Showing posts with label DoJ. Show all posts

Saturday, November 06, 2010

DOJ: Consumers read and understand privacy policies

The Department of Justice has a problem. One by one, judges across the country have been chipping away at the flimsy legal theories upon which DOJ has for years compelled phone companies to disclose individuals' historical and real-time geo-location information without a warrant.

DOJ's legal theory relies upon the third party doctrine. Essentially, what this means is that companies can be compelled, without a search warrant, to disclose any information that their customers have willingly given them.

One of the most important Supreme Court cases that shaped this rule, Smith v. Maryland, focused on the legal process through which law enforcement agencies can obtain the phone numbers dialed by a suspect:
[W]e doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must 'convey' phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed.

. . .

[W]hen he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and "exposed" that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed.

Since that 1979 case, the government has stretched the third party doctrine, from dialed phone numbers to essentially all non-content information transmitted by a telephone, including cell site records revealing where an individual has been.

Unfortunately for the government, the Third Circuit Court of Appeals recently eviscerated the government's legal theory, finding that there is a big difference between dialed phone numbers, and triangulated geo-location information:
A cell phone customer has not "voluntarily" shared his location information with a cellular provider in any meaningful way. As the EFF notes, it is unlikely that cell phone customers are aware that their cell phone providers collect and store historical location information. Therefore, "[w]hen a cell phone user makes a call, the only information that is voluntarily and knowingly conveyed to the phone company is the number that is dialed and there is no indication to the user that call will also locate the caller; when a cell phone user receives a call, he hasn't voluntarily exposed anything at all.

After the Third Circuit decision, magistrate judges took note, asking the Department of Justice to explain why cellular information should still be disclosed under the third party doctrine, rather than requiring a search warrant based upon a showing of probable cause.

On October 25, the Department of Justice responded in a brief (pdf) filed with a federal magistrate judge in Houston:
Cell phone users also understand that the provider will know the location of its own cell tower, and that the provider will thus have some knowledge of the user’s location. Indeed, providers’ terms of service and privacy policies make clear that the provider’s obtain this information.

. . .

Use of a cell phone is entirely voluntary, and a user will know from his experience with his cell phone and from a provider’s privacy policy/terms of service that he will communicate with a provider’s cell tower and that this communication will convey information to the provider about his location.

A footnote below the first sentence includes some text from T-Mobile's privacy policy, after which DOJ argues that the privacy policy makes it clear that users understand their location information is communicated to T-Mobile:
The first of these paragraphs demonstrates that a cell phone customer will be aware that T-Mobile obtains information regarding the customer’s location. The second paragraph demonstrates that a customer will be aware that T-Mobile collects this information. The third paragraph demonstrates that the customer will be aware that this information becomes a T-Mobile business record.

Consumers read privacy policies, because we say so

DOJ's argument is essentially this:

  1. Phone companies disclose in their privacy policies that they have access to subscribers' location information (with citation to privacy policies).
  2. (. . .)
  3. Therefore, consumers reasonably understand that their location information is transmitted to the phone company whenever their phone is on, and thus historical location information shouldn't be protected by the 4th Amendment.

What is missing, of course, is a direct claim that consumers read privacy policies. The government can't actually state this claim, because it is frankly laughable. Instead, it argues that:
"[A] user will know from his experience with his cell phone and from a provider’s privacy policy/terms of service"

The implied claim is that consumers read privacy policies. How else would a user know what is in the provider's privacy policy and terms of service unless he or she read the thing? Thus, the government's legal theory still depends upon the idea that consumers, or at least most consumers, read and understand privacy policies.

The FTC and Supreme Court discuss privacy policies

The Department of Justice isn't the only part of the US government to have made official statements regarding privacy policies, and the extent to which consumers read them. The Federal Trade Commission is tasked with protecting consumers' privacy online, and officials there frequently speak about this topic.

In introductory remarks at a privacy roundtable in December 2009, Federal Trade Commission Chairman Leibowitz told those assembled in the room that:
We all agree that consumers don’t read privacy policies – or EULAs, for that matter.

Similarly, in an August 2009 interview, David Vladeck, the head of the FTC's Bureau of Consumer Protection, told the New York Times that:
Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act.

Echoing both of these statements, in an official filing earlier this year with the Commerce Department, the FTC wrote that:
The current privacy framework in the United States is based on companies' privacy practices and consumers' choices regarding how their information is used. In reality, we have learned that many consumers do not read, let alone understand such notices, limiting their ability to make informed choices.

