Choose Privacy Week
Welcome to Choose Privacy Week! We are thrilled to unveil a short film that introduces some of today's most interesting and complex privacy issues. To view the film and to share or embed it on your own site, click here. We hope libraries and others will share this video online and host events to discuss the issues it raises. In addition to "man on the street" interviews, the film features individuals like Neil Gaiman, Cory Doctorow, Geoffrey Stone, and ALA President Camila Alire discussing privacy.
Privacy at ALA 2010 Annual Conference
On the heels of a successful first-annual Choose Privacy Week, ALA’s Intellectual Freedom Committee and Committee on Legislation will present “Privacy, Libraries, and the Law” — a panel featuring three of today’s foremost privacy experts in the country…
Read More »Recognizing Partners, Looking to the Future
As we near the close of the first-ever Choose Privacy Week, we are tremendously grateful to the many individuals and organizations that have contributed to its success. Please allow us this blog post to recognize those on the front lines of key privacy issues today…
Read More »Privacy Programming and Public Libraries
We wanted to take a moment to highlight some of the public libraries that have told us about their fantastic Choose Privacy Week programs and activities! Here are some examples chosen from our Events page, and we hope you’ll share more events with us soon!
Read More »Digital Marketing, Privacy & the Public Interest
- Will online advertising evolve so that everyone's privacy is truly protected?
- Will there be only a few gatekeepers determining what editorial content should be supported in order to better serve the interests of advertising, or will we see a vibrant commercial and non-commercial marketplace for news, information, and other content necessary for a civil society?
- Who will hold the online advertising industry accountable to the public, making its decisions transparent and part of the policy debate?
- Will the more harmful aspects of interactive marketing - such as threats to public health - be effectively addressed?
Protecting Privacy, Promoting Consumer Rights and Ensuring Corporate Accountability
Perhaps the most powerful - but largely invisible - force shaping our digital media reality is the role of interactive advertising and marketing. Much of our online experience, from websites to search engines to social networks, is being shaped to better serve advertisers. Increasingly, individuals are being electronically "shadowed" online, our actions and behaviors observed, collected, and analyzed so that we can be "micro-targeted." Now a $24 billion a year industry [2008 estimates] in the U.S., with expected dramatic growth to $80 billion or more by 2011, the goal of interactive marketing is to use the awesome power of new media to deeply engage you in what is being sold: whether it's a car, a vacation, a politician or a belief. An explosion of digital technologies, such as behavioral targeting and retargeting, "immersive" rich media, and virtual reality, are being utilized to drive the market goals of the largest brand advertisers and many others.
A major infrastructure has emerged to expand and promote the interests of this sector, including online advertising networks, digital marketing specialists, and trade lobbying groups.
The role which online marketing and advertising plays in shaping our new media world, including at the global level, will help determine what kind of society we will create.
CDD's project works to keep the public informed and the online ad industry accountable.
Promoting Public Health in the Digital Era
The new media can be a boon to fostering healthy behaviors, including access to more information about drugs and lifestyle choices. But marketers also have the power to encourage the consumption of products and drugs that may be harmful to one's health. From investigating the online marketing of unhealthy food and beverages to children and teens to analyzing the threats from digital marketing of prescription and over-the-counter drugs, CDD is working to promote global public health.
(More - Digitalads.org)
Read More »
Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns
- 1. See, e.g., Susan Landau et al., Achieving Privacy in a Federated Identity Management System.
- 2. See Ten Risks of PKI: What You're Not Being Told about Public Key Infrastructure
Coauthored by Seth Schoen
The White House recently released a draft of a troubling plan titled "National Strategy for Trusted Identities in Cyberspace" (NSTIC). In previous iterations, the project was known as the "National Strategy for Secure Online Transactions" and emphasized, reasonably, the private sector's development of technologies to secure sensitive online transactions. But the recent shift to "Trusted Identities in Cyberspace" reflects a radical — and concerning — expansion of the project’s scope.
The draft NSTIC now calls for pervasive, authenticated digital IDs and makes scant mention of the unprecedented threat such a scheme would pose to privacy and free speech online. And while the draft NSTIC "does not advocate for the establishment of a national identification card" (p. 6), it’s far from clear that it won’t take us dangerously far down that road. Because the draft NSTIC is vague about many basic points, the White House must proceed with caution and avoid rushing past the risks that lay ahead. Here are some of our concerns.
Is authentication really the answer?
Probably the biggest conceptual problem is that the draft NSTIC seems to place unquestioning faith in authentication — a system of proving one's identity — as an approach to solving Internet security problems. Even leaving aside the civil liberties risks of pervasive online authentication, computer security experts question this emphasis. As prominent researcher Steven Bellovin notes:
The biggest problem [for Internet security] was and is buggy code. All the authentication in the world won't stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. All of these attacks have been known for years.
A Real ID Society?
The draft NSTIC says that, instead of a national ID card, it "seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions," which can be obtained "from either public or private sector identity providers." (p. 6) In other words, the governments want a lot of different companies or organizations to be able to do the task of confirming that a person on the Internet is who he or she claims to be.
Decentralized or federated ID management systems are possible, but like all ID systems, they definitely pose significant privacy issues. 1 There’s little discussion of these issues, and in particular, there’s no attention to how multiple ID's might be linked together under a single umbrella credential. A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy (pp. 125-132). Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).
Providing a uniform online ID system could pressure providers to require more ID than necessary. The video game company Blizzard, for example, recently indicated it would implement a verified ID requirement for its forums before walking back the proposal only after widespread, outspoken criticism from users.
