Adam Thierer's Blog, page 129

As Sonia Arrison mentioned here on Friday, the State of California is currently considering legislation that could, in the name of enhancing online privacy, impose burdensome new regulatory mandates on the Internet. Sonia has a nice column at TechNewsWorld discussing this. I also wrote about the same issue in my Forbes column this week, which is entitled, "The State of California Versus the Internet." Specifically, I discuss SB 242, "The Social Networking Privacy Act," and SB761, the so-called Do Not Track bill, and argue that: "What unifies these two measures is a general lack of understanding about the way the Internet and digital technology work. Both measures fail to appreciate the global nature of the Internet and would raise a host of unintended consequences."

While the best of intentions drive these measures, they will be complicated to enforce in practice and could have a devastating impact on the California economy in the process. "If California wants to reestablish itself as the home of high-tech innovation," I argue, "it needs to realize heavy-handed Net controls are not the ticket to either economic progress or job-creation." Moreover, "These laws could be challenged in court since state-based regulation of the Internet raise constitutional issues. The Commerce Clause of the Constitution was designed to block the sort of parochial burdens on interstate commerce that these measures would establish."

Jump over to Forbes to read the rest. Let's hope California policymakers realize what a mistake they are making before it's too late. If they don't, Congress will need to preempt this regulation of interstate commerce if it's not immediately challenged in Court and overturned.

There is a major controversy rocking the UK over the far-reaching press gag orders known as "super-injunctions," especially because they've been brought to the fore by a sex scandal between famous footballer Ryan Giggs and reality TV star Imogen Thomas. (This blog post is now officially illegal in the UK.) In my latest TIME.com Techland post, I explain the controversy and say that while the injunction is legally enforceable–Facebook has a London office with over 50 employees, and today comes word that Twitter is starting up its UK operation–they are not practically enforceable because once out, the information cannot be controlled. I wrote:

Controlling information is possible, but only at the margin and at great cost. As information technology advances, that margin at which information can be controlled gets thinner and thinner, and the costs of doing so become greater and greater. So given the apparent futility of keeping facts secret, you'd think officials would look to find better ways of confronting the new reality. That's unfortunately not the case.

"Why are we assuming that the world of communication, developing as rapidly as it is, can never be brought under control by other technological developments?" asked the head of the U.K.'s judiciary yesterday. "I am not giving up on the possibility that people who in effect peddle lies about others through modern technology may one day be brought under control."

And we should not forget to look in the mirror. While the U.S. has some of the world's most extensive free speech and press liberties, it seems every week there is a new proposal to control what information can be published online.

Social widgets, such as the now-ubiquitous Facebook "Like" button and Twitter "Tweet" button, offer users a convenient way to share online content with their friends and followers. These widgets have recently come under scrutiny for their privacy implications. Yesterday, The Wall Street Journal reported that Facebook, Twitter, and Google are informed each time a users visit a webpage that contains one of the respective company's widgets:

Internet users tap Facebook Inc.'s "Like" and Twitter Inc.'s "Tweet" buttons to share content with friends. But these tools also let their makers collect data about the websites people are visiting. These so-called social widgets, which appear atop stories on news sites or alongside products on retail sites, notify Facebook and Twitter that a person visited those sites even when users don't click on the buttons, according to a study done for The Wall Street Journal.

It wasn't exactly a secret that social widgets "phone home." However, the Journal's story shed new light on how the firms that offer social widgets handle the data they glean regarding user browsing habits. Facebook and Google reportedly store this data for a limited period of time — two weeks and 90 days, respectively — and, importantly, the data isn't recorded in a way that can be tied back to a user (unless, of course, the user affirmatively decides to "like" a webpage). Twitter reportedly records browsing data as well, but deletes it "quickly."

Assuming the companies effectively anonymize the data they glean from their social widgets, privacy-conscious users have little reason to worry. I'm not aware of any evidence that social widget data has been misused or breached. However, as Pete Warden reminded us in an informative O'Reilly Radar essay posted earlier this week, anonymizing data is harder than it sounds, and supposedly "anonymous" data sets have been successfully de-anonymized on several occasions. (For more on the de-anonymization of data sets, see Arvind Narayanan and Vitaly Shmatikov's 2008 research paper on the topic).

