Tag Archives: Human rights

The Privacy Myth

If there’s one myth that endures in this age of online participation, blogs, shared photo albums and Web 2.0, it’s that we’ve overcome our concerns about privacy. On the surface, it sounds logical: We must have gotten over this weird paranoia, or else why would we share so much online? Why would we bother about privacy issues when there’s no real evidence that people, companies, governments and the NSA are out to get us? This, for example, from Web 2.0 blog TechCrunch guest contributor Steve Poland:

I’m sure there’s data to back me up on this, but today compared to 10 years ago — people are way more comfortable with the Internet and have less privacy concerns. Or at least the younger generations that have grown up with the Internet aren’t as concerned with privacy — and spew what’s on their mind to the entire world via the web.

I can’t speak for the younger generation, having been kicked out of it some years ago. But if we’re talking more generally about folk who have embraced the Net in the past 10 years, I’d have to say I don’t think it’s that we don’t care about privacy. We just don’t understand it. In that sense nothing has changed. I think what is happening is the same as before: People don’t really understand the privacy issues of what they’re doing, because the technology, and its liberating sensuality, are moving faster than we can assimilate them into our culture. This is not new: Technology has always outpaced our intellectual grasp. If you don’t believe me, think radio, TV, cars and cellphones. We were lousy at predicting the impact of any of these technologies on our environment. Lousy.

Usually, it’s because we just don’t stop to think about the privacy implications, or we don’t stop to ask deeper questions about the sacrifices we may be making when we buy something, give information to a stranger, register for something, accept something, invite someone into our digital lives, install software, sign up for a service, or simply accept an email or click on a link. The speed of communication – click here! register here! — makes all this easier. But I don’t really blame the reader. Often it’s us journalists who are to blame for not digging enough.

Take, for example, a new service called reQall from QTech Inc in India. On the surface, it sounds like a great service: phone in a message to yourself and it will appear in your email inbox transcribed with 100% accuracy. Great if you’re on the road, on the john or at a party and don’t want to start jabbing away or scrawling the note on the back of your spouse’s neck.

Rafe Needham of Webware initially enthuses about it on his blog. But then he later finds out that

Update: I’m told that ReQall’s speech-to-text engine isn’t wholly automated. “We use a combination of automated speech recognition technology and human transcription,” a company co-founder told me. Which means there may be someone listening to your notes and to-do items. Yikes!

Yikes indeed. Who would record a message knowing that a stranger is going to be transcribing it, and a company storing it on their servers? To be fair to Rafe, he’s not the only one not to initially notice this privacy angle. And at least he bothers to write it up. Dean Takahashi didn’t mention it in his (admittedly) brief Mercury News piece, for example. The company’s press release makes no mention of it either, saying only that

reQall is patent-pending software technology that uses a combination of voice interface and speech-recognition technology to record, log and retrieve your tasks, meetings and voice notes.

(The same press release appears on Forbes’ own website, which I always think looks a bit odd, as if there’s no real difference between a story and a press release. But that’s another rant for another day.) That, frankly, would leave me thinking there was no human interaction either.

But then again, there are clues here and if we (by which I mean us hacks) were doing our job we should probably follow them. Any Google search for reqall and privacy throws up an interesting trail. A CNN report on memory quoted Sunil Vemuri talking about reQall but said issues about privacy and keeping such records free from subpoena have yet to be worked out. When a blogger called Nikhil Pahwa quoted CNN on ContentSutra, someone from QTech wrote in:

Please note that there is an inaccuracy in the post. QTech is not “currently working on sorting out issues related to privacy laws, and how to prevent these recordings from being subpoenaed.” Can you correct this?

The text was duly crossed out, so now it reads:

According to the report, they’re currently working on sorting out issues related to privacy laws, and how to prevent these recordings from being subpoenaed are still to be worked out.

So we’re none the wiser. Are there issues? Are QTech working on those issues? Or are there issues that other people are working on, not QTech? Their website sheds little light. There’s nothing about human transcription on any of the pages I could find, nor in the site search. Their privacy policy (like all privacy policies) doesn’t really reassure us, but neither does it explicitly scare our pants off. A brief jaunt through it (I’m not a lawyer, although I sometimes wish I was, and I think John Travolta in “A Civil Action” makes a good one) raises these yellow flags:

  • QTech can use your location, contact details etc to “send you information related to your account or other QTech Service offerings and other promotional offerings.” I.e. the company knows where you are, your phone number and home address and could spam you.
  • QTech may “include relevant advertising and related links based on Your location, Your call history and other information related to Your use of the Services.” I.e. the company could send you stuff based on what information you’ve given in your messages, and any other information you carelessly handed over during the course of using the service.
  • QTech can use the content of your audio messages (and your contact information) for, among other things, “providing our products and services to other users, including the display of customized content and advertising, auditing, research and analysis in order to maintain, protect and improve our services … [and] developing new services.” I.e. the company can mine the contents of your messages and other stuff and spam other customers. Somehow this seems more scary than actually spamming you.
  • QTech will hold onto those messages “for as long as it is necessary to perform the Services, carry out marketing activities or comply with applicable legislation.” I.e. don’t think your messages are going to be deleted just because you don’t need them anymore.

