I sent this FOIA request (pdf) to the Office of Administration today.
Essentially, I'm asking for a copy of all of the whitehouse.gov Web server logs, any analytics reports, data/log retention policies, as well as information on the amount of money paid by the White House for its use of Akamai and Amazon S3.
It'll be interesting to see how the White House counsel responds.
Friday, March 27, 2009
One Man's War on Advertising
I can happily report that two more companies, Blue Kai and Media Math, have in the last few days modified their advertising systems to now use non-identifiable opt-out cookies. Hurrah.
I've received unofficial word that at least one other company is making a similar switch. One by one, most of the online advertising companies are realizing that identifiable opt out cookies are bad for consumers, and more importantly, really bad PR for them.
Expect a new version of TACO in the next few days, incorporating these new opt-out cookies.
As the weeks go on, I wouldn't be surprised to see that initial list of 17 bad advertisers shrink.... to just two: Microsoft and Yahoo. These firms are the largest of the offenders, are slow unwieldy corporations which are unable to turn on a dime, and in some cases, simply don't see why they should be forced to stop tracking users.
If we do get to a point where only these mega advertising titans are refusing to provide consumers with an anonymous way of opting out of tracking and targeting, progress may depend upon legislators showing a bit of interest in the topic.
---------------
In other news, Jim Harper @ CATO took another good-natured whack at me this week.
Writing at the Tech Liberation Front, he stated that:
Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing - and there are many.
To say that I am solely focused on advertisers is unfair and incorrect. I wish to avoid being tracked by all parties, be they Facebook, the RIAA, online advertisers, or the US Government (remember, after all, the name of this blog). However, while the advertising industry has collectively provided consumers with a mechanism to opt-out of their more creepy practices (albeit one that is difficult to use), other would-be-watchers have not.
If Mr. Harper is aware of an opt-out cookie that I can load into my browser to opt myself out of the National Security Agency's illegal monitoring of domestic Internet traffic, I hope that he will let me know.
I will be the first to admit that privacy on the Internet sucks. I wish it were better. I wish we didn't have evil telecom companies who believe that they can monetize their customers' web browsing habits. I wish our government, even with the new President, respected the Fourth Amendment.
I am not claiming that my TACO add-on is perfect, or that it solves all of the privacy issues on the web. It is a specific technical solution for a particular policy problem. It is not a comprehensive solution to all the woes of web privacy -- it is just a way, I believe, for the little guy to reclaim a tiny little bit of that long forgotten right to be left alone.
Later on, Mr. Harper asserts that I am calling for new legislation:
With the right law in place, Chris appears to believe, “[t]he Federal Trade Commission and Congress would likely take an interest” when advertisers tried to skirt opt-out cookies, using other technologies to glean information about Web surfers’ interests.
Perhaps I was unclear in my previous post, but I do not believe that new legislation is required to go after advertisers who continue to engage in targeted advertising even after the user has opted out. The FTC has a clear legal mandate to go after those who engage in deceptive and unfair business practices. Advertisers who ignored their own opt-out cookies would seem to be engaging in an unfair and deceptive way. I would argue that the FTC already has all the authority it needs to go after such firms.
Saturday, March 21, 2009
The benefits of using opt-outs
This blog post provides a legal/policy argument in support of opt-out cookies. While the author knows a decent amount about Internet law, he is not a lawyer, and this is not legal advice.
While the response to my Targeted Advertising Cookie Opt-Out (TACO) Firefox add-on has been hugely positive, a number of users have questioned the utility of this tool, as compared to other pro-privacy and anti-advertising solutions.
As just one example of this line of mild criticism, Jim Harper over at the Tech Liberation Front, suggests that users can simply make use of the "block third party cookies" feature available in most Web browsers.
This is an approach that is similarly recommended by Google, which only provided an opt-out software extension to users of Internet Explorer and Firefox. Users of other browsers (such as Safari and Chrome) are advised to just block all advertising cookies.
The problem with blocking any form of unwanted behavior is that it just leads to an arms race.
Arms races, and the lessons from the pop-up war
Consider, for example, the scourge that was pop-up advertisements. These were a huge problem on the web, and continue to be so for anyone unlucky enough to be using an ancient browser. Their over-use by Web sites can make browsing an unpleasant, and at times, unusable experience.
So how did we do away with them? First, a number of browser add-ons began to offer pop-up blocking functionality. However, these were only used by technically savvy users. It wasn't until similar functionality was included in Firefox and Safari, often by default, that the tables really turned.
Once anti pop-up technology came baked into the browser, the advertising industry effectively lost one of its most powerful tools.
These firms had a strong incentive to find a way around this blocking, and so, over the past few years, new, sneakier forms of advertising, some even using pop-up style effects, have become commonplace.
Advertisers didn't observe the blocking of their previous techniques, and think, "Oh, I guess we should respect people's preference to not see annoying ads", but instead took it as an invitation to innovate, and create newer, more aggressive and unblockable forms of advertising.
That is, pop-up blocking technology, while providing users with some temporary relief, merely added fuel to the arms race.
Targeted advertisements use more than cookies
Over the past ten years, cookies have gotten a lot of criticism from privacy circles. Browsers have evolved to include sophisticated cookie handling tools, particularly in Safari and IE8. As a result, cookies have become far less useful as a way to track users. After all, every Safari user automatically rejects third party cookies by default.
Just as with the pop-up example mentioned above, this use of blocking technologies has merely encouraged an arms race, with advertisers turning to other methods for long term tracking. Technologies like Adobe's Flash, AIR, Microsoft's Silverlight, and the offline content in HTML5 can all be used to provide cookie-like tracking functionality.
Better yet for the advertisers, most users don't know that these technologies can be used to invade their privacy.
Ending the arms race
Should we follow the traditional approach, and just escalate the arms race? For example, the excellent BetterPrivacy Firefox add-on allows users to protect themselves against the tracking Flash cookies/LSO files used by YouTube, eBay and many other sites.
In my opinion, this cat and mouse game is a huge waste of energy. What we need is a way to remove ourselves from this cycle, and I think that opt-out cookies are a way to do this.
Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.
Now, consider the following hypothetical situation: In a year or two Google/Doubleclick sees that 50% of Web users have opted out of their targeted advertising. In an attempt to innovate around this, the company switches to the use of Flash-based cookies to target and track users.
While the company's privacy policy specifically talks about the use of cookies, it would be tough to see how Google could argue that it had the right to use alternative tracking technologies to track users who had opted out of its older cookie-based system.
The Federal Trade Commission and Congress would likely take an interest, and any attempt by Google's lawyers to argue that opt-outs only applied to html cookies, even if their privacy policy stated as much, would draw laughter and ridicule.
Simply put, opt-out cookies are a game changer. Once consumers affirmatively state their desire to not be tracked, companies can not continue the cycle of innovating around blocking technologies. For the advertisers, the game is over.
Best practices, defense in depth
The funny thing is, you don't need to actually accept third party cookies to get the benefits of opt-out cookies.
On my own computer, I disable all third party cookies, I've set the browser to clear all cookies upon starting, I use the awesome AdBlock Plus and NoScript. However, I still use my own opt-out cookie add-on.
With the other technologies and policies that I've set, no advertising network can use the existing cookie based technologies in order to track and target me. Some might say that the opt-out cookies provide no added value.
However, I see them as a form of defense-in-depth. If these advertising firms find a way around AdBlock Plus, and innovate around the third party cookie block, my positive declaration of my desire to not be targeted might provide me with some more protection.
At the very least, if the advertisers are ever caught tracking opted-out users via some other technology, my own use of opt-outs will give me a far better position, should I wish to take legal action.
So -- what are you waiting for? Download the Targeted Advertising Cookie Opt-Out (TACO) add-on today.
Wednesday, March 18, 2009
Some companies get it
This afternoon, I received a call from Aaron Ahola, the Chief Privacy Officer at Akamai. He had seen my blog post from last week describing my new opt-out cookie Firefox add-on (200 active users on Monday, 1000 users on Tuesday, 3000 on Wednesday), and the problems I had noted with the opt-out cookies used by several advertising networks (including his own).
Aaron told me that he looked into the advertising opt-out cookie issue and confirmed that what I had reported was true -- that Akamai was giving users an identifiable opt-out cookie when they asked to not be tracked.
Not only did he understand the privacy issues at play, but he immediately asked his engineers to look into the issue and fix it.
As of 4PM today, Akamai's advertising system now uses generic, non identifiable opt-out cookies.
While this pleases me immensely, I am more shocked than anything. Just 5 days after I started to tinker with the code for Google's open-source Advertising Cookie Opt Out Plugin, Akamai pushed through a change in policy across its entire advertising system.
Not only was this the right decision, but it was damn fast.
After working so much over the last few years to debunk the doublespeak echoed by the privacy czars at companies like Google and Facebook, it is refreshing to find someone who speaks honestly, understands the concerns of the privacy community, and is willing to fix a flawed policy when it is pointed out.
Bravo Akamai. Now, let's see if the remaining advertising networks will show themselves to be as savvy.
Saturday, March 14, 2009
Feds submit 20k phone location requests per year, no warrant required
Update: the lazy amongst you can read Ethan Zuckerman's summary of the lecture. You're missing out though, really.
Last week, the Berkman Center hosted Al Gidari, a partner at Perkins Coie, who frequently represents some of the major telecom companies as well as a few household names in the Web 2.0 world. Most famously, he represented Google, and helped to fight off the Department of Justice's request for search logs.
I was super happy to have helped to bring Al to Berkman. He is one of the most knowledgeable people out there on the obscure and shadowy world of surveillance law.
Perhaps the most interesting gem for me was Al's mention that the wireless carriers each receive about 100 requests per week from law enforcement for the location information on consumers. Most importantly, one request can be for "every person using this particular cell tower in a 10 minute span" -- and thus, can apply to hundreds or thousands of people.
100 requests per week * 4 wireless carriers (Sprint, Verizon, AT&T, T-Mobile) * 52 weeks = 20,800 requests per year, none of which require a warrant or judicial oversight. Scary.
If you only watch one lecture this year, watch this. I've embedded the video here, but a Flash-streaming version and downloadable mp4s/mp3s for your iPod can be found at the Berkman Center site.
Friday, March 13, 2009
Freedom from evil cookies
Executive Summary: I've modified Google's new Advertising Cookie Opt Out Firefox Plugin to allow users to opt-out of the tracking by 16 other advertising companies. The software is super alpha right now (the result of a few hours hacking this afternoon), and will hopefully be available on addons.mozilla.org in the next few days. If you're not a developer, please don't download it yet. If you are, you can find it here.
A large number of commercial companies now track users' browsing across the web, in order to profile them, and then serve them targeted advertising. This so called behavioral advertising is a threat to the average user's privacy.
An industry group, The Network Advertising Initiative, provides an easy way for users to opt-out of the tracking performed by its member companies. Users can visit a single web page, and then easily set opt-out web cookies for all of the NAI members advertising networks.
The problem with this is that the moment a user clears his or her cookies, they also lose the opt-out cookies. Regularly clearing browser cookies, or better, setting the browser to erase them all at the end of a session, is a recommended practice. Unfortunately, by doing this, users are then required to re-visit the NAI opt-out page each time they start browsing the web. This is obviously not a reasonable thing to expect.
Google recently announced that it would be engaging in the large scale collection and use of targeted advertising information. However, in addition to offering an opt-out cookie, the company has also developed a Firefox add-on, so that users can maintain the opt-out cookies, even if they regularly erase the other cookies.
Google should be commended for releasing such a useful privacy enhancing technology (even though their use of targeted advertising is creepy, and should be prohibited by the FTC). If only this add-on could be used to protect people from the prying eyes of the other advertising networks.
Since Google released the Firefox-addon as an open-source project (under the Apache 2.0 license), I have forked the code, and added in the opt-out cookies of 16 other advertising networks.
By installing this add-on, you will receive long-term opt-out cookies for the following NAI member advertising networks:
- Google / Doubleclick
- Collective Media
- Acerno
- Turn
- Next Action
- Audience Science
- BlueLithium
- Advertising.com
- [x+1]
- Fox Audience Network
- AlmondNet
- Safecount
- Tacoda Audience Networks
- Traffic Marketplace
- Tribal Fusion
- Undertone Networks
The Bad News
All of the above companies use a cookie similar to "OPT_OUT=1". Unfortunately, some other NAI member companies force a unique tracking ID upon users in the process of opting out of the targeted ad tracking. That is, in addition to an "OPT_OUT=1", they'll also force a "USER=12345678" cookie, which could enable them to uniquely track visitors to their site.
For example, when trying to opt out of Yahoo's tracking, I was given the cookie
B=c97l3894rlqpf&b=3&s=cf.
Similarly, Akamai gave me this cookie
AOOC=368398094.
Simply put, we shouldn't have to trust these companies to not track us. Users should not be given unique IDs in order to opt-out.
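The difference between a generic opt-out cookie and one that carries a unique ID can be checked mechanically: opt out from two fresh browser profiles with empty cookie jars and compare what each one is handed. The sketch below is an added example, not code from TACO or from Google's plugin; the `.example` network names, the cookie attributes and every second-profile value are constructed, and only the Yahoo and Akamai first-profile values are the ones quoted in this post.

```javascript
'use strict';

// Parse the leading "name=value" pair of one Set-Cookie header value.
// Attributes after the first ';' (Domain, Path, Expires, ...) are ignored.
// Only the first '=' separates name from value, so values that themselves
// contain '=' or '&' (as Yahoo's does) stay intact.
function parseSetCookie(header) {
  const pair = header.split(';')[0];
  const eq = pair.indexOf('=');
  if (eq <= 0) return null; // no '=' at all, or an empty cookie name
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Build a name -> value map from the headers captured in one fresh profile.
function toJar(headers) {
  const jar = new Map();
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (c) jar.set(c.name, c.value); // a later header overrides an earlier one
  }
  return jar;
}

// Compare the opt-out cookies given to two independent, empty profiles.
//   same name, same value      -> generic (every opted-out user looks alike)
//   same name, different value -> identifiable (the value can single a user out)
//   name seen in one profile   -> inconclusive (capture failed, or the name varies)
function auditNetwork(profileA, profileB) {
  const a = toJar(profileA);
  const b = toJar(profileB);
  const cookies = [];
  for (const name of new Set([...a.keys(), ...b.keys()])) {
    let verdict;
    if (!a.has(name) || !b.has(name)) verdict = 'inconclusive';
    else verdict = a.get(name) === b.get(name) ? 'generic' : 'identifiable';
    cookies.push({ name, verdict });
  }
  let overall;
  if (cookies.length === 0) overall = 'no-opt-out-cookie';
  else if (cookies.some((c) => c.verdict === 'identifiable')) overall = 'identifiable';
  else if (cookies.some((c) => c.verdict === 'inconclusive')) overall = 'inconclusive';
  else overall = 'generic';
  return { overall, cookies };
}

// Sort networks the way the two lists in this post are sorted: networks whose
// opt-out is generic can be bundled, identifiable ones are left out.
function partition(captures) {
  const result = { include: [], exclude: [], recheck: [] };
  for (const [network, { profileA, profileB }] of Object.entries(captures)) {
    const { overall } = auditNetwork(profileA, profileB);
    if (overall === 'generic') result.include.push(network);
    else if (overall === 'identifiable') result.exclude.push(network);
    else result.recheck.push(network);
  }
  return result;
}

// Constructed sample captures (see the lead-in for what is real and what is not).
const CAPTURES = {
  'generic-network.example': {
    profileA: ['OPT_OUT=1; path=/; expires=Fri, 01 Jan 2038 00:00:00 GMT'],
    profileB: ['OPT_OUT=1; path=/; expires=Fri, 01 Jan 2038 00:00:00 GMT'],
  },
  Yahoo: {
    profileA: ['B=c97l3894rlqpf&b=3&s=cf; path=/'], // value quoted in the post
    profileB: ['B=0constructed00&b=3&s=aa; path=/'], // constructed
  },
  Akamai: {
    profileA: ['AOOC=368398094; path=/'], // value quoted in the post
    profileB: ['AOOC=100000001; path=/'], // constructed
  },
  'both-cookies.example': {
    // The post's "OPT_OUT=1" plus "USER=12345678" illustration.
    profileA: ['OPT_OUT=1; path=/', 'USER=12345678; path=/'],
    profileB: ['OPT_OUT=1; path=/', 'USER=87654321; path=/'], // constructed
  },
  'flaky.example': {
    profileA: ['OPT_OUT=1; path=/'],
    profileB: [], // second capture returned no cookie at all
  },
};

console.log(partition(CAPTURES));
```

Two matching samples do not prove a value is shared by every user, so repeating the capture from more profiles raises confidence in a "generic" verdict.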
The following companies force unique IDs upon users wishing to opt-out. This add-on does not currently provide opt-out functionality for these networks, since I don't want to encourage their sketchy ways. Hopefully, being listed here might shame them into providing a more pro-privacy way of opting out.
These companies are:
- Akamai
- Atlas
- Blue Kai
- BlueLithium
- FetchBack
- Interclick
- MindSet Media
- Media 6 Degrees
- 24/7 Real Media
- Specific Media
- Yahoo
Disclaimer: This code is based on the Advertising Cookie Opt Out Plugin by Valentin Gheorghita, a Google Engineer. It was not sanctioned by Google or the Network Advertising Initiative. While the folks at the Berkman Center (who pay me) are huge supporters of privacy, I have done this in my personal capacity, and this is not an officially blessed Berkman project.
Wednesday, March 11, 2009
White House ends "experiment," goes back to YouTube
Sigh. I was all set to write a blog post praising the White House.
A week ago, I wrote about the new "delayed cookie" option that YouTube was offering, and particularly, the company's broken promises with regard to privacy. The short version is that YouTube is serving videos from a new "www.youtube-nocookie.com" domain, while quietly forcing Flash cookies upon users who view any page that had embedded one of those videos.
What I didn't mention in that blog post was that the new White House, YouTube-free Flash-based video tool was doing the same thing. That is, anyone who visited the White House blog would receive a long-term Flash cookie, even if they never clicked play.
I'd been kicking the White House in the knees for much of the last couple months, and so I thought I would give them a break, at least for a couple weeks, while I focused my attention on YouTube/Google. I did, however, drop the White House Web team a friendly email to let them know about this Flash cookie issue.
Fast forward one week, and it seems that the White House has quietly made another change to its site, this time doing away with the Flash-based cookies for its Akamai hosted video player. This is great news.
The White House received a bit of criticism, and, yet again, in response, they changed their policies for the better.
This blog post should have ended there, with praise for the White House, and their rapid positive response to the concerns of the privacy community.
Unfortunately, there is some bad news.
Back to YouTube
The White House first rolled out its own Flash-based video solution for the President's video messages on Feb 28th. Responding to my blog post at CNET on the issue, the White House quickly spun the news as an "experiment" and in no way a shift of policy.
Over the next few days, the White House gave me a bit of reason to be hopeful, as it then posted several more videos to its site, all using its own Flash based tool.
However, at least based on the appearance of a 30 minute video embedded into the White House page today, it looks like the "experiment" is over. YouTube is back.
While this new video uses YouTube's "delayed cookie" option, due to the Flash cookie issue mentioned earlier, visitors to the White House site continue to receive long-term tracking Flash cookies, even if they never click play.
I am honestly rather disappointed in the White House for this move. As long as YouTube continues to force any tracking mechanism, be it an HTML cookie, a Flash cookie, or any other form, the White House simply should not be embedding YouTube videos in its website.
Of course, this return to YouTube comes the very same day that Google has announced that it will start using cookies to track the web-surfing behavior of users across the Internet, which it will then use to serve them targeted advertisements. This raises serious questions -- namely, will tracking data from videos embedded into the White House Web site end up in Google's targeted advertising database?
Tuesday, March 10, 2009
Someone is lying
I have three conflicting reports, two from TSA agents, and one from a police officer -- which do not mesh. Someone simply isn't telling the truth . . .
In February of 2007, I caused an "incident" at Washington Reagan Airport. Back then, it was legal to fly without ID, something I had done over a dozen times. On this one occasion however, a TSA agent refused to permit me to do so, called over a police officer, who then compelled me to show her my drivers license under the threat of arrest. Once I had done so, the officer then handed my drivers license to the TSA agents, over my vocal protests, who then wrote down my info for their incident report.
I wrote a blog post describing that incident shortly after it happened. Days later, I wrote a letter of complaint to the Metro. Wash. Airport Authority.
In the several hundred pages that I got from my recent FOIA request to TSA, I found a few gems.
First, a statement of fact was written on March 29, 2007 describing that incident, by a TSA Security Officer (likely a Mr. Christopher Gibilisco):
Sgt. [redacted] conducted an NCIC check, interviewed Mr. Soghoian and cleared him to the sterile area. Sgt. [redacted] then placed Mr. Soghoian identification and boarding pass on the table in the screening area. Expert TSO [redacted] asked Mr. Soghoian permission to view the information on Mr. Soghoian documents in order to complete the required TSA incident report. Mr Soghoian agreed.
I also found a March 26, 2007 statement written by an unnamed TSA Security Manager (likely a Mr. Jim Leonard) describing the same incident:
The MWAA Sergeant verified his credentials and tried to hand the driver's license back to the passenger who was in the process of putting his jacket on and instead placed the driver's license and the boarding pass on the screening table with the passenger's carry on property.
During the screening process no one from TSA ever have control or possession of the passenger's driver's license. The only person that had control of the driver's license during this screening was the female MWAA Sergeant and she only had the license in her possession for approx. three minutes and then placed it on the screening table. As soon as the screening was complete the passenger picked up his belongings and left to board his flight.
There is also an undated, unsigned letter, which I believe to be a report by Sergeant Sonya Westbrook:
On Sunday 02/19/07 at 0912 hrs, I was working 2n30, when a TSA agent who stated that they had an individual at the secondary screening refusing to show ID approached me. He further stated that he fit the profile of suspicious person, Based on the training that he had received (SPOT).
I approached the individual and asked him his name, which he did state. Acting in good faith, I advised the patron that he was required to show ID if he wanted to proceed further passed the screening area. When I asked for his Id He did surrender it. I ran a 29, with negative results.
I advised the TSA agent that everything checked out, and did they need anything else, since the patron did comply. He stated that they need his information to complete a report, I then handed the DL to the supervisor, and then they handed it back to the individual. I cleared the call 0919 hrs.
I've scanned all three reports, and put them online.
Simply put, the reports don't match up. Either the police officer is telling the truth, and she gave my ID to the TSA agents, or the TSA agents are telling the truth, in which case the officer is wrong. Given the "new professionalism" of modern police forces rather publicly hailed by Justice Scalia, surely the police officer must be right.
Does this mean that two TSA agents lied in their official reports?
Had I known that TSA were going to get to see my drivers license anyway, I certainly wouldn't have gone through the inconvenience of refusing to show ID, being patted down, and having every item in my carry on bag searched. I believed that in exchange for the inconvenience of being heavily searched, I would get to maintain a tiny portion of my privacy. This didn't turn out to be the case.
In the days that follow, I'll be writing and sending off an official letter of complaint to TSA/DHS, for violating my civil liberties (and TSA's own policies that permitted people to travel without ID). I will also ask that TSA investigate the conflicting reports, and the possibility that the TSA agents knowingly provided false statements in their official reports describing the incident.
Friday, March 06, 2009
FOIA Fun
One of the benefits of moving back to this blog is that I'll be able to spend a bit more time talking about things that were not appropriate/of interest to the larger audience at CNET.
Case in point....
I recently received the result of a Freedom of Information Act request that I submitted to TSA, in July of 2007, for "my file" -- essentially, any documents relating to the boarding pass incident, and the several occasions when I've been stopped by the police at airports for refusing to fly without ID.
TSA found 436 pages of documents, 151 of these were released in full, 179 were heavily censored, and 106 were outright denied to me.
I've just started digging through the papers -- and have already found some really juicy stuff, which will give me fodder for several blog posts, and a few letters to TSA, and maybe even a lawsuit if I can find willing counsel.
Highlights include outright lies by TSA/DHS employees, my social security number showing up in some shadowy TSA investigative database, and information indicating that a Joint Terrorism Task Force as well as someone at the Bush White House were keeping tabs on my boarding-pass saga.
In the coming weeks, I'll scan some of the goodies, and post a bit of commentary to go along with them. However, in the mean time, I have a request to the Internets:
If anyone has any experience with the process of appealing a FOIA denial, or better, knows a lawyer willing to help me out (for free), please get in touch. I have a copy of EPIC's FOIA bible here, but it's not exactly easy reading.
I have 60 days from February 19th to file my appeal.
Thursday, March 05, 2009
The end of Surveillance State
For the last year and a half, I have published a blog over at CNET, focusing on security, privacy and technology policy. Well, as of March 4, that business relationship is now over.
As my regular readers will know, for the past few months, I have been hammering the Obama Administration for its close ties to Google/YouTube. Starting back in November of 2008, I called for the "separation of Google and State," and urged the then President-elect to find a more pro-privacy way to deliver his video messages.
Looking back through the posts I have published in the past few months, nearly every single one is focused on this issue. These include:
Why Obama should ditch YouTube
Dear Obama: Use BitTorrent for your Fireside podcasts
White House exempts YouTube from privacy rules
White House acts to limit YouTube cookie tracking
White House yanks 'YouTube' from privacy policy.
While this might seem like an insane obsession, I strongly believe that my writing helped to bring a significant amount of attention to this issue, and thus led to real change. Consider the following:
- In the first five days of the Obama Presidency, his web-team changed their privacy policy three times, addressing issues first highlighted on my blog.
- Before Obama had even moved in the White House, his lawyers had written up a waiver for the YouTube cookie issue (although they still refuse to release it), addressing concerns that I had raised in November of 2008. YouTube was similarly used by several agencies during the Bush Administration, although no such waiver was felt to be necessary.
- Within days of Obama's inauguration, his web-team rushed out a partial fix to the cookie issue for people who didn't click "play", and then shortly after, a link to the White House privacy policy was added below each embedded video on the White House Web site.
In the past six weeks, the White House web team has devoted a significant amount of time towards fixing privacy problems on the site. If the issue wasn't a priority for them when they started in late January, it certainly is now.
"The White House Dumps YouTube"
On Monday, I published a story documenting the fact that the White House had, with its latest weekly video address, opted to not use an embedded YouTube video on the official White House Web site.
The story set off a minor shit-storm in the blogosphere, which eventually led to a New York Times story, and official denials by both the White House and YouTube.
Feeling the pressure, my editors at CNET rewrote the headline on my blog post, and then added a comment to the top stating that my story "significantly misconstrued the White House's policy on and use of YouTube."
The next day, I was notified that our business relationship had been terminated, and that CNET would no longer be requiring my blogging services.
Ouch.
Looking at the denials in depth
It is clear that Google (and to a lesser extent, the White House) needed to issue denials, if just to save face. However, rather than addressing the specific statements in my blog post, they denied things that I never actually claimed.
Rather than actually comparing the denials to the text of my blog post, the media willingly published Google's spin-heavy version of the story.
In an effort to set the record straight, particularly with regard to CNET's statement that I "significantly misconstrued" the facts, consider the following:
Writing on the Google Policy Blog, Steve Grove wrote:
[Chris's] report is wrong. The White House decision does not mean that the White House has stopped using YouTube. The White House continues to post videos to its YouTube channel, as do other agencies like the U.S. Department of Education and the State Department.
However, my original story never claimed otherwise:
The White House is still posting copies of the videos to its official YouTube channel.
Likewise, consider the statements made by the White House to the New York Times:
Now the White House is denying that it has changed its policy on videos from YouTube, which is owned by Google, or other third parties. While it chose to host President Obama’s weekly radio and video address on WhiteHouse.gov, rather than embed a video from YouTube on its site, the change was simply an experiment, said Nick Shapiro, a White House spokesman.
“As the president continues his goal of making government more accessible and transparent, this week we tested a new way of presenting the president’s weekly address by using a player developed in-house,” Mr. Shapiro said in a statement. “This decision is more about better understanding our internal capabilities than it is a position on third-party solutions or a policy. The weekly address was also published in third-party video hosting communities and we will likely continue to embed videos from these services on WhiteHouse.gov in the future.”
Again, back to my original blog post:
It is unclear whether this switch away from YouTube marks a permanent shift in policy for the White House, or whether the Oval Office geek squad is merely testing an alternate video provider. While the latest video is served using Akamai's servers, the older videos remain as embedded YouTube files.
Looking back
While CNET goes to great lengths to state that the people writing in its Blog Network are not CNET employees, that detail often gets lost on members of the public. As a result, when I would blog something, it would be written up by other media outlets as "CNET reported that."
As an activist, this gives you a very powerful tool, since you effectively get to speak with the voice of the mainstream media. My blog gave me a soapbox which hugely amplified my voice, and permitted me to pillory companies and the government whenever I thought they were doing something they shouldn't.
In several cases, I was able to use the CNET blog to significantly shape the public debate on various issues -- such as with Google's so called "anonymization" of search log data, TSA's policies towards flying with no ID and the disclosure of identifying customer information by Internet Service Providers.
I suppose that what surprises me the most is that CNET let me editorialize on their site and with their brand for as long as they did.
Moving on
While I am clearly a bit sad about the loss of my soapbox, there is probably a silver lining in this. I am a PhD student in my third year, and I really need to start working on my dissertation soon. Blogging, even once or twice a week, takes a significant amount of time, at least when you are trying to write detailed and original analysis. It'll be nice to be able to refocus those 10 hours a week or so back on my studies.
It's likely that I'll still blog here once in a while, but now that I'm no longer contractually obligated nor paid to do so, it is likely that I'll be writing far less frequently.
Those of you who had subscribed to the CNET RSS, please re-subscribe here. And those PR hacks who keep pitching stories in the hope that I'll post your press release to CNET, please stop.