All Things Digital

If power corrupts, and absolute power corrupts absolutely, what does absolute information awareness do?

That’s a good question to ask in light of FBI Director Robert Mueller’s call for “omnibus” Internet surveillance. In testimony to the Judiciary Committee of the House of Representatives on Wednesday, Mueller suggested legislation be passed that would give the bureau the right to monitor the Internet at the backbone level.

Said Mueller: “I think legislation has to be developed that balances on one hand, the privacy rights of the individual who are receiving the information, but on the other hand, given the technology, the necessity of having some omnibus search capability utilizing filters that would identify the illegal activity as it comes through and give us the ability to preempt that illegal activity where it comes through a choke point as opposed to the point where it is diffuse on the Internet.”

Shades of Carnivore, right? The “choke point” to which Mueller alludes is presumably the National Security Agency, which has been probing the data passing through the Internet backbone like some Orwellian spinal surgeon. Which is a little frightening. Because the packets of data being passed back and forth over the Internet don’t come prelabeled. There’s no “ILLEGAL ACTIVITY” designation. It’s just activity, and Mueller would apparently like permission to survey it all.

While respecting the privacy rights of the individual, of course. Thoughtful.

The ability to control how much information is available to the public has long been one of Facebook’s core principles. It was this very feature, for example, that Facebook used to distinguish itself from other social networks back when it first launched.

Of course, the ensuing years proved that protecting the privacy of its users was not exactly Facebook’s strong suit–especially when it came to digging up the advertising revenues necessary to justify its fantastical $15 billion valuation. There have been privacy issues with Facebook’s news-feed service, with its controversial Beacon advertising system, and with its terms of service, which granted popular applications access to far more personal user data than is necessary.

And now there’s another. A bug in permission restrictions in Facebook Groups allows members to upload content without first receiving permission from a Group admin. I know this firsthand, because over the past few days videos, photos and blog posts have been appearing on the All Things Digital Facebook Group, and neither Walt, Kara nor I–the only three people with admin privileges to the group–put them there (see screen below). Worse, while I was able to delete the photos and blog posts, I was unable to pull the videos off the page. There was no mechanism to remove them.

Worse still, the bug that makes this possible is not specific to the All Things Digital Facebook Group alone. It affects all Facebook Groups, site-wide.

We alerted Facebook to the issue and the company quickly identified the bug. Said spokesperson Brandee Barker: “Engineering has pushed out a fix that should go site wide shortly.”

UPDATE: Facebook engineers fixed the permissions bug, and we were able to remove the rogue videos from our page.

If the major search engines took the privacy of their users as seriously as they claim, they wouldn’t hold onto their personal search data for so long. That’s the opinion of Europe’s Article 29 Data Protection Working Party, which today recommended that the European Union require search engine providers to “delete or irreversibly anonymize data once they no longer serve the specific and legitimate purpose they were collected for.” The Working Party figures that ought to be about six months.

That will no doubt come as a shock to Google (GOOG), Yahoo (YHOO) and Microsoft (MSFT), who all retain search data for a year or more. But it can’t be nearly as shocking as the Working Party’s recommendation that IP, or Internet Protocol, addresses be protected as personal information, a requirement that, were it to be implemented, could interfere with their ability to deliver relevant ads.

From the Working Party document:

A key conclusion of this opinion is that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EEA, and that the onus is on search engines in this position to clarify their role in the EEA and the scope of their responsibilities under the Directive.

“This Opinion concludes that personal data must only be processed for legitimate purposes. Search-engine providers must delete or irreversibly anonymize personal data once they no longer serve the specified and legitimate purpose they were collected for and be capable of justifying retention and the longevity of cookies deployed at all times. The consent of the user must be sought for all planned cross-relation of user data, user-profile enrichment exercises. Web site editor opt-outs must be respected by search engines and requests from users to update/refresh caches must be complied with immediately. The Working Party recalls the obligation of search engines to clearly inform the users upfront of all intended uses of their data and to respect their right to readily access, inspect or correct their personal data.”

If the Motion Picture Association of America is so intent on shuttering BitTorrent trackers, perhaps it should set its sites on the really big offenders, like say … Google (GOOG). It’s going to have to sooner or later, because some day there won’t be any smaller operations left for it to sue.