Privacy documents are written by lawyers, so they’re about as weaselly as they can be. And QTech’s is no different. But there is some cause for concern here, and we journalists should at least try to explore some of these issues. I looked for any acknowledgement that there’s a human involved in the transcription, and some reassurance that the content of those messages is not going to be mined for advertising purposes, and that it would be possible for customers to insist their messages are deleted. I couldn’t find anything, although to their credit QTech do say they won’t “sell, rent or otherwise share Your Contact Information or Audio Communications with any third parties except in the limited circumstance of when we are compelled to do so by a valid, binding court order or subpoena”. But if QTech are doing their own advertising then does that really make any difference?

I’m seeking comment from QTech on this and will update the post when I hear it. And this isn’t really about QTech; it’s about us — citizens, readers, bloggers, journalists — thinking a little harder about our privacy before we throw it away for a great-sounding service. Do you want, for example, your personal memos (“Calling from the pub. God I really need a holiday. I think I’m cracking up”) mined for advertising (“Hi! Can I interest you in a Caribbean cruise? I hear you’re cracking up!” “Hi, need psychological counselling? I’m told you do” “Hi! Need Viagra? I hear from that last message you left you probably do”)?

Airports And The Privacy Of The Humiliated

I couldn’t help wondering about the privacy implications of airlines calling out people’s names over the airport PA system.

In Sydney and Melbourne airports recently I lost count of announcements along the lines of ‘Would Mr and Mrs X of flight X to X please go to gate X where their plane, and hundreds of their fellow passengers, are waiting patiently for them to board’, usually along with some humorous and belittling remark or two, which I have to say I found hugely amusing initially.

But then I got to thinking: What if it was me? What if it was someone who was having serious medical problems in the washroom? What if it was someone travelling incognito with someone who wasn’t their wife, or on some sensitive errand? What if someone already on the plane decided they’d been inconvenienced enough and jotted down the tardy passengers’ names to wreak revenge later?

Maybe it’s paranoia and an overworked privacy gland, but I’m not sure that, in this present version of the world, airlines and airports should be quite so fast and loose with announcements that identify individuals, their flight numbers and their embarrassment.

Plaxo and Privacy — A Storm In A Teacup?

Plaxo, the besieged contact updating service, is pointing readers of its blog to an article that takes issue with the company’s critics.

The article, written by Jim Harper of PolicyCounsel.com, takes issue with privacy concerns, especially those aired by Australian academic Roger Clarke which I’ve tried to summarise in an earlier post. Jim’s language is quite robust, apparently a reaction to Roger’s own riposte to an earlier posting by Jim on RFID tags. Still, he makes an interesting point: Why all the fuss about handing over your contact data?

For just a moment, let me go into Clarke’s starting point a little further: the idea that contact information is sensitive. It’s not. In fact, contact information is created precisely for the purpose of sharing. People print contact information on cards and give it out. There are entire books – called “phone books” – designed to broadcast contact information far and wide. People put their contact information on letters and in e-mails. Contact information is about as private as the nose on your face.

So who is right? It’s true that contact information in itself is a more or less public commodity. I can decline to hand over my business card to someone I don’t like the look of, but once the card is handed over to anyone, I can no longer assume that information is secure. But my reading (and hey, I’m no expert) of Roger’s original piece is that there are two main outstanding problems:

  • It’s less about handing over one’s data about oneself than about someone else handing over their data about you. The main objection people have about Plaxo is that, by uploading their address book to Plaxo’s servers, someone else is giving away information about you. As Roger points out: “Under the doctrine of privity, a contract creates rights and responsibilities for the parties to the contract, but for no-one else. Hence there are no rights whatsoever under the contract for the individuals to whom the data relates.”
  • The second issue is about the connections implied in such data — not just whether you’re in someone’s address book, but who else is there alongside you. If someone is arrested for fraud, does the fact that you’re in their address book make you a suspect? Roger writes: “The threat involved in consolidations of address-books therefore has an important social dimension, and if it affects a person’s employability or career advancement, then an economic dimension as well.”