Even the Chief Justice of the US Supreme Court has weighed in on the issue, albeit only in a speech before students in Buffalo, NY just a few weeks ago. Answering a student question, Roberts admitted he doesn’t usually read the terms of service or privacy policies, according to the Associated Press:
It has "the smallest type you can imagine and you unfold it like a map," he said. "It is a problem," he added, "because the legal system obviously is to blame for that." Providing too much information defeats the purpose of disclosure, since no one reads it, he said. "What the answer is," he said, "I don’t know."

Academic research on privacy policies

Academic research seems to uniformly support the FTC's arguments.

Among 222 study participants of the 2007 Golden Bear Omnibus Survey, the Samuelson Clinic found that only 1.4% reported reading EULAs often and thoroughly, 66.2% admit to rarely reading or browsing the contents of EULAs, and 7.7% indicated that they have not noticed these agreements in the past or have never read them.

Similarly, a survey of more than 2000 people by Harris Interactive in 2001 found that more than 60 percent of consumers said they had either "spent little or no time looking at websites' privacy policies" or "glanced through websites' privacy policies, but . . . rarely read them in depth." Of those individuals surveyed, only 3 percent said that "most of the time, I carefully read the privacy policies of the websites I visit."

American consumers are not alone. In 2009, the UK Information Commissioner's Office conducted a survey of more than 2000 people, and found that 71% did not read or understand privacy policies.

While the vast majority of consumers don't read privacy policies, some do seem to notice the presence of a privacy policy on a company's website. Unfortunately, most Americans incorrectly believe that the phrase privacy policy signifies that their information will be kept private. A 2003 survey by Annenberg found that 57% of 1,200 adults who were using the internet at home agreed or agreed strongly with the statement "When a web site has a privacy policy, I know that the site will not share my information with other websites or companies." In the 2005 survey, questioners asked 1,200 people whether that same statement is true or false. 59% answered it is true.

Even if consumers were interested in reading privacy policies, doing so would likely consume a significant amount of their time. A research team at Carnegie Mellon University calculated the time to read the privacy policies of the sites used by the average consumer, and determined that:
[R]eading privacy policies carry costs in time of approximately 201 hours a year, worth about $2,949 annually per American Internet user. Nationally, if Americans were to read online privacy policies word–for–word, we estimate the value of time lost as about $652 billion annually.

Finally, even if consumers took the time to try and read privacy policies, it is quite likely that many would not be capable of understanding them. In 2004, a team of researchers analyzed the content of the privacy policies of 64 popular websites, and calculated the reading comprehension skills that a reader would need to understand them. Their research revealed that:
Of the 64 policies examined, only four (6%) were accessible to the 28.3% of the Internet population with less than or equal to a high school education. Thirty-five policies (54%) were beyond the grasp of 56.6% of the Internet population, requiring the equivalent of more than fourteen years of education. Eight policies (13%) were beyond the grasp of 85.4% of the Internet population, requiring the equivalent of a postgraduate education. Overall, a large segment of the population can only reasonably be expected to understand a small fragment of the policies posted.

Conclusion

As the academic research I have summarized here and multiple statements by FTC officials make clear, consumers do not read privacy policies. As such, it is shocking that the Department of Justice would, in representing the official position of the United States Government, argue otherwise before a court.

I hope that responsible persons inside DOJ will take note of this blog post, contact the court, and retract their claim. I also hope that the new White House Interagency Subcommittee on Privacy & Internet Policy will take note of this issue, and make sure that this sort of claim doesn't find its way into any future DOJ legal briefs.

Wednesday, June 10, 2009

A shot across the bow

At Computers, Freedom and Privacy last week, Google's DC policy guru Alan Davidson revealed that the company has between 1 and 20 employees working full time to respond to requests for private customer information from law enforcement. He also revealed that Google asks for financial compensation from the Government for the time required to satisfy these requests -- he noted that this practice is permitted by law.

Google is not alone in this. All major Internet companies receive thousands of requests per year, and as a "matter of policy", they all refuse to discuss this, or to give the public even a rough idea of how many requests they get.

A recent Newsweek article comes the closest, revealing that Facebook gets between 10 and 20 requests per day from law enforcement agencies.

This silence needs to end. We need transparency, sunshine, and some accountability. If users realized how often their data is disclosed to police, and how often it occurs without a warrant or any judicial oversight, many would be shocked.

So -- if you work in the privacy, legal or policy department of a major Internet provider (as I know a few of my readers do), consider this your warning.

You either need to come clean voluntarily, or the information will be forced out. Your customers have a right to know.

My first avenue of attack will be via a number of FOIA requests (see below) -- if that fails, I'll have to ramp things up a bit. The current level of secrecy is simply not acceptable.



(Sent to Criminal Division, Department of Justice)

Dear FOIA Officer:

This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records concerning guidance, reference manuals and sample requests provided to law enforcement agencies by major internet companies, search engines, web mail providers, and social networks.

