Computer Ethics, Summer 2011
LT 412; 6:00-9:00 TTh, June 7, Class 5
Read Baase, chapter 2
AOL search leak
Pennsylvania school laptops 1
Facebook
SCOTUS cases on privacy
Video surveillance
Choicepoint and Acxiom, and other databases
Search records and forensics
Theories of privacy
email workplace privacy
Midterm: coming up this weekend?
AOL search leak, 2006
Moral: some data just cannot be anonymized.
Baase p 48: search-query data: Google case, AOL leak.
In August 2006, AOL leaked (actually, released) 20,000,000 queries from
~650,000 people. MANY of the people involved could be individually
identified, because they:
- searched for their own name
- searched for their car, town, neighborhood, etc
Many people searched for medical issues.
Wikipedia: "AOL_search_data_scandal"
Thelma Arnold was one person identified in the leaked data, who consented to interviews and articles about her searches.
Mirror site: http://gregsadetsky.com/aol-data/
An article:
http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data
Google strongly resisted releasing "anonymized" search data to the
government.
What would make search data sufficiently anonymous?
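The question above, as a check one could run before releasing a search log (an added example, not part of the original notes; the log rows, the user ids and the function names are constructed for illustration). It generalizes the own-name and own-town cases to any query term that fewer than k users share, and a log that passes is still not shown to be anonymous.

```python
from collections import defaultdict

# Constructed sample log: (pseudonymous user id, query). Not real AOL data.
SAMPLE_LOG = [
    (1001, "landscapers in maple hollow"),
    (1001, "jane q example"),
    (1001, "numb fingers"),
    (1002, "weather"),
    (1002, "cheap flights"),
    (1002, "numb fingers"),
    (1003, "weather"),
    (1003, "cheap flights chicago"),
    (1003, "used honda"),
    (1004, "weather chicago"),
    (1004, "used honda"),
    (1004, "cheap flights"),
]


def users_per_term(log):
    """Map each query term to the set of pseudonymous ids that used it."""
    seen = defaultdict(set)
    for user, query in log:
        for term in query.lower().split():
            seen[term].add(user)
    return seen


def rare_terms_by_user(log, k):
    """Terms used by fewer than k users, grouped by the user they expose."""
    exposed = defaultdict(set)
    for term, users in users_per_term(log).items():
        if len(users) < k:
            for user in users:
                exposed[user].add(term)
    return {user: sorted(terms) for user, terms in exposed.items()}


def suppress_rare(log, k):
    """Drop queries containing a rare term, repeating until none are left.

    Removing rows lowers the user count of the remaining terms, so a
    single pass is not enough.
    """
    rows = list(log)
    while True:
        counts = users_per_term(rows)
        kept = [(u, q) for u, q in rows
                if all(len(counts[t]) >= k for t in q.lower().split())]
        if len(kept) == len(rows):
            return kept
        rows = kept


def unique_profiles(log):
    """Users whose full set of queries matches no other user's set."""
    profiles = defaultdict(set)
    for user, query in log:
        profiles[user].add(query.lower())
    owners = defaultdict(list)
    for user, queries in profiles.items():
        owners[frozenset(queries)].append(user)
    return sorted(us[0] for us in owners.values() if len(us) == 1)


if __name__ == "__main__":
    print("exposed at k=2:", rare_terms_by_user(SAMPLE_LOG, 2))
    released = suppress_rare(SAMPLE_LOG, 2)
    print("rows kept at k=2:", len(released), "of", len(SAMPLE_LOG))
    print("still-unique profiles:", unique_profiles(released))
    print("rows kept at k=3:", len(suppress_rare(SAMPLE_LOG, 3)))
```

On this sample, raising k to 3 leaves nothing to release, and at k=2 every remaining user still has a query profile that no one else shares, because the rows stay linked by user id.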
Question: Is it ethical to use the
actual AOL data in research? What guidelines should be in place?
Are there other ways to get legitimate search data for sociological
research?
Where is google-search-history stored on your computer?
What constitutes "consent" to a privacy policy?
Are these binding? (Probably yes, legally, though that is still being
debated)
Have we in any way consented to having our search data released?
Finally, how can we do research on searches? Do we have to have a position at Google?
Pennsylvania school laptops
In the Lower Merion school district in Ardmore PA, school-owned laptops
were sent home with students. School officials have now been accused of
spying on students by turning on the laptops' cameras remotely, while
the laptops were in the students' homes.
The school's position is that remote camera activation was only done
when the laptop was reported lost or stolen, as part of the LANRev
software package (see also the open-source preyproject.com site). Note that the
current owners of LANRev now state:
"We discourage any customer from taking theft recovery into their own
hands," said Stephen Midgley, the company's head of marketing, in an
interview Monday. "That's best left in the hands of professionals."
However, the AP
article on the incident states the following:
The Robbinses said they learned of the alleged webcam images when Lindy
Matsko, an assistant principal at Harriton High School, told their son
that school officials thought he had engaged in improper behavior at
home. The behavior was not specified in the suit.
"(Matsko) cited as evidence a photograph from the webcam embedded in
minor plaintiff's personal laptop issued by the school district," the
suit states.
Supposedly the camera was activated because the laptop was reported
as missing, but in the case in question the laptop was declared
missing by the school because insurance fees were not paid. Matsko saw
the student ingesting something that looked to her like drug capsules;
the student in question claimed it was Mike-and-Ike candy, and there
was considerable corroborating evidence that that was the case.
Some technical details, including statements made by Mike Perbix of the
school's IS department, are available at
http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html. The
stryde.hax article also makes the following claims:
- Possession of a monitored Macbook was required for classes
- Possession of an unmonitored personal computer was forbidden and
would be confiscated
- Disabling the camera was impossible
- Jailbreaking a school laptop in order to secure it or monitor it
against intrusion was an offense which merited expulsion
The first, if true, would seem odd; the other points are fairly
standard (though black electrical tape is wonderfully effective at disabling what the camera can see).
Note that public schools are part of the government, and, as such, must
abide by the Fourth Amendment (though schools may be able to search
lockers on school property).
(Loyola, as a private institution, is
not so bound, though there are also several Federal statutes that
appear to apply.)
Students and parents do sign an Acceptable Use policy. However, a
signature is required for the student to be issued a laptop. Also,
students are minors, and it appears to be the case that parents are not authorized to sign away the
rights of minors.
In April 2010 the school's attorneys issued a report claiming there was
no "wrongdoing", but nonetheless documenting rather appalling privacy
practices. Some information from the report is at http://www.physorg.com/news192193693.html.
The most common problem was that eavesdropping was not terminated even
after the equipment was found.
Event data recorders in automobiles
Who owns the data? Should you know it is there?
What if it's explained on page 286 of the owners manual?
Should it be possible to use it AGAINST you?
See wikipedia: "Event_data_recorder"
Facebook and privacy
When did Facebook stop being "closed", ie access was limited to your
"network" (eg Loyola)?
Did anyone care?
Facebook knows a lot about you.
It knows
- who your friends are
- what you are writing to whom (using facebook)
- your age
- your education
- your job (probably)
- your hobbies
- what you "like"
In May 2010 Facebook introduced changes requiring
that some of your information be visible to everyone: your name, your
schools, your interests, your picture, your friends list, and the pages
you are a "fan" of. Allegedly your "like" clicks also became
world-readable. Here's an article by Vadim Lavrusik spelling out why
this can be a problem: http://mashable.com/2010/01/12/facebook-privacy-detrimental.
Lavrusik's specific concern is that he sometimes joins Facebook groups
as part of journalistic investigation, not out of any sense of shared
interest.
Here's a timeline of the progressive privacy erosion at facebook: eff.org/deeplinks/2010/04/facebook-timeline
Facebook also has proposed "sharing" agreements with some other sites,
and made data-sharing with those sites the default. Some of the sites (from
readwriteweb.com) are:
- yelp.com: a restaurant/shopping/etc rating site
- docs.com: a googledocs competitor owned by Microsoft
- pandora.com (a web-radio site in which you say what music you "like"
and you get similar music)
Right now it appears that Facebook has again stepped back from a full
roll-out of the sharing feature.
Facebook has long tinkered with plans for allowing a wide range of
third-party sites to have access to your facebook identity. Back in
2007, this project was code-named Beacon.
Supposedly the Beacon project has been dropped, but it seems the idea
behind it has not.
Ironically, third-party sites might not
need Facebook's cooperation to get at least some information about
their visitors (such as whether they are even members of Facebook).
Your browser itself may be giving this away. See
http://www.azarask.in/blog/post/socialhistoryjs.
(Note that this technique, involving the third party's setting up
invisible links to facebook.com, myspace.com, etc, and then checking
the "link color" (doable even though the link is invisible!) to see if
the link has been visited recently, cannot reveal your username.)
After resisting the most recent uproar for a couple weeks, Facebook once
again changed. However, they did not
apologize, or admit that they had broken their own past rules.
Here's an essay from the EFF, http://www.eff.org/deeplinks/2010/05/facebook-should-follow,
entitled "Facebook Should Follow Its Own Principles", in which they
point out that Facebook's 2009 principles (announced after a similar
uproar) state:
People should have the freedom to decide with whom they will share
their information, and to set privacy controls to protect those choices.
But Facebook's initial stance in 2010 was that users always had the freedom to quit facebook if they
didn't like it. Here's part of what Elliot Schrage, FB VP for Public Policy,
said, as quoted in a May 11, 2010 article at http://bits.blogs.nytimes.com/2010/05/11/facebook-executive-answers-reader-questions:
Joining Facebook is a conscious choice by vast numbers of people who
have stepped forward deliberately and intentionally to connect and
share. We study user activity. We’ve found that a few fields of
information need to be shared to facilitate the kind of experience
people come to Facebook to have. That’s why we require the following
fields to be public: name, profile photo (if people choose to have one),
gender, connections (again, if people choose to make them), and user ID
number.
Later, when asked why "opt-in" (ie initially private) was not the
default, Schrage said:
Everything is opt-in on Facebook. Participating in the service is a
choice. We want people to continue to choose Facebook every day. Adding
information — uploading photos or posting status updates or “like” a
Page — are also all opt-in. Please don’t share if you’re not
comfortable.
That said, much of your information is still public by default.
Two weeks after Schrage's claim that users would always be free not to
use Facebook if they didn't like it, Facebook CEO Mark Zuckerberg
weighed in, with a May 24, 2010 article in the Washington Post: http://www.msnbc.msn.com/id/37314726/ns/technology_and_science-washington_post/?ns=technology_and_science-washington_post.
In the article, Zuckerberg does not seem to acknowledge that any
mistakes were made. He does, however, give some Facebook "principles":
- You have control over how your information is shared.
- We do not share your personal information with people or services
you don't want.
- We do not give advertisers access to your personal information.
- We do not and never will sell any of your information to anyone.
- We will always keep Facebook a free service for everyone.
The first principle is a step back from the corresponding 2009
principle.
Facebook vigorously claims that your information is not shared with
advertisers, by which they mean that your name is not shared. However,
your age, interests, and general location (eg town) are shared, leading to rather creepy
advertisements at best, and cases where your identity can be inferred at
worst.
Recall that advertisers are facebook's real customers. They are the ones
who pay the bills. The users are just users.
Deja News, once at deja.com (now run by google): where is it now? It
still lets you search archives of old usenet posts, though the social
significance of that is reduced in direct proportion to the reduced
interest in Usenet. Think of being able to search for someone's
years-old facebook posts, though (and note that there's no reason
Facebook can't just enable this).
Facebook mini-feeds, Baase p 55
Allowed active notification to your friends whenever you change your
page. Why was this considered to be a privacy issue?
I note that lots of people have left these enabled.
Whatever one says about Facebook as a source of privacy lost, it is
pretty clear to everyone that posting material to Facebook is under our control, though perhaps only in the sense that we participate in Facebook voluntarily. Thus, the Facebook
privacy question is really all about whether we can control
who knows what about us, and continue to use Facebook.
Facebook and other sites
Facebook now shows up on unrelated sites. Sites are encouraged to
enable the Facebook "like" button, and here's an example of
theonion.com displaying my (edited) friends and their likes: http://cs.luc.edu/pld/ethics/theonionplusFB.html. How much of this is an invasion of privacy?
While Facebook does seem interested in data-sharing agreements with
non-FB sites, it is often not at all clear when such sharing is going
on. The two examples here, for example, do not necessarily involve any
sharing. An embedded "like" button, when clicked, sends your
information to Facebook, which can retrieve your credentials by using
cookies. However, those credentials are hopefully not
shared with the original site; the original site may not even know you
clicked "like". As for the box at theonion.com listing what my friends
like, this is again an example of "leased page space": Facebook leases
a box on theonion.com and, when you visit the site, it retrieves your
FB credentials via cookie and then fills in the box with your friends'
"likes" of Onion articles. The box is like a mini FB page; neither the
likes nor your credentials are shared with The Onion.
One concern with such pseudo-sharing sites is that they make it look
like sharing is in fact taking place, defusing objections to such
sharing. If someone does object, the fact that no sharing was in fact
involved can be trotted out; if there are not many objections, Facebook
can pursue "real" sharing agreements with confidence. They also make it
harder to tell when objectionable sharing is occurring.
An example of a true data-sharing agreement would be if a restaurant-review site let you log into their site using your Facebook cookies, and then allowed you to post updates about various restaurants.
Finally, here is a lengthy essay by Eben Moglen, author of the GPL, on
"Freedom in the Cloud: Software Freedom, Privacy, and Security for Web
2.0 and Cloud Computing": http://www.softwarefreedom.org/events/2010/isoc-ny/FreedomInTheCloud-transcript.html.
Mr Moglen adds some additional things that can be inferred from
Facebook-type data:
- Do I have a date this Saturday?
- Who do I have a crush on (whose page am I obsessively reloading)?
You get free email, free websites, and free spying too!
Mr. Zuckerberg has attained an unenviable record: he has done more harm
to the human race than anybody else his age.
Because he harnessed Friday night. That is, everybody needs to
get laid and he turned it into a structure for degenerating the
integrity of human personality and he has to a remarkable extent
succeeded with a very poor deal. Namely, “I will give you
free web hosting and some PHP doodads and you get spying for free
all the time”. And it works.
Later:
I’m not suggesting it should be illegal. It should be
obsolete. We’re technologists, we should fix it.
Here are some of the June 2010 Facebook privacy settings, from privacy
settings => view settings (basic directory information). Note that
there is a clear Facebook-provided explanation for why some things are best left visible
to "everyone".
Your name, profile picture, gender and
networks are always open to everyone. We suggest leaving the other
basic settings below open to everyone to make it easier for real world
friends to find and connect with you.
* Search for me on Facebook
This lets friends find you on Facebook. If you're visible to fewer
people, it may prevent you from connecting with your real-world friends.
Everyone
* Send me friend requests
This lets real-world friends send you friend requests. If not set to
everyone, it could prevent you from connecting with your friends.
Everyone
* Send me messages
This lets friends you haven't connected with yet send you a message
before adding you as a friend.
Everyone
* See my friend list
This helps real-world friends identify you by friends you have in
common. Your friend list is always available to applications and your
connections to friends may be visible elsewhere.
Everyone
* See my education and work
This helps classmates and coworkers find you.
Everyone
* See my current city and hometown
This helps friends you grew up with and friends near you confirm it's
really you.
Everyone
* See my interests and other Pages
This lets you connect with people with common interests based on things
you like on and off Facebook.
Everyone
Here are some more settings, from privacy settings => customize
settings (sharing on facebook)
* Things I share
o Posts by me
(Default setting for posts, including status updates and photos)
Friends Only
o Family
Friends of Friends
o Relationships
Friends Only
o Interested in and looking for
Friends Only
o Bio and favorite quotations
Friends of Friends
o Website
Everyone
o Religious and political views
Friends Only
o Birthday
Friends of Friends
* Things others share
o Photos and videos I'm tagged in
Friends of Friends
o Can comment on posts
Friends Only
o Friends can post on my Wall
Enable
o Can see Wall posts by friends
Friends Only
* Contact information
o Friends Only
Facebook and advertising
Facebook claims that user data is not turned over to advertisers, and
this seems true (with a couple slip-ups): advertisers supply criteria
specifying to whom their ads will be shown, and Facebook shows the ads
to those users. For example, if I see an ad for "Illinois drivers age
54", it doesn't mean that Facebook has turned over my age; it is more
likely that the advertiser has created an ad for each age 30-65,
perhaps, and asks Facebook to display to a user the one that matches
his or her age.
Once you click on the ad, however, the advertiser does know what ad you
are responding to, and thus knows your age if you choose to give them
your name. There was a slip-up a couple years ago where game sites
(often thinly veiled advertising) were able to obtain the Facebook ID
of each user. Here's what they say:
In order to advertise on Facebook, advertisers give us an ad they want
us to display and tell us the kinds of people they want to reach. We
deliver the ad to people who fit those criteria without revealing any
personal information to the advertiser.
For more information on how to do this, see http://www.facebook.com/adsmarketing/index.php?sk=targeting_filters. Facebook supports targeting based on:
- Location, as determined from your IP address
- Language (eg Spanish-speaking residents of the Chicago area)
- Age and sex
- Likes and Interests. I decided to "like" horseback riding a few
months ago, but have yet to see an ad relating to this. Other people
have had new ads appear almost instantaneously.
- Connections: did someone Like your page? Did someone rsvp to your event? Play your game? You can also target their Friends.
- Advanced Demographics: birthdays, schools and professions
Note that you don't get to choose what attributes advertisers can use,
because advertisers do not see them! And Facebook itself has access to
everything (duh).
Facebook and privacy more fine-grained than the Friend level
What if you've Friended your family, and your school friends, and want
to put something on your wall that is visible to only one set? The
original Facebook privacy model made all friends equal, which was
sometimes a bad idea. Facebook has now introduced the idea of groups: see http://www.facebook.com/groups.
Groups have been around quite a while, but have been repositioned by
some (with Facebook encouragement) as subsets of Friend pools:
Have things you only want to share with a small group of people? Just
create a group, add friends, and start sharing. Once you have your
group, you can post updates, poll the group, chat with everyone at once,
and more.
For better or worse, groups are still tricky to manage, partly because
they were not initially designed as Friend subsets. When posting to a
group, you have to go to the group wall; you can't put a message on
your own wall and mark it for a particular group. News feeds for group
posts are sometimes problematic, and Facebook does not make clear what
happens if a group posting is newsfed to your profile and then you
Comment on it. You may or may not have to update your privacy settings
to allow group posts to go into your newsfeed. Privacy Settings do not
mention Groups at all (as of June 2011).
Maybe the biggest concern, however, is that Facebook's fast-and-furious
update tradition is at odds with the fundamental need to be meticulous
when security is important.
Caller ID
When it first came out in the early 1990's, Caller ID was widely seen as
a privacy intrusion.
That is, it took away your "right" to call someone anonymously.
Actually, that is a plausible right if you're calling a commercial
enterprise; if you don't want them calling you back, you should be able
to refuse to give them your number.
Within a decade, Caller ID was widely seen as a privacy boost: you
could control who could interrupt you. This is privacy in sense #2
above; the original issue was privacy in sense #1.
Caller ID never caught on with stores; it did catch on with ordinary people.
Is there any right to phone
someone anonymously? What if you're trying to give the police a tip?
What if you're a parole officer?
Facebook "connections": http://www.eff.org/deeplinks/2010/05/things-you-need-know-about-facebook
Your connections are not communications with other users, but are links
to your school, employer, and interests. It is these that Facebook
decided to make "public".
Personalization
We understand that all sorts of online purchasing information is
collected about us in order for the stores to sell to us again.
Whenever I go to amazon.com, I am greeted with book suggestions based
on past purchases. But at what point does this information cross the
line to become "personalized pitches"?
What if the seller has determined that we are in the category
"price-sensitive shopper", and they then call/mail/email us with
pitches that offer us the "best price" or "best value"? (See the box on
Baase, p 78, for a related example.)
Political parties do this kind of personalization all the time: they
tailor their pre-election canvassing to bring up what they believe are
the hot-button issues for you personally.
SCOTUS cases on privacy -- Baase pp 69ff
1928: Olmstead v United States: 4th amendment does NOT apply to wiretaps
1967: Katz v United States
4th amendment does too apply to wiretaps! Privacy may still exist in a
public area.
Katz was using a pay phone; the FBI had a microphone just outside the
phone booth. To the appellate court, the fact that the microphone did
not intrude into the phone booth was significant in finding for the
FBI, but the supreme court reversed.
Doctrine of "reasonable expectation of privacy" (REoP) replaced the
doctrine of "physical intrusion"
Problem with REoP: as technology marches on, isn't our reasonable
expectation diminished? And does this then give the government more
license to spy?
1976: US v Miller
information we share with others (eg our bank) is NOT private.
Government can ask the bank, and get this information, without a
warrant. (However, the bank could in those days refuse.)
1979: Smith v Maryland
Reduction of REoP by the police is not SUPPOSED
to diminish our 4th-amendment rights. However, in that case the supreme
court ruled that "pen registers" to record who you were calling did NOT
violate the 4th amendment.
http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=CASE&court=US&vol=442&page=735
Application of the Fourth Amendment depends on whether the person
invoking its protection can claim a "legitimate expectation of privacy"
that has been invaded by government action. This inquiry normally
embraces two questions: first, whether the individual has exhibited an
actual (subjective) expectation of privacy; and second, whether his
expectation is one that society is prepared to recognize as
"reasonable."
First, we doubt that people in general entertain any actual expectation
of privacy in the numbers they dial. All telephone users realize that
they must "convey" phone numbers to the telephone company, since it is
through telephone company switching equipment that their calls are
completed. All subscribers realize, moreover, that the phone company
has facilities for making permanent records of the numbers they dial....
If you want to keep a number private, don't call it!
Note the crucial issue that the defendant voluntarily shared the number with the phone company!
Justices Stewart & Brennan dissented
The telephone conversation itself must be electronically transmitted by
telephone company equipment, and may be recorded or overheard by the
use of other company equipment. Yet we have squarely held that the user
of even a public telephone is entitled "to assume that the words he
utters into the mouthpiece will not be broadcast to the world."
Katz v. United States
What do you think of this distinction? Is there a difference
between sharing your phone number with the phone company and sharing
your actual conversation with them?
2001: Kyllo v United States
Thermal imaging of your house IS a 4th-amendment search! This is a very
important case in terms of how evolution in technology affects what is
a REoP
http://www.law.cornell.edu/supct/html/99-8508.ZS.html
Held: Where, as here, the Government uses a device that is not
in general public use, to explore details of a private home that would
previously have been unknowable without physical intrusion, the
surveillance is a Fourth Amendment “search,” and is presumptively
unreasonable without a warrant.
How long into the future will this hold? Could it be that part of the
issue was that the general public was not very aware of the possibility
of thermal imaging? If thermal imaging were
to come into not only general public awareness but also general public use (eg by equipping cellphones with
IR cameras), would the situation change?
I believe there was a trial-level civil case in which a judge ruled
that eavesdropping on someone else's phone call made on an
old-fashioned cordless phone (remember those?) was not an invasion of
privacy because no one had a "reasonable expectation of privacy" when
using a cordless phone because "everyone" knew that it was easy to
listen in to someone else's call simply by playing with the channel
button. However, I cannot find this case.
The FBI and cellphone location records
Nearest-tower (cell-handoff) records v GPS records
Supposedly the Justice Department gets warrants for GPS data (nearest few feet), but usually does not for nearest-tower data (which positions you to within a few miles at worst, a few hundred feet at best).
Another distinction is between realtime data (where you are now) and "historical" data (where you were).
The federal government has tried to claim that nearest-tower data simply amounted to "routine business records". Are they?
Video surveillance -- Baase p 72
This is a big issue in Chicago, where there are both "obvious" and
"hidden" cameras.
2001 Super Bowl: Tampa police used facial-recognition software on all
100,000 fans. It didn't work terribly well.
London: heavy camera use to:
- charge tolls for driving into central London during rush hour
- enforce youth curfews
London in 2005:
- report indicating cameras had little effect on crime
- (after the report) cameras helped identify subway bombers
What about the rate of false positives?
Should the London cameras be used to track lesser crimes, such as
pickpocketing? Supposedly the Chicago street cameras have been quite effective in handling minor crimes.
Look at the websites. Are these sites bad? (ChoicePoint is now
LexisNexis.com/risk, for Risk Solutions.)
What if you are hiring someone to work with children? Do such employees
have any expectation of privacy with regard to their past?
ChoicePoint sells to government agencies data that those agencies are
often not allowed to collect directly. Is this appropriate?
ChoicePoint might argue that it is similar to a credit bureau, though
exempt from the rules of the Fair Credit Act because they don't
actually deal with credit information.
Baase p 60: "At least 35 government agencies are or were clients of
ChoicePoint". Some of the data collected (again from Baase):
- credit data
- divorce, bankruptcy, and other legal records
- criminal records
- employment history
- education
- liens
- deeds
- home purchases
- insurance claims
- driving records
- professional licenses.
From the Acxiom website (http://www.acxiom.com/products_and_services/background_screening/faq/Pages/FAQs.aspx)
Must I supply applicants’ dates of birth?
Date of birth is critical to the criminal record search process. The
majority of courts use date of birth as a primary identifier, but
please note that a handful actually require this piece of information
to process requests. However, Acxiom offers alternative options to
customers who are unable to supply this information. Our toll-free
Applicant Date of Birth Line allows applicants to call and register
date of birth information via a touchtone answering system. Acxiom then
retrieves this information for use in the search process, subsequently
reporting “match” or “non-match” record results to the customer while
never divulging the specifics of the date of birth. Additionally, date
of birth information may be confidentially submitted via a specially
dedicated URL (www.acxiomdob.com) that forwards applicants to an
internal 128-bit SSL encrypted website where they are prompted to enter
the needed information.
Why is this an issue?
You cannot legally ask a candidate's age in a job interview in the US, if you have four or more employees.
http://smallbusiness.findlaw.com/employment-employer/employment-employer-hiring/employment-employer-hiring-interview-legal.html
You can ask the candidate to
authorize the release of a credit report (you can't get the credit
report without asking). However, several states are considering banning
this practice (except for jobs involving responsibility for money), on
the theory that applicants can't say no, and that it makes it much
harder for those who have had credit problems ever to recover.
Baase p 61: case study on federal DB on all US college students. The database
would list all courses taken, with grades; it would also include loan
and scholarship records.
Good example of a fairly common situation: creation of a new database
containing confidential information.
Benefits:
- tracking graduation records
- tracking how programs & funding affect student
performance
Drawbacks:
- cradle-to-grave tracking of behavior issues, sometimes
unsubstantiated
- potential availability to employers, etc
- identity theft
- errors
Is such a database a good idea?
What if in 2012 a law is passed giving prospective employers access
to the data, if the job applicant signs a consent form? What do you
think would happen if you refused to sign?
Related "database-matching" issue:
should the government be able to link databases of:
- men receiving student aid
- men registered with the selective service (draft)?
Joe the Plumber
aka Samuel Joseph Wurzelbacher
He went to an Obama rally and asked a serious question about Obama's
tax plan (in which he apparently confused income with profit). Obama
made his "spread the wealth" remark in response. After this was in the
press, McCain ran with it, and referred to him multiple times in the
debate, as a symbol of middle-america and small businesses.
One reporter (in a print newspaper column I failed to save) argued that
Wurzelbacher should have no
expectation of privacy. At what point does this become true? Is it true
of Obama? Was it true for Palin, or McCain? Wurzelbacher did try to
capitalize on his sudden fame, and some might argue that in doing so he
lost his expectation of privacy. But suppose he had tried to remain a
private citizen?
Allegations about him:
- no license (but he wasn't a contractor; he might need a journeyman's license; this is unclear)
- back taxes: $1,182 to Ohio
- child support: Helen Jones-Kelly, director of Ohio Dept of Job & Family
Services, authorized a probably-illegal check on Wurzelbacher's
child-support payments. Julie McConnell, of the Toledo Police Dept, was
charged also. Apparently neither case went anywhere, but Jones-Kelly
later resigned.
- divorce records: 2006 income was $40K
- voter records: he's registered, but his last name was misspelled
"Worzelbacher"
- related to Robert Wurzelbacher (not!), son-in-law of Charles Keating &
convicted of Savings & Loan fraud; RW served 40 months in prison
Lucas County clerk of courts: http://apps.co.lucas.oh.us/onlinedockets/Default.aspx
Search for "Wurzelbacher".
Is the availability of this kind of search appropriate?
See also Baase, §2.3.5, on Public Records. Her examples include:
- records on everyone who gave more than $100 to a political candidate
- records on flight plans of executive aircraft, as a way of tracking the
position of the CEO
- judges' financial-disclosure forms. Formerly, you had to show your
ID to get access; now it's online. These forms show where judges'
family members work and go to school.
What of the above is legitimate to talk about for a private citizen?
At what point did Wurzelbacher stop being a private citizen?
Wurzelbacher asked Obama a financial question. Does this make W's
income and taxes fair game? What about his child-support records?
Aw, to hell with facts: see http://www.slate.com/id/2202480
Search records and computer forensics
In 2002, Justin Barber was found shot four times on a beach in Florida.
None of his injuries were serious. His wife April, however, had been
shot dead. Barber described the event as an attempted robbery.
There were some other factors though:
- Barber had recently taken out a large life-insurance policy on his
wife
- Barber was having an affair
- Barber was heavily in debt
- April Barber's family was sure Justin did it
Police searched Barber's computer for evidence of past Google searches.
They apparently did not contact Google directly. Barber had searched for
information on gunshot wounds, specifically to the chest, and under what
circumstances they were less serious. Barber was convicted.
More at:
http://news.cnet.com/8301-13578_3-10150669-38.html
Case of Lee Harbert:
Harbert's vehicle struck and killed Gurdeep Kaur in 2005. Harbert fled
the scene. When arrested later, his defense was that he thought he had
hit a deer. But his on-computer searches were for
"auto glass reporting requirements to law enforcement"
"auto glass, Las Vegas" (the crime was in California)
"auto theft"
He also searched for information on the accident itself. Harbert too was
convicted.
More at http://news.cnet.com/8301-13578_3-10143275-38.html
Case of Wendi Mae Davidson
Police found her husband's body in a pond at the ranch where Davidson
boarded her horse. Police found the ranch itself by attaching a GPS
recorder to her car. Davidson also used an online search engine to
search for the phrase
"decomposition of a body in water".
More at http://news.cnet.com/Police-Blotter-Murderer-nabbed-via-tracking,-Web-search/2100-7348_3-6234678.html
How do such cases relate to the AOL search-data leak, and Thelma Arnold?
While none of the individuals in the AOL data was charged with anything,
some of their searches (particularly those related to violent pornography)
are rather disturbing.
Case of Antoine Jones
Jones was an alleged cocaine dealer in the Washington, DC area. Police
attached a GPS tracker to his car while it was parked in the driveway.
By following him over a 30-day period, the police were able to build a
strong case against him. But Jones argued that such tracking was an
unreasonable warrantless search, despite a 1983 Supreme Court ruling
that allowed wireless tracking for single trips.
In August 2010, the DC Court of Appeals agreed, and overturned his conviction
because the GPS monitoring was for more than one or two trips.
The Ninth Circuit and the Seventh Circuit (including Illinois) have ruled otherwise, however.
We're still waiting for a final decision on US v Antoine Jones. The DC
Appellate Court did, in November 2010, deny the US a rehearing en banc, which means the US will either appeal to the Supreme Court or lose.
Where is your Google search history stored on your computer? Is it stored anywhere, anymore?
Theories of Privacy
Is it obsolete?
See Baase, p 92. Is it true that "young people of today" are not as
concerned about privacy?
WHY?
Warren and Brandeis, 1890
(Louis Brandeis later became a Supreme Court justice.) They argue for
the principle of "inviolate personality" that gives everyone specific
rights regarding their personal information. Their primary concern was
apparently newspaper gossip columns. Their argument was that repeating
"private" information about someone violated a fundamental right.
Baase, p 106.
Problems arise here because Warren and Brandeis were not able to
formulate precisely what was meant by an "inviolate personality", or to
explain at what point your rights to your inviolate personality give
way to the Public's Right To Know. For government officials, for
example, the right of the voters to know what they are really like
might be very important.
Another issue is that WB seemed most concerned with publication
of data that violated our privacy. What if it is just made available to
a selected few? Employers? People on some committee at our church?
Car-rental agencies? People with some self-defined Need To Know, such
as our annoying neighbors? This is not normally understood to be
publication.
Thomson, 1975
Judith Jarvis Thomson argued against the WB position, claiming that
every time a privacy right is violated, there is in fact some other,
more concrete, right being violated. Hence, we do not need special
privacy rules. One of her examples is the Magazine Scenario: if you
don't want people to read it, you can keep it private. If they break
into your house, they have broken the law. If someone interrogates you
violently and thus obtains private information, the real issue is the
violence and not the privacy invasion. If a company reveals information
about you in a way that is contrary to their own privacy policy that
you accepted, they are violating your contractual rights. A less-clear
example is the Shower Scenario: she argues that if someone peeps at you
while you shower, they have violated your "right to your person". Is
this just a WB-style privacy right, or is the "right to your person"
more concrete and limited?
Others have tried to find examples where your right to privacy was
violated, but no other rights were. What if someone reads your email?
Are there other rights involved besides your right to privacy?
Transactions
On pp 108-109, Baase describes a scenario involving Joe, Maria, and
some potatoes. Joe buys the potatoes from Maria; Maria sells the
potatoes to Joe. Who owns the information about the transaction? Either
party might want the information kept private; does the other party
then have an obligation
to keep it so? Or does the privacy-concerned party have to add that
into the contract up-front, so that if Joe wants it private then he
might have to pay more, or if Maria wants it private then she might
have to charge less?
Who is the transaction about?
Another example is the making of "connections" visible to Everyone on Facebook: which party is in charge here?
In the real world, sellers are often large corporations. When we as
individuals buy things, the balance of power is skewed in favor of the
larger seller. Does this change things?
Property Rights to Personal Information
Do we have such rights? What about "negative" information, such as
- tenant payment information or activism
- driving records
- credit information
One immediate issue is the transactions one: is a tenant's late-payment
history their
property, or the landlord's? Judge Richard Posner argued that personal
information that is not "expensive" in the economic sense should
receive more protection.