After a prolonged, and quite nasty, legal battle with the MPAA, TorrentSpy is shutting down. “The legal climate in the USA for copyright, privacy of search requests and links to torrent files in search results is simply too hostile,” reads a statement posted to the site’s front page by founder Justin Bunnell. “We spent the last two years, and hundreds of thousands of dollars, defending the rights of our users and ourselves… [W]e now feel compelled to provide the ultimate method of privacy protection for our users–permanent shutdown.”

Second, the [Temporary Restraining Order] against Wikileaks violates the First Amendment because judicial orders enjoining reporting on or dissemination of documents constitute prior restraints. Under Pentagon Papers, the First Amendment prohibits prior restraints in nearly every circumstance, even where national security may be at risk and the press’s source is alleged to have obtained the documents unlawfully. The privacy and commercial interests Plaintiffs cite are simply not on the same order of magnitude required to justify a prior restraint, and the grab bag of federal, state and foreign laws they cite do not authorize prior restraints.”

–Excerpt from amicus brief in Bank Julius Baer v. Wikileaks

The U.S. District Court judge who issued the injunction ordering Wikileaks.org disabled has, after a bit of thought, come to view it as privacy and civil-rights groups had: overly broad and violative of the whistleblower site’s First Amendment rights.

Responding to a barrage of motions filed by a coalition of media and public-interest organizations Friday, Judge Jeffrey White reversed the permanent injunction he issued two weeks ago shuttering Wikileaks. In his ruling, White–while not admitting that his original order may well have violated prior restraint –acknowledged it was complicated by free-speech issues. “There are serious questions about prior restraint, possible violations of the First Amendment, which the court can make no definitive findings about at this point,” he wrote. “It is clear that in all but the most exceptional circumstances, an injunction restricting speech pending final resolution of the constitutional concerns is impermissible.”

Clear, too, that attempting to restrict free speech on the Internet is a near impossibility these days. “There are serious concerns that the court has, and serious questions raised, about the effectiveness of any order that this court might issue given the current state of affairs,” White continued. “Maybe that’s just the reality of the world that we live in. When this genie gets out of the bottle, that’s it.”

Or as Internet pioneer John Gilmore once put it, “The Net interprets censorship as damage and routes around it.”

PREVIOUSLY:

Like Trying to Take Pee Out of a Swimming Pool …

Facebook shed some 400,000 members between December and January in the United Kingdom. This according to new figures from Nielsen Online, which charted a 5% decline in U.K. traffic month-to-month.

Which begs the question: Is Facebook nearing its saturation point? Is enthusiasm for the social-networking phenom finally wearing off? Have we all been spammed by the ironically named “Funwall” one time too many? Are the site’s privacy issues finally taking their toll? Or are its zombified members too busy seeking human flesh to bother updating their profiles?

Or were they simply on winter holiday?

That last scenario seems the most obvious explanation. December and January are the months at issue here. And Nielsen’s figures show that there are 712% more Facebook users than a year ago. Still, this is the first drop the firm has recorded in Facebook’s user numbers in the U.K. since the site became large enough to track. There wasn’t a similar drop in usage last year. Or the year prior. So maybe there is something more here. The early beginnings of a long-term erosion, perhaps?

“One month of falling audiences doesn’t spell the decline of Facebook or social networking,” said Nielsen’s Alex Burmaster. “However, most of the leading social networks are less popular in the U.K. than they were a year ago. It was inevitable that early growth rates couldn’t be sustained and the larger networks have been plateauing over the last few months.”

Seems the leading social networks to which Burmaster refers were also less popular in the U.S. According to the latest stats from comScore, Facebook attracted 33.9 million unique visitors stateside in January–down 2% percent from 34.7 million in December. That’s a decline of approximately 800,000 users. Again, this drop could also be chalked up to Seasonal Facebook Defection Disorder. Or not. After all, it’s not like we haven’t seen this sort of thing before. Remember Friendster?

UPDATE: Facebook disputes Nielsen’s metrics. “The number of users for Facebook continues to climb in the U.K.,” the company said. “Our internal monthly active user numbers rose between December and January in the U.K. and are now at more than 8.3 million. Facebook tracks active monthly users, rather than registered users or unique visitors. Active users reflect those who have used the site in the past 30 days.”