While these social widgets may well pose no real threat to privacy, some especially privacy-sensitive users might be wary of the risk of being "tracked" by a social networking service, however small that risk may be. Such concerns aren't totally unreasonable — if, say, the browsing data collected by Facebook or Google were to be breached and subsequently de-anonymized and tied to authenticated (logged-in) users by malicious actors, the resulting privacy harms could be quite serious.

Fortunately for privacy-conscious users, there are several ways to stop social widgets from collecting data about your browsing habits. As the Journal points out, you can simply log out of your Twitter or Facebook account prior to visiting other websites. Other methods include clearing out your cookies or using your browser's privacy mode when visiting social networking sites. And, of course, there's always the "nuclear option" of deleting your social networking accounts entirely.

Perhaps the most convenient, slick way to avoid social widgets is to simply use a browser add-on that selectively disables cross-site requests from Facebook, Twitter, and Google. The WSJ profiled one such add-on, Disconnect, which is compatible with Chrome, Firefox, and Safari.

If you're a Firefox user, the popular add-on NoScript also offers a robust and effective mechanism for blocking social widgets. To do so, you'll need to paste a few lines of code in NoScript's Application Boundaries Enforcer (ABE), a powerful module that allows users to establish custom rules governing scripts and cross-site requests. If you've got NoScript installed (get it here), simply go to the 'Options' menu, select the 'Advanced' tab, then the 'ABE' subtab:

After checking the 'Enable ABE' box, select the USER Ruleset, then paste in the following lines:

Site .facebook.com .fbcdn.net facebook.net

Accept from SELF

Accept from .facebook.com .fbcdn.net facebook.net

Deny INCLUSION



Site .twitter.com

Accept from SELF

Accept from .twitter.com

Deny INCLUSION



Site .google.com googleapis.com

Accept from SELF

Accept from .google.com

Deny INCLUSION

Then hit 'Refresh' and 'OK' and you're all set. If you've done this correctly, you should no longer see Facebook, Twitter, or Google widgets. To verify that no data is being transmitted to the companies, install and run HTTP traffic analyzer Fiddler then visit a webpage featuring social widget. If no HTTP request is transmitted to a social networking service, you're in the clear. Note that this technique also doesn't affect the functionality of Twitter, Facebook, or Google, so you can still use each of these services with full functionality. If you want to block other social widgets, simply add additional lines to ABE in NoScript in the same manner as above including the domains of the services you wish to block.

As this post hopefully illustrates, privacy-conscious users aren't helpless; extant technological solutions can address many privacy concerns already, while more robust tools are constantly emerging. As for Facebook, Twitter, and Google, it's hard to fault them for responding to user demands. Statistics indicate that social widgets are immensely valuable and popular among users, so activating them by default is a sensible decision.

I'd like to see these firms offer a mechanism for authenticated users to opt out of social widget data collection entirely. Greater transparency regarding how the data sets are anonymized would also be welcome. Meanwhile, privacy-conscious users can take matters into their own hands by opting out manually.

For those who wonder about the latest craziness coming from California, here is a summary.  It's truly shocking that California policy makers are going after Silicon Valley, since it is one of the reasons the economy hasn't completely tanked.

From my recent TNW column:

Facebook is having a tough month. First, it was revealed that the company hired a PR firm to portray competitor Google in a negative light, and now it is facing an even worse scenario: government regulation.

 

The Social Networking Privacy Act (SB 242) introduced into the California Senate by Sen. Ellen Corbett, D-San Leandro, would force any social networking site to make new users choose their privacy settings when they register and make the default settings private except for the user's name and city of residence.

This is a huge challenge to Facebook CEO Mark Zuckerberg who has argued that making personal data public is the new "social norm."

 

Clearly, the battle over what constitutes the appropriate social norm is up for grabs. According to Corbett, "you shouldn't have to sign in and give up your personal information before you get to the part where you say 'please don't share my personal information.'"

 

This might sound like common sense at first, but someone should remind the senator that signing up for Facebook is voluntary. No one is required to log in or give up their data.

 

In addition to its stipulations about privacy settings, the bill would force social networking sites to remove any personally identifying information that a user wants to delete and would allow parents to edit their children's Facebook profiles.

 

Suddenly the horror that "Mom's on Facebook" could mean a lot more than potential embarrassment for kids. For those under 18, it might mean deletion of one's online identity.

[…]

Read more here.

