Category Archives: Law: Privacy

The Fixer (of Broken Security)

Nice profile of Christopher Soghoian in WIRED, entitled “The Pest Who Shames Companies Into Fixing Security Flaws”.

I’ve run into Chris at a few conferences, and read a good bit of his stuff, and I think he’s every bit as good as this profile makes him sound.

Posted in Cryptography, Law: Privacy | Comments Off on The Fixer (of Broken Security)

New Paper on the Regulation of Online Anonymity

I’ve posted a first draft of my new paper, Lessons Learned Too Well, on SSRN. The paper, which is about the regulation of online anonymity, was written for a conference being held later this week to celebrate the 10th anniversary of the Oxford Internet Institute, A Decade in Internet Time: Symposium on the Dynamics of the Internet and Society.

I’m the sort of person who prefers to post only more polished drafts — this one has a couple holes I know about and no doubt many I don’t know about too. But the symposium organizers asked us to post our papers on SSRN, and so there it is.

Comments very welcome, either below or in email.

I’m leaving for the UK tomorrow in order to give myself a bit of time to recover from jet lag before it begins, this being my first solo international journey since all my medical excitement. Posting may be light for a few days.

Below I post the introduction, which I think gives you some idea of what it’s all about:

Posted in Internet, Law: Internet Law, Law: Privacy, Talks & Conferences, Writings | Comments Off on New Paper on the Regulation of Online Anonymity

Thought for the Day: August 5, 2011

The privacy commons is shrinking fast.

Eventually, it will work. You’ll be able to wear a camera that will automatically recognize someone walking towards you, and a microphone that will automatically tell you who that person is and maybe something about them. None of the technologies required to make this work are hard, it’s just a matter of getting the error rate down low enough for it to be a useful system.

Schneier on Security: Developments in Facial Recognition

Posted in Law: Privacy | 1 Comment

Ideas on the Radio: Transparent Government

I’m scheduled to be on a call-in to the NPR Cleveland affiliate around 9:30 am tomorrow morning as part of their morning 9-10am talk show, “The Sound of Ideas.” Here’s the promo for tomorrow’s program:

If government — from your local school board to the U.S. Capitol — operated in secret, how much would you trust it? On the next Sound of Ideas, we’ll talk to open government advocates about the public’s right to know. We’ll offer expert advice on how to access public records and keep tabs on your government. Plus, we’ll explore how technology is helping to make government more transparent.

There will be a live feed of the show, The Sound of Ideas: Transparent Government / ideastream – Northeast Ohio Public Radio, and a podcast afterwards.

Posted in Law: Privacy, The Media | Comments Off on Ideas on the Radio: Transparent Government

My Day With the DPIAC

I spent yesterday as a ‘special government employee’ — for no salary. This was the start of my two-year term as a member of the DHS Data Privacy and Integrity Advisory Committee (the DPIAC — pronounced “dippie-ack”) — some two years after being asked to apply — and I attended my first meeting today in Washington DC, which was a public meeting of the committee. Advisory committees are a pretty mixed bag in DC, but the people I knew who were already involved in the process assured me that the committee actually helps influence outcomes, if only by helping build a record for things to happen. There’s a nice short description of the committee at the IT Law Wiki, and the DPIAC Charter is online too.

The committee’s primary contact in DHS is Mary Ellen Callahan, the Chief Privacy Officer (CPO) for the DHS, and she opened the meeting. She noted that the DPIAC published a Federal Register notice at 76 Fed Reg 39406 (July 6, 2011) asking for new members, for two-year terms ending 2014; applications are due August 15, 2011. Be advised that membership requires a Secret clearance, and filling out the forms is a royal pain if you have done any substantial foreign travel, or have any recurring foreign contacts (I fit both descriptions).

The meeting was ably chaired by Richard Purcell, who among other things is the Chair of TRUSTe, and was formerly CPO of Microsoft. In addition to the committee members, there were about 45 people in the audience, about half of whom, I was told, were either from DHS or from privacy offices in other agencies.

The first item on the agenda was an address by Jane Holl Lute, the Deputy Secretary of the DHS, who spoke about International Information Sharing Programs — i.e. data sharing with the EU over PNR. (Although she was extraordinarily eloquent, parts of it made me want to channel Ed Hasbrouck.)

Deputy Secretary Lute framed ‘data sharing’ as being in the service of ‘security’. But, she said the EU said, we don’t want security at the expense of our rights. To which she says she replied that ‘security is one of our rights’. (This seemed to me to leave out the possibility of there being costs of information sharing.) “We are trying to build a safe secure resilient place where the American way of life can thrive.” In 10 years of dealing with PNR, she said, “we haven’t had a single privacy incident.” (A ‘privacy incident’, it later transpired, is measured by the OMB definition — an unauthorized access or disclosure, i.e. a data breach. This doesn’t of course tell us anything about what is going on with the authorized uses.) We didn’t want to re-open negotiations…we had a perfectly functioning agreement…it just wasn’t as good as some voices in Europe thought it could be in terms of privacy principles.

In the Q&A I asked what effect recent work on the failure of de-anonymization would have on the work of her department. Deputy Sec Lute’s long and elegant reply boiled down to saying that the nature of the beast is that law and regulation are always going to lag the technology, which I found pragmatic but unsatisfying.