Pervasive online ID could likewise encourage lawmakers to enact access restrictions for online services, from paying taxes to using libraries and beyond. Website operators have argued persuasively that they cannot be expected to tell exactly who is visiting their sites, but that could change with a new online ID mechanism. Massachusetts recently adopted an overly broad online obscenity law; it takes little imagination to believe states would require NSTIC implementation individuals to be able to access content somehow deemed to be "objectionable."
Anonymity
The draft NSTIC "envisions" that a blogger will use "a smart identity card from her home state" to "authenticate herself for . . . [a]nonymously posting blog entries." (p. 4) But how is her blog anonymous when it’s directly associated with a state-issued ID card?
The proposal mistakenly conflates trusting a third party to not reveal your identity with actual anonymity — where third parties don’t know your identity. When Thomas Paine anonymously published Common Sense in 1776, he didn’t secretly register with the British Crown.
Indeed, the draft NSTIC barely recognizes the value of anonymous speech, whether in public postings or private email, or anonymous browsing via systems like Tor. Nor does it address issues about re-identification, e.g. the ability to take different sets of de-identified data and link them so as to re-identify individuals.
Bellovin credits the draft NSTIC for suggesting the use of attribute credentials rather than identity credentials — that is, using credentials that could establish that you're authorized to do something without saying who you are. But, as he puts it, "We need ways to discourage collection of identity information unless identity is actually needed to deliver the requested service," and the draft NSTIC doesn't seem to address this.
Privacy, Identity Theft and Surveillance
The draft NSTIC seems to presuppose widespread use of smart ID cards. In one example, it envisions that an individual will use "a smart identity card from her home state" to "authenticate herself for a variety of online services," presumably modeled upon driver’s licenses. (p. 4)
One major concern, acknowledged briefly in the draft, is whether people's computers can really be secure enough to be used for these purposes — smart ID cards or no smart ID cards. As noted above, the vast majority of privacy and authentication vulnerabilities stem from buggy software, and when a computer is trivial to compromise, its users’ credentials are easy to steal. The NSTIC proposal could, in fact, decrease user privacy and enable identity theft: once a user’s digital ID is stolen, it could be used to both pose as the user and access all the user’s accounts and data.
Consider, for example, the proposal to use a state digital ID card to access health records and online banking. What happens next time you lose your wallet?
Furthermore, by consolidating your credentials, the NSTIC plan may provide the government with a centralized means of surveilling your online accounts. And if the government issues your digital ID itself, it won’t even need to approach a third party with any kind of legal process before surveilling you.
The draft NSTIC also mentions the development of a public-key infrastructure (PKI). (pp. 15, 27) We support good, widespread encryption, which could allow people to get correct public keys reliably and possibly cut down on phishing, spam, fraud, and pretexting. But as Bruce Schneier and Carl Ellison have explained, doing PKI properly isn’t easy.2 All of their concerns apply, in some form, to the NSTIC proposal.
Another concern that’s emerged recently is whether governments could coerce certificate authorities in a PKI to issue false credentials in order to facilitate surveillance. Chris Soghoian and Sid Stamm have reported on an industry claim that governments could get "court orders" giving them access to falsified cryptographic credentials. This threat seems greater if the government itself is running the PKI.
Much more could be said. The NSTIC is only a draft, and the Department of Homeland Security and the White House sought public input online through July 19th. Because of the importance of this issue, EFF has joined with a coalition of concerned civil liberties group to ask the Administrations for a longer comment period and a way to submit more detailed comments. We hope and expect that this will be only the beginning of a public debate about ID management online.
Read More »
EPIC to Urge Congress to Strengthen Privacy Laws for Facebook Users
In prepared testimony (PDF) for a Congressional hearing on "Online Privacy, Social Networking and Crime Vicitimization," EPIC Executive Director Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users. Mr. Rotenberg said that Facebook's constant changes to the privacy settings of users have made it virtually impossible for users to control who gets access to their personal information. He also said that the failure of the Federal Trade Commission to investigate Facebook's business practices means that Congress must now amend the federal privacy law to limit the ability of Social Network companies to disclose user information to third parties without informed and explicit consent. Also testifying at the hearing are witnesses from the FBI, the Secret Service, Symantec, and Facebook. For more information, see EPIC Social Networking Privacy, EPIC Facebook, and EPIC In re Google Buzz.
Read More »
Social networks, identity services, and national ID
Most of the reporting on last month’s conference on Computers, Freedom and Privacy (where we joined a panel on current hot topics in privacy) has focused on the issuance of a Social Network User’s Bill of Rights. That’s testimony to the importance of Facebook, but the implications extend even to those who aren’t currently users [...]
Read More »
WordStream Infographic: Do You Know Who’s Watching You?
WordStream Internet Marketing has put together an infographic about the various ways that a person’s personal data can be gathered or their privacy invaded. Below is only the top piece of the infographic; click on the image to go to WordStream’s full graphic.
Infographic by WordStream Internet Marketing
Read More »
Court Says Privacy Advocate May Publish Social Security Numbers
A federal appeals court has ordered Virginia’s attorney general to back away from threats of suing a privacy advocate who publishes Social Security numbers of elected officials on the internet.
The decision by the 4th U.S. Circuit Court of Appeals means Betty Ostergren avoids being sued by the state’s top law enforcement official for breaching a [...]
Read More »
Privacy Revolution's latest Tweet
NYTimes: The Web Means the End of Forgetting - http://nyti.ms/dabph2
© 2009 Privacy Revolution. American Library Association. Web Design by Digital Peabody and Unleaded Software