If the federal government expands its existing surveillance powers any more, it’s going to be able to supply the White House power grid with electricity generated exclusively by the Founding Fathers spinning in their graves.

The U.S. Senate approved espionage legislation yesterday that would not only grant the National Security Agency sweeping new powers to intercept international phone calls and emails, but it would also grant retroactive immunity to the telecom companies that participated in the government’s post-9/11 warrantless domestic spying program.

With a 68-29 vote, the Senate passed the revision to the 30-year-old Foreign Intelligence Surveillance Act along to the House of Representatives, which has already taken issue with its telecom-immunity provision. Said Sen. Chris Dodd (D., Conn.), “[The Senate has] just sanctioned … the single largest invasion of privacy in the history of the country.”

Sen. Russell Feingold (D., Wis.) was equally incredulous. “It is inconceivable that any telephone companies that allegedly cooperated with the administration’s warrantless wiretapping program did not know what their obligations were,” he said. “And it is just as implausible that those companies believed they were entitled to simply assume the lawfulness of a government request for assistance.”

Ah. And that being the case, it follows that we shouldn’t simply assume the lawfulness of a government request for broader clandestine surveillance powers. Right?

Said Michael Sussmann, a former Justice Department intelligence lawyer who represents several telecommunication companies: “This is a dramatic restructuring of surveillance law. And the thing that’s so dramatic about this is that you’ve removed the court review. There may be some checks after the fact, but the administration is picking the targets.”

Welcome to Oceania …

It’s been nary a month since Facebook CEO Mark Zuckerberg apologized for the social network’s first privacy scandal, and already the site seems poised to embark on its second.

According to a new study from the University of Virginia, many of Facebook’s most popular applications access far more personal user data than is necessary. From the study:

We performed a systematic review of the top 150 Facebook applications in October 2007 and examined their information needs. We found that 8.7% didn’t need any information; 82% used public data (name, network, list of friends); and only 9.3% needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7% of applications are being given more privileges than they need.”

And what sort of user data are we talking about here? Pretty much all of it, according to the company’s terms of service.

In order to allow you to use and participate in Platform Applications created by Developers (”Developer Applications”), Facebook may from time to time provide Developers access to the following information (collectively, the “Facebook Site Information”). … Examples of Facebook Site Information: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.”

Quite a list–and one that the social network’s users could recall the next time Facebook asks them to agree to “allow this application to … know who I am and access my information” …

… For Google, privacy did not begin and does not end with our acquisition of DoubleClick. And we believe that privacy for legislators, regulators, privacy groups and other stakeholders shouldn’t begin or end with Google. Privacy is a serious issue that spans several industries from financial services to entertainment to e-commerce, and that ought to be addressed holistically in the interest of individuals throughout Europe and the world. One particular company–and certainly one particular merger–should not be singled out.”

–Peter Fleischer, Google’s Global Privacy Counsel

The Federal Trade Commission’s decision to approve Google’s proposed $3.1 billion acquisition of online ad-serving vendor DoubleClick without condition hasn’t exactly elicited resounding calls of huzzah! from the European Union. On the contrary, European parliamentarians seem out to spoil the deal.

At a hearing before the European Parliament’s Civil Liberties Committee to discuss the legality of search companies’ privacy policies, talk quickly turned to the acquisition and its potential impact on citizens’ online privacy. Seems a few of the EU’s top privacy regulators feel that IP, or Internet Protocol, addresses should be protected as personal information when they can be used to identify an individual on a computer network. Google, which uses IP addresses to identify users’ geographical location, among other things, disagrees.

After first upbraiding the committee for attempting to shoehorn a privacy case into a competition law review, Peter Fleischer, Google’s Global Privacy Counsel, pointed out that IP addresses aren’t always personally identifiable. “There is no black or white answer: Sometimes an IP address can be considered as personal data and sometimes not,” he said. “It depends on the context and which personal information it reveals.” And this is true to some extent, but becoming less so as we move toward Internet Protocol version 6 (IPv6).

Of course, were IP addresses to be categorized as personal information, Google would have a more difficult time delivering relevant search results and, more importantly, ads. Which, as Dutch parliamentarian Sophie in ‘t Veld pointed out is the real reason Google is arguing so vehemently against treating IP addresses as sensitive personal data. “The reason you want to have the data is because it gives you a competitive advantage,” she said. “It is business. I don’t think they can be completely disconnected. And we should discuss that side of things too. … Having that much information is market power.”

