores"? no immediate *social* consequences? Is there a *technological* solution? How do we respond to real threats to our privacy? People care about SSNs now; why is that? RFID tags Question: are RFID tags a huge invasion of privacy, touching on our "real personal space", or are they the next PC/cellphone/voip/calculator that will revolutionize daily life for the better by allowing computers to interact with our physical world? all your clothing displays where you bought it "Hello. My underwear comes from Wal*Mart" Well, actually, no; RFID tags don't take well to laundering. RFID tags on expensive goods, signaling that I have them: iPods cameras electronics Loyola RFID cards RFID v barcodes: unique id for each item, not each type readable remotely without your consent "Kill" function Active and passive tags Are there ways to make us feel better about RFID?? Serious applications: Inventory management Store checkout Access control (eg of people into Lewis Tower, or of cars into a lot) Personnel tracking (knowing where people are) Computer interface to real world Tracking exposure to viral illness embedded in currency as anti-counterfeiting measure [!] Getting devices to detect each other, and interoperate compare with BlueTooth Self-guided museum tours Smart refrigerator: keeps track of dates refrigerator + TV: you only get ads for things you might buy. Smart laundry Where are my keys? Where is my copy of _War and Peace_ consumer recalls compliance monitoring for medications theft reduction Technological elite: those with access to simple RFID readers? Sort of like those with technical understanding of how networks work? 2003 boycott against Benetton over RFID-tagged clothing boycottbenetton.com: "I'd rather go naked" Is the real issue a perception of control? Guenther & Spiekerman Sept 2005 CACM article, p 73 [not assigned as reading] Models: User-control. User implements, in effect, a password Agent model: you delegate access decisions to a software package that understands your privacy preferences Bottom line: Guenther & Spiekerman found that changing the privacy model for RFID did *not* really change user concerns. Is there a "killer app" for RFID? Smart refrigerators don't seem to be it I-Pass is maybe a candidate, despite privacy issues (police-related) Speedpass (wave-and-go credit card) is another example What about cell phones? They allow us to be tracked, too! What about existing anti-theft tags? They are subject to some of the same misuses. Papers: Eckfeldt: focuses on benefits RFID can bring. Airplane luggage, security [?], casinos, museum visitors Does RFID really matter? When would rfid matter? RFID: tracking people within a fixed zone tracking within a store: gillette razor customers photographed cosmetics customers photographed magazines/books entry/exit tracking profiling people cell-phone tracking: when can this be done? inducements to waive privacy? having to take products to "kill" counter losing warranty/return privileges RFID shopping carts in stores: scan your card and you get targeted ads as you shop. From nocards.org: "The other way it's useful is that if I have your shopping habits and I know in a category, for instance, that you're a loyal customer of Coca Cola, let's say, then basically, when I advertise Coca Cola to you the discount's going to be different than if I know that you're a… somebody that's price sensitive." Fujitsu representative Vernon Slack explaining how his companies "smart cart" operates. ================================================================================ =============================================================================== Tracking: Printer tracking dots word .doc format Search engines don't use search engine suggested by isp or by browser google/gmail: avoid =============================================================================== SSN see http://cpsr.org/issues/privacy/ssn-faq/ Privacy Act of 1974: govt entities can't require its use unless: *federal* law specifically allows its use (as it does for tax info, social security, drivers licenses) OR: use was required prior to 1/1/1975 Virginia required SSN for voter registration under second exception; overturned in ??? SSN and: phone/electric/other accounts health insurance student records [!] What exactly is identity theft? National Identity Card What are the real issues? tracking? matching between databases? Identity "theft"? =============================================================================== Old-fashioned examples of privacy issues, now kind of quaint: Matching: Should the government be able to do data mining on their databases? In particular, should they be able to compare DBs for: taxes & welfare taxes & social security bank records & welfare? student aid and draft registration? tax & immigration No-fly list, and corrections Other criminal databases; problem of how corrections are made library records - threatened by Patriot I caller ID PATRIOT act: bank records, ISP logs are all things gov't