 

 

Free live streaming by Ustream

Every year since 1995, the Federal Communications Commission has released a report on the state of competition in the wireless market. Last year's report was the first not to find the market "effectively competitive." As a result, expectations are high for the new annual report. How it determines the state of competition in the wireless market could affect regulatory policy and how the Commission looks at proposed mergers.

Tune in here to watch this afternoon's panel discussion on these issues, brought to you by the Mercatus Center at George Mason University's Technology Policy Program.

The panel features:

Thomas W. Hazlett, Professor of Law & Economics, George Mason University School of Law
Joshua D. Wright, Associate Professor of Law, George Mason University School of Law
Robert M. Frieden, Professor of Telecommunications & Law, Penn State University
Harold Feld, Legal Director, Public Knowledge

One of my favorite topics lately has been the challenges faced by information control regimes. Jerry Brito and I are writing a big paper on this issue right now. Part of the story we tell is that the sheer scale / volume of modern information flows is becoming so overwhelming that it raises practical questions about just how effective any info control regime can be. [See our recent essays on the topic: 1, 2, 3, 4, 5.]  As we continue our research, we've been attempting to unearth some good metrics / factoids to help tell this story.  It's challenging because there aren't many consistent data sets depicting online data growth over time and some of the best anecdotes from key digital companies are only released sporadically. Anyway, I'd love to hear from others about good metrics and data sets that we should be examining.  In the meantime, here are a few fun facts I've unearthed in my research so far. Please let me know if more recent data is available:

Facebook: users submit around 650,000 comments on the 100 million pieces of content served up every minute on its site.[1]
YouTube: every minute, over 35 hours of video are uploaded to the site.[2]
eBay is now the world's largest online marketplace with more than 90 million active users globally and $60 billion in transactions annually, or $2,000 every second.[3]
Google: 34,000 searches per second (2 million per minute; 121 million per hour; 3 billion per day; 88 billion per month)[4]
Twitter already has 300 million users producing 140 million Tweets a day, which adds up to a billion Tweets every 8 days[5] (@ 1,600 Tweets per second)
Apple: more than 3 billion apps have been downloaded from its App Store by customers in over 77 countries.[6]
Yelp: as of March 2011 the site hosted over 17 million user reviews.

"Humankind shared 65 exabytes of information in 2007, the equivalent of every person in the world sending out the contents of six newspapers every day."[7]
Researchers at the San Diego Supercomputer Center at the University of California, San Diego, estimate that, in 2008, the world's 27 million business servers processed 9.57 zettabytes, or 9,570,000,000,000,000,000,000 bytes of information.  This is "the digital equivalent of a 5.6-billion-mile-high stack of books from Earth to Neptune and back to Earth, repeated about 20 times a year." The study also estimated that enterprise server workloads are doubling about every two years, "which means that by 2024 the world's enterprise servers will annually process the digital equivalent of a stack of books extending more than 4.37 light-years to Alpha Centauri, our closest neighboring star system in the Milky Way Galaxy."[8]








[1] Ken Deeter, "Live Commenting: Behind the Scenes," Facebook.com, February 7, 2011, http://www.facebook.com/note.php?note.... Also see: http://www.facebook.com/press/info.php?statistics




[2] http://youtube-global.blogspot.com/2010/11/great-scott-over-35-hours-of-video.html




[3] eBay, "Who We Are," http://www.ebayinc.com/who




[4] Matt McGee, "By The Numbers: Twitter Vs. Facebook Vs. Google Buzz," SearchEngineLand, February 23, 2010, http://searchengineland.com/by-the-numbers-twitter-vs-facebook-vs-google-buzz-36709




[5] http://blog.twitter.com/2011/03/happy-birthday-twitter.html Also see: http://blog.twitter.com/2010/02/measuring-tweets.html




[6] http://www.apple.com/pr/library/2010/01/05appstore.html




[7] Martin Hilbert and Priscila Lopez, "The World's Technological Capacity to Store, Communicate, and Compute Information," Science, February 10, 2011, http://annenberg.usc.edu/News%20and%20Events/News/110210Hilbert.aspx.




[8] Rex Graham, "Business Information Consumption: 9,570,000,000,000,000,000,000 Bytes per Year," UC San Diego News Center, April 6, 2011, http://ucsdnews.ucsd.edu/newsrel/gene....

