Do Not Track: First they ignore you, then they ridicule you, then they fight you, then you win.

In July of 2009, my friend and research collaborator Sid Stamm helped me to put together a prototype Firefox add-on that added two headers to outgoing HTTP requests:

X-Behavioral-Ad-Opt-Out: 1
X-Do-Not-Track: 1

The idea for the Do Not Track header came from a conversation I'd had with security researcher Dan Kaminsky in March of 2009.

A few months after we released the DNT prototype, I started working at the FTC. Once there, Ashkan Soltani and I evangelized the header-based mechanism as a superior solution to the flawed opt-out cookies that the industry had grudgingly delivered. In December 2010, the FTC issued a privacy report that called for a "do not track" system that would enable people to avoid having their actions monitored online.

Today, the Obama Administration, the FTC and the advertising industry will announce that the last remaining web browser (Chrome) will support the Do Not Track header, and that the major online advertising networks will look for and respect it.

The total time, from the first conversation about the concept to a White House press conference announcing broad industry support? 3 years. Decades in Internet time, but this is extremely quick by Washington, DC standards.

First they ignore you:

In mid July 2009, the Future of Privacy Forum organized a meeting and conference call in which I pitched the header concept to a bunch of industry players, public interest groups, and other interested parties. I was perhaps slightly over-dramatic when I told them that the "day of reckoning was coming", for opt out cookies, and that it was time to embrace a header based mechanism...none of the advertising firms showed any interest in the header.

Then they laugh at you:

[Microsoft Vice President Dean] Hachamovitch said it’s naive to simply trust that the tracking sites will obey an anti-tracking signal. “We don’t have ‘do not send me pop-up window’ HTTP headers,” said Hachamovitch, speaking at UC Berkeley. “We just have pop-up blockers.” Similarly, he noted, there’s no “Do Not Phish Me” button on browsers.

Then they fight you:

The Interactive Advertising Bureau, which represents online advertisers, said "there is currently no definition" of what advertisers should do when receiving the do-not-track notification. "It's like sending a smoke signal in the middle of Manhattan; it might draw a lot of attention, but no one knows how to read the message," said Mike Zaneis, senior vice president of the organization.

Then you win:

A coalition of Internet giants including Google Inc. has agreed to support a do-not-track button to be embedded in most Web browsers—a move that the industry had been resisting for more than a year.

How long does it take for the FTC to investigate a company?

The Federal Trade Commission is the nation's premier privacy enforcer. In the last few years, it has gone after Facebook, Google, Twitter and several other firms for violating consumers' privacy or deceiving them about the degree to which they protect that privacy. To outsiders, the FTC can seem highly secretive - it doesn't announce when it opens an investigation, only when an investigation ends in a settlement, a lawsuit, or a public closing letter.

As a result, although the newspapers and blogs may be filled with stories about a particular privacy firestorm, there is no way to know if the FTC is investigating a company. A year or two later, the FTC might announce a settlement, or, the FTC may quietly close an investigation, without ever tipping the public off to the fact that agency staff spent months investigating the company.

I spent a year working in the FTC's Division of Privacy and Identity Protection between 2009-2010, where I got to assist with several important privacy investigations. I saw first hand how frustrating it is for staff, when advocates, the media and Members of Congress demand that the FTC investigate a company or worse, criticize the FTC for doing nothing, when FTC staff are already several months into a complex investigation.

In order to try and help the general public better understand this topic, I recently sought and obtained (via FOIA) the official Matter Initiation Notices (pdf) filed by FTC staff when they formally opened investigations into all of the major privacy-related cases settled during the past few years.

As these documents show, even the fastest privacy case (Google Buzz) took a year from start to finish, while others, such as Facebook (2.3 years) and ControlScan (2.7 years) took far longer.

The take-home lesson from this data? The FTC's investigations are not quick. Given that there are just a couple dozen attorneys in the Division, this isn't surprising. If we want better (and faster) privacy enforcement, giving the FTC more money to hire additional staff would be a great first step.

Sprint recklessly exposed Carrier IQ logged URL data to easy government access

In recent weeks, there has been considerable controversy around Carrier IQ and the data collected by it and the wireless phone companies who have partnered with the firm. Now that class action lawsuits have been filed, and the FTC is reportedly probing the company, one of the most important questions will be: What is the harm?

As I will attempt to argue in this blog post, by allowing Carrier IQ to collect and retain private user data (such as URLs of pages viewed), Sprint recklessly exposed this sensitive information, which would normally require a court order for the government to obtain, to access with a mere subpoena.