This proposed acquisition raises serious competition and privacy concerns in that it gives the Google DoubleClick combination unprecedented control in the delivery of online advertising, and access to a huge amount of consumer information by tracking what customers do online.”

–Microsoft General Counsel Brad Smith

The Federal Trade Commission isn’t going to let calls for the recusal of Chairwoman Deborah Platt Majoras or the concerns of Microsoft, AT&T and consumer advocacy groups at home and abroad get in the way of Google’s purchase of online ad-serving vendor DoubleClick.

The FTC today voted 4-1 to approve the $3.1 billion acquisition without condition. “After carefully reviewing the evidence, we have concluded that Google’s proposed acquisition of DoubleClick is unlikely to substantially lessen competition,” the commission’s majority wrote in a statement, adding that it planned to keep an eye on the company should it wield its market power unwisely. “The markets within the online advertising space continue to quickly evolve, and predicting their future course is not a simple task,” the commission continued. “Accounting for the dynamic nature of an industry requires solid grounding in facts and the careful application of tested antitrust analysis. Because the evidence did not support the theories of potential competitive harm, there was no basis on which to seek to impose conditions on this merger. We want to be clear, however, that we will closely watch these markets and, should Google engage in unlawful tying or other anticompetitive conduct, the commission intends to act quickly.”

One would hope so. In a lone dissenting opinion, commissioner Pamela Jones said the merger of Google’s data with DoubleClick’s is potentially quite problematic.

The transaction will combine not only the two firms’ products and services, but also their vast troves of data about consumer behavior on the Internet. … I acknowledge that behavioral targeting may create economic efficiencies that would–in the short run–be attractive to the parties’ advertiser and publishing customers (putting aside for a moment the potential impact on consumers on the privacy front). Still, marrying the two datasets raises long-term competition questions that beg further inquiry.

• In a post-merger online advertising market driven by the value of behavioral targeting, will Google/DoubleClick face meaningful competition?
• Will any other firm be able to amass a dataset of the same scope and size?
• Will any other company be able to overcome network effects and offer an equally focused level of behavioral targeting?
• If advertisers and publishers have to channel their online advertising through Google/DoubleClick in order to access the best dataset that supports targeted advertising, will any other firms have the ability or incentive to compete meaningfully in this market?

“… I am convinced that the combination of Google and DoubleClick has the potential to profoundly alter the 21 century Internet-based economy–in ways we can imagine, and in ways we cannot. I do not doubt that this merger has the potential to create some efficiencies, especially from the perspective of advertisers and publishers. But it has greater potential to harm competition, and it also threatens privacy. By closing its investigation without imposing any conditions or other safeguards, the commission is asking consumers to bear too much of the risk of both types of harm.”

The FTC’s ruling now leaves the final decision on the deal to the European Commission.

This morning Ask.com became the Internet’s least intrusive search engine. Too bad it’s also one of least used. Because with a 2.9% share of the search market, few are likely to pay much mind to the title.

That said, “AskEraser,” which allows users to delete their search queries and related data (IP address, user ID, session ID) from Ask’s servers, is a stride for consumer privacy on the Internet–especially in these days of Facebook Beacon and the AOL data Valdez. “Anywhere that you log into, anywhere where you put in personalized information, there should be a way–an easy way–to control how that information is used and retained,” Doug Leeds, Ask.com senior vice president, told The Wall Street Journal. “We are giving users the ability themselves to take control of their privacy.”

Well, some control, anyway. Ask.com recently signed a five-year sponsored search and advertising agreement with Google, so it sends user data to Google even in cases where it’s been deleted with the AskEraser function. So while Ask might not retain its users’ data, Google does. But then Google probably already had their data anyway, right?

So while AskEraser might be a nice gesture, it’s not really a grand victory for consumer anonymity on the Web. And because of that, critics say it’s not likely to be much of a selling point. “My gut tells me that basically it is not going to be a competitive advantage,” Larry Ponemon, chairman and founder of the Ponemon Institute, an independent research company, told the New York Times. “I think people will look at it and see it as a cool thing, and they may use it. But I don’t think it will be a market differentiator.”