Another panel member asked what the policy was regarding other governments copying the US policies and doing to US citizens what we do to them — getting US person data and using it? Again the answer was the elegant form of cagey, although DepSec Lute did mention that the law enforcement community had told DHS that it needed to keep all data that it thought might be relevant to possible international conspiracy for 15 years. (I wondered what fraction of the data collected on foreign travelers that would be?)

Mary Ellen Callahan, the DHS CPO, spoke second, and provided an acronym-rich account of her department’s recent work. The office is certainly busy, both on projects it seems to have initiated to ensure that PII is handled carefully within DHS, and on projects that arise out of data sharing agreements, e.g. five new information sharing agreements (ISAAs) with the National Counterterrorism Center (NCTC) — oh joy. I suspect that rather than mis-transcribing this rapid-fire account, I’ll have to wait for the meeting minutes (there were verbatim transcripts of previous meetings, but we were told these are being discontinued due to the budget cuts; the Federal Advisory Committee Act (FACA) only requires minutes, so that’s what we’ll have henceforth).

CPO Callahan also does FOIA for DHS, and it seems the DHS is the government leader in FOIA requests, having already gotten over 100,000 this year (the Dept of Defense had only 75,000 last year). 75% of the FOIA traffic is CIS — immigration related. Part of the increase is due to the fact that response time is better, so it encourages people to file. Some of the bulk is also from communities worried about immigration reform and/or enforcement activities.

Emily Andrew, Senior Privacy Officer, National Protection and Programs Directorate (NPPD), DHS spoke third, and described an office that had been a team of one when she started there, but has been growing rapidly.

Current DPIAC members are: Chair Richard V. Purcell (Corporate Privacy Group), Members: Joseph Alhadeff (Oracle), Ana Anton (NC State Computer Science), Ramon Barquin (Barquin Int’l), J. Howard Beales III (GWU Management & Public Policy), Renard Francois (Caterpillar Inc.), Yours Truly, Joanna L. Grama (Purdue IT), David Hoffman (Intel), Lance Hoffman (GWU Computer Science), Joanne McNabb (Cal Dept. of Consumer Affairs), Lisa S. Nelson (U. Pitt, Public & Int’l Affairs), Greg Nojeim (CDT), Charles Palmer (IBM), Lydia Parnes (Wilson Sonsini & ex-FTC), Christopher Pierson (Citizens Financial Group/RBS), Jules Polonetsky (Future of Privacy Forum), John Sabo (CA Technologies), Ho Sik Shin (Millennial Media, Inc), Lisa J. Sotto (Hunton & Williams), Barry Steinhardt (Privacy International, ex-ACLU).

It seems as if the DPIAC will have a busy fall. All of its work product, and all discussions other than subcommittee deliberations, are public documents, presented for discussion in public meetings, so I intend to at least blog pointers to them here as they come onstream.

Posted in Law: Privacy | 2 Comments

Yahoo! Not-So-Much-Privacy Policy

Yahoo! has revised its Privacy Policy. Instead of holding user search and other data for 90 days, it will hold it for 18 months. And then it will not delete it but will just “anonymize” it — something we know doesn’t work very well.

Why move to a so-much-more-evil policy? The stated reason is:

To meet the needs of our consumers for innovation, personalization and relevance, Yahoo! is moving to align our log file data retention policy closer to the competitive norm across the industry.

Is 18 months really closer to the “competitive norm across the industry”? Not if you define the industry to include more than the US: In Europe, the law requires ‘anonymization’ after six months. In the US, Google anonymizes IP addresses after 9 months and cookies in search engine logs after 18 months. The EU is not happy about this.

Yahoo! Data Retention FAQ:

Q: Why is Yahoo! changing its user log data retention policy?
A: To meet the needs of our consumers for innovation, personalization and relevance, Yahoo! is moving to align our log file data retention policy closer to the competitive norm across the industry. Once the new policy goes into effect, we will no longer apply a 90-day retention policy to raw search logs or other log file data and will instead hold raw search log files for 18 months prior to anonymization. As for non-search data, we will be removing the current 90-day retention period for these log files as we re-examine the right policy going forward that allows us to meet consumer demand for richer, more deeply personal experiences in our products.

Q: What is Yahoo!’s updated user log data retention policy?
A: Yahoo!’s new policy will be to de-identify search log data within 18 months of collection with limited exceptions to meet legal obligations. For other, non-search log data we collect, that data will be retained for a longer period in order to power innovative product development, provide personalized experiences, and better enable our security systems to detect and defend against fraudulent activity.

Q: When will the updated policy go into effect?
A: Yahoo! is providing advanced notice to our users of our intention to change our log file data retention policy. Yahoo! is rolling out notifications across Yahoo! to help ensure that we have given appropriate notice to our consumers of this change in our policy. Thirty days after we have completed these notifications, we will put the new policy into effect. We expect this will occur sometime in mid-to-late August.

Q: Does this change the data retention period for data collected prior to the update?
A: No – Yahoo! will only apply the updated retention period to data collected AFTER the updated policy goes into effect.

I see that the original announcement was in April. I guess I just don’t use Yahoo! much — and here’s one more reason not to.

Posted in Law: Privacy | 1 Comment