Last week, technical experts Ashkan Soltani and Peter Eckersley reported that Carrier IQ's software was, in some cases, collecting keystrokes and the contents of (SMS) text messages. A 19-page report (pdf) released by Carrier IQ confirmed the researchers' claims, putting the blame on a technical bug and accidental overlogging by Sprint or HTC.

For the purpose of this blog post, lets give Carrier IQ the benefit of the doubt. Instead, it is sufficient to focus our attention on one form of intentional data collection that Carrier IQ and its partner Sprint have acknowledged: the URLs of websites visited by handset owners. [There are others kinds of data that the company has intentionally logged too, for example, location data, but we don't know as much about this right now, so I'm focusing my analysis on URLs]

Carrier IQ and Sprint: Yeah, we log URLs

In a letter to Senator Franken (pdf) last week, Carrier IQ acknowledged that its software has been used by one wireless carrier to collect the URLs of webpages viewed by subscribers:

Embedded versions of IQ Agent allow for the collection of URLs if requested by a Network Operator in a profile. These can be collected together with performance metrics so that Network Operators can determine how devices on its network perform for specific web sites... The profile specified by the Network Operator and loaded on the device dictates if this information is actually gathered. The IQ Agent cannot read or copy the content of a website. Only one of Carrier IQ's customers has requested a profile to collect URLs of websites visited on devices on its network.

In its letter to Senator Franken (pdf), Sprint acknowledged that it was the wireless carrier that collected URLs:

Sprint already knows the website of a URL of a website that a user is trying to reach from routing the request on its network. This information may be collected through the Carrier IQ software as part of a profile established to troubleshoot website loading latencies or errors experienced by a population of subscribers.

Let us ignore the fact that in the same letter, Sprint falsely denies collecting users' search query information (the search terms are in the Google/Bing URL), that it failed to disclose that Sprint collects through Carrier IQ the URLs of webpages viewed over encrypted HTTPS connections which it would never learn by watching the network, or, that it probably also gets through Carrier IQ the URLs accessed by handset owners when they are using WiFI and not Sprint's network. While these are interesting points (and show that Sprint is either lying to a Senator, or their legal team is embarrassingly ignorant about technology), they are unnecessary for our analysis.

It is also worth mentioning, although similarly unnecessary for our analysis, that Sprint's Electronic Surveillance Manager revealed in comments at the ISS World surveillance conference in 2009 that Sprint allows its marketing department to look through the logs of URLs viewed by its subscribers:

On the Sprint 3G network, we have IP data back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... It's because marketing wants to rifle through the data.

Legal protections for URL data under US privacy law

It is beyond a cliche at this point to complain that our primary electronic privacy law dates from 1986, and hasn't been substantially updated since. This law not only differs in the legal protections offered to data based on whether it is is content or non-content, but also, based on what kind of company is holding the data.

As a Sprint customer, I am obviously unhappy about the fact that that the company voluntarily logs and retains the URLs that subscribers visit - which are subsequently available to the government. However, I can get at least a tiny bit of comfort from the fact that the Electronic Communications Privacy Act requires a court order issued under 18 USC 2703(d) before Sprint can be forced to disclose these records to law enforcement agencies.

Furthermore, if Sprint wished to do so, it could probably argue that URLs contain communications content, and thus should only be disclosed pursuant to a probable cause warrant. [DOJ has acknowledged in its Search and Seizure manual that URLs can contain content, at least in context of real-time intercepts via a pen register]. However, given Sprint's general pro-government approach to privacy, I wouldn't expect them to lift a finger to protect their customers.

Carrier IQ and ECPA

What about Carrier IQ? Does the government need a court order to get URLs when held by the company?

To be considered a "remote computing service" (RCS) or an "electronic communication service" (ECS) provider under the Electronic Communications Privacy Act (ECPA), you need to actually provide services to the public. Carrier IQ does not do this -- its customers are wireless carriers. On this point alone, user data held by Carrier IQ is simply not subject to the limited protections of ECPA.

Furthermore, even if we ignore the important requirement relating to providing services to the public, a service provider also has to actually provide the ability to send or receive a users' communication for it to be considered an ECS under the law. See Sega Enterprises Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996) (video game manufacturer that accessed private email of users of another company's bulletin board service was not a provider of electronic communication service); State Wide Photocopy, Corp. v. Tokai Fin. Servs., Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (financing company that used fax machines and computers but did not provide the ability to send or receive communications was not provider of electronic communication service).

