Friday, July 31, 2009

NAI to require minimum 5 year expiration date for opt out cookies

One week ago, I published an open letter to the Network Advertising Initiative, in which I complained that the behavioral advertising opt-out cookies offered by many NAI members had been set to shamefully short periods of time -- in some cases, as short as six months.

Over the past few days, executives from many NAI member firms contacted me to let me know that they were shifting to a better policy. I outlined the updated policies of those companies in this blog post.

This morning, I was contacted by the Executive Director of the Network Advertising Initiative, who informed me that the group will be requiring that all NAI member firms set their opt-out cookies to last at least five years. I expect to see news of this posted to the NAI site in the next few days.

Depending on your perspective, you could either see this as:

1. A sign that the industry can effectively and rapidly police itself when notified of a problem, or

2. Proof that the industry has for nearly a decade offered crippled opt-outs that silently vanished just a few months after the consumer expressed their wish to not be tracked.

While it is quite fun to see the industry scrambling to perform emergency damage control in response to my blog posts, it is pretty pathetic that I had to do this at all. This multi-billion online advertising industry should not depend upon a single graduate student to keep it honest.

Thursday, July 30, 2009

My comments on the new proposed federal cookie and web tracking guidelines

One week ago, Vivek Kundra, the federal CIO, asked for feedback and input on a proposed overhaul of the rules prohibiting the use of tracking cookies on federal web sites.

I submitted my 5 page comments document today. For those of you who don't want to wait until all of the comments have been posted to the White House web site, I've embedded my submission here.

Monday, July 27, 2009

TACO 2.0 released

Update: Mozilla has approved TACO 2.0. All current TACO users should see a prompt to update the add-on the next time they restart Firefox.

I am happy to announce the release of version 2.0 of the Targeted Advertising Cookie Opt-out (TACO) Firefox add-on.

This version has been completely rewritten from scratch, primarily by Daniel Witte @ Mozilla Corp. It also includes opt-out cookies for 6 additional advertising companies: Snoobi, comScore VoiceFive, Hurra, Criteo, Coremetrics and EyeWonder.

I am waiting for the nice folks at Mozilla to read through the code and then approve it. If you lack patience, and simply cannot wait, TACO 2.0 can be installed by clicking here. Otherwise, wait a few days until Mozilla approves it, and then the 100,000 or so existing TACO users should receive an automatic update to this new version.

A total rewrite

The original TACO was essentially a fork of Google's Advertising Cookie Opt Out Plugin. Google's original tool included one cookie -- I simply modified it to include an additional 100 or so opt out cookies.

The problem is that Google's original code wasn't all that good -- it would reload all of the opt-out cookies each time a new window/tab was opened, and then force them to be reloaded again every 10 minutes, even if none of the opt-out cookies had changed.

Perhaps this isn't such a big deal for a tool that is designed to install a single opt-out cookie. However, it clearly didn't scale well.

Unfortunately, my JavaScript skills are pretty horrible, and so I really wasn't up to the task of rewriting TACO by myself. Luckily, Daniel Witte, Mozilla's resident cookie guru, offered to lend a hand, and eventually rewrote the entire add-on from scratch.

This new version is considerably faster, and no longer re-installs 100+ cookies into the browser each time a new tab/window is opened nor does it reinstall them again every 10 minutes after that.

Blocking third party cookies

One of the biggest complaints from TACO power-users was that the tool would not function when the user had configured the browser to block all 3rd party cookies (a suggested practice, and one which both Safari and Chrome do by default). I am happy to announce that TACO now plays nicely with blocked 3rd party cookies, and so the paranoid amongst you should feel free to go ahead and block them without having to worry about it breaking TACO.

A note about EyeWonder

Finally, blog-readers may remember that I recently pointed to EyeWonder's non-existent broken opt-out as an example of one of the worst practices in the industry.

After 9 days, it looks like the company finally fixed the opt-out, and so users of TACO 2.0 are automatically opted out of all of EyeWonder's behavioral advertising.

Behavioral advertising opt out cookie expiration update

Updated on July 28 with news from Yahoo! and 24/7 Real Media
Update again on July 29 with news from Microsoft and Fetchback

Just a quick update regarding the open letter I published to the Network Advertising Initiative last week, regarding the shamefully short expiration dates assigned to the opt-out cookies for many of the NAI members.

Within 6 hours of the letter hitting my blog, I received an email from Doug Miller, the head of privacy at AOL, informing me that the opt-out cookies for AOL's Advertising.com and TACODA had been set to such short periods of time because of a bug and that his team had since changed them to expire in 2099.

The next day, the CEO of BlueKai contacted me to let me know that the six month expiration for his company's opt-out cookie was also a bug, and that his team was changing it to expire after 5 20 years.

Also on Friday, I was contacted by a representative from Media 6 Degrees, who informed me that the six month expiration for their opt-out cookies was an engineering oversight. They informed me that by July 31st at the latest, the company's opt-out cookies will be set to expire after 10 years.

Media 6 Degrees also made it a point to state that "[W]e agree with, and fully support, the assertion that the NAI should define and require a minimum expiration time for all member opt-out cookies."

Yahoo! announced on Tuesday July 28 that they will be changing their opt out cookie to expire after 20 years. Yahoo! was even nice enough to give me a shout out in the official blog post announcing the change.

24/7 Real Media contacted me on July 28th to let me know that they have changed their opt out cookie to expire after 30 years.

On July 29, I was contacted by Microsoft's privacy team to let me know that live.com (which is not a member of the NAI) will also be shifting to five years. Atlas, Microsoft's advertising platform, is an NAI member and already had a 5 year expiration to begin with.

Also on July 30, the folks from Fetchback tweeted to let me know that as of today, their opt-out cookie is now set to expire after five years.


Not so much love from Yahoo!

While the 24 month expiration date for Yahoo's opt out cookie isn't as bad as the 6 months for some NAI members, it still isn't anything to be proud of, particularly when the company's major competitors have set an example by adopting opt out expirations of 30-60 years.

I contacted a senior member of Yahoo's privacy team, who informed me the company plans to add some language to the Yahoo opt out web page that will inform consumers of the fact that they will need to revisit the page every 2 years. However, the Yahoo executive I spoke with showed absolutely no interest in lengthening the expiration date of the company's opt out cookies.

So much for bold leadership Yahoo.

Sunday, July 26, 2009

Apple: Want anonymity? You must be a drug dealer

Anonymity can be a very useful thing. Iranian dissidents use anonymity preserving systems in order to browse the web without suffering under the watchful eye of the state security apparatus. Likewise, FBI agents investigating child pornographers browse the Web using systems like Tor, so that the bad guys don't see an fbi.gov address in the web server access logs.

Bloggers, whistleblowers, and our founding fathers all made use of anonymity in order to freely speak unpopular or dangerous information.

While anonymity is arguably as American as apple pie, that hasn't stopped Apple Corp. from continuing its war against all things anonymous.

In 2004, AppleInsider, a Mac rumor blog, published (presumably leaked) information about a forthcoming Apple product. The company went to court in order to try and force the blog to reveal their anonymous sources. AppleInsider turned to the Electronic Frontier Foundation, who successfully convinced the court to apply California's journalist shield law to bloggers. The court eventually forced Apple to pay the EFF a cool $700,000 in legal fees.

Apple still hates anonymity

Even after that rather expensive lesson, it seems that Apple still has no love for those who seek anonymity.

In a recent filing with the copyright office, Apple has argued that consumers who wish to jailbreak their mobile phones and change the device's unique serial number must be drug dealers or other criminals.
[E]ach iPhone contains a unique Exclusive Chip Identification (ECID) number that identifies the phone to the cell tower. With access to the BBP via jailbreaking, hackers may be able to change the ECID, which in turn can enable phone calls to be made anonymously (this would be desirable to drug dealers, for example) or charges for the calls to be avoided.
Remember that the only way a US consumer can legitimately use an iPhone (at least in Apple's eyes) is to sign up for service with AT&T: A company that willingly (and illegally) violated the privacy of millions of Americans by allowing the US National Security Agency to spy on their calls, text messages, emails and web browsing activity.

To therefore argue that drug dealers are the main beneficiaries of iPhone anonymity is a pretty disgraceful lie. David Hayes, Apple's bigshot IP lawyer at Fenwick and West who wrote this letter, should be ashamed of himself.

Thursday, July 23, 2009

An open letter regarding opt out cookie expirations

Charles Curran
Executive Director
Network Advertising Initiative
62 Portland Road
Suite 44
Kennebunk ME 04043

Dear Mr Curran,

I write to you today to draw your attention to several problems related to the process through which consumers can opt out of behavioral advertising performed by Network Advertising Initiative (NAI) member companies.

In particular, I would like to draw your attention to the widely varying expiration dates for the behavioral advertising opt out cookies supplied by the various NAI member advertisers. The opt out cookies for some sites last as little as six months, while others last as long as sixty years. This variability is not communicated to consumers, and as a result, many are unlikely to know that they must revisit the NAI web site and re-opt out every six months in order to maintain total opt out coverage.

I urge you to update the NAI Self-Regulatory Code of Conduct to require that your members adhere to a reasonable minimum expiration age for opt out cookies (I suggest at least five years). I also ask that you add text to the NAI opt out page to inform consumers of the shortest opt out cookie expiration, and make it clear that they will need to re-visit the site at that time in order to renew the opt out cookies.

The Issue in Depth

The Network Advertising Initiative provides a single-stop web site through which consumers can opt out of the behavioral advertising performed by its 34 member companies.

The text on this site advises consumers that:
To opt out of an NAI member's behavioral advertising program, simply check the box that corresponds to the company from which you wish to opt out. Alternatively, you can check the box labeled "Select All" and each member's opt-out box will be checked for you. Next click the "Submit" button. The Tool will automatically replace the specified advertising cookie(s) and verify your opt-out status.

While the site makes it relatively easy for consumers to opt out, no mention is made of the fact that many of the opt out cookies have been intentionally set to expire after a few short months, and thus the consumer will need to return to the NAI web site and repeat the process with some regularity in order to maintain total opt out coverage.

I am concerned that the NAI and its member companies have done nothing to inform consumers of this important issue. As a result, many consumers may falsely believe that a single visit to the NAI web site is sufficient.

There has already been quite a bit of attention paid to the ease with which opt out cookies can be accidentally erased by users (for example, whenever they clear out their browser cookies). The NAI itself even recognizes that problem, advising visitors to its frequently asked questions page that:
Will I ever need to renew my opt-out or opt out again?

If you ever delete the "opt-out cookie" from your browser, buy a new computer, or change Web browsers, you'll need to perform the opt-out task again. It's only when the network advertiser can read an "opt-out" cookie on your browser that it can know you have decided not to participate.

Those few users who explore the NAI site long enough to read through the frequently asked questions are quite likely to be deceived by the text of this statement – which implies that opt out cookies will stay put, except in the event that the user clears out her cookies, purchases a new computer, or switches to a new web browser.


Opt out cookie expiration dates vary, but are often far too short

When the NAI member firms implement their opt out process, their engineers set the length of the cookie expiration. While web cookies must have an expiration date (as per the technical standard), some NAI members have erred on the side of user privacy, and set their cookies to expire after 60 years or more. Unfortunately, many other NAI members have chosen to set their opt out cookies to expire after far shorter periods of time, some as short as six months.

There is simply no legitimate reason to set such a short expiration date.

With regard to opt out cookie expiration age, BlueKai, Media6Degrees and Specific Media are the worst of all NAI members. These firms have set their cookies to expire after 6 months. AOL’s Advertising.com is a close second at just 8 months.

Most NAI members do not inform consumers of the opt out expiration

Of the 14 NAI members whose opt out cookies are set to expire in 24 months or less, BlueKai is the only firm to mention this fact in its privacy policy.

In the 6th paragraph of BlueKai’s privacy policy, the company notes that “As of May 1, 2009. BlueKai cookies will expire after six months from the date they are created.” However, this text is in the section of the privacy policy describing the company’s use of tracking cookies, which is 5 paragraphs above the section on opt outs. As a result, the few consumers who do read BlueKai’s policy are quite likely to wrongly believe that this statement only applies to the tracking cookies, and not the opt out cookie too.

The other 13 NAI members with opt out cookies that expire after a period of 24 months or less make no mention at all on their own web sites or privacy policies of this important bit of information.

My recommendations

Most consumers are unlikely to be aware of the short expiration dates of many NAI member opt out cookies. I urge you to take comprehensive steps to increase the length of the opt out cookies, and to better inform consumers of the fact that even under ideal circumstances, they will still need to re-visit the NAI web site a couple times per year in order to opt out again.

In order to provide consumers with a better opt out process, I urge you to do the following:

1. Update the NAI Self-Regulatory Code of Conduct to require that member companies adhere to a reasonable minimum expiration age for opt out cookies – at least five years.

2. Update the NAI Self-Regulatory Code of Conduct to require that member companies disclose the opt out expiration time in the privacy policy contained on their own web sites.

3. Add text to the NAI Opt Out Page to inform consumers of the expiration date of all the NAI members, so that they know when they must return in order to maintain complete opt out protection.
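
The expiration check behind this letter can be automated. The following is an added example, not code from TACO or the NAI: it reads the `Set-Cookie` header each network returns from its opt-out page, works out the cookie's lifetime (`Max-Age` takes precedence over `Expires`), and flags anything shorter than the five-year minimum recommended above. The network names, cookie names and header values are constructed for illustration.

```python
"""Audit opt-out cookie lifetimes from Set-Cookie headers (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Five-year minimum from the letter's first recommendation.
MIN_LIFETIME = timedelta(days=5 * 365)

# Constructed sample data: hypothetical networks and header values.
RECEIVED_AT = datetime(2009, 7, 23, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("adnet-a.example", "optout=1; Domain=.adnet-a.example; Path=/; "
                        "Expires=Sat, 23 Jan 2010 12:00:00 GMT"),
    ("adnet-b.example", "OPTOUT=yes; Path=/; Max-Age=157680000"),
    ("adnet-c.example", "opt_out=true; Path=/"),
    ("adnet-d.example", "optout=1; Max-Age=63072000; "
                        "Expires=Thu, 31 Dec 2099 23:59:59 GMT"),
    ("adnet-e.example", "optout=1; Path=/; Expires=Thu, 31 Dec 2099 23:59:59 GMT"),
]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs, received_at):
    """Return the cookie lifetime, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age overrides Expires when both are present
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: browsers treat it as a session cookie
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - received_at
    return None


def audit(responses, received_at, minimum=MIN_LIFETIME):
    """Classify each (network, Set-Cookie header) pair by opt-out lifetime."""
    findings = []
    for network, header in responses:
        name, _, attrs = parse_set_cookie(header)
        lifetime = cookie_lifetime(attrs, received_at)
        if lifetime is None:
            status = "session-only"      # gone when the browser closes
        elif lifetime <= timedelta(0):
            status = "already-expired"
        elif lifetime < minimum:
            status = "too-short"
        else:
            status = "ok"
        findings.append({
            "network": network,
            "cookie": name,
            "lifetime": lifetime,
            "days": None if lifetime is None else lifetime.days,
            "status": status,
        })
    return findings


def earliest_renewal(findings, received_at):
    """Date by which the user must opt out again to keep full coverage."""
    lifetimes = [f["lifetime"] for f in findings if f["lifetime"] is not None]
    return received_at + min(lifetimes) if lifetimes else None


if __name__ == "__main__":
    results = audit(SAMPLE_RESPONSES, RECEIVED_AT)
    for f in results:
        print(f"{f['network']:18} {f['cookie']:8} {f['status']:14} days={f['days']}")
    print("re-visit by:", earliest_renewal(results, RECEIVED_AT))
```

The earliest renewal date is the figure the third recommendation asks the NAI to publish on its opt-out page.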

Saturday, July 18, 2009

Some of the worst opt-out failures in the online advertising industry

I'll be releasing a new version of TACO in the next few days. In the process of collecting a bunch more opt-out cookies, I came across a couple examples of horribly broken opt-outs.

In order to share my amusement/frustration with the rest of the Internet, I'm presenting them here:

1. Teracent

In the 100+ online advertising firms whose opt-outs I have requested, this is the only one that I've found that requires a CAPTCHA in order to opt-out. By itself, this would merely be an annoyance. However, the CAPTCHA code on their opt-out page is broken, and thus even correctly entered answers are rejected as invalid. Thus, it is impossible to ever successfully receive an opt-out cookie from their site.



2. EyeWonder

This company has a lot going for it. Their privacy page makes all kinds of bold promises, such as the fact that their cookies comply with the Platform for Privacy Preferences (P3P). The buttons to opt-in and opt-out are fairly easy to discover, and clearly labeled. Unfortunately, both the opt-in and opt-out buttons link to non-existent pages on their website. Anyone wishing to opt-out is thus met with a 404 error.



These are not the first two horribly broken opt-out sites that I have discovered -- just the most recent. A few weeks ago, I had to email the folks at BlueKai, after discovering that the opt-out links on their web site had been broken for over two months. On the plus side - BlueKai's CEO, Omar Tawakol, had the links fixed within 2 hours of my initial email, after 5PM on a Friday afternoon.

This is not an attempt to argue that these companies are maliciously providing broken opt-outs on their site. Hanlon's Razor tells us to never attribute to malice that which can be adequately explained by stupidity. In this case, it is far more likely to be ineptitude rather than some devious plot to stop consumers from using the opt-outs.

Why would they need to go out of their way to break the opt-outs? Even when the opt-outs are working, few if any consumers will actually discover them in the first place.

My point is that the industry is not doing a good job of policing itself, companies are not performing the most basic form of quality assurance and testing, and it is clear that they are not hiring outside auditors to independently verify that the opt-outs are working properly.

This industry is big enough, and profitable enough to not need to depend upon a single motivated graduate student to discover and police its broken opt-outs.

This is an industry that is desperately fighting the efforts of Congress to force it to switch from an opt-out model to opt-in for data collection and use... yet many of the industry players can barely provide working opt-outs.

We need comprehensive regulatory oversight of this industry, and we need it now.

Friday, July 17, 2009

Reading between Yoo's lines

Writing in the Wall Street Journal yesterday, torture/illegal wiretapping enabler John Yoo argued:
Unlike, say, Soviet spies working under diplomatic cover, terrorists are hard to identify. Yet they are vastly more dangerous. Monitoring their likely communications channels is the best way to track and stop them. Building evidence to prove past crimes, as in the civilian criminal system, is entirely beside the point. The best way to find an al Qaeda operative is to look at all email, text and phone traffic between Afghanistan and Pakistan and the U.S.
While Yoo doesn't come out and say it, the far more obvious difference between KGB spies and Al Qaeda operatives is that the Russians probably used strong encryption, and not, say, a shared Hotmail account.

The US government snooped on the communications of millions of Americans because Joe Terrorist still doesn't know how to use Pretty Good Privacy. If Al Qaeda's communications were all protected by strong encryption, it probably would have been much tougher to justify (even inside the permissive Yoo/Gonzales Department of Justice) the disgraceful warrantless interception and "other programs" which we still have yet to learn much about.

More Mistruths from Google on Privacy

When it comes to discussing the details of the company's privacy policies, Google is rarely forthcoming. Company statements, while technically truthful, are usually very deceptive to all but the expert reader. This allows Google to say one thing, while meaning another.

A fantastic example of this can be seen in statements made during a recent newspaper interview by Marissa Mayer, Google's vice president of search products and user experience:
"When you look at, for instance, search history, which is what personalised search is based on, you can actually see all of the information that Google has about you and you can understand how it's being deployed and you also can decide to opt out of the service entirely, or you can even delete various parts of the data that you don't like or you'd rather we didn't have. So there's a lot of transparency and control available to the user there, and we want to operate with a lot of transparency, because we want our users to be informed about what's going on."
The casual reader might see Mayer's comments, and wrongly believe that they can log in to the Web History page on Google's site, delete the information on their previous searches, causing the information to be deleted from Google's various log files, and thus protect their data from a subpoena submitted by a government investigator, the entertainment industry or divorce lawyer. Anyone believing this is, unfortunately, dead wrong.

Consider this snippet from the Frequently Asked Questions page for the Google Web History service:

You can choose to stop storing your web activity in Web History either temporarily or permanently, or remove items, as described in Web History Help. If you remove items, they will be removed from the service and will not be used to improve your search experience. As is common practice in the industry, Google also maintains a separate logs system for auditing purposes and to help us improve the quality of our services for users. For example, we use this information to audit our ads systems, understand which features are most popular to users, improve the quality of our search results, and help us combat vulnerabilities such as denial of service attacks.

As this page makes clear, Google does not promise to delete all copies of your old search records when you delete them using the Web History feature. No, the company will merely no longer show them to you, and will no longer use that information to provide customized search.

I'm sure this was an honest mistake on Mayer's part, right? As the company's vice president of search products and user experience, it's not like she should actually be expected to understand the fine grained details of the company's policies for search and user privacy.

A pattern of deception

Unfortunately, Mayer's misstatement of the facts is not the first time that Google has given misleading statements to the press about its privacy policies.

Last September, Google announced to the world that:
Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.
The usually fantastic Ellen Nakashima at the Washington Post was the first to announce the news via an exclusive interview with Google Privacy Czar Jane Horvath. Unfortunately, Nakashima allowed her article to be used as a tool of the Google politburo.
[Horvath] said Google also would anonymize the IP addresses associated with search queries typed in by users into Google's standard search bar nine months after they have been collected. "This really just illustrates how seriously we do take data anonymization,"
Miguel Helft at the New York Times didn't do much better.

It wasn't until I took the initiative to contact Google's PR team a few days later with a series of in-depth technical questions about the specifics of the policy that the truth emerged.

Writing at CNET, I revealed that:
Google announced on Monday that the company will be reducing the amount of time that it will keep sensitive, identifying log data on its search engine customers. To the naive reader, the announcement seems like a clear win for privacy. However, with a bit of careful analysis, it's possible to see that this is little more than snake oil, designed to look good for the newspapers, without delivering real benefits to end users....

Google has now revealed that it will change "some" of the bits of the IP address after 9 months, but less than the eight bits that it masks after the full 18 months. Thus, instead of Google's customers being able to hide among 254 other Internet users, perhaps they'll be able to hide among 64, or 127 other possible IP addresses .... this is a laughable level of anonymity.
Once I pointed out how useless Google's new privacy policy actually was, the tech press soon jumped onboard. The Register called it "Google Privacy Theatre", while ZDNet called it a "farce." Robert X. Cringely wrote that "the announcement was designed to make headlines and appease regulators while doing nothing to release Google's stranglehold on your data."

Google and the Press

In this instance, Google was technically telling the truth. After all, at 9 months, the company does delete some information from their logs. It just happens that the act of deleting one or two bits of data does almost nothing to protect user privacy, and to describe it as "anonymity" is arguably false and deceptive advertising.

Unfortunately, most of the folks in the tech press are simply not up to the task of reading between the lines of Google's privacy doublespeak -- doing so usually requires the rare combination of expertise in the law as well as strong technical skills.

The true meaning of opt-outs

Don't worry though -- all is not lost. When government officials and regulators turn their gaze upon Google, they are often able to cut through the propaganda, and get to the truth. For some reason, Google seems far less able to lie to the Feds.

A fantastic example of this can be seen in the video clip embedded below, which is from the Behavioral Advertising hearing in the House of Representatives one month ago. Rep. Bobby Rush gets execs from both Google and Yahoo to admit that the companies do not allow consumers to opt out of the collection of data, but merely the use of that data. This is something that most firms are loath to admit in public, and instead leave the consumer hopelessly trying to read between the lines of their multi-page privacy policies.

Monday, July 13, 2009

My response to Safecount

Thank you to all the people who emailed me their thoughts, and those who left comments on my previous blog post regarding Safecount's request that their cookie not be included in TACO.

After thinking things through, I sent Tom Kelly, the company's COO this response:
Hi Tom,

The feedback I received on my blog was not particularly supportive of your request.

I have thought things through, and decided to do the following:

1. I have added a note to the TACO home page, which states:

"Safecount argues that they are not a behavioral advertising company. However, they are a member of the Network Advertising Initiative, and do collect detailed data on the browsing and ad-viewing habits of Internet users. Furthermore, this data is often collected with no notice provided to the user on the web page where Safecount's tracking code has been embedded."

2. If you or your engineers would like to spend a day or two creating the code necessary to enhance TACO, which will provide users with a list of the companies whose opt-out cookies are available and/or active, and a way for users to disable individual opt-outs, I would be happy to look over such a patch, and if it is decent, consider applying it to the mainline TACO codebase.

Such a feature would be nice, but frankly, it isn't important enough for me to spend my own time developing it. However, just to be clear, even if such an ability to disable individual opt-out cookies existed within TACO, I would have them all turned _on_ by default. That is, users would need to go into a preferences window, scroll down through 60 or so company names (since Safecount is not at the beginning of the alphabet), and then choose to disable your opt-out cookie.

As you know very well (and in fact, your business model depends upon it), few consumers ever take the time to dig through preference windows or look into privacy policies in order to learn about a particular company's activities. Thus, were such a feature to exist, I highly doubt if more than a handful of consumers would ever make use of it.

In any case - I would be happy to consider such a patch, but I suspect that it probably isn't worth your engineers' time to work on it.

Cheers

Chris

Sunday, July 12, 2009

Thoughts on the DMCA exemption process

On Friday, we sent off our 11 page reply letter to the Copyright Office, in response to the questions they sent us regarding our Digital Millennium Copyright Act exemption requests for DRM abandon-ware.

There is a semi-decent chance that I will be either employed or engaged in consulting work half-time starting in September, which could make it difficult for me to blog (particularly given the style and tone that I tend to use). Thus, I want to take this opportunity now, while I still have the freedom to fully express my thoughts, to reflect on this process, and thank the many who assisted me.

First, I originally had the idea for the exemption request in May or so of last year. In the process of writing a law paper on the hacking of subsidized electronic goods by consumers, I spent a lot of time studying the cell-phone unlocking exemption that Jennifer Granick had won back in 2006. I think it would be fair to say I was inspired by her actions.

The DMCA process is one of the few ways through which an individual can actually make a difference to impact federal cyber law and copyright policy. It doesn't matter how many former Senate staffers you have working for your cause, nor are donations to PACs a necessary requirement for access. As someone with both a desire to make a difference, and a lack of money/access, the appeal was clear.

Writing up the request

My exemption submission simply wouldn't have been possible without the assistance of a skilled legal team, led by Phil Malone at the Harvard cyberlaw clinic. While lay-persons do submit requests every year, they are never taken seriously (and when you read some of them, you understand why). The process is fairly straight-forward, but still requires some knowledge of the specifics of the DMCA.

I had the idea for both the consumer and researcher exemptions, and probably provided around 50-60% of the text in the original exemption request comment and in our reply letter. After reading Slashdot every day for the past 14 years, it was easy for me to dig up citations to all the past instances of failed media stores, a task which would have taken a clinical intern significantly more time.

I gather that most clinical clients do not participate as much, nor directly contribute as much to the final work product. However, since I know the DMCA fairly well, and knew the specifics of the situation which we were examining, I think my participation helped quite a bit. Plus, it is (for a copyright policy geek) quite a fun activity.

However -- my participation alone was not enough. Phil Malone and Arjun Mehra turned my rantings of repeated industry abuse and a plea for relief into a compelling legal document. To be clear -- while I strongly encourage technologists and copyright activists to get involved with the DMCA exemption process, you really are wasting your time without the assistance of tech-savvy lawyers.

Arguing for the exemptions in DC

Before going to DC in May to argue in-person for my exemption requests, I went to a Federal Trade Commission town-hall focused on DRM. This event was something of a trial run, with many of the same characters who would later show up in DC.

The industry folks who argued on behalf of DRM at that event were, frankly, clueless shills masquerading as experts, and as such, they seemed to do a good enough job revealing their ignorance that I didn't need to do much to help.



As one copyright expert tried to warn me ahead of time, most of the people at the FTC town hall were on the "B-team", while the industry would make sure to send the "A-team" to the DMCA exemption hearing.

Unfortunately, I didn't really listen to him, and so when I did go to Washington to argue for my exemptions before the Copyright Office, I was a tad bit over-confident.

An important note for future copyright geeks: If you are considering asking for a DMCA exemption, and end up arguing for it in person, do not under-estimate Steve Metalitz, the industry's main attack dog on DMCA related issues. He is very good, and very quick on his feet. Unless you are a seasoned lawyer, do not allow him to drag you into the weeds in a discussion of the specifics of copyright law -- stick to issues of consumer harm and industry abuse.

The hearing itself was thrilling, exciting, and sort of like a court room -- with a panel of judges (well, copyright office lawyers) on a podium at the front of the room, and with the "good guys" (me) and the "bad guys" (Metalitz and someone from Time Warner) at two tables, separated by an aisle.

My only real regret from the hearing was not having a hot-shot lawyer sit next to me, who I could defer to on legal related questions. It wasn't until the hearing was over that I looked back, and saw that both Wendy Seltzer and Fred von Lohmann had snuck into the hearing after it started, and had thus been watching it from the back row.

While I handled things pretty well, on questions relating to the specifics of section 1201, I wasn't as strong. Luckily, the Copyright Office attorneys didn't really hammer me with legal questions, and focused the questions on topics on which I could actually provide expert testimony.

A word on timing and legal clinics

A DMCA exemption is a perfect, small, self-contained project for Law School legal clinics. Exemption requests are due in the fall, optional reply comments are due in the spring, the hearings are in the late spring, and then question reply comments are due over the summer. The entire process, from start to finish, is over in less than 9 months. Furthermore, it is something that can be done by a single (supervised) clinical intern.

As a result, it is not terribly surprising that university law clinics are now playing an increasingly prominent role in the DMCA exemption process.

In 2009, 3 different groups of exemptions were sought by individuals represented by the Harvard cyberlaw clinic, the Samuelson-Glushko Technology Law & Policy Clinic at the University of Colorado School of Law, and the Glushko-Samuelson Intellectual Property Law Clinic at the Washington College of Law, American University. Clinics have played a similarly strong role in previous years.

Unfortunately, it does not appear that the copyright office realizes the role that these clinics play (and the students who provide the manpower). As a result, the DMCA exemption hearings were scheduled for May 1 at Stanford, and May 6, 7, 8 in Washington DC. For those of you not (or no longer) in academia -- this is right before, or during the middle of final exams for many law students.

Had the copyright office scheduled the hearings two or three weeks earlier, they would have made the lives of the clinical students much easier. I know from my own experience that, as I tried to prepare for the hearings, it was very difficult to get much in the way of time from Arjun Mehra (my clinical student) and Phil Malone (who teaches classes in addition to his role running the clinic, and thus had class projects and term papers to grade).

Likewise, sending out questions during the middle of the summer, when the clinical students are off working internships is not particularly helpful. Luckily, Berkman has a few fantastic students who are interning at our cyberlaw clinic for the summer. As a result, I was able to get the help of another fantastic clinical student, Rachel Gozhansky, who helped in drafting our reply to the Copyright Office's questions.

I am not sure if the two other clinics were able to gather the student summer labor necessary in order to work on the responses to the copyright office's questions.

Given the increasingly important role that law school clinics are playing in the DMCA process, I hope that the Copyright Office will consider the realities of the academic calendar for future DMCA exemption rulemakings.

Thursday, July 09, 2009

Safecount: Please opt us out of TACO

This afternoon, I received an interesting set of emails from Tom Kelly, the Chief Operating Officer at Safecount.

Hi Christopher -

A colleague forwarded us a link to your Taco download page where we were surprised to see Safecount listed with the likes of many ad networks.

While we, and I, find your development efforts to be interesting, and nicely in line with the entrepreneurial spirit of the web, some of the classifications on your page are quite misleading to consumers.

Safecount is a research company and we occasionally invite certain website visitors randomly to volunteer their opinions. We don't sell any products, we don't target anyone with advertising based on behavior or attitude, and we only work with publishers who give us permission to perform research on their sites.

That's the danger of generic 4th party cookie blocking, it ends up blocking web efforts OTHER than ad revenue, behavioral targeting profiteers. Maybe you'll consider removing Safecount from your list.

Respectfully,

- tom

After asking him if I could post his email to my blog, he followed up with this:

Sure thing, Chris. My point is that, while Safecount does place cookies on users' browsers based on certain ads they've seen:

A) we don't use that info to target any marketing or advertising to them - we're not a behavioral targeting group
B) we're 100% transparent in the cookies we do place

As a matter of fact, one can go to www.safcount.net and view ALL of the info we have for their computer (not personal info). There they can also delete that data and tell us how often they'd agree to be invited to take a quick survey, including "never". We're as much about control and transparency as I think you are.

Thanks, Chris.

- tom

It has been nearly four months since the first version of TACO was released. The latest version supports 84 different behavioral advertising firms, has been downloaded nearly 250,000 times, and is in daily use by nearly 80,000 users. That means that my tool is responsible for 6.7 million opt-out cookies (actually, it's more, due to the fact that some networks require multiple cookies for different advertising domains). Holy cow!

In those four months, this is the first time that an advertising industry executive has asked me to remove his company's opt-out cookie from TACO, and so I am honestly not quite sure how to react.

My initial reaction is to say no, for the following reasons:

1. I have created TACO for fun, as a side project. I don't charge for TACO, and I have a day job (well, actually, several). I really don't have time to evaluate each advertising company one by one to figure out if the company engages in a good or bad activity. If consumers want that level of analysis, they are free to use the "complete" or "selective" opt-out tools provided by PrivacyChoice -- which is run by a former Yahoo! advertising executive who has Seen the Light, Loves Privacy And Who You Should Totally Trust (TM).

2. Picking individual advertising industry companies who should or should not be included in TACO is a slippery slope, which will open me up to criticism, and accusations of abuse of power. TACO currently includes every generic, non-identifiable opt-out http cookie of all the online advertising industry companies that I know about. This is an easy standard to adhere to, and should protect me from accusations of bias.

3. Safecount, WPP (the mega advertising firm which owns it), the Network Advertising Initiative and others are free to make their own competitors to TACO which provide users with more choice, which provide users with less choice, which make it more or less difficult to opt out, or which make you dinner and do your laundry. TACO is open source, so they are even free to fork my code, and save themselves the weekend of coding it will take to create it from scratch.

4. Safecount is an advertising industry firm, which uses long term cookies to track the browsing and other activities of end-users. The company might not be in the behavioral advertising business, but it is certainly in the collection of consumer data business, which is still creepy.

5. Safecount has provided consumers with the ability to opt-out of its data collection/use, but then objects when tools like TACO actually make it easy for consumers to opt-out. 99% of consumers have never heard of the company, and so wouldn't even know to visit their opt-out page in the first place.

6. If the company is really "as much about control and transparency" as I am, they could switch from an opt out model to an opt in model. Let consumers who value the survey taking experience choose to have data on their browsing across multiple websites collected and analyzed. If the company switched to this model, the opt-out mechanism provided by TACO would be moot.

7. Likewise, while consumers can "go to www.safcount.net and view ALL of the info we have for their computer (not personal info)," this simply isn't good enough. It is totally unrealistic to expect consumers to visit the websites of 90-100 different advertising firms to "view the data collected on them", evaluate it, consider each company's 20+ page privacy policy, and then evaluate the kind of business and data relationship that they'd like to have with that firm.

Consumers don't opt-out of telemarketing from individual advertising firms after evaluating each firm's policy on calling during dinner hours -- No. They sign up for a single do-not call list, and are then free of the annoyance. We need the same for the online advertising industry. A single opt out for all data collection and usage.

After writing this all down, I think I am even more convinced that leaving Safecount in the list of opt-outs provided by TACO is a good idea.

However, I suppose a reasonable case can be made that the company is not a behavioral advertising firm -- and so I am open to at least changing the language on the TACO page to note that Safecount is merely an advertising firm that collects detailed information on the browsing and web viewing activity of Internet users.

Blog readers -- do you have any thoughts on this? Please leave a comment.

Copyright geeks: please provide feedback

Dear Copyright Experts of the Internets,

Tomorrow (Friday) at 5PM EST, we must submit our reply to the Copyright Office's questions regarding our request for two exemptions to the Digital Millennium Copyright Act.

Over the past week, we have worked feverishly to prepare the following draft, which I now feel is in pretty good shape.

However, we would love comments and suggestions.

Soghoian Response to DMCA Questions (draft)

Tuesday, July 07, 2009

Guess the party: Why privacy is different

By and large, the US political parties have fairly predictable positions on most issues. The GOP is pro life, pro torture, and pro gun. The Democrats are pro choice, mostly anti-torture, and usually anti-gun.

However, privacy is one of those rare issues for which the parties don't seem to have official positions. As a result, you get extremely interesting statements from various members of Congress.

Case in point, consider the following three short video clips from the June 18th hearing on behavioral advertising in the House Energy And Commerce Committee. Watch the clips, and see if you can guess the parties of the three House members. I suspect that many of you will be quite surprised.



Click here for a video of Rep. Stearns' full opening remarks.


Click here for a video of Rep. Boucher's full opening remarks.


Click here for a video of Rep. Barton's full opening remarks.

(Thanks to Dan Jones from the Berkman Center for helping me to turn the House video feed into something YouTube friendly.)

Monday, July 06, 2009

Praise for AT&T's gutsy defense of customer privacy

I'm about to do something I never thought I would do: Praise AT&T for taking a strong stand on privacy by refusing to disclose a customer's communications records to the government without a court order.

Fresh from Wikileaks

On April 30th, a fascinating email showed up on Wikileaks, purporting to be from a Special Agent in the Florida Computer Crime Center, writing to other law enforcement colleagues to complain about his experience in trying to obtain identifying information on AT&T and Yahoo customers.

There is no way to verify the authenticity of the email message; however, a quick Google search reveals that Mike Duffey does indeed work for the Florida Computer Crime Center.

While the email is worth reading in full, I'll summarize it here.

Warning: the details of this case are not very nice -- if you don't think terrorists, drug dealers and pedophiles deserve the benefit of due process and 4th amendment rights, you may want to stop reading now -- or you'll just get angry and/or upset.

On June 24, Special Agent Mike Duffey and his team were investigating a tip off regarding a gentleman who had reportedly bragged about molesting his six year old daughter on a Yahoo chat room and via Yahoo instant messenger.

Duffey's colleagues were able to find a MySpace page which listed the same Yahoo account in its contact information, and soon began to try and locate identifying information on several suspects.

First, Duffey's team contacted MySpace, claimed exigent circumstances, and were able to obtain the suspects' subscriber information and 30 days worth of historical IP address information, revealing the Internet address that the suspects had used to access their MySpace accounts. MySpace responded to Duffey's request within 20 minutes, and within 45 minutes had provided the agents with all the information they requested, all without requiring a subpoena or any other form of court order. The police simply claimed that this was a case of life or death, and MySpace handed over the information, no questions asked.

Second, Duffey's team contacted Yahoo in order to try and learn which IP addresses were used during the alleged chat room confession. Yahoo took three hours to respond to Duffey's request, at which point, the company rejected the "exigent circumstances" argument. In a follow-up conversation with Yahoo employees, Duffey was told that the company would be unable to provide any IP address information until 48 hours after they occurred. A further seven hours later, Yahoo provided 48 hour old IP address information, which, like the MySpace logs, pointed to an AT&T customer as the source.

Third, Duffey's team then contacted AT&T, who, like Yahoo, refused his attempt to claim exigent circumstances. AT&T told him that they would not provide any information without a subpoena, which, in Florida, must be issued by a court clerk.

Seven hours after initially contacting AT&T, Duffey obtained a subpoena, after which, AT&T immediately provided him with the name and address of the customer whose IP address had shown up in the most recent MySpace logs.

Two hours later, the suspect was arrested at his home, and quickly confessed.

Analyzing the law

The Electronic Communications Privacy Act strictly regulates service providers' sharing of customer information with the government.

As Susan Brenner has described in greater depth:
18 U.S. Code § 2703(c) says that a government entity can “require a provider of electronic communication service . . . to disclose a record or other information pertaining to a . . . customer . . . (not including the contents of communications) only when the government” does one of the following: gets a search warrant; uses a subpoena or court order; or “has the consent of the . . . customer to such disclosure”...

18 U.S. Code § 2702(b)(8) says an ISP service provider can give information “to a governmental entity, if the provider . . . believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency”.

The difference between § 2703 and § 2702 is that § 2703 deals with law enforcement’s ability to compel an ISP to provide subscriber information, while § 2702 sets out the conditions under which an ISP can voluntarily share such information.

So essentially, by claiming exigent circumstances, Special Agent Mike Duffey gave MySpace, Yahoo and AT&T the legal protection to voluntarily disclose their customer's information to the police.

MySpace jumped at the opportunity to share this data, Yahoo spun its wheels before eventually coughing up some data, while AT&T ultimately refused, as it was legally permitted to do. That is, while the exigent circumstances enable an ISP to voluntarily share data on their customers, § 2703 still prohibits the government from compelling the production of customer records without a court order. Until the government produces a subpoena, the ISP can always lawfully say no.

Exigent Circumstances

Why should AT&T refuse to provide critical information to police in what is clearly a life and death situation involving a small child and a pedophile?

Well, it turns out that law enforcement doesn't have the best track record when it comes to its use of exigent circumstances. As the EFF's Kurt Opsahl described back in 2007:
We already knew that the FBI’s use of “exigent circumstances” letters was illegal. DOJ’s Inspector General Fine already condemned them in a well-publicized IG report that outlined how hundreds of requests were made where there was no immediate danger of death or serious physical injury and, in any event, “the letters did not recite the factual predication necessary to invoke [the emergency] authority.”

Now I'm sure that in this case the Florida police were telling the truth. However, in the past, both local police and federal law enforcement officers have been repeatedly caught fudging the truth in order to obtain these so called exigent circumstances. Furthermore, there is a fairly large body of case law in which police put people's lives at risk in order to create exigent circumstances -- in such cases, the courts have rightfully thrown out the searches.

AT&T is likely going to take a lot of heat for refusing the exigent request if and when it hits the news. Who knows, perhaps that is the reason this email was leaked in the first place.

It is thus important that members of the privacy community rally around AT&T and support the company for its legally justified insistence upon a court order in this case, no matter how much we all continue to detest AT&T's completely illegal participation in the NSA warrantless wiretapping program.

Perhaps subpoenas take an excessive amount of time to get. Certainly, it took the officers in this case more than 7 hours in order to obtain theirs. I am sure there would be no objection to speeding up this process -- perhaps by allowing police officers to submit their requests to the clerk of the court via a special website, for example? There is no reason why inefficiencies and wasted time in the subpoena process cannot be eliminated -- rather than permitting police to simply ignore the process altogether and claim exigent circumstances.

In this case, the police waited more than three hours for Yahoo to respond to their initial request -- which, if the system worked, should be more than enough time to obtain a subpoena.

Shining the light on a shadowy practice

Those of you who might be shocked by MySpace's total willingness to disclose customer records without a court order should not be -- it is quite possibly the norm in the industry.

While it is not known to the general public, practically every Internet company gets requests, daily, from law enforcement agents wishing to dig up information on that company's customers. In order to deal with these requests, these firms all have "legal compliance" departments, some of which are open 24 hours a day, 7 days per week. A full list of these can be found here.

Of course, these firms don't like to discuss the fact that they routinely disclose their customers' private information to law enforcement. See, for example:

"We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws. In particular, the Electronic Communications Privacy Act ("ECPA") protects customer records and the communications of customers of online services."

“Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.”

Q: How many subpoenas for server log data does Google receive each year?
A: As a matter of policy, we don’t provide specifics on law enforcement requests to Google.

Facebook is the only company to even discuss the topic and provide ballpark numbers, telling Newsweek just a few weeks ago that the company receives between 10-20 requests from police every day. That is, somewhere between 3600-7300 requests per year.

Wolves watching the sheep

Who is responsible for judging the requests for customer information from law enforcement, in order to determine if they are appropriate, lawful and do not request excessive information?

In many cases, it is former law enforcement agents and prosecutors.

The Chief Security Officer at MySpace, Hemanshu Nigam, is a former deputy district attorney from Los Angeles County, where he specialized in child exploitation and rape prosecutions.

Who is Google's new Senior Counsel in charge of Law Enforcement and Information Security? Richard Salgado, a former Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice.

What about Google's Privacy Counsel? That would be Jane Horvath, formerly the Chief Privacy Officer at the US Department of Justice under Alberto Gonzales.

What about Microsoft? The company's Senior Director for Global Criminal Compliance, Online Services Security & Compliance is Susan Koeppen and, like Google's Salgado, she was formerly a Senior Attorney at the Computer Crime and Intellectual Property Section of the United States Department of Justice.

This is not to say that these companies do not follow the law -- I am sure they follow it to the letter. Merely that when the police and FBI call up these companies to request customer information, the person on the other end of the phone is often very sympathetic to their point of view -- because often, they are former colleagues.

While there are certainly former staffers from the Electronic Frontier Foundation and other public interest groups working for Google and some of the other firms, you can bet your bottom dollar they are not let anywhere near sensitive issues like subpoenas, search warrants and national security letters where the companies might not be as pro-privacy as they like people to believe.

Facebook is perhaps the only company to break from this norm -- by hiring a "privacy hawk" and former ACLU lawyer to be the company's point man on privacy issues.

A need for transparency

While it is clear that all Internet companies receive requests, what is unclear is the way they respond to them -- that is, do Google and Microsoft voluntarily disclose data whenever law enforcement officers claim exigent circumstances, or do they, like AT&T, push back and demand a subpoena?

The policy approach taken to these situations likely depends upon the people receiving and responding to the requests...and as I described above, they are often former colleagues of those agents who are attempting to circumvent the requirement for a subpoena in the first place.

What we need, desperately, is transparency. All Internet companies should follow Facebook's lead, and provide at least some aggregate numbers on the number of requests that they receive every year from law enforcement agents.

Furthermore, they should disclose for how many of those requests the companies provide the relevant information without first requiring a subpoena or court order, and instead voluntarily disclose it after receiving an exigent circumstances letter.

We need transparency, and we need it now.

(H/T to Pogowasright for first spotting the letter on Wikileaks.)

Disclosure: I haven't discussed this case with anyone from AT&T nor have I ever received any funds from the company.