Hanno F. Kaiser, a U.S. and EU antitrust lawyer and partner with Latham & Watkins LLP, has just released an important essay on a topic I have devoted much time to here over the years: the debate over the relative advantages of "open" vs. "closed" technological systems and the Lessig-Zittrain-Wu school of thinking about these issues.

Kaiser's essay is entitled, "Are Closed Systems an Antitrust Problem?" and it appears in the latest edition of Competition Policy International.  This essay is not to be missed. Kaiser's terrific paper helps us better understand and debunk many of the myths and misperceptions that continue to riddle this debate. Here's Kaiser's key insight:

At bottom, the bad reputation of closed systems or walled gardens in the "open versus closed" debate is quite undeserved. Walled gardens generally benefit their environments—both in the real world and the digital realm. The primary purpose of a garden wall, after all, is to shelter plants from wind and frost, not to keep intruders out. In the protected space of the garden, flowers can grow that would not otherwise survive in the wild. Walled gardens thus deliberately create a microcosm that is different from the surrounding ecosystem. Therefore, as long as the garden does not take over the entire ecosystem, walled gardens increase, not reduce, overall diversity. From a competition policy perspective, enjoying the fruits of a walled garden is generally not a guilty pleasure.

Therefore, "as a policy matter, 'open' is not necessarily better than 'closed'," Kaiser argues, and elaborates as follows:

Our initial question whether "closed" systems are inherently anticompetitive can be restated as follows: "Is there a reason to believe that intra-platform restraints imposed by the platform sponsor on various contributors are commonly exclusionary?" To that question, the answer is no. Is it possible that such restraints can lead to anticompetitive exclusion? Yes, but not unless the platform has significant market power vis-à-vis rival platforms.

In other words, it is foolish to over-simplify the debate as many scholars do when they imply that "open"=good and "closed=bad. (For a recent example, see my essay here earlier this month about Cory Doctorow's misguided effort to equate open systems with "techno-optimism.")

In my work, I've tried to focus on the happy balance and healthy competition that exists today between such systems. Shouldn't that be what counts most? Scholars like Lessig, Zittrain, Wu, Doctorow sometimes seem to want to force a false 'open-or-nothing-else' choice upon us. Such thinking is troubling from a policy perspective since it means law might force many consumers to use systems that may not be to their liking.  Moreover, such thinking reveals an ironic insecurity among these "Openness Evangelicals," as I have called them: they seem to have very little faith in the open systems and technologies they trumpet. If such systems really are superior, shouldn't they win out in the end?

Importantly, however, Kaiser also debunks the simplistic notion that "open" and "closed" systems are easily defined:

As an analytical tool the labels "open" and "closed" are of limited utility, because they cannot adequately capture the complexity of selective openness at various layers of a system within their single binary distinction.  Addressing the central antitrust issue requires that we move past the "ready labels" and focus on whether specific vertical restraints at all levels result in anticompetitive exclusion and foreclosure.

Quite right. I also appreciated Kaiser's thought's on Tim Wu's "Separations Principle," which would rigidly segregate all information services into three buckets–content, conduit, and devices–and keep them there. Kaiser says:

The Separations Principle amounts to a general rule against vertical integration in the information sector irrespective of market power, foreclosure, and efficiencies. Such a sweeping rule requires extraordinarily strong justifications, which Wu fails to provide. In fact, our analysis of the competitive effects of open and closed systems does not suggest that closed systems pose anywhere near the level of concern that would justify such a radical expansion of antitrust market regulation.

Kaiser is actually being too generous. Wu's radical prescription for the information sectors flies in the face of decades of antitrust scholarship and would have devastating ramifications for the Digital Economy in practice, as I noted in part 6 of my multi-part review of his book The Master Switch.

Anyway, read Hanno Kaiser's terrific paper. It's a major contribution to the literature in this arena and a real breath of fresh air compared to what I regard as the hopelessly pessimistic (and usually overly-simplistic) literature on "open" vs. "closed" technological systems.

P.S … I put together a separate page here at the TLF to house my 30 or so essays addressing "Problems with the Lessig-Zittrain-Wu Thesis."  Also, this chapter from the Next Digital Decade book on the case for Internet optimism ties together all my various critiques into one essay.

 

TechFreedom, CEI and ATR's DigitalLiberty.net just put out the following statement about ECPA reform, something Ryan and I have blogged about here and here. Also check out the larger coalition letter we released in April with seven other leading free market groups and digitalfourthamendment.org.

