Tuesday, December 01, 2009

8 Million Reasons for Real Surveillance Oversight

Disclaimer: The information presented here has been gathered and analyzed in my capacity as a graduate student at Indiana University. This data was gathered and analyzed on my own time, without using federal government resources. This data, and the analysis I draw from it, will be a major component of my PhD dissertation, and as such, I am releasing it in order to receive constructive criticism on my theories from other experts in the field. The opinions I express in my analysis are my own, and do not reflect the views of the Federal Trade Commission, any individual Commissioner, or any other individual or organization with which I am affiliated.

UPDATE 12/3/2009 @ 12:20PM: I received a phone call from an executive at TeleStrategies, the firm who organized the ISS World conference. He claimed that my recordings violated copyright law, and asked that I remove the mp3 recordings of the two panel sessions, as well as the YouTube/Vimeo/Ikbis versions I had embedded onto this blog. While I believe that my recording and posting of the audio was lawful, as a good faith gesture, I have taken down the mp3s and the .zip file from my web hosting account, and removed the files from Vimeo/YouTube/Ikbis.

Executive Summary

Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint's Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies' extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics -- since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

Introduction

"[Service providers] have, last time I looked, no line entry in any government directory; they are not an agent of any law enforcement agency; they do not work for or report to the FBI; and yet, you would never know that by the way law enforcement orders them around and expects blind obedience."
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.

"The reason we keep [search engine data] for any length of time is one, we actually need it to make our algorithms better, but more importantly, there is a legitimate case of the government, or particularly the police function or so forth, wanting, with a Federal subpoena and so forth being able to get access to that information."
-- Eric Schmidt, CEO of Google, All Things Considered, NPR interview between 5:40 and 6:40, October 2, 2009.

Internet service providers and telecommunications companies play a significant, yet little known role in law enforcement and intelligence gathering.

Government agents routinely obtain customer records from these firms, detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and of course, huge amounts of geolocation data, detailing exactly where an individual was located at a particular date and time.

These Internet/telecommunications firms all have special departments, many open 24 hours per day, whose staff do nothing but respond to legal requests. Their entire purpose is to facilitate the disclosure of their customers' records to law enforcement and intelligence agencies -- all following the letter of the law, of course.

'Juking' the stats

If you were to believe the public surveillance statistics, you might come away with the idea that government surveillance is exceedingly rare in the United States.

Every year, the US Courts produce the wiretap report which details every 'intercept' order requested by Federal, state and local law enforcement agencies during that year. Before the police, FBI, DEA or other law enforcement agents can tap a phone, intercept an Internet connection, or place a covert bug into a suspect's home, they must obtain one of these orders, which law professor and blogger Orin Kerr describes as a "super warrant," due to the number of steps the government must go through in order to obtain one.

The official wiretap reports reveal that there are approximately 2000 intercept orders sought and approved by judges each year.



As you might expect, the vast majority of these intercept orders are for phone wiretaps. Thus, for example, of the 1891 intercept orders granted in 2008, all but 134 were issued for phone taps.



The number of electronic intercept orders, which are required to intercept Internet traffic and other computer-assisted communications, is surprisingly low. There were just 10 electronic intercept orders requested in 2008, and only 4 of those were from the Federal government -- which was itself a massive increase over the single order sought by the entire Department of Justice in both 2006 and 2007.



This graph, and the information contained within it, simply does not make sense. The number of electronic intercepts should, like the number of phone wiretaps, be going up over time, as more people purchase computers, and as criminals or other persons of government interest start to use computers to communicate and plan their business activities. Why were there almost 700 total (federal and state) electronic intercept orders obtained in 1998, but only 10 in 2008?

While I have no way of proving it, I suspect that there have never been a large number of electronic intercept orders obtained in order to monitor computer communications. The electronic intercept orders, as reported by the US Courts, include those used to monitor computers, fax machines, and pagers. The wiretap report doesn't break down the numbers for these individual technologies -- but I suspect that the nearly 700 electronic intercept orders granted in 1998 were largely for fax machines and pagers. Thus, as these technologies died out, it is only natural that the number of electronic intercept orders declined.

That still leaves us with one large question, though: how often are Internet communications being monitored, and what kind of orders are required in order to do so?

The stats don't cover all forms of law enforcement surveillance

As I described at the beginning of this article, the government routinely obtains customer records from ISPs detailing the telephone numbers dialed, text messages, emails and instant messages sent, web pages browsed, the queries submitted to search engines, and geolocation data, detailing exactly where an individual was located at a particular date and time.

However, while there are many ways the government can monitor an individual, very few of these methods require an intercept order.

In general, intercept orders are required to monitor the contents of real time communications. Non-content information, such as the To/From and Subject lines for email messages, URLs of pages viewed (which includes search terms), and telephone numbers dialed can all be obtained with a pen register/trap & trace order.

While wiretaps require a "superwarrant" which must be evaluated and approved by a judge following strict rules, government attorneys can obtain pen register orders by merely certifying that the information likely to be obtained is relevant to an ongoing criminal investigation -- a far lower evidentiary threshold.

In addition to the fact that they are far easier to obtain, pen register orders are also not included in the annual US Courts wiretap report. Not to fear, though -- a 1999 law requires that the Attorney General compile annual statistics regarding DOJ's use of pen register orders, which he must submit to Congress.

Unfortunately, the Department of Justice has ignored this law since 2004 -- when five years' worth of reports were provided to Congress in the form of a single document dump covering 1999-2003. Since that one submission, both Congress and the American people have been kept completely in the dark regarding the Federal government's extensive use of pen registers.



Since we don't have any pen register stats for the last five years, it is difficult to do a current comparison. However, for the five years' worth of data that we do have, it is possible to make a few observations.

First, in 2003, Federal agents used 15 times more pen registers and trap & traces than intercepts. Perhaps this was because each of the 578 Federal intercept orders obtained in 2003 had to be thoroughly evaluated and then approved by a judge, while the 5922 pen registers or 2649 trap & trace devices each received a cursory review at best.

Second, the number of pen registers and trap & trace orders went down after 9/11, at a time when the FBI and other parts of DOJ were massively increasing their use of surveillance. 4210 pen registers were used in 2000, 4172 in 2001, and 4103 in 2002.

It is important to note that these numbers only reveal part of the picture, as these statistics only cover the use of pen registers/trap & traces by the Department of Justice. There are no public stats that document the use of these surveillance methods by state or local law enforcement. Likewise, these stats only cover the requests made for law enforcement purposes -- pen register surveillance performed by the intelligence community isn't reported, even in aggregate form.

Stored Communications

The reporting requirements for intercepts and pen registers only apply to the surveillance of live communications. However, communications or customer records held in storage by third parties, such as email messages, photos or other files maintained in the cloud by services like Google, Microsoft, Yahoo, Facebook and MySpace, are routinely disclosed to law enforcement, and there is no legal requirement that statistics on these kinds of requests be compiled or published.

There is currently no way for academic researchers, those in Congress, or the general public to determine how often most email, online photo sharing or social network services deliver their customers' data to law enforcement agents.

While these firms deliver sensitive customer data to government agents on a daily basis, they go out of their way to avoid discussing it.

"As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google."

"We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws."

"Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws."

Only Facebook and AOL have publicly disclosed the approximate number of requests they receive from the government -- 10-20 requests per day and 1000 requests per month, respectively.

Follow the money

"When I can follow the money, I know how much of something is being consumed - how many wiretaps, how many pen registers, how many customer records. Couple that with reporting, and at least you have the opportunity to look at and know about what is going on."
-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.

Telecommunications carriers and Internet firms do not just hand over sensitive customer information to law enforcement officers. No -- these companies charge the government for it.

Cox Communications, the third largest cable provider in the United States, is the only company I've found that has made its surveillance price list public. Thus, we are able to learn that the company charges $2,500 for the first 60 days of a pen register/trap and trace, followed by $2,000 for each additional 60 days, while it charges $3,500 for the first 30 days of a wiretap, followed by $2,500 for each additional 30 days. Historical data is much cheaper -- 30 days of a customer's call detail records can be obtained for a mere $40.

Comcast does not make its price list public, but the company's law enforcement manual was leaked to the Internet a couple of years ago. Based on that 2007 document, it appears that Comcast charges at least $1000 for the first month of a wiretap, followed by $750 for each month after that.

In the summer of 2009, I decided to try and follow the money trail in order to determine how often Internet firms were disclosing their customers' private information to the government. I theorized that if I could obtain the price lists of each ISP, detailing the price for each kind of service, and invoices paid by the various parts of the Federal government, then I might be able to reverse engineer some approximate statistics. In order to obtain these documents, I filed Freedom of Information Act requests with every part of the Department of Justice that I could think of.

The first agency within DOJ to respond was the U.S. Marshals Service (USMS), who informed me that they had price lists on file for Cox, Comcast, Yahoo! and Verizon. Since the price lists were provided to USMS voluntarily, the companies were given the opportunity to object to the disclosure of their documents. Neither Comcast nor Cox objected (perhaps because their price lists were already public), while both Verizon and Yahoo! objected to the disclosure.

I then filed a second request, asking for copies of the two firms' objection letters. Those letters proved to be more interesting than the price lists I originally sought.

Click here for the complete Verizon price list letter.
Click here for the complete Yahoo! price list letter.

First, Verizon revealed in its letter that it "receives tens of thousands of requests for customer records, or other customer information from law enforcement."


Assuming a conservative estimate of 20,000 requests per year, Verizon alone receives more requests from law enforcement per year than can be explained by any published surveillance statistics. That doesn't mean the published stats are necessarily incorrect -- merely that most types of surveillance are not reported.

In its letter, Verizon lists several reasons why it believes that its price list should remain confidential. Of these reasons, two stand out. First, the company argues, customers might "become unnecessarily afraid that their lines have been tapped, or call Verizon to ask if their lines are tapped (a question we cannot answer.)"

The second interesting reason is that:
"Our pricing schedules reveal (for just two examples) that upon the lawful request of law enforcement we are able to [redacted by USMS]. In cooperation with law enforcement, we do not release that information to the general public out of concern that a criminal may become aware of our capabilities, see a change in his service, correctly assume that the change was made at the lawful request of law enforcement and alter his behavior to thwart a law enforcement investigation."

I'm not sure what capabilities this section is referring to -- but I'd love to find out more.

Yahoo!'s letter is far less exciting, and doesn't even hint at the number of requests that the company receives. There is one interesting tidbit in the letter though:
"It is reasonable to assume from these comments that the [pricing] information, if disclosed, would be used to "shame" Yahoo! and other companies -- and to "shock" their customers. Therefore, release of Yahoo!'s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies."



Geolocation

"Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers." Ellen Nakashima, Cellphone Tracking Powers on Request, The Washington Post, November 23, 2007.

"Law enforcement routinely now requests carriers to continuously 'ping' wireless devices of suspects to locate them when a call is not being made ... so law enforcement can triangulate the precise location of a device and [seek] the location of all associates communicating with a target."
-- Christopher Guttman-McCabe, vice president of regulatory affairs for CTIA -- the Wireless Association, in a July 2007 comment to the Federal Communications Commission.

As mobile phones have become ubiquitous, the law enforcement community has learned to leverage the plentiful, often real-time location information that carriers can be compelled to provide. Location requests easily outnumber wiretaps, and as this article will reveal, likely outnumber all other forms of surveillance request too.

In terms of legal requirements, this information can often be gained through the use of a hybrid order, combining a Stored Communications Act request and a Pen Register request. As noted before, the former law has no reporting requirement, and the law requiring reports for the Pen Register requests has been ignored by the Department of Justice since 2004.

In March of this year, telecommunications lawyer Al Gidari, who represents many of the major telcos and ISPs, gave a talk at the Berkman Center at Harvard University. During his speech, he revealed that each of the major wireless carriers receives approximately 100 requests per week for customers' location information.

100 requests per week * 4 wireless major carriers (Sprint, Verizon, AT&T, T-Mobile) * 52 weeks = 20k requests per year.

While Gidari's numbers were shocking when I first heard them, I now have proof that he significantly underestimated the number of requests by several orders of magnitude.

Hanging with the spooks

Several times each year, in cities around the globe, representatives from law enforcement and intelligence agencies, telecommunications carriers and the manufacturers of wiretapping equipment gather for a closed door conference: ISS World: Intelligence Support Systems for Lawful Interception, Criminal Investigations and Intelligence Gathering.

ISS World is no stranger to the privacy community. Back in 2000, FBI agents showed off a prototype of the Carnivore interception system to attendees at ISS World. Days later, stories appeared in both the Wall Street Journal and The New York Times after one attendee leaked information to the press.

ISS World had been on the list of events that I'd wanted to attend for a long time, even more so after my research interests started to focus on government surveillance. Thus, in October of this year, just a month after moving to Washington DC, I found myself at the Washington DC Convention Center, attending ISS World.

Looking around at the name badges pinned to the suits milling around the refreshment area, it really was a who's who of the spies and those who enable their spying: household-name telecom companies and equipment vendors, and US government agencies (both law enforcement and intel). Also present were representatives from foreign governments -- Colombia, Mexico, Algeria, and Nigeria -- who, like many of the US government employees, spent quite a bit of time at the vendor booths, picking up free pens and coffee mugs while they learned about the latest and greatest surveillance products currently on the market.

The main draw of the event for me was two panel discussions: a presentation on "Regulatory and CALEA Issues Facing Telecom Operators Deploying DPI Infrastructure", and a "Telecom Service Providers Roundtable Discussions".

Not knowing ahead of time what the speakers would say, and not wanting to be called a liar if I later cited an interesting quote in a research paper, I decided to make an audio recording of the two panels.

One wireless company, 50 million customers, 8 million law enforcement requests for customer GPS information in one year

Both panels are fascinating, and worth listening to in full.

Click here for an mp3 of the complete Deep Packet Inspection panel.
Click here for an mp3 of the entire telecom panel.

However, by far the most jaw-dropping parts of the telecom service providers roundtable were the following quotes:
"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

"In the electronic surveillance group at Sprint, I have 3 supervisors, 30 ES techs, and 15 contractors. On the subpoena compliance side, which is anything historical, stored content, stored records, is about 35 employees, maybe 4-5 supervisors, and 30 contractors. There's like 110 all together."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel, describing the number of employees working full time to comply with requests for customer records.

"Cricket doesn't have as many subscribers so our numbers are going to be less. I think we have 4.5 - 5 million subscribers. We get approximately 200 requests per calendar day, and that includes requests for records, intercepts. We don't have the type of automation they do, and we can't do the location specificity that they can, because we don't have GPS."
-- Janet A. Schwabe, Subpoena Compliance Manager, Cricket Communications

"Nextel's system, they statically assign IP addresses to all handsets ... We do have logs, we can go back to see the IP address that used MySpace. By the way - MySpace and Facebook, I don't know how many subpoenas those people get, or emergency requests but god bless, 95% of all IP requests, emergencies are because of MySpace or Facebook... On the Sprint 3G network, we have IP data back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... It's because marketing wants to rifle through the data."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

"Two or three years ago, we probably had less than 10% of our requests including text messaging. Now, over half of all of our surveillance includes SMS messaging."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.


Conclusion

As the information presented in this article has demonstrated, the publicly available law enforcement surveillance statistics are at best misleading and, at worst, deceptive. It is simply impossible to have a reasonable debate amongst academics, public policy makers, and members of the public interest community when the very scale of these surveillance programs is secret.

As an example, consider the following quote from the November 4, 2009 markup hearing of the House Judiciary Committee, which is currently considering a bill to expand the government's PATRIOT Act surveillance powers. During the hearing, Rep. Lamar Smith, the Ranking (Minority) Member, said the following:

"Unlike other tools which actually collect content, such as wiretaps, pen registers and trap-and-trace devices merely request outgoing and incoming phone numbers. Because the government cannot collect any content using pen registers, a minimization requirement makes no sense. What is there to minimize?"

After reading this article, it should be clear to the reader that pen registers and trap & trace devices are used for far more than just collecting phone numbers dialed. They are used to get email headers (including To, From and Subject lines), the URLs of web pages viewed by individuals, and in many situations, they are used (along with a Stored Communications Act request) to get geolocation information on mobile phone users.

The reason I'm quoting Rep. Smith isn't to poke fun at his expense, but to make a serious point. How can we have a serious public debate about law enforcement surveillance powers, when the most senior Republican on the committee responsible for the oversight of those powers doesn't understand how they are being used? Likewise, this paragraph should by no means be read as an attack on Rep. Smith. How can he be expected to understand the extensive modern use of pen registers, when the Department of Justice continues to break the law by failing to provide yearly statistics on the use of pen registers to Congress?

My point is this: The vast majority of the government's access to individuals' private data is not reported, either due to a failure on DOJ's part to supply the legally required statistics, or due to the fact that information regarding law enforcement requests for third party stored records (such as email, photos and other data located in the cloud) is not currently required to be collected or reported.

As for the millions of government requests for geo-location data, it is simply disgraceful that these are not currently being reported...but they should be.



Monday, August 17, 2009

Going Fed

This week will be my last at Harvard's Berkman Center for Internet & Society. It has been a fantastic place to work, and for the first time in my academic life, I found a supportive environment where it is OK to be interested in both technology and law/policy. I will miss Berkman and the friends I made there sorely (but not the horrible Boston weather).

In two weeks, I will move to Washington DC, where I will begin working half time as a technical consultant to the Division of Privacy and Identity Protection in the Bureau of Consumer Protection at the US Federal Trade Commission. As I understand it, the FTC has a lot of really smart lawyers, but they (currently) lack geek skills.

David Vladeck, the new head of the Bureau of Consumer Protection recently told the New York Times that "he would hire technologists to help analyze online marketers’ tracking." I guess that means people like me.

Those regular blog readers who are used to my usual acerbic writing style may be disappointed. I expect that my writing on this blog will dry up -- with the occasional post to announce new research papers or updates to TACO. While I haven't been told to do this, I am assuming that it is simply no longer appropriate to use this blog to shame the corporations that continue to do harm to users' online privacy -- at least as long as I am also on the government's payroll.

Hopefully, there will be other ways that I can help to achieve this positive change from within the DC beltway.

I also recognize that many people might find it surprising that I am going to work for the US government. After all, I have spent much of my public blogging railing against the oppressive surveillance state and the numerous privacy invasions committed by the law enforcement and intelligence agencies.

My position at the FTC will involve no classified work; I have not had, and will not get, a security clearance; and I intend to be solely focused on things that improve consumer privacy, not hurt it. The FTC is not in the business of violating the rights of Americans. There are other agencies that seem to be taking care of that.

I will be at the FTC half time. The other (unpaid) half of my time will be spent wrapping up my dissertation, writing research papers, and continuing to work on TACO.

There are likely to be some users of TACO who are not terribly keen on the idea of running code on their computers designed and maintained by someone who is paid by the US government. TACO is open source, which means anyone can look through the source code online to see if there are any hidden backdoors (there aren't). Furthermore, Mozilla won't roll out an update to the 100,000 TACO users until a Mozilla volunteer has looked through the code and verified that it is safe.

As an additional layer of safety for paranoid TACO users, I have added two new people to the TACO development team: Sid Stamm, and Dan Witte, both employees of Mozilla. Sid is also a paranoid security geek, and Dan is in charge of the cookie related code within the Firefox browser. Dan also rewrote the most recent version of TACO to make it several times faster.

Both have agreed to lend a hand if and when I encounter technical problems with future TACO versions (since my coding skills are not so great). However, they will also be able to act as a layer of protection, should someone try to force me to make changes to the TACO codebase. Defense in depth, I suppose.

My Dissertation Proposal Colloquium

Update: This is my dissertation proposal, which means it has not been written yet. In a year, once the dissertation is done, it will of course be posted online.


Christopher Soghoian
Wednesday, September 2
1:00pm
Informatics East, Room 130
Indiana University Bloomington

PROFITS VS. PRIVACY?

STUDYING THE FAILURE OF THE WEB 2.0 INDUSTRY TO DEPLOY PRIVACY ENHANCING TECHNOLOGIES



It is now more than 30 years since the invention of public key cryptography. Yet, now, in 2009, the vast majority of Internet users still transmit their own personal information over networks without any form of encryption. When consumers check their Google Mail, Facebook or MySpace accounts using the increasingly ubiquitous free wireless networks in public places, they face a very real risk of theft and hijacking of their online accounts. While skilled technical experts and corporations have easy access to effective security technologies, most consumers still lack basic privacy online. The question we must ask is why?

Effective cryptography is no longer restricted by US export laws, protected by patents, or so computationally expensive that it is impractical for all but state secrets. Yet the market has still failed to deliver products that provide strong authentication and confidentiality by default. The problem is not restricted to cryptography and data security – the market has failed to deliver in other areas, such as the increasing amounts of personally identifiable information that is quietly collected by online advertisers, search engines and government agencies.

This thesis will argue that the failure of the market to provide services that are safe and secure by default is not a failure of the computer science research community, but the result of complex and skewed incentives that play out in the policy, legal and business spheres. As a result, those wishing to improve the state of basic security and privacy for end-users must look beyond the search for new algorithms and cryptographic techniques. They must instead work to solve the policy problems which have thus far frustrated the deployment of basic privacy enhancing technologies. This thesis will effectively weave together technical, legal and policy perspectives, allowing us to reach a level of depth and analysis which would be otherwise impossible if we approached this problem from a single angle.

This thesis will consist of a taxonomy detailing numerous market failures, followed by several in-depth case studies, and proposed solutions.

I will first survey several ways in which privacy enhancing technologies can fail to reach consumers, such as skewed incentives by dominant service providers, patent thickets, usability problems, and outright government prohibitions on the use and export of particular technologies.

I will then present several case studies: An analysis of key privacy risks associated with log retention by search engines, and the failure of the market to protect consumers from this threat; a look at the industry-wide failure to provide effective cryptographic data confidentiality and authentication to users of “cloud” and other Web 2.0 services; the legal and policy issues surrounding the government’s ability to compel service providers into inserting privacy invading back doors into their own products; and an analysis of the behavioral advertising industry, and its decade-long failure to provide easy to use and effective opt-out mechanisms for end-users.

Finally, I will propose specific legal and policy solutions to the privacy issues highlighted in the case studies, as well as several policy solutions for the general failures highlighted in the initial survey.

Wednesday, August 12, 2009

Google's commitment to transparency

From Google's Privacy Page:
"At Google, we’re committed to transparency and choice."
From a February 2009 post to the Official Google Blog by Jonathan Rosenberg, Senior Vice President of Product Management:
"Everyone should be able to defend arguments with data ... Information transparency helps people decide who is right and who is wrong and to determine who is telling the truth ... This is why President Obama's promise to "do our business in the light of day" is important, because transparency empowers the populace and demands accountability as its immediate offspring."
From the February 2009 contract signed between Google and the US General Services Administration, enabling government agencies to use YouTube videos on their web sites:
Confidentiality

The parties shall not disclose to any third parties Confidential Information disclosed by one party to the other under this Agreement. Each party shall protect Confidential Information by applying the same degree of care used by the parties to protect their own confidential information. If any Confidential Information is required to be produced by law, the noticed party will promptly notify the other party, and to the extent allowed by law, cooperate to obtain an appropriate protective order prior to disclosing any confidential information. Both parties agree that, notwithstanding any other provision of this Agreement, Provider may be bound by the Freedom of Information Act, as well as other federal laws and regulations that may require disclosure of information, including disclosure of the fact that an agreement is in place between the parties. Provider agrees that any disclosure of information pursuant to the Freedom of Information Act or other law, regulation or compulsory process requiring disclosure will not, to the extent lawfully permitted, include any Confidential Information. Any required disclosure by Provider of documents that may contain Google Confidential Information will be preceded by notice to Google in accordance with applicable law, regulation and policy including 5 USC 552 and applicable agency rules.

....

Provider acknowledges that, except as expressly set forth in this Agreement, Google uses persistent cookies in connection with the YouTube Video Player. To the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.

Saturday, August 01, 2009

My new paper and Defcon talk

In three hours, I will present my latest research paper at the Defcon computer hacker conference:
Manipulation and abuse of the consumer credit reporting agencies

This paper will present a number of loopholes and exploits against the system of consumer credit in the United States that can enable a careful attacker to hugely leverage her (or someone else's) credit report for hundreds of thousands of dollars. While the techniques outlined in this paper have been used for personal (and legal) profit by a small community of credit hackers, these same techniques could equally be used by more nefarious persons - that is, criminals willing to break the law, engage in fraud, and make off with significant sums of money. The purpose of this paper is to shed light on these exploits, to analyze them through the lens of the computer security community and to propose a number of fixes which will significantly reduce the effectiveness of the exploits, by both those with good and ill intentions.

The paper was published in First Monday on Friday evening. With that, the secrecy surrounding this work vanished, and so Wired News was free to write about it.

This work has been under fairly tight wraps for the past few months, primarily due to my fear that the credit agencies might lawyer up and try to halt the publication if they were given prior warning. As a precautionary measure, I asked the Defcon organizers to list me as an "anonymous speaker" in the program schedule.

Now that the work is public, my hope is that the three credit agencies will carefully read my analysis of these exploits, and deploy the fixes that I suggest.

Friday, July 31, 2009

NAI to require minimum 5 year expiration date for opt out cookies

One week ago, I published an open letter to the Network Advertising Initiative, in which I complained that the behavioral advertising opt-out cookies offered by many NAI members had been set to shamefully short periods of time -- in some cases, as short as six months.

Over the past few days, executives from many NAI member firms contacted me to let me know that they were shifting to a better policy. I outlined the updated policies of those companies in this blog post.

This morning, I was contacted by the Executive Director of the Network Advertising Initiative, who informed me that the group will be requiring that all NAI member firms set their opt-out cookies to last at least five years. I expect to see news of this posted to the NAI site in the next few days.

Depending on your perspective, you could either see this as:

1. A sign that the industry can effectively and rapidly police itself when notified of a problem, or

2. Proof that the industry has for nearly a decade offered crippled opt-outs that silently vanished just a few months after the consumer expressed their wish to not be tracked.

While it is quite fun to see the industry scrambling to perform emergency damage control in response to my blog posts, it is pretty pathetic that I had to do this at all. This multi-billion dollar online advertising industry should not depend upon a single graduate student to keep it honest.

Thursday, July 30, 2009

My comments on the new proposed federal cookie and web tracking guidelines

One week ago, Vivek Kundra, the federal CIO, asked for feedback and input on a proposed overhaul of the rules prohibiting the use of tracking cookies on federal web sites.

I submitted my 5 page comments document today. For those of you who don't want to wait until all of the comments have been posted to the White House web site, I've embedded my submission here.

Monday, July 27, 2009

TACO 2.0 released

Update: Mozilla has approved TACO 2.0. All current TACO users should see a prompt to update the add-on the next time they restart Firefox.

I am happy to announce the release of version 2.0 of the Targeted Advertising Cookie Opt-out (TACO) Firefox add-on.

This version has been completely rewritten from scratch, primarily by Daniel Witte @ Mozilla Corp. It also includes opt-out cookies for 6 additional advertising companies: Snoobi, comScore VoiceFive, Hurra, Criteo, Coremetrics and EyeWonder.

I am waiting for the nice folks at Mozilla to read through the code and then approve it. If you lack patience, and simply cannot wait, TACO 2.0 can be installed by clicking here. Otherwise, wait a few days until Mozilla approves it, and then the 100,000 or so existing TACO users should receive an automatic update to this new version.

A total rewrite

The original TACO was essentially a fork of Google's Advertising Cookie Opt Out Plugin. Google's original tool included one cookie -- I simply modified it to include an additional 100 or so opt out cookies.

The problem is that Google's original code wasn't all that good -- it would reload all of the opt-out cookies each time a new window/tab was opened, and then force them to be reloaded again every 10 minutes, even if none of the opt-out cookies had changed.

Perhaps this isn't such a big deal for a tool that is designed to install a single opt-out cookie. However, it clearly didn't scale well.

Unfortunately, my Javascript skills are pretty horrible, and so I really wasn't up to the task of rewriting TACO by myself. Luckily, Daniel Witte, Mozilla's resident cookie guru offered to lend a hand, and eventually rewrote the entire add-on from scratch.

This new version is considerably faster, and no longer re-installs 100+ cookies into the browser each time a new tab/window is opened nor does it reinstall them again every 10 minutes after that.

Blocking third party cookies

One of the biggest complaints from TACO power-users was that the tool would not function when the user had configured the browser to block all 3rd party cookies (a suggested practice, and one which both Safari and Chrome do by default). I am happy to announce that TACO now plays nicely with blocked 3rd party cookies, and so the paranoid amongst you should feel free to go ahead and block them without having to worry about it breaking TACO.

A note about EyeWonder

Finally, blog-readers may remember that I recently pointed to EyeWonder's non-existent, broken opt-out as an example of one of the worst practices in the industry.

After 9 days, it looks like the company has finally fixed the opt-out, and so users of TACO 2.0 are automatically opted out of all of EyeWonder's behavioral advertising.

Behavioral advertising opt out cookie expiration update

Updated on July 28 with news from Yahoo! and 24/7 Real Media
Update again on July 29 with news from Microsoft and Fetchback

Just a quick update regarding the open letter I published to the Network Advertising Initiative last week, regarding the shamefully short expiration dates assigned to the opt-out cookies for many of the NAI members.

Within 6 hours of the letter hitting my blog, I received an email from Doug Miller, the head of privacy at AOL, informing me that the opt-out cookies for AOL's Advertising.com and TACODA had been set to such short periods of time because of a bug and that his team had since changed them to expire in 2099.

The next day, the CEO of BlueKai contacted me to let me know that the six month expiration for his company's opt-out cookie was also a bug, and that his team was changing it to expire after 5 20 years.

Also on Friday, I was contacted by a representative from Media 6 Degrees, who informed me that the six month expiration for their opt-out cookies was an engineering oversight. They informed me that by July 31st at the latest, the company's opt-out cookies will be set to expire after 10 years.

Media 6 Degrees also made it a point to state that "[W]e agree with, and fully support, the assertion that the NAI should define and require a minimum expiration time for all member opt-out cookies."

Yahoo! announced on Tuesday July 28 that they will be changing their opt out cookie to expire after 20 years. Yahoo! was even nice enough to give me a shout out in the official blog post announcing the change.

24/7 Real Media contacted me on July 28th to let me know that they have changed their opt out cookie to expire after 30 years.

On July 29, I was contacted by Microsoft's privacy team to let me know that live.com (which is not a member of the NAI) will also be shifting to five years. Atlas, Microsoft's advertising platform, is an NAI member and already had a 5 year expiration to begin with.

Also on July 30, the folks from Fetchback tweeted to let me know that as of today, their opt-out cookie is now set to expire after five years.


Not so much love from Yahoo!

While the 24 month expiration date for Yahoo's opt out cookie isn't as bad as the 6 months for some NAI members, it still isn't anything to be proud of, particularly when the company's major competitors have set an example by adopting opt out expirations of 30-60 years.

I contacted a senior member of Yahoo's privacy team, who informed me the company plans to add some language to the Yahoo opt out web page that will inform consumers of the fact that they will need to revisit the page every 2 years. However, the Yahoo executive I spoke with showed absolutely no interest in lengthening the expiration date of the company's opt out cookies.

So much for bold leadership, Yahoo.

Sunday, July 26, 2009

Apple: Want anonymity? You must be a drug dealer

Anonymity can be a very useful thing. Iranian dissidents use anonymity preserving systems in order to browse the web without suffering under the watchful eye of the state security apparatus. Likewise, FBI agents investigating child pornographers browse the Web using systems like Tor, so that the bad guys don't see an fbi.gov address in the web server access logs.

Bloggers, whistleblowers, and our founding fathers all made use of anonymity in order to freely speak unpopular or dangerous information.

While anonymity is arguably as American as apple pie, that hasn't stopped Apple Corp. from continuing its war against all things anonymous.

In 2004, AppleInsider, a Mac rumor blog, published (presumably leaked) information about a forthcoming Apple product. The company went to court in order to try and force the blog to reveal their anonymous sources. AppleInsider turned to the Electronic Frontier Foundation, who successfully convinced the court to apply California's journalist shield law to bloggers. The court eventually forced Apple to pay the EFF a cool $700,000 in legal fees.

Apple still hates anonymity

Even after that rather expensive lesson, it seems that Apple still has no love for those who seek anonymity.

In a recent filing with the copyright office, Apple has argued that consumers who wish to jailbreak their mobile phones and change the device's unique serial number must be drug dealers or other criminals.
[E]ach iPhone contains a unique Exclusive Chip Identification (ECID) number that identifies the phone to the cell tower. With access to the BBP via jailbreaking, hackers may be able to change the ECID, which in turn can enable phone calls to be made anonymously (this would be desirable to drug dealers, for example) or charges for the calls to be avoided.
Remember that the only way a US consumer can legitimately use an iPhone (at least in Apple's eyes) is to sign up for service with AT&T: A company that willingly (and illegally) violated the privacy of millions of Americans by allowing the US National Security Agency to spy on their calls, text messages, emails and web browsing activity.

To therefore argue that drug dealers are the main beneficiaries of iPhone anonymity is a pretty disgraceful lie. David Hayes, Apple's bigshot IP lawyer at Fenwick and West who wrote this letter should be ashamed of himself.

Thursday, July 23, 2009

An open letter regarding opt out cookie expirations

Charles Curran
Executive Director
Network Advertising Initiative
62 Portland Road
Suite 44
Kennebunk ME 04043

Dear Mr Curran,

I write to you today to draw your attention to several problems related to the process through which consumers can opt out of behavioral advertising performed by Network Advertising Initiative (NAI) member companies.

In particular, I would like to draw your attention to the widely varying expiration dates for the behavioral advertising opt out cookies supplied by the various NAI member advertisers. The opt out cookies for some sites last as little as six months, while others last as long as sixty years. This variability is not communicated to consumers, and as a result, many are unlikely to know that they must revisit the NAI web site and re-opt out every six months in order to maintain total opt out coverage.

I urge you to update the NAI Self-Regulatory Code of Conduct to require that your members adhere to a reasonable minimum expiration age for opt out cookies (I suggest at least five years). I also ask that you add text to the NAI opt out page to inform consumers of the shortest opt out cookie expiration, and make it clear that they will need to re-visit the site at that time in order to renew the opt out cookies.

The Issue in Depth

The Network Advertising Initiative provides a single-stop web site through which consumers can opt out of the behavioral advertising performed by its 34 member companies.

The text on this site advises consumers that:
To opt out of an NAI member's behavioral advertising program, simply check the box that corresponds to the company from which you wish to opt out. Alternatively, you can check the box labeled "Select All" and each member's opt-out box will be checked for you. Next click the "Submit" button. The Tool will automatically replace the specified advertising cookie(s) and verify your opt-out status.

While the site makes it relatively easy for consumers to opt out, no mention is made of the fact that many of the opt out cookies have been intentionally set to expire after a few short months, and thus the consumer will need to return to the NAI web site and repeat the process with some regularity in order to maintain total opt out coverage.

I am concerned that the NAI and its member companies have done nothing to inform consumers of this important issue. As a result, many consumers may falsely believe that a single visit to the NAI web site is sufficient.

There has already been quite a bit of attention paid to the ease with which opt out cookies can be accidentally erased by users (for example, whenever they clear out their browser cookies). The NAI itself even recognizes that problem, advising visitors to its frequently asked questions page that:
Will I ever need to renew my opt-out or opt out again?

If you ever delete the "opt-out cookie" from your browser, buy a new computer, or change Web browsers, you'll need to perform the opt-out task again. It's only when the network advertiser can read an "opt-out" cookie on your browser that it can know you have decided not to participate.

Those few users who explore the NAI site long enough to read through the frequently asked questions are quite likely to be deceived by the text of this statement – which implies that opt out cookies will stay put, except in the event that the user clears out her cookies, purchases a new computer, or switches to a new web browser.


Opt out cookie expiration dates vary, but are often far too short

When the NAI member firms implement their opt out process, their engineers set the length of the cookie expiration. While web cookies must have an expiration date (as per the technical standard), some NAI members have erred on the side of user privacy, and set their cookies to expire after 60 years or more. Unfortunately, many other NAI members have chosen to set their opt out cookies to expire after far shorter periods of time, some as short as six months.

There is simply no legitimate reason to set such a short expiration date.

With regard to opt out cookie expiration age, BlueKai, Media6Degrees and Specific Media are the worst of all NAI members. These firms have set their cookies to expire after 6 months. AOL’s Advertising.com is a close second at just 8 months.
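An added example (not part of the original letter) of the audit described above: it parses Set-Cookie headers from opt-out pages, computes each cookie's lifetime, and flags everything below the five-year minimum proposed here. The vendor names and headers are constructed placeholders; only the lifetimes mirror the figures reported in the letter.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Minimum opt-out lifetime the letter asks the NAI to require (five years).
MIN_OPT_OUT_LIFETIME = timedelta(days=5 * 365)


def cookie_lifetime(set_cookie: str, now: datetime) -> Optional[timedelta]:
    """Return how long the cookie in a Set-Cookie header survives, measured from `now`.

    Max-Age takes precedence over Expires when both are present (RFC 6265, section 5.3).
    A header with neither attribute is a session cookie, reported as None: it vanishes
    when the browser closes, so as an opt-out it is worthless.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:                      # parts[0] is the name=value pair
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit_opt_outs(headers: Dict[str, str], now: datetime) -> List[Tuple[str, str]]:
    """Flag every vendor whose opt-out cookie falls short of the five-year minimum."""
    findings = []
    for vendor, header in headers.items():
        life = cookie_lifetime(header, now)
        if life is None:
            findings.append((vendor, "session cookie: opt-out lost when the browser closes"))
        elif life < MIN_OPT_OUT_LIFETIME:
            findings.append((vendor, f"expires after about {life.days // 30} months"))
    return findings


# Constructed Set-Cookie headers, as if captured from hypothetical NAI members' opt-out
# pages on the day of the letter. The lifetimes mirror the figures the letter reports
# (six months, eight months, two years, sixty years); the vendor names are placeholders.
AUDIT_DATE = datetime(2009, 7, 23, tzinfo=timezone.utc)
SAMPLE_HEADERS = {
    "network-a": "optout=1; Expires=Sat, 23 Jan 2010 00:00:00 GMT; Path=/",   # six months
    "network-b": "optout=true; Max-Age=20736000; Path=/",                       # 240 days
    "network-c": "optout=1; Max-Age=63072000; Path=/",                          # two years
    "network-d": "optout=1; Expires=Tue, 23 Jul 2069 00:00:00 GMT; Path=/",   # sixty years
    "network-e": "optout=1; Path=/",                                            # session cookie
}

if __name__ == "__main__":
    for vendor, problem in audit_opt_outs(SAMPLE_HEADERS, AUDIT_DATE):
        print(f"{vendor}: {problem}")
```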

Most NAI members do not inform consumers of the opt out expiration

Of the 14 NAI members whose opt out cookies are set to expire in 24 months or less, BlueKai is the only firm to mention this fact in its privacy policy.

In the 6th paragraph of BlueKai’s privacy policy, the company notes that “As of May 1, 2009. BlueKai cookies will expire after six months from the date they are created.” However, this text is in the section of the privacy policy describing the company’s use of tracking cookies, which is 5 paragraphs above the section on opt outs. As a result, the few consumers who do read BlueKai’s policy are quite likely to wrongly believe that this statement only applies to the tracking cookies, and not the opt out cookie too.

The other 13 NAI members with opt out cookies that expire after a period of 24 months or less make no mention at all on their own web sites or privacy policies of this important bit of information.

My recommendations

Most consumers are unlikely to be aware of the short expiration dates of many NAI member opt out cookies. I urge you to take comprehensive steps to increase the length of the opt out cookies, and to better inform consumers of the fact that even under ideal circumstances, they will still need to re-visit the NAI web site a couple times per year in order to opt out again.

In order to provide consumers with a better opt out process, I urge you to do the following:

1. Update the NAI Self-Regulatory Code of Conduct to require that member companies adhere to a reasonable minimum expiration age for opt out cookies – at least five years.

2. Update the NAI Self-Regulatory Code of Conduct to require that member companies disclose the opt out expiration time in the privacy policy contained on their own web sites.

3. Add text to the NAI Opt Out Page to inform consumers of the expiration date of all the NAI members, so that they know when they must return in order to maintain complete opt out protection.

Saturday, July 18, 2009

Some of the worst opt-out failures in the online advertising industry

I'll be releasing a new version of TACO in the next few days. In the process of collecting a bunch more opt-out cookies, I came across a couple examples of horribly broken opt-outs.

In order to share my amusement/frustration with the rest of the Internet, I'm presenting them here:

1. Teracent

Of the 100+ online advertising firms whose opt-outs I have requested, this is the only one that I've found that requires a CAPTCHA in order to opt-out. By itself, this would merely be an annoyance. However, the CAPTCHA code on their opt-out page is broken, and thus even correctly entered answers are rejected as invalid. Thus, it is impossible to ever successfully receive an opt-out cookie from their site.



2. EyeWonder

This company has a lot going for it. Their privacy page makes all kinds of bold promises, such as the fact that their cookies comply with the Platform for Privacy Preferences (P3P). The buttons to opt-in and opt-out are fairly easy to discover, and clearly labeled. Unfortunately, both the opt-in and opt-out buttons link to non-existent pages on their website. Anyone wishing to opt-out is thus met with a 404 error.



These are not the first two horribly broken opt-out sites that I have discovered -- just the most recent. A few weeks ago, I had to email the folks at BlueKai, after discovering that the opt-out links on their web site had been broken for over two months. On the plus side - BlueKai's CEO, Omar Tawakol had the links fixed within 2 hours of my initial email, after 5PM on a Friday afternoon.

This is not an attempt to argue that these companies are maliciously providing broken opt-outs on their site. Hanlon's Razor tells us to never attribute to malice that which can be adequately explained by stupidity. In this case, it is far more likely to be ineptitude rather than some devious plot to stop consumers from using the opt-outs.

Why would they need to go out of their way to break the opt-outs? Even when the opt-outs are working, few if any consumers will actually discover them in the first place.

My point is that the industry is not doing a good job of policing itself, companies are not performing the most basic form of quality assurance and testing, and it is clear that they are not hiring outside auditors to independently verify that the opt-outs are working properly.

This industry is big enough, and profitable enough to not need to depend upon a single motivated graduate student to discover and police its broken opt-outs.

This is an industry that is desperately fighting the efforts of Congress to force it to switch from an opt-out model to opt-in for data collection and use... yet many of the industry players can barely provide working opt-outs.

We need comprehensive regulatory oversight of this industry, and we need it now.

Friday, July 17, 2009

Reading between Yoo's lines

Writing in the Wall Street Journal yesterday, torture/illegal wiretapping enabler John Yoo argued:
Unlike, say, Soviet spies working under diplomatic cover, terrorists are hard to identify. Yet they are vastly more dangerous. Monitoring their likely communications channels is the best way to track and stop them. Building evidence to prove past crimes, as in the civilian criminal system, is entirely beside the point. The best way to find an al Qaeda operative is to look at all email, text and phone traffic between Afghanistan and Pakistan and the U.S.
While Yoo doesn't come out and say it, the far more obvious difference between KGB spies and Al Qaeda operatives is that the Russians probably used strong encryption, and not, say, a shared Hotmail account.

The US government snooped on the communications of millions of Americans because Joe Terrorist still doesn't know how to use Pretty Good Privacy. If Al Qaeda's communications were all protected by strong encryption, it probably would have been much tougher to justify (even inside the permissive Yoo/Gonzales Department of Justice) the disgraceful warrantless interception and "other programs" which we still have yet to learn much about.

More Mistruths from Google on Privacy

When it comes to discussing the details of the company's privacy policies, Google is rarely forthcoming. Company statements, while technically truthful, are usually very deceptive to all but the expert reader. This allows Google to say one thing, while meaning another.

A fantastic example of this can be seen in statements made during a recent newspaper interview by Marissa Mayer, Google's vice president of search products and user experience:
"When you look at, for instance, search history, which is what personalised search is based on, you can actually see all of the information that Google has about you and you can understand how it's being deployed and you also can decide to opt out of the service entirely, or you can even delete various parts of the data that you don't like or you'd rather we didn't have. So there's a lot of transparency and control available to the user there, and we want to operate with a lot of transparency, because we want our users to be informed about what's going on."
The casual reader might see Mayer's comments, and wrongly believe that they can log in to the Web History page on Google's site, delete the information on their previous searches, causing the information to be deleted from Google's various log files, and thus protect their data from a subpoena submitted by a government investigator, the entertainment industry or divorce lawyer. Anyone believing this is, unfortunately, dead wrong.

Consider this snippet from the Frequently Asked Questions page for the Google Web History service:

You can choose to stop storing your web activity in Web History either temporarily or permanently, or remove items, as described in Web History Help. If you remove items, they will be removed from the service and will not be used to improve your search experience. As is common practice in the industry, Google also maintains a separate logs system for auditing purposes and to help us improve the quality of our services for users. For example, we use this information to audit our ads systems, understand which features are most popular to users, improve the quality of our search results, and help us combat vulnerabilities such as denial of service attacks.

As this page makes clear, Google does not promise to delete all copies of your old search records when you delete them using the Web History feature. No, the company will merely no longer show them to you, and will no longer use that information to provide customized search.

I'm sure this was an honest mistake on Mayer's part, right? As the company's vice president of search products and user experience, it's not like she should actually be expected to understand the fine grained details of the company's policies for search and user privacy.

A pattern of deception

Unfortunately, Mayer's misstatement of the facts is not the first time that Google has given misleading statements to the press about its privacy policies.

Last September, Google announced to the world that:
Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.
The usually fantastic Ellen Nakashima at the Washington Post was the first to announce the news via an exclusive interview with Google Privacy Czar Jane Horvath. Unfortunately, Nakashima allowed her article to be used as a tool of the Google politburo.
[Horvath] said Google also would anonymize the IP addresses associated with search queries typed in by users into Google's standard search bar nine months after they have been collected. "This really just illustrates how seriously we do take data anonymization,"
Miguel Helft at the New York Times didn't do much better.

It wasn't until I took the initiative to contact Google's PR team a few days later with a series of in-depth technical questions about the specifics of the policy that the truth emerged.

Writing at CNET, I revealed that:
Google announced on Monday that the company will be reducing the amount of time that it will keep sensitive, identifying log data on its search engine customers. To the naive reader, the announcement seems like a clear win for privacy. However, with a bit of careful analysis, it's possible to see that this is little more than snake oil, designed to look good for the newspapers, without delivering real benefits to end users....

Google has now revealed that it will change "some" of the bits of the IP address after 9 months, but less than the eight bits that it masks after the full 18 months. Thus, instead of Google's customers being able to hide among 254 other Internet users, perhaps they'll be able to hide among 64, or 127 other possible IP addresses .... this is a laughable level of anonymity.
Once I pointed out how useless Google's new privacy policy actually was, the tech press soon jumped onboard. The Register called it "Google Privacy Theatre", while ZDNet called it a "farce." Robert X. Cringely wrote that "the announcement was designed to make headlines and appease regulators while doing nothing to release Google's stranglehold on your data."
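The anonymity-set arithmetic in the CNET passage above, worked through as an added example (not from the post or from Google): masking the low bits of an IPv4 address, counting how many addresses collapse onto the masked value, and checking how many entries in some other data set remain consistent with a masked log line. The addresses are constructed from the RFC 5737 documentation ranges; the 7-bit and 6-bit masks stand in for the unspecified "some of the bits" policy.

```python
import ipaddress
from typing import Dict, List


def mask_low_bits(ip: str, bits: int) -> str:
    """Zero the lowest `bits` bits of an IPv4 address, the 'anonymization' step under discussion."""
    if not 0 <= bits <= 32:
        raise ValueError("bits must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(ip))
    return str(ipaddress.IPv4Address(addr & ~((1 << bits) - 1)))


def anonymity_set_size(bits: int) -> int:
    """How many addresses collapse onto one masked value: 2**bits (256 for a full low byte)."""
    return 1 << bits


def consistent_sources(masked_ip: str, bits: int, known_ips: List[str]) -> List[str]:
    """Addresses from an auxiliary data set that could have produced a masked log entry.

    This is the linkage risk the post describes: anyone holding the masked logs plus
    any other record set with full addresses can narrow the candidates this way.
    """
    matches = [ip for ip in known_ips if mask_low_bits(ip, bits) == masked_ip]
    return sorted(matches, key=lambda s: int(ipaddress.IPv4Address(s)))


# Constructed sample: the address behind one query-log line, and addresses seen in some
# other data set. All are RFC 5737 documentation addresses; no real users are involved.
QUERY_LOG_IP = "192.0.2.77"
KNOWN_IPS = ["192.0.2.200", "192.0.2.5", "198.51.100.9", "192.0.2.130", "192.0.2.77"]


def compare_policies(query_ip: str = QUERY_LOG_IP,
                     known_ips: List[str] = KNOWN_IPS) -> Dict[int, List[str]]:
    """Candidate lists under the full 8-bit mask and two weaker partial masks (7 and 6 bits)."""
    return {bits: consistent_sources(mask_low_bits(query_ip, bits), bits, known_ips)
            for bits in (8, 7, 6)}


if __name__ == "__main__":
    for bits, candidates in compare_policies().items():
        print(f"{bits} bits masked: anonymity set {anonymity_set_size(bits)}, "
              f"consistent addresses in auxiliary data: {candidates}")
```

With the full 8-bit mask four of the constructed addresses remain plausible; at 6 bits the query is pinned to a single address.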

Google and the Press

In this instance, Google was technically telling the truth. After all, at 9 months, the company does delete some information from their logs. It just happens that the act of deleting one or two bits of data does almost nothing to protect user privacy, and to describe it as "anonymity" is arguably false and deceptive advertising.

Unfortunately, most of the folks in the tech press are simply not up to the task of reading between the lines of Google's privacy doublespeak -- doing so usually requires the rare combination of expertise in the law as well as strong technical skills.

The true meaning of opt-outs

Don't worry though -- all is not lost. When government officials and regulators turn their gaze upon Google, they are often able to cut through the propaganda, and get to the truth. For some reason, Google seems far less able to lie to the Feds.

A fantastic example of this can be seen in the video clip embedded below, which is from the Behavioral Advertising hearing in the House of Representatives one month ago. Rep. Bobby Rush gets execs from both Google and Yahoo to admit that the companies do not allow consumers to opt out of the collection of data, but merely the use of that data. This is something that most firms are loath to admit in public, and instead leave the consumer hopelessly trying to read between the lines of their multi-page privacy policies.

Monday, July 13, 2009

My response to Safecount

Thank you to all the people who emailed me their thoughts, and those who left comments on my previous blog post regarding Safecount's request that their cookie not be included in TACO.

After thinking things through, I sent Tom Kelly, the company's COO, this response:
Hi Tom,

The feedback I received on my blog was not particularly supportive of your request.

I have thought things through, and decided to do the following:

1. I have added a note to the TACO home page, which states:

"Safecount argues that they are not a behavioral advertising company. However, they are a member of the Network Advertising Initiative, and do collect detailed data on the browsing and ad-viewing habits of Internet users. Furthermore, this data is often collected with no notice provided to the user on the web page where Safecount's tracking code has been embedded."

2. If you or your engineers would like to spend a day or two creating the code necessary to enhance TACO, which will provide users with a list of the companies whose opt-out cookies are available and/or active, and a way for users to disable individual opt-outs, I would be happy to look over such a patch, and if it is decent, consider applying it to the mainline TACO codebase.

Such a feature would be nice, but frankly, it isn't important enough for me to spend my own time developing it. However, just to be clear, even if such an ability to disable individual opt-out cookies existed within TACO, I would have them all turned _on_ by default. That is, users would need to go into a preferences window, scroll down through 60 or so company names (since Safecount is not at the beginning of the alphabet), and then choose to disable your opt-out cookie.

As you know very well (and in fact, your business model depends upon it), few consumers ever take the time to dig through preference windows or look into privacy policies in order to learn about a particular company's activities. Thus, were such a feature to exist, I highly doubt that more than a handful of consumers would ever make use of it.

In any case - I would be happy to consider such a patch, but I suspect that it probably isn't worth your engineers' time to work on it.

Cheers

Chris

Sunday, July 12, 2009

Thoughts on the DMCA exemption process

On Friday, we sent off our 11-page reply letter to the Copyright Office, in response to the questions they sent us regarding our Digital Millennium Copyright Act exemption requests for DRM abandon-ware.

There is a semi-decent chance that I will be either employed or engaged in consulting work half-time starting in September, which could make it difficult for me to blog (particularly given the style and tone that I tend to use). Thus, I want to take this opportunity now, while I still have the freedom to fully express my thoughts, to reflect on this process, and thank the many who assisted me.

First, I originally had the idea for the exemption request in May or so of last year. In the process of writing a law paper on the hacking of subsidized electronic goods by consumers, I spent a lot of time studying the cell-phone unlocking exemption that Jennifer Granick had won back in 2006. I think it would be fair to say I was inspired by her actions.

The DMCA process is one of the few ways through which an individual can actually make a difference to impact federal cyber law and copyright policy. It doesn't matter how many former Senate staffers you have working for your cause, nor are donations to PACs a necessary requirement for access. As someone with both a desire to make a difference, and a lack of money/access, the appeal was clear.

Writing up the request

My exemption submission simply wouldn't have been possible without the assistance of a skilled legal team, led by Phil Malone at the Harvard cyberlaw clinic. While laypersons do submit requests every year, they are never taken seriously (and when you read some of them, you understand why). The process is fairly straightforward, but still requires some knowledge of the specifics of the DMCA.

I had the idea for both the consumer and researcher exemptions, and probably provided around 50-60% of the text in the original exemption request comment and in our reply letter. After reading Slashdot every day for the past 14 years, it was easy for me to dig up citations to all the past instances of failed media stores, a task which would have taken a clinical intern significantly more time.

I gather that most clinical clients do not participate as much, nor directly contribute as much to the final work product. However, since I know the DMCA fairly well, and knew the specifics of the situation which we were examining, I think my participation helped quite a bit. Plus, it is (for a copyright policy geek) quite a fun activity.

However -- my participation alone was not enough. Phil Malone and Arjun Mehra turned my rantings of repeated industry abuse and a plea for relief into a compelling legal document. To be clear -- while I strongly encourage technologists and copyright activists to get involved with the DMCA exemption process, you really are wasting your time without the assistance of tech-savvy lawyers.

Arguing for the exemptions in DC

Before going to DC in May to argue in-person for my exemption requests, I went to a Federal Trade Commission town-hall focused on DRM. This event was something of a trial run, with many of the same characters who would later show up in DC.

The industry folks who argued on behalf of DRM at that event were, frankly, clueless shills masquerading as experts, and as such, they did a good enough job revealing their ignorance that I didn't need to do much to help.

As one copyright expert tried to warn me ahead of time, most of the people at the FTC town hall were on the "B-team", while the industry would make sure to send the "A-team" to the DMCA exemption hearing.

Unfortunately, I didn't really listen to him, and so when I did go to Washington to argue for my exemptions before the Copyright Office, I was a tad overconfident.

An important note for future copyright geeks: If you are considering asking for a DMCA exemption, and end up arguing for it in person, do not underestimate Steve Metalitz, the industry's main attack dog on DMCA-related issues. He is very good, and very quick on his feet. Unless you are a seasoned lawyer, do not allow him to drag you into the weeds in a discussion of the specifics of copyright law -- stick to issues of consumer harm and industry abuse.

The hearing itself was thrilling, exciting, and sort of like a courtroom -- with a panel of judges (well, Copyright Office lawyers) on a podium at the front of the room, and with the "good guys" (me) and the "bad guys" (Metalitz and someone from Time Warner) at two tables, separated by an aisle.

My only real regret from the hearing was not having a hot-shot lawyer sit next to me, to whom I could defer on legal questions. It wasn't until the hearing was over that I looked back, and saw that both Wendy Seltzer and Fred von Lohmann had snuck into the hearing after it started, and had thus been watching it from the back row.

While I handled things pretty well, on questions relating to the specifics of section 1201, I wasn't as strong. Luckily, the Copyright Office attorneys didn't really hammer me with legal questions, and focused the questions on topics on which I could actually provide expert testimony.

A word on timing and legal clinics

A DMCA exemption is a perfect, small, self-contained project for Law School legal clinics. Exemption requests are due in the fall, optional reply comments are due in the spring, the hearings are in the late spring, and then question reply comments are due over the summer. The entire process, from start to finish, is over in less than 9 months. Furthermore, it is something that can be done by a single (supervised) clinical intern.

As a result, it is not terribly surprising that university law clinics are now playing an increasingly prominent role in the DMCA exemption process.

In 2009, three different groups of exemptions were sought by individuals represented by the Harvard cyberlaw clinic, the Samuelson-Glushko Technology Law & Policy Clinic at the University of Colorado School of Law, and the Glushko-Samuelson Intellectual Property Law Clinic at the Washington College of Law, American University. Clinics have played a similarly strong role in previous years.

Unfortunately, it does not appear that the Copyright Office realizes the role that these clinics play (and the students who provide the manpower). As a result, the DMCA exemption hearings were scheduled for May 1 at Stanford, and May 6, 7 and 8 in Washington DC. For those of you not (or no longer) in academia -- this is right before, or in the middle of, final exams for many law students.

Had the Copyright Office scheduled the hearings two or three weeks earlier, they would have made the lives of the clinical students much easier. I know from my own experience that, as I tried to prepare for the hearings, it was very difficult to get much time from Arjun Mehra (my clinical student) and Phil Malone (who teaches classes in addition to his role running the clinic, and thus had class projects and term papers to grade).

Likewise, sending out questions during the middle of the summer, when the clinical students are off working internships is not particularly helpful. Luckily, Berkman has a few fantastic students who are interning at our cyberlaw clinic for the summer. As a result, I was able to get the help of another fantastic clinical student, Rachel Gozhansky, who helped in drafting our reply to the Copyright Office's questions.

I am not sure if the two other clinics were able to gather the student summer labor necessary in order to work on the responses to the copyright office's questions.

Given the increasingly important role that law school clinics are playing in the DMCA process, I hope that the Copyright Office will consider the realities of the academic calendar for future DMCA exemption rulemakings.

Thursday, July 09, 2009

Safecount: Please opt us out of TACO

This afternoon, I received an interesting set of emails from Tom Kelly, the Chief Operating Officer at Safecount.

Hi Christopher -

A colleague forwarded us a link to your Taco download page where we were surprised to see Safecount listed with the likes of many ad networks.

While we, and I, find your development efforts to be interesting, and nicely in line with the entrepreneurial spirit of the web, some of the classifications on your page are quite misleading to consumers.

Safecount is a research company and we occasionally invite certain website visitors randomly to volunteer their opinions. We don't sell any products, we don't target anyone with advertising based on behavior or attitude, and we only work with publishers who give us permission to perform research on their sites.

That's the danger of generic 4th party cookie blocking, it ends up blocking web efforts OTHER than ad revenue, behavioral targeting profiteers. Maybe you'll consider removing Safecount from your list.

Respectfully,

- tom

After asking him if I could post his email to my blog, he followed up with this:

Sure thing, Chris. My point is that, while Safecount does place cookies on user's browsers based on certain ads they've seen:

A) we don't use that info to target any marketing or advertising to them - we're not a behavioral targeting group
B) we're 100% transparent in the cookies we do place

As a matter of fact, one can go to www.safcount.net and view ALL of the info we have for their computer (not personal info). There they can also delete that data and tell us how often they'd agree to be invited to take a quick survey, including "never". We're as much about control and transparency as I think you are.

Thanks, Chris.

- tom

It has been nearly four months since the first version of TACO was released. The latest version supports 84 different behavioral advertising firms, has been downloaded nearly 250,000 times, and is in daily use by nearly 80,000 users. That means my tool is responsible for roughly 6.7 million opt-out cookies (80,000 users × 84 firms; actually more, since some networks require multiple cookies for different advertising domains). Holy cow!

In those four months, this is the first time that an advertising industry executive has asked me to remove his company's opt-out cookie from TACO, and so I am honestly not quite sure how to react.

My initial reaction is to say no, for the following reasons:

1. I have created TACO for fun, as a side project. I don't charge for TACO, and I have a day job (well, actually, several). I really don't have time to evaluate each advertising company one by one to figure out if the company engages in a good or bad activity. If consumers want that level of analysis, they are free to use the "complete" or "selective" opt-out tools provided by PrivacyChoice -- which is run by a former Yahoo! advertising executive who has Seen the Light, Loves Privacy And Who You Should Totally Trust (TM).

2. Picking individual advertising industry companies who should or should not be included in TACO is a slippery slope, which will open me up to criticism, and accusations of abuse of power. TACO currently includes every generic, non-identifiable opt-out HTTP cookie of all the online advertising industry companies that I know about. This is an easy standard to adhere to, and should protect me from accusations of bias.

3. Safecount, WPP (the mega advertising firm which owns it), the Network Advertising Initiative and others are free to make their own competitors to TACO which provide users with more choice, which provide users with less choice, which make it more or less difficult to opt out, or which make you dinner and do your laundry. TACO is open source, so they are even free to fork my code, and save themselves the weekend of coding it will take to create it from scratch.

4. Safecount is an advertising industry firm, which uses long-term cookies to track the browsing and other activities of end-users. The company might not be in the behavioral advertising business, but it is certainly in the collection of consumer data business, which is still creepy.

5. Safecount has provided consumers with the ability to opt-out of its data collection/use, but then objects when tools like TACO actually make it easy for consumers to opt-out. 99% of consumers have never heard of the company, and so wouldn't even know to visit their opt-out page in the first place.

6. If the company is really "as much about control and transparency" as I am, they could switch from an opt-out model to an opt-in model. Let consumers who value the survey-taking experience choose to have data on their browsing across multiple websites collected and analyzed. If the company switched to this model, the opt-out mechanism provided by TACO would be moot.

7. Likewise, while consumers can "go to www.safcount.net and view ALL of the info we have for their computer (not personal info)," this simply isn't good enough. It is totally unrealistic to expect consumers to visit the websites of 90-100 different advertising firms to "view the data collected on them", evaluate it, consider each company's 20+ page privacy policy, and then evaluate the kind of business and data relationship that they'd like to have with that firm.

Consumers don't opt out of telemarketing from individual advertising firms after evaluating each firm's policy on calling during dinner hours -- No. They sign up for a single do-not-call list, and are then free of the annoyance. We need the same for the online advertising industry: a single opt-out for all data collection and usage.
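As an added illustration (my own model, not TACO's, Safecount's or any network's real code), the following simulates what TACO does when it plants opt-out cookies and what a tracking host does when it sees one. It is built to show two things from this page: the generic, non-identifiable nature of an opt-out cookie (every browser carries the identical value, so the cookie distinguishes nobody), and the collection-versus-use distinction the Google and Yahoo executives conceded at the House hearing, modelled here as a server that stops issuing IDs and building profiles but still logs every hit. The host names, cookie names, the OPT_OUT value, the two-year lifetime and the request data are all assumptions or constructed input.

```python
"""Added example: a model of opt-out cookies as a tool like TACO plants them and
as a tracking host might honour them. Not TACO's, Safecount's, Google's or any
network's actual code. Host names, cookie names, OPT_OUT_VALUE, the lifetime and
all request data are assumptions / constructed for the demonstration."""
from dataclasses import dataclass, field
import secrets

OPT_OUT_VALUE = "OPT_OUT"            # assumed: the same literal for every browser
TWO_YEARS = 2 * 365 * 24 * 3600      # assumed lifetime of a tracking cookie

# Assumed host -> opt-out cookie name table (TACO's real list has ~84 entries).
NETWORKS = {"ads.example-net.test": "id", "survey.example-research.test": "uid"}


def parse_cookie_header(header: str) -> dict[str, str]:
    """Parse a Cookie request header ('a=1; b=2') into a dict; tolerates empty input."""
    cookies: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


@dataclass
class Request:
    host: str
    path: str
    client_ip: str
    user_agent: str
    cookie_header: str = ""


@dataclass
class TrackingServer:
    """Third-party host that assigns a unique ID unless it sees its own opt-out cookie."""
    host: str
    cookie_name: str
    log: list[dict] = field(default_factory=list)
    profiles: dict[str, list[str]] = field(default_factory=dict)

    def handle(self, req: Request) -> dict[str, str]:
        cookies = parse_cookie_header(req.cookie_header)
        cid = cookies.get(self.cookie_name)
        headers: dict[str, str] = {}
        if cid != OPT_OUT_VALUE:
            if cid is None:
                cid = secrets.token_hex(8)      # brand-new identifier for this browser
            headers["Set-Cookie"] = f"{self.cookie_name}={cid}; Max-Age={TWO_YEARS}; Domain={self.host}"
            self.profiles.setdefault(cid, []).append(req.path)   # "use": build a profile
        # "Collection" continues regardless: the hit is logged whether or not the
        # visitor opted out, which is the distinction conceded at the hearing.
        self.log.append({"ip": req.client_ip, "ua": req.user_agent, "path": req.path, "cookie": cid})
        return headers


def plant_opt_outs(jar: dict[str, dict[str, str]], networks: dict[str, str] = NETWORKS) -> int:
    """What TACO does on install: put every known network's opt-out cookie in the jar."""
    for host, name in networks.items():
        jar.setdefault(host, {})[name] = OPT_OUT_VALUE
    return len(networks)


def cookie_header_for(jar: dict[str, dict[str, str]], host: str) -> str:
    """Build the Cookie header the browser would send to host from its jar."""
    return "; ".join(f"{k}={v}" for k, v in jar.get(host, {}).items())


def browse(jar: dict[str, dict[str, str]], servers: dict[str, TrackingServer],
           pages: list[tuple[str, str]]) -> None:
    """Visit each (host, path) with the jar, storing any Set-Cookie the server returns."""
    for host, path in pages:
        req = Request(host, path, "203.0.113.9", "Mozilla/5.0 (constructed)",
                      cookie_header_for(jar, host))
        headers = servers[host].handle(req)
        if "Set-Cookie" in headers:
            name, _, rest = headers["Set-Cookie"].partition("=")
            jar.setdefault(host, {})[name] = rest.split(";", 1)[0]


def simulate(opted_out: bool) -> dict[str, int]:
    """One browser visits three constructed pages; report what the networks end up holding."""
    servers = {h: TrackingServer(h, n) for h, n in NETWORKS.items()}
    jar: dict[str, dict[str, str]] = {}
    if opted_out:
        plant_opt_outs(jar)
    pages = [("ads.example-net.test", "/news"), ("ads.example-net.test", "/health"),
             ("survey.example-research.test", "/shoes")]
    browse(jar, servers, pages)
    return {
        "profiled_pages": sum(len(v) for s in servers.values() for v in s.profiles.values()),
        "unique_ids_issued": sum(len(s.profiles) for s in servers.values()),
        "logged_hits": sum(len(s.log) for s in servers.values()),
    }


if __name__ == "__main__":
    print("without TACO:", simulate(False))
    print("with TACO:   ", simulate(True))
```

Run it and compare the two dictionaries: with the opt-out cookies planted, the profiled-page and unique-ID counts drop to zero while the logged-hit count does not move, and two browsers that both carry the opt-outs send byte-identical Cookie headers, which is what "generic, non-identifiable" means in practice.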

After writing this all down, I think I am even more convinced that leaving Safecount in the list of opt-outs provided by TACO is a good idea.

However, I suppose a reasonable case can be made that the company is not a behavioral advertising firm -- and so I am open to at least changing the language on the TACO page to note that Safecount is merely an advertising firm that collects detailed information on the browsing and web viewing activity of Internet users.

Blog readers -- do you have any thoughts on this? Please leave a comment.