Since Carrier IQ is merely covertly logging the URLs that consumers are viewing, rather than actually delivering web pages to the end user, they also aren't covered under ECPA.

So what?

As Carrier IQ is neither an RCS or ECS under ECPA, any data held by the company can be obtained by the government with a mere subpoena (and potentially, but I'm not as sure of this, by a civil litigant too, such as a divorce lawyer).

As Sprint opted to have user data sent to Carrier IQ, where it was held for 30-45 days, rather than having the carrier IQ software send the data directly to Sprint's servers, I believe that Sprint recklessly exposed this private information to easy access by the government without a court order. There are plenty of ways that the company could have guaranteed that this data would always remain protected under ECPA -- but it didn't do so.

Likewise, while Sprint claims in its letter to Senator Franken that it tells its customers in its privacy policy that it collects information about the sites that they visit, it never discloses to subscribers that this private data is collected and stored by a third party, or the important way this will enable government access to that data. Sprint needlessly kept its customers in the dark about the ways in which the firm was exposing their data to government access.

In its letter to Senator Franken, Carrier IQ denied getting any requests from law enforcement agencies for user data. Sprint had to issue a much more delicately worded statement: it has not disclosed Carrier IQ data to law enforcement (the reason for this careful wording, I suspect, is the presence of 110 employees in Sprint's Electronic Surveillance team who do nothing but supply user data to law enforcement and intelligence agencies).

Although the recent FOIA response that Muckrock received suggests that the FBI has at least some interest in Carrier IQ data, if we rely on the statements of Carrier IQ and Sprint, then, at least as it relates to URL data, the risks I have described in this blog post are largely theoretical. Even so, it doesn't change the fact that Sprint has demonstrated an extremely cavalier attitude towards user privacy.

In a best case scenario, Sprint's legal team simply didn't consider the ECPA/law enforcement related implications of using Carrier IQ's technology. In a worst case scenario, they knew what they were doing, and didn't care. In either case, the company should be held responsible.

Commerce Dept: export licenses for intercept tech have "exploded" over last 2,3 years

Earlier this year, the Commerce Department's Bureau of Industry and Security held a two-day Conference on Export Controls and Policy. It included a workshop specifically focused on the rules governing the export of encryption technologies (which include intercept equipment). The full transcript can be found here: part 1 (pdf), part 2 (pdf).

As a non-lawyer, and non-expert in export control regulations, I was pretty surprised to learn that the government already strictly regulates the export of covert communications surveillance technology. What this means, of course, is that the Commerce Department already has a list of every foreign buyer of US made covert surveillance technology. Unfortunately, they won't provide this information to the public, and as far as I know, they won't provide it in response to FOIA requests.

In any case, reading through the transcript of the event, the following section caught my eye, as it specifically addressed the regulations that apply to surreptitious listening technology:

Michael Pender: Licenses [for "surreptitious listening" technology] are required for export to all end users, all destinations, and there's a general policy of denial.

The exceptions are for U.S. government agencies or communication-service providers there in the normal course of their business. So, if you're representing a U.S. law-enforcement agency and you're partnering with some other organization in another country and you need to send something out of the county, you know, contact us. Licenses are authorized for that situation.

If you represent a telecommunications company and you receive court orders for wiretaps from the local law enforcement and you have to comply with those court orders, you know, that's one of the few circumstances in which we can grant a license.

And you wouldn't think there would be that many licenses for these products in general in a year, but the rate at which they're coming in has just exploded over the course of the last 2, 3 years. I mean, I think I went from getting one a year to like five times as many, and then again, it's at least doubled or tripled in just the last year.

Twitter's privacy policy and the Wikileaks case

Summary: The federal judge in the Wikileaks case cited in his order a version of Twitter's privacy policy from 2010, rather than the very different policy that existed when Appelbaum, Gonggrijp and Jonsdottir created their Twitter accounts back in 2008. That older policy actually promised users that Twitter would keep their data private unless they violated the company's terms of service. It is unclear how the judge managed to miss this important detail.

---

Earlier this week, a federal judge in Virginia handed down an order in the high-profile Twitter/Wikileaks case. That order has already been widely covered by the media, so I won't summarize it here.

In ruling that Appelbaum, Gonggrijp and Jonsdottir did not have a reasonable expectation of privacy in the IP addresses that Twitter had collected, the judge specifically highlighted the existence of statements about IP address collection in Twitter's privacy policy.