can now demand without a warrant What are our "effects"??? ======================================================================= Govt data collection: what does this really have to do with computing? Govt has resources to keep records on "suspects" even with pencil and paper. Government and e-privacy: * matching between government databases * eavesdropping on internet communications * eavesdropping on the phone (including VOIP) * obtaining commercial records (bank, credit, grocery) * getting search-engine records (google) * transponders: I-Pass, cellphone, RFID * facial recognition * databases of suspicions (Terrorist Information Agency) What if FACIAL RECOGNITION were to really take off? What would be the consequences? There are all those cameras already. Most arguments today against facial recognition are based on the idea that there are too many false positives. What if that stopped being the case? What about camera evidence of running lights or speeding? ========= =================================================================== Commercial privacy: E-bay privacy - Ebay has (or used to have) a policy of automatically opening up their records on any buyer/seller to any police department. This one is quite remarkable. What do you think? Is this *ethical*? =================================================================== Medical Privacy- the elephant in the room? * employment * insurance * social (ED, SSRI, therapy, any serious illness) HIPAA =================================================================== =================================================================== Odlyzko and price discrimination: real goal behind all this commercial info? Odlyzko: price discrimination basic supply/demand. You set price P, user X has threshold Px P <= Px: user X buys it P > Px: user X does not buy it But what you really want is to charge user X the price Px. Example: Alice & Bob each want a report. Alice will pay 1100, bob will pay 600. You will only do it for $1500. Charge Alice 1000, bob 500: both think they are getting a deal. But is this FAIR to alice? In one sense, absolutely yes. But what would Alice say when she finds out bob paid half, for the same thing? Possible ways to improve the perception of value: give it to Alice earlier give her bonus tracks, too delete some features from Bob's copy, or disable them What do computers have to do with this? Airline pricing: horrendously complicated, to try to maximize revenue for each seat. Online stores certainly *could* present different pricing models to different consumers. Does this happen? Dell: different prices to business, education academic subscriptions and price discrimination two roundtrip tickets including weekends are less than one Minneapolis -> Newark Wed-Fri: 772.50 Minneapolis -> Newark Wed-nextweek: 226.50 Newark-> Minneapolis Fri-nextweek: 246.50 issue isn't online shopping so much as store shopping versioning ======================================================== What about grocery stores? CASPIAN: nocards.org They're against grocery discount cards. A big part of their argument appears to be that they don't really save you money. customer-specific pricing: nocards.org/overview Latest strategy: scan your card at a kiosk to get special discounts. nocards.org/news/index.shtml#seg3 Jewel "avenu" program One clear goal within the industry is to offer the deepest discounts to those who are less likely to try the product anyway. In many cases, this means offering discounts to shoppers who are known to be PRICE SENSITIVE. Clearly, the cards let stores know who is brand-sensitive and who is price-sensitive. Loyal Skippy peanutbutter customers would be unlikely to get Skippy discounts, unless as part of a rewards strategy. They *might* qualify for Jif discounts. Classic price discrimination means charging MORE to your regular customers, to whom your product is WORTH more, and giving the coupons to those who are more price-sensitive. "shopper surveillance cards": 1. Allow price discrimination: giving coupons etc to the price-sensitive only. There may be other ways to use this; cf Avenu at Jewel "The idea used to be that you, the consumer, could shop around, compare goods and prices, and make a smart choice. But now the reverse is also true: The vendor looks at its consumer base, gathers information, and decides whether you are worth pleasing, or whether it can profit from your loyalty and habits." -- Joseph Turow, Univ of Pennsylvania 2. segmentation (nocards.com/overview) What about arranging the store to cater to the products purchased by the top 30% of customers (in terms of profitability)? Caspian case: candy aisle was reduced, although it's a good seller, because top 30% preferred baby products. Using a card anonymously doesn't help here, as long as you keep using the same card! Using checkout data alone isn't enough, if "the groceries" are bought once a week but high-margin items are bought on smaller trips. ========================================================