Background

A recent Newsweek article (http://www.newsweek.com/id/195621) revealed that:

"NEWSWEEK reviewed both Facebook and MySpace documents that let law-enforcement agencies know what information they track and how to obtain it; MySpace's guide is more robust, offering agencies templates with language geared specifically to be admissible in court. Both sites disclose that they cooperate with police in the terms that users agree to when they sign up."


Practically all Internet related businesses have a legal compliance department. Some, like MySpace, are open 24 hours per day, 7 days a week. A list containing contact information for over 100 of these offices can be found here: http://www.search.org/programs/hightech/isp/


The same Newsweek article also revealed that:

"[Facebook] says it tends to cooperate fully and, for the most part, users aren't aware of the 10 to 20 police requests the site gets each day."


It is likely that other major Internet companies receive a similar number of requests. As a result, it is not surprising that the companies have created guides and sample requests for law enforcement agencies, in order to help to streamline requests, and reduce the amount of manpower required to handle each subpoena.

My request

I request any records, including memoranda, handbooks, emails, policies and procedures provided to the Department of Justice by Internet service providers, phone and cable providers, search engines, instant messaging companies, and social networking sites. Such documents likely contain guidance and frequently answered questions related to requests for subscriber information, and may also contain sample subpoenas and search warrant applications.

At the very least, this request shall include documents provided by or relating to Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&T, Verizon, Comcast, Sprint and T-Mobile.

The scope for this request shall include all documents created between January 01, 2005 and May 10, 2009. It is likely that the Computer Crime & Intellectual Property Section (CCIPS) within the DOJ Criminal Division will have the most relevant documents.

Saturday, February 03, 2007

FOIA Fun

Much respect to the Reporters Committee for Freedom of the Press for their kickass FOIA letter generator.


FOIA/PA Mail Referral Unit
Department of Justice
Room 114, LOC
Washington, DC 20530-0001

Dear FOI Officer:

Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of Any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies" . I am interested in anything that matches this description between the dates 01/01/2002 and 02/01/2007.

*edited*

Transportation Security Administration
TSA-20, West Tower
FOIA Division
601 South 12th Street
Arlington, VA 22202-4220

Dear FOI Officer:



Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of All documents including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to the storage and or data deletion policies for the data from chemical/explosive analysis of passengers, passengers bags, items and personal possessions. In particular, I am requesting information on how long TSA keeps the data generated by the machines that perform the explosive residue analysis on the swabs that TSA agents wipe on passenger's bags/objects. I am also requesting information on how long data is kept from the "puffer" machines used by TSA (these are typically made by either GE or Smiths), which shoot air at passengers and then analyze the particles that are dislodged. In addition to this data, I also request any and all information relating to how the information is matched or associated to specific passengers, in what format, and held in what databases, if it is at all. The scope of this request is for all information matching this description between the dates of 01/01/2003 and 02/01/2007.

Friday, February 02, 2007

Tor: Lies or Ignorance?

I went to a symposium on Search and Seizure in the digital age at Stanford last week.

One topic that kept popping up was the so-called "Creepiness Factor" of various surveillance technologies. Just like the ol' government standard for obscenity, we can't quite define creepy surveillance, but we know it when we see it.

One of the last speakers of the day was an Assistant US Attorney, based in Silicon Valley, who focused on cyber crimes. I'm fairly sure that his name was Matthew Lamberti. Fairly early into his talk, it was plainly obvious that his opinions did not mesh too well with the rest of the room - at least after he quite proudly announced that he didn't think it was in any way creepy to go through someone's trash. Facial expressions around the room quickly changed.

After his talk was over, I walked up to him, introduced myself, and asked him what he thought of Tor.


(I'm paraphrasing here)

"What's that?" he asked.

I explained that it was an anonymity-preserving system that enabled hundreds of thousands of Internet users to browse the web and communicate anonymously.

He replied that he wasn't familiar with the technology, so he really couldn't answer my question.

----

Back in November, when I met with the cybercrime-specializing Assistant US Attorney in Indianapolis, his eyes lit up at the mere mention of Tor, and he proceeded to give me a long lecture on the evils of the technology, and how Indiana University has no business doing anything that even comes close to anonymity-promoting research.

I find it shocking, yet amazing, that an Assistant US Attorney who works out of the San Jose DoJ office - who prosecutes Internet/IP crime cases all the time - in possibly the most high-tech area in the country, has never heard of Tor.

Are the Indianapolis DoJ more Internet Savvy than those in Silicon Valley? Did I catch Mr Lamberti on an off day, or what?

And that's where my latest FOIA request will come in handy ;-)