On the surface neither of these concerns may seem all that relevant. If you’re in a criminal’s address book/PDA/cellphone chances are you’re going to be interviewed by police, whether they got the information from Plaxo or from riffling through his dashboard glove compartment. And, in the first case, what’s the difference between someone storing your contact details in their PDA and storing them online with Plaxo?

First off, I think Jim’s taking too much of an old world view of privacy. He writes that “there isn’t much difference between an online social network and the online or offline lists of club memberships, fraternities, churches, phone systems, magazine subscribers, buyers of goods, sellers of goods, transporters of goods, employees, employers: the list of lists goes on and on.” True, in terms of the nature of such data. But computers and the Internet make handling — and, potentially, mining — such lists much more efficient. In its first seven months Plaxo had more than a million members: Assume each one has a contact list of 100 people. That’s 100 million names (lots of duplication, of course, but my figures are conservative). Plaxo has promised not to do anything with this data, but Roger’s point is a fair one: Existing privacy laws don’t really deal with situations where users voluntarily surrender data about other people. So we’re already in new territory.

Internet users are already aware of this; just a year or so ago many of us wouldn’t have baulked at entering personal details into a website in return for access. Not any more. The Internet, once this great repository of information and a community of benign and helpful folk, has turned around and bitten us on the collective behind. Spam is just the most visible aspect of it. We now see our lives visible online, so much so that prospective dates are ‘Googled’ to see whether their background is up to snuff. Privacy nowadays is not so much about keeping yourself to yourself as about trying to reassert some sort of control over which specific data enters the public domain. A blogger is quite happy to spill their most intimate beans online, but that doesn’t mean they’re about to reveal their cellphone number to telemarketers, or become part of some large database that may end up being sold to SMS-Spammers-R-US.com a few years down the track. Personal contact data are, after medical and financial data, the most sensitive data one has.

Jim’s right to raise questions about the heat that Plaxo has been taking (and I readily confess some of the postings here have perhaps contributed to it, although I’ve tried to synthesize the arguments for and against, along with Plaxo’s responses). But it seems to me that if people feel uncomfortable with their data being held by a company that has not revealed how it is going to make its money (or even if it has) then their right to not have their data stored there must be respected, both in law and in the storers’ privacy policy.

More On Plaxo And Privacy

An interesting academic piece on the privacy aspects of Plaxo (and other networking services), noticed by bagus.

Roger Clarke, who wears several hats as an academic and consultant in Australia and Hong Kong, focuses not on the privacy of those who sign up for such services but “on a matter that is new, and of great concern: the privacy of other individuals whose data is volunteered to such services by its users.”

The piece is worth reading. He makes some important points about how this is more than just an issue of some sleazy marketing guy making use of your data to sell you stuff, or build a profile of your shopping habits. He also points out that this kind of data — stored by individuals in a private capacity — is not covered by most data protection laws.

His conclusion: “In general, people would be well-advised firstly to stay well clear of all address-book and ‘social networking systems’, and secondly to prevail upon their friends, colleagues and acquaintances that they should avoid making any data about them available to service-operators like Plaxo.”

News: RFID Notes

A longish piece from Slate on our old friends RFIDs — Radio Frequency Identification Devices — which are feared and admired for their ability to hold all sorts of data about what you’re doing, buying, washing or eating. Earlier this month Hitachi announced the release of a tiny wireless ID chip that can be “easily embedded in bank notes.”

Although the story doesn’t focus on it, it makes a good point: Whereas privacy advocates — fearing these things may hold data about our purchases etc well after we’ve left the shop — may be silenced by the idea of a ‘kill switch’ which disables the tag at checkout, presumably the same wouldn’t really be a good idea in currency. So why exactly should we have RFIDs in our currency, and what does it mean for us? More anon.

News: Big Brother’s Net

For those of you interested in how the Internet is not an unrestricted place for everyone, Reporters Sans Frontieres/Reporters Without Borders last month published their second annual report on censorship in cyberspace, “The Internet under Surveillance – Obstacles to the free flow of information online” which details “attitudes to the Internet by the powerful in 60 countries, between spring 2001 and spring 2003”.

The report looks at quite a few countries, although it leaves some obvious ones out: It looks at Australia, for example, but leaves out Indonesia and Brunei. Looking at China, for example: “Population : 1,284,972,000; Internet users : 59,100,000; Privately-owned ISPs : no; Internet Users and cyber-dissidents in prison : 42. The number of Internet users doubles nearly every six months and the number of websites every year. But this dizzying growth is matched by the authorities’ energetic attempts to monitor, censor and repress Internet activity, with tough laws, jailing cyber-dissidents, blocking access to websites, monitoring online forums and shutting down cybercafes.”

Download the full report as a PDF file here (2.5 MB).