*  *  *

WASHINGTON D.C. – Sen. Patrick Leahy (D-Vt.) today introduced legislation (S. 1011) to reform the Electronic Communications Privacy Act (ECPA).  The law, enacted in 1986, was designed to protect individuals' privacy by limiting governmental access to electronic data stored or sent using platforms or computers owned by third parties.

"Several lawmakers have proposed sweeping new regulation of how companies collect and use data to fund and improve the online content and services cherished by consumers," said TechFreedom President Berin Szoka.  "The costs to consumers of such regulations could be enormous, yet the harms supposedly justifying new regulations remain largely amorphous.  Today, finally, we see a bill that focuses on the one clear harm that seems to underlie most online privacy concerns: law enforcement's access to personal data without judicial scrutiny.  Addressing that very real problem should unite everyone who cares about privacy."

Sen. Leahy's proposed legislation would amend ECPA to protect Americans' private information stored remotely or in the "cloud" from unwarranted search and seizure, and limit unwarranted governmental access to mobile location information.  The reforms would implement two of the four consensus principles advocated by the Digital Due Process coalition, a diverse coalition of public interest organizations, free market groups, high-tech companies, and scholars.

"As technology has advanced, the laws protecting Americans from unreasonable search and seizure have failed to keep up," said Kelly William Cobb, Executive Director of Americans for Tax Reform's DigitalLiberty.Net.  "The reforms take an important step toward updating antiquated protections for consumers utilizing modern-day cloud and mobile services. Importantly, the bill ensures law enforcement continues to have the tools to preserve national security and fight crime, while making the law coherent and consistent for everyone."

"Sen. Leahy's proposed modernization of ECPA would benefit not only law enforcement but also firms that offer innovative electronic communications services," said Ryan Radia, CEI Associate Director of Technology Studies. "Uncertainty over how to apply ECPA to these platforms harms companies that value user privacy but also want to abide by the law. Users also suffer under this confusing regime, as law enforcement may compel providers to disclose certain types of private user information through a mere subpoena issued without meaningful judicial review and sometimes with no notice whatsoever.  The reforms would also reduce the incentive for cloud computing firms to locate their servers abroad, beyond the reach of U.S. law enforcement."

"ECPA reform is a win-win: It benefits consumers, law enforcement, and businesses.  It also honors our constitutional heritage by clarifying that normal law enforcement access to private data should be subject to the judicial warrant requirement enshrined in the Fourth Amendment," said Szoka. "Setting clear standards for law enforcement access is the best way for the U.S. to raise global standards for protecting privacy.  Sen. Leahy's bill is an important first step, but comprehensive ECPA reform should address all four Digital Due Process principles."

On the podcast this week, Joseph Menn, a Financial Times technology reporter and the author of Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down The Internet, discusses cyber crime. Menn says that one of the main challenges of cybersecurity is that the internet was never intended for many of the things it's used for today, like e-commerce or critical infrastructure management. He talks about the implications of the internet still being in beta form and comments on the recent Sony data breach and other similar cyber attacks. Menn also discusses his book, telling a few anecdotes about the people who go beyond computer screens in pursuit of internet crime lords.

Related Links


Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet
"'Fatal System Error' has insight on cybercrime," San Francisco Chronicle
"Sony Hack Caps Recent String of Security Horror Shows," PC World

To keep the conversation around this episode in one place, we'd like to ask you to comment at the web page for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

Here's a quick excerpt from an interesting press release sent out over PR Newswire last week—it sounds like someone is angling for a fat government contract:

EMC® announced the 2011 Data Hero Awards winners and finalists

First annual Data Hero Visionary award goes to Vivek Kundra, the first Chief Information Officer (CIO) of the United States of America

EMC just happens to be huge provider of cloud storage solutions, which they're actively trying to sell to the public sector, and apparently already have.

Kundra, of course, was honored:

I'm truly honored to be recognized for this 2011 Data Hero visionary award. The modern economy is powered by data and technology. That's why we strive to find innovative paths to lower government cost, engage citizens and institute radical transparency to bring them closer to their government and to help move us all forward, together.

I really like the way he worked in the bit on "radical transparency."  It's not as though if you say something enough, it magically changes reality, but that doesn't stop the flow of awards.

Be on the lookout for an EMC press release involving a massive federal government cloud computing project.