(from page 3 of the order)

The judge noted that Twitter reveals in its privacy policy that it collects "many types of usage information, including physical location, IP address, browser type, the referring domain ..." To support this claim, the judge cited the "Bringola declaration" (pdf), which is a collection of screenshots from Twitter's website produced by a paralegal working for Appelbaum's lawyer.

The privacy policy reproduced in the Bringola declaration and cited by the judge was effective as of November 16, 2010, and appears to have been the current privacy policy in March of 2011 when the paralegal made the screenshots. That privacy policy included the following "Log Data" section:

Our servers automatically record information ("Log Data") created by your use of the Services. Log Data may include information such as your IP address, browser type, the referring domain, pages visited, your mobile carrier, device and application IDs, and search terms. Other actions, such as interactions with our website, applications and advertisements, may also be included in Log Data. If we haven’t already deleted the Log Data earlier, we will either delete it or remove any common account identifiers, such as your username, full IP address, or email address, after 18 months.

There is a slight problem with relying on a privacy policy created on November 16, 2010 to decide the reasonable expectation of privacy of these three individuals: They created their Twitter accounts several years before the document was written.

According to the useful website howlonghaveyoubeentweeting.com, Appelbaum's Twitter account was created on February 23, 2008, Gonggrijp created his on September 26, 2008, and Jonsdottir created hers on November 14, 2008.

Thankfully, Twitter seems to archive all the old versions of their privacy policy. It would appear that all three individuals would have "agreed to" (ignoring the fact that none of them likely read the thing in the first place) Version 1 of the privacy policy, dated May 14, 2007. The "Log data" section of that policy reads as follows:

When you visit the Site, our servers automatically record information that your browser sends whenever you visit a website ("Log Data" ). This Log Data may include information such as your IP address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click. For most users accessing the Internet from an Internet service provider the IP address will be different every time you log on. We use Log Data to monitor the use of the Site and of our Service, and for the Site's technical administration. We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service.

There are a few things worth noting here:

1. The term "referring domain" appears in privacy policy cited by the judge in his court order, but not in Version 1 of the Twitter privacy policy. This strongly suggests that the judge is citing a newer version of the Twitter policy. The term appears to have been added in Version 2 of the privacy policy, dated November 18, 2009.
2. In Version 1 of its policy, Twitter promised its users that it would not associate their IP addresses with any other personally identifiable information sufficient to identify them personally, unless they violated the Twitter terms of service. This pro-user sentence was removed in Version 2 of Twitter's privacy policy, one year later.
3. The government has not alleged that any of the 3 individuals violated Twitter's terms of service. As such, it would appear that they could reasonably rely on Twitter's claims that it wouldn't associate their retained IP address information with their existing account records or any other personally identifiable information.

This is very interesting.

The old version of Twitter's policy that the three individuals "agreed" to also includes the following paragraph about updates to the document:

This Privacy Policy may be updated from time to time for any reason; each version will apply to information collected while it was in place. We will notify you of any material changes to our Privacy Policy by posting the new Privacy Policy on our Site. You are advised to consult this Privacy Policy regularly for any changes.

Note, Twitter didn't say that it would send out emails to users when it updated its privacy policy, instead, it advised users to revisit the site on a regular basis to see if the policy had changed. How this sentence passed the laugh test at Twitter's HQ, I do not know.

In subsequent edits to the policy, Twitter reworded this section, so that it now reads:

We may revise this Privacy Policy from time to time. The most current version of the policy will govern our use of your information and will always be at https://twitter.com/privacy. If we make a change to this policy that, in our sole discretion, is material, we will notify you via an @Twitter update or e-mail to the email associated with your account. By continuing to access or use the Services after those changes become effective, you agree to be bound by the revised Privacy Policy.

Got that? As of Version 2 of Twitter's privacy policy, merely by continuing to use Twitter, you agree to be bound by whatever the company adds to the policy. Oh, and it is up to the company to decide if the changes to the policy are important enough to justify telling users.

I know that I am not the first researcher to point out how stupid privacy policies are, or that no one reads them. Many others have done it, and done so far more eloquently than me. My goal in writing this blog post is simple: Not only is a federal judge ruling that 3 individuals have no reasonable expectation of privacy with regard to the government getting some of their Internet transaction data, but the judge isn't even citing the right version of a widely ignored privacy policy to do so. If the judge were to examine the privacy policy that existed when these three targets signed up for a Twitter account, he might decide that they do in fact have a reasonable expectation of privacy and that the government needs a warrant to get the data.