Showing posts with label privacy.

Wednesday, November 02, 2011

Two honest Google employees: our products don't protect your privacy

Two senior Google employees recently acknowledged that the company's products do not protect user privacy. This is quite a departure from the norm at Google, where statements about privacy are usually thick with propaganda, mistruths and often outright deception.

Google's products do not meet the privacy needs of journalists, bloggers, small businesses (or anyone else concerned about government surveillance).

Last week, I published an op-ed in the New York Times that focused on the widespread ignorance of computer security among journalists and news organizations. Governments often have no need to try to compel a journalist to reveal the identity of their sources if they can simply obtain stored communication records from phone, email and social networking companies.

Will DeVries, Google's top DC privacy lobbyist, soon posted a link to the article on his (personal) Google+ page, and added the following comment:

I often disagree with Chris, but when he's right, he's dead right. Journalists (and bloggers, and small businesses) need to take a couple hours and learn to use free, widely available security measures to store data and communicate.

Let me first say that I really respect Will. Many of the people in Google's policy team default to propaganda mode when questioned. Will does not do this - he either speaks truthfully, or declines to comment. I wish companies would hire more people like him, as they significantly boost the credibility of the firm among privacy advocates.

Regarding Will's comment: If Google's products were secure out of the box, journalists would not need to "take a couple hours" to learn to protect their data and communications. Will does not tell journalists to ditch their insecure Hotmail accounts and switch to Gmail, or to ditch their easily trackable iPhones and get an Android device. Likewise, he does not advise people to stop using Skype for voice and video chat, and instead use Google's competing services. He doesn't do that, because if he described these services as more secure and resistant to government access than the competition, he'd be lying.

Google's services are not secure by default, and, because the company's business model depends upon the monetization of user data, the company keeps as much data as possible about the activities of its users. These detailed records are not just useful to Google's engineers and advertising teams, but are also a juicy target for law enforcement agencies.

It would be great if Google's products were suitable for journalists, bloggers, activists and other groups that are routinely the target of surveillance by governments around the world. For now, though, as Will notes, these persons will need to investigate the (non-Google) tools and methods with which they can protect their data.

Google's business model is in conflict with privacy by design

At a recent conference in Kenya, Vint Cerf, one of the fathers of the Internet and Google's Chief Internet Evangelist spoke on the same panel as me. We had the following exchange over the issue of Google's lack of encryption for user data stored on the company's servers (I've edited it to show the important bits about this particular topic - the full transcript is online here).

Me:

[I]t's very difficult to monetize data when you cannot see it. And so if the files that I store in Google docs are encrypted or if the files I store on Amazon's drives are encrypted then they are not able to monetize it....And unfortunately, these companies are putting their desire to monetize your data over their desire to protect your communications.

Now, this doesn't mean that Google and Microsoft and Yahoo! are evil. They are not going out of their way to help law enforcement. It's just that their business model is in conflict with your privacy. And given two choices, one of which is protecting you from the government and the other which is making money, they are going to go with making money because, of course, they are public corporations. They are required to make money and return it to their shareholders.

Vint Cerf:

I think you're quite right, however that, we couldn't run our system if everything in it were encrypted because then we wouldn't know which ads to show you. So this is a system that was designed around a particular business model.

Google could encrypt user data in storage with a key not known to the company, as several other cloud storage companies already do. Unfortunately, Google's ad supported business model simply does not permit the company to protect user data in this way. The end result is that law enforcement agencies can, and regularly do, request user data from the company -- requests that would lead to nothing if the company put user security and privacy first.

Monday, March 21, 2011

The negative impact of AT&T's purchase of T-Mobile on the market for privacy

Yesterday, AT&T announced that it will be purchasing T-Mobile, the fourth largest wireless carrier in the US. While there are many who have raised antitrust concerns about this deal due to the impact it will have on the price of wireless services and mobile device/application choice, I want to raise a slightly different concern: the impact this will have on privacy.

While it is little known to most consumers, T-Mobile is actually the most privacy preserving of the major wireless carriers. As I described in a blog post earlier this year, T-Mobile does not have or keep IP address logs for its mobile users. What this means is that if the FBI, police or a civil litigant wish to later learn which user was using a particular IP address at a given date and time, T-Mobile is unable to provide the information.

In comparison, Verizon, AT&T and Sprint all keep logs regarding the IP addresses they issue to their customers, and in some cases, even the individual URLs of the pages viewed from handsets.

While privacy advocates encourage companies to retain as little data about their customers as possible, the Department of Justice wants them to retain identifying IP data for long periods of time. So much so that T-Mobile was called out (albeit not by name) by a senior DOJ official at a data retention hearing at the House Judiciary Committee back in January:
"One mid-size cell phone company does not retain any records, and others are moving in that direction."
If and when the Federal government approves this deal, T-Mobile's customers and infrastructure will likely be folded into the AT&T mothership. As a result, T-Mobile's customers will lose their privacy preserving ISP, and instead have their online activities tracked by AT&T.

After this deal goes through, there will be three major wireless carriers, all of whom have solid track records of being hostile to privacy:
AT&T, a company that voluntarily participated in the Bush-era warrantless wiretapping program in which it illegally disclosed its customers' communications to the National Security Agency.

Verizon, a company that similarly voluntarily participated in the warrantless wiretapping program, and then, when sued by the Electronic Frontier Foundation, argued in court that it had a free speech right protected by the 1st Amendment to disclose that data to the NSA.

Sprint, a company that established a website so that law enforcement agencies would no longer have to go through the trouble of seeking the assistance of Sprint employees in order to locate individual Sprint customers. This website was then used to ping Sprint users more than 8 million times in a single year.

The market for privacy

Today, privacy is largely an issue of risk mitigation for firms. Chief Privacy Officers are tasked with protecting against data breaches, and class action lawsuits related to the 3rd party cookies that litter companies' homepages. The privacy organizations within companies do not bring in new customers, or improve the bottom line, but protect the firm from regulators and class action lawyers.

Recently, there have been signs that this may be changing. Microsoft and Mozilla are now visibly competing on privacy features such as "Do Not Track" built into their web browsers. Several venture capital firms have invested cash in firms like Reputation.com and Abine, which are selling privacy enhancing products to consumers.

To be clear, the market for privacy is in its infancy. As such, the government should be doing everything possible to nurture and encourage such growth. It is for that reason that the FTC should not permit the one and only privacy protecting major wireless carrier to be swallowed up by AT&T, a company that has repeatedly violated the privacy of its customers.

The FTC should lead the government's investigation into this deal, and should reject it on privacy grounds

When the FTC approved Google's merger with DoubleClick in 2007, then-Commissioner Pamela Jones Harbour raised the issue of privacy in her dissent (pages 9-12). As I think history now confirms, the FTC erred in ignoring Commissioner Harbour and not considering the issue of privacy in the Google deal. However, many of her comments similarly apply to the AT&T/T-Mobile deal.

While the FTC cannot turn back the clock on Google/DoubleClick, it can and should protect the privacy of the millions of T-Mobile subscribers. The FTC should block this merger. However, even if the deal is permitted to go through, the FTC should at least extract strict privacy guarantees from AT&T that include a policy of not retaining IP address allocation or other Internet browsing logs.

If the FTC, Commerce Department and Congress want the market to provide privacy to consumers, then they need to make sure that consumers have options in this area. Without options, informed consumers cannot vote with their wallets. Companies that choose to go the extra mile to protect privacy should be rewarded for doing so, and not, when the market for privacy is so young, be swallowed up by those that steamroll over their customers' desire to keep their data safe.

Tuesday, February 01, 2011

An open letter to Adobe

MeMe Rasmussen
Chief Privacy Officer
Adobe Systems Inc.

Dear MeMe,

Yesterday, as you know, two researchers from Carnegie Mellon University released a study on the extent to which Flash Local Stored Objects ("Flash cookies") are used on popular websites, and in particular, how often sites engage in cookie "respawning".

Before discussing the report, I want to begin by stating that I have great respect for the two researchers, Dr Aleecia McDonald and Professor Lorrie Cranor. They both have truly stellar track records in their area of academic expertise: the study of usable security and privacy.

However, I have serious misgivings about the motivation of this study, the role that several non-academic entities played in shaping it, its methodology, and the way that it may be used by your company and others in industry to whitewash a significant privacy issue.

The motivation of the study, and the role played by Adobe, CDT and Reed Freeman

It is not entirely clear, at least from publicly available sources, who first came up with the idea for the study. That is, did the researchers decide to conduct the study, and seek funding from Adobe and CDT in order to help pay their costs, or did Adobe seek to repair its own reputation, write a large check to the Center for Democracy and Technology (CDT), which then passed on some of the money to these researchers in order to produce the report?

Update Feb 2: A post by MeMe on Adobe's official blog confirms that:
Adobe commissioned the Carnegie Mellon University research study ... with assistance provided by the Center for Democracy and Technology (CDT)
What is clear, from the acknowledgements at the end of the report, is that the researchers received financial support from Adobe. Looking at CDT's funding charts for 2009 and 2010, it looks like 2010 is the first year that Adobe has given any money to CDT. Was this funding tied to the creation and publication of this report?

Both Adobe and CDT are thanked by the researchers for assistance in developing the experimental protocol, and several CDT staff members are thanked for providing the researchers with assistance and feedback on their report. One other person who is thanked for his assistance is Reed Freeman, a partner at the law firm Morrison & Foerster.

Given the trigger-happy nature with which some firms fire off DMCA cease and desist letters, or call in the Department of Justice, it is unfortunately quite common for privacy and security researchers to have to solicit the advice and assistance of attorneys before publishing research. I myself have several attorneys on speed-dial, and have turned to the absolutely amazing attorneys at the Electronic Frontier Foundation (EFF) on several occasions.

What puzzles me though, is why Professor Cranor did not go to the EFF for her legal questions, particularly given that she serves on EFF's board of directors. Instead, she sought and received feedback from Reed Freeman.

As far as I know, Reed has no experience or special expertise in helping academic researchers avoid lawsuits from pissed off companies. However, he does have quite a bit of experience in helping companies engulfed in privacy scandals escape the wrath of the Federal Trade Commission. For example, he represented Netflix a year ago, after the FTC took an interest (pdf) in the company's plan to share a second dataset of its customers' movie reviews.

I would love to find out the role that he played in shaping this study and the final report. Did he provide advice to these researchers on a pro-bono basis, or did Adobe pick up the likely very expensive tab for his assistance?

Research methodology

This study was a response to a 2009 study by Soltani et al, which coined the term "respawning Flash cookies" and exposed several major web properties and advertising networks engaging in the practice.

Leaving aside the potential issues that Joe Hall has raised about how the researchers chose the 500 random sites, I want to focus on one key area which suggests serious limits (and perhaps even flaws) in this study.

Consider the data collection method followed by Soltani:
Each session consisted of starting on a Firefox about:blank page with clean data directories. We then navigated directly to the site in question (by entering the domain name into the browser’s navigation bar) and mimicked a ‘typical’ users session on that site for approximately 10 pages. For example, on a video site, we would search for content and browse videos. On a shopping site, we would add items to our shopping cart. We did not create accounts or login for any of the sites tested. As a result, we had to ‘deep link’ directly into specific user pages for sites such as Facebook.com or Myspace.com since typically these sites do not easily allow unauthenticated browsing.

In the CMU study, the researchers visited the front page only of the top 100 sites, plus an additional random 500 sites. The researchers did not navigate beyond paywalls, conduct searches, click on items to add them to shopping carts, or otherwise interact with the sites. As such, any Flash cookies present on these other pages have gone undiscovered.
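To make the methodological point concrete, here is the comparison step of a Soltani-style respawning test as an added example (this is code written for this page, not code from either study; the site names, cookie values and profile snapshots are constructed). The harness records the browser profile after a first visit, deletes the HTTP cookies, revisits, and flags any cookie that comes back with its old value, with a stronger verdict when that value also sits in a Flash LSO.

```javascript
// Added example (not code from either study): the comparison step of a
// respawning test, run over constructed snapshots of a browser profile.
//
// Each snapshot is what a harness would dump after one step of the session:
// the HTTP cookie jar, the Flash LSO files (file -> key/value pairs) and, for
// the first visit, the page on which each cookie was first observed.
const firstVisit = {
  httpCookies: { uid: 'a81f3c9e', sess: 'k9Qz', pref: 'en' },
  cookieFirstSeenOn: { uid: '/search?q=news', sess: '/', pref: '/' },
  flashLSOs: { 'ads.example.test/tracker.sol': { uid: 'a81f3c9e', ts: 1296518400 } },
};

// HTTP cookies were then deleted (LSOs left alone, as a user clearing
// "cookies" in the browser would leave them) and the same pages revisited.
const afterDeletion = {
  httpCookies: { uid: 'a81f3c9e', sess: 'Tm7p', pref: 'en' },
};

// A cookie that returns with its old value after deletion is suspicious; if
// that value is also stored in a Flash LSO, the LSO is the obvious source.
function detectRespawn(before, after) {
  const lsoValues = new Set();
  for (const lso of Object.values(before.flashLSOs)) {
    for (const v of Object.values(lso)) lsoValues.add(String(v));
  }
  const findings = [];
  for (const [name, oldValue] of Object.entries(before.httpCookies)) {
    const newValue = after.httpCookies[name];
    // Cookie gone, or re-issued with a fresh value: not a respawn.
    if (newValue === undefined || newValue !== oldValue) continue;
    findings.push({
      name,
      value: oldValue,
      verdict: lsoValues.has(oldValue) ? 'respawned-from-lso' : 'same-value-needs-review',
      firstSeenOn: before.cookieFirstSeenOn[name] || '?',
    });
  }
  return findings;
}

// Which findings would a front-page-only visit never have produced? Any cookie
// first set on a page the crawler never loaded.
function missedByFrontPageOnly(findings) {
  return findings.filter((f) => f.firstSeenOn !== '/').map((f) => f.name);
}
```

The "same-value-needs-review" verdict exists because a deterministic default such as pref=en will always come back identical and is not evidence of anything; a reviewer discards those and keeps the high-entropy identifiers. In the constructed data the respawned uid was first set on the search results page, which is exactly the kind of cookie a crawl that stops at the front page never sees.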

Naming names

One important norm in the academic privacy community, is that when researchers discover companies engaged in privacy invasive (or even just problematic) practices, they are named. Soltani et al named the companies they discovered respawning Flash cookies, Krishnamurthy and Wills (pdf) named Facebook, MySpace and a few other social networks that were leaking user identifiers via referrer headers, and Jang et al (pdf) named YouPorn, Morningstar, Charter and the dozens of other firms they discovered abusing CSS flaws to determine users' browsing history.

Similarly, when Professor Cranor, Dr McDonald and several other CMU researchers published a paper last year examining the extent to which major websites misrepresent their privacy policies via machine-readable P3P headers, the researchers identified the offending websites.

It seems curious then that this time around, these same researchers would decide to not identify the two companies that they discovered were engaged in Flash cookie respawning.

It is just a wild guess, but I suspect that the decision not to identify the offending firms was not a decision left up to the researchers. What I do not know though, is if this was a decision made by CDT, or Adobe.

Adobe's commitment to privacy

One year ago, you submitted written comments (pdf) to the FTC as part of its series of privacy roundtables. In your submission, you wrote that:
Adobe condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent.

...

Adobe is committed to supporting research to determine the various types and extent of the misuse of Local Storage. We are eager to participate in the discussion of which uses are and are not privacy friendly. We will support appropriate action, in consultation with the development, advocacy, regulatory, and legislative communities, to eradicate bad, unintended uses of Local Storage.

...

Adobe Supports the Commissions’ Use of its Authority to Police Unfair and Deceptive Acts and Practices in Commerce.

Adobe believes that existing legislation and regulation provide the Commission with robust enforcement authority against deceptive or unfair trade practices, including the use of Local Storage to re-spawn cookies users have deleted.


Adobe should identify the offending websites, or at least rat them out to the FTC

The studies published by Soltani et al, Krishnamurthy and Wills and Jang et al have all led to class action lawsuits against the companies engaged in the various privacy violating activities exposed by these researchers. As such, it is quite reasonable to assume that had the CMU Flash cookie study identified the two firms that were caught engaging in Flash cookie respawning, class action lawsuits would have soon followed.

Given the strong tone you took in your FTC comments, and the fact that Adobe "condemns" the misuse of your technology to violate consumers' privacy, it is surprising that you have not pushed for the identification of these two companies. Surely the millions of users of Flash who have had their privacy violated by these firms should have an opportunity to seek their day in court?

Even if you do not wish to expose these firms to the threat of class action litigation, at the very least, you should turn them in to the FTC, which would then be able to investigate the firms, and prohibit them from engaging in similar privacy violations in the future.

As such, I hope you will confirm if you know the identity of the two firms discovered by the CMU researchers, and further confirm what plans you have, if any, to provide FTC staff with the evidence that was uncovered.

It is time for Adobe to be a leader on privacy. Turning these two firms in to the FTC would be a good first step.

With regards,

Christopher

Saturday, January 29, 2011

Data retention push confirms DOJ hypocrisy

As I described in a lengthy blog post a couple days ago, the US law enforcement community is yet again pushing for mandatory data retention laws, which would require internet service providers to keep records detailing the IP addresses issued to their customers.

At the hearing last Tuesday, Jason Weinstein of the Department of Justice argued that the government needed this data to be able to effectively investigate serious crimes, such as terrorism and child exploitation.

In what truly is a bit of Orwellian doublespeak, Mr. Weinstein told the Congressional committee that retaining this data would actually protect privacy:
Unlike the Department of Justice – which must comply with the Constitution and laws of the United States and is accountable to Congress and other oversight bodies – malicious cyber actors do not respect our laws or our privacy. The government has an obligation to prevent, disrupt, deter, and defeat such intrusions. The protection of privacy requires that we keep information from those who do not respect it — from criminals and others who would abuse that information and cause harm.

Investigating and stopping this type of criminal activity is a high priority for the Department, and investigations of this type require that law enforcement be able to utilize lawful process to obtain data about the activities of identity thieves and other online criminals. Privacy interests can be undercut when data is not retained for a reasonable period of time, thereby preventing law enforcement officers from obtaining the information they need to catch and prosecute those criminals. Short or non-existent data retention periods harm those efforts.
My absolute favorite bit of Mr Weinstein's testimony is the first sentence above:
Unlike the Department of Justice – which must comply with the Constitution and laws of the United States and is accountable to Congress and other oversight bodies
What I love, is the fact that Mr. Weinstein was able to repeat this complete and total lie, under oath, without ever once cracking a sheepish smile, or showing any sign of embarrassment.

From The Washington Post, January 19, 2010:
The FBI illegally collected more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews... A Justice Department inspector general's report due out this month is expected to conclude that the FBI frequently violated the law with its emergency requests, bureau officials confirmed.... FBI general counsel Valerie Caproni said in an interview Monday that the FBI technically violated the Electronic Communications Privacy Act when agents invoked nonexistent emergencies to collect records.

The Washington Post, January 21, 2010:
FBI agents for years sought sensitive records from telephone companies through e-mails, sticky notes, sneak peeks and other "startling" methods that violated electronic privacy law and federal policy, according to a Justice Department inspector general report released Wednesday.

The study details how the FBI between 2002 and 2006 sent more than 700 demands for telephone toll information by citing often nonexistent emergencies and using sometimes misleading language. The practice of sending faulty "exigent" letters to three telecommunications providers became so commonplace that one FBI agent described it to investigators as "like having an ATM in your living room."

The New York Times, March 10, 2007:
Bipartisan outrage erupted on Friday on Capitol Hill as Robert S. Mueller III, the F.B.I. director, conceded that the bureau had improperly used the USA Patriot Act to obtain information about people and businesses...

The report found many instances when national security letters, which allow the bureau to obtain records from telephone companies, Internet service providers, banks, credit companies and other businesses without a judge’s approval, were improperly, and sometimes illegally, used.

Moreover, record keeping was so slipshod, the report found, that the actual number of national security letters exercised was often understated when the bureau reported on them to Congress, as required.

The Washington Post, October 24, 2005:
The FBI has conducted clandestine surveillance on some U.S. residents for as long as 18 months at a time without proper paperwork or oversight, according to previously classified documents to be released today.
These reports only detail violations of the law during the last few years. Such abuses are not a new phenomenon though - the Department of Justice has abused its powers to illegally spy on Americans as long as the agency has existed.

Furthermore, in spite of the numerous instances in which it was confirmed that FBI agents and DOJ officials violated the law and engaged in illegal surveillance, I can't think of a single instance where they (or the telecommunications carriers that collude in their crimes) have been arrested or prosecuted for doing so. Instead, they get a slap on the wrist, and then it is back to business as usual.

One rule for us, one rule for them

The push for data retention seems to be currently limited to IP address allocation records, but, if successful, it will almost certainly extend to non-content information associated with email, chat and instant messaging communications.

The hypocrisy of the government's push for such data retention is clear when compared to the extreme efforts that government agencies go to in order to shield their own communications, documents and other records from the American people.

Consider for a moment, that this president, like Bush and Clinton before him, does not send any emails. The reason for this? Because such emails would have to be retained under the Presidential Records Act. Rather than let the American people later see a record of his official communications, he simply avoids email, and instead does everything by phone or in-person.

Of course, in this day and age, most people do not have the luxury of going without email. Private citizens, corporations and government employees alike rely on email to go about their daily business. However, while the email accounts that consumers rely on increasingly keep their communications forever (due to essentially unlimited storage), companies and government agencies are increasingly embracing data deletion policies in order to limit the risk that their emails will later see the light of day, due to lawsuits or FOIA requests.

For example, starting in the spring of 2010, the Federal Trade Commission (where I worked until August of 2010) adopted a 90-day email deletion policy. Any email messages that employees did not specifically mark to be saved would be automatically deleted after 90 days. This policy creates a significant barrier for public interest groups wishing to learn about the activities of the agency.

At the FTC, all records about particular investigations are shielded from disclosure as long as the investigation is active. However, since most investigations take 6 months or more, by the time the investigation is eventually made public, many email messages will have already been deleted.

Quite simply, government email deletion policies are specifically designed to circumvent and neutralize open government laws, such as the Freedom of Information Act.

I am sure that the FTC is not the only government agency to embrace an aggressive data deletion policy, and at least right now, there is nothing that legally prohibits agencies from adopting such policies.

This would be a great issue for pro-transparency, pro-oversight House Republicans to tackle. Perhaps once the administration is forced to reveal its own official communications to the whole world, then maybe it'll be a bit more sympathetic to the efforts of privacy groups and corporations that wish to protect privacy of regular users.

Wednesday, January 26, 2011

DOJ's push for data retention & competing on privacy

On Tuesday, January 25, 2011, the Republican controlled House Subcommittee on Crime, Terrorism and Homeland Security held a hearing on the topic of data retention. Chairing the hearing was Jim Sensenbrenner, the author of the much-loved USA Patriot Act.

The video of the hearing is online as is the written testimony of Jason Weinstein of the Department of Justice.

Data retention is (for most people) an obscure and boring topic, even if it has a significant impact on end user privacy. As such, I want to try to analyze DOJ's latest attempt to kickstart the debate about this issue, in order to enable those watching at home to understand the politics at play.

A gentle introduction to the DOJ increased powers playbook

The Department of Justice is actually fairly predictable, and each time it calls for increased powers, it follows the same formula.

First, it will repeatedly mention one or two horrific crimes that everyone in society agrees are awful (usually terrorism and child pornography), and claim that those committing these crimes are not getting caught because of the issue at hand.

Second, the government will put out a couple examples, which have never before been disclosed to the public (even if they are several years old), in which horrible things happened because the government didn't have the information or power it now wants.

Third, the government will highlight companies that currently have particularly bad practices (but without naming those firms), and may also specifically identify one or two companies whose practices are excellent, and that should be models for the entire industry.

Fourth, the government will completely dismiss the concerns of the privacy community.

This formula has been used, just in the last couple years, to try and require emergency, warrantless disclosure of cell-tower data, mandatory registration of prepaid mobile phones, and back doors in encryption technology.

Why doesn't DOJ name names?

One of the most interesting things for me, is the practice of not naming names. That is, while the specific problematic practices may be discussed in some detail, the companies that are currently not doing what the government wants are rarely named by the government, either in testimony before Congress, or through the intentional leaks to the government-friendly journalists that are used to seed the debate.

Consider the following quote from yesterday's testimony:
"One mid-size cell phone company does not retain any records, and others are moving in that direction. A cable Internet provider does not keep track of the Internet protocol addresses it assigns to customers, at all. Another keeps them for only seven days—often, citizens don’t even bring an Internet crime to law enforcement’s attention that quickly."
Or, from a New York Times article last year:
Starting in late 2008 and lasting into 2009, another law enforcement official said, a "major" communications carrier was unable to carry out more than 100 court wiretap orders. The initial interruptions lasted eight months, the official said, and a second lapse lasted nine days.

This year, another major carrier experienced interruptions ranging from nine days to six weeks and was unable to comply with 14 wiretap orders. Its interception system "works sporadically and typically fails when the carrier makes any upgrade to its network," the official said.

The official declined to name the companies, saying it would be unwise to advertise which networks have problems or to risk damaging the cooperative relationships the government has with them. For similar reasons, the government has not sought to penalize carriers over wiretapping problems.

Even though the government could significantly increase the pressure on particular firms by naming them, it (wisely) doesn't do so. The reason is that the law gives companies a significant amount of flexibility in the way that they design their networks, the data that they voluntarily retain, and over the warrantless disclosures made to government investigators when they claim an emergency. The government knows that if it plays hardball with these firms, they are perfectly within their rights to stop voluntarily retaining data, and insist on a valid court order or other legal process whenever the government wants to investigate one of their customers.

Naming names

Even though the government won't identify the companies with "good" and "bad" data retention practices, there is nothing stopping me from doing so.

In his testimony, Mr Weinstein stated that "One mid-size cell phone company does not retain any records". If I had to guess, I would bet that Mr. Weinstein is speaking about T-Mobile, which is the largest carrier I know of that does not keep IP allocation logs.

At the ISS World surveillance conference in 2009, I made an audio recording of a panel which featured executives from several telecommunications companies speaking about their relationship with law enforcement agencies, and their own data retention practices (the audio recording of the panel is available here). At that event, a representative from Cricket Communications (a relatively small pre-paid carrier aimed at low income users) told the audience that:
"One of the challenges for Cricket, and a challenge for the law enforcement community, is that we now have broadband and internet access from the handset. And in both instances, the signal goes to our switch, and then is relayed to Level 3 Communications, which then is the conduit to the Internet. From the outside, from the point of capture of the IP address, it is the generic or regional IP address that is picked up. There is no way to come back through our firewall to see which subscriber had a per-session identification on that, and that is something that even if you go to Level 3, they’re not going to have any information either."

T-Mobile's director of law enforcement relations spoke next, and revealed that his company was largely in the same position:
"[T-Mobile is] in the same boat that Cricket is, in terms of determining the IP address --- determining the subscriber attached to that IP address."
Contrast this to the approach taken by Sprint:
Nextel’s system, they statically assign IP addresses to all handsets ... We do have logs, we can go back to see the IP address … On the Sprint 3G network, we have IP data records back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don’t store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that’s why we store the data ... It’s because marketing wants to rifle through the data.

Unfortunately, representatives from Verizon and AT&T didn't appear at that conference, and so I don't have an on-the-record statement from those firms describing their IP allocation policies. Luckily, a slide presentation for the law enforcement community detailing Verizon's data retention policies leaked onto the Internet.


From this, it is clear that Verizon keeps logs on the individual IP addresses given to users for a 1 year period, and, even more troubling, it appears that the company retains the "destination" addresses of all sites that its users visit from their mobile handsets for 30 days.

Finally, while we do not know AT&T's data retention policy, this 2009 study by a team at Microsoft Research confirms that AT&T wireless users are at least given individual IP addresses (as compared to the NAT-based scheme that T-Mobile and Cricket use). As such, the only question is if AT&T chooses to retain these IP address allocation logs (and given the company's repeated collusion with law enforcement and intelligence agencies, I think it is fair to assume that it does keep them.)

Competing on privacy

Over the last few years, firms in a few specific markets have begun to compete on privacy. For example, just in the last month, three of the four main web browsers have each announced privacy enhancing features designed to protect their users from online tracking.

Unfortunately, even though telecommunications firms' data retention policies differ in ways that significantly impact end user privacy, these companies do not compete on these differences, and often go out of their way to keep this information secret. Were it not for the work of activists and whistleblowers inside the firms who have leaked key documents, we would never know some of these details.

This widespread lack of public information about data retention policies poses a significant problem for consumers wishing to evaluate potential service providers on their respective privacy merits. Furthermore, retention practices among providers operating in the same market vary considerably, which means that the decision to pick a particular service provider can have a significant impact on a user's privacy.

As a result of these policies, for example, a Sprint Nextel customer can be later tracked down based on an anonymous comment left on a blog, or a P2P file downloaded over the company’s cellular network, while customers of T-Mobile and Cricket can freely engage in a variety of online activities without any risk of later discovery.

This lack of public information about key privacy differences would be bad enough if the firms generally kept quiet about the general topic of privacy. However, these companies actually proudly boast about their commitment to protecting user privacy, while simultaneously going out of their way to keep the substantive details of their practices (and often, their collusion with government surveillance) secret.

Consider, for example, the following statements by Verizon:

"Verizon has a longstanding and vigorous commitment to protecting its customers’ privacy and takes comprehensive steps to protect that privacy."

"At Verizon, privacy is a key priority. We know that consumers will use the full capabilities of our communications networks only if they trust that their information will remain private."

Strangely enough, Verizon has also argued in court that it has a First Amendment right to voluntarily provide information about its customers' private communications to the National Security Agency. This may be a valid legal argument, but it is not the kind of position that a company that has pledged to protect users' privacy should take. Certainly, it is not an official position that the company advertises to its customers on its website or in its privacy policy. Likewise, nowhere on Verizon's website does the company disclose the $1.8 million it has received per year to provide the FBI with "near real-time access to [two years of stored] United States communications records (including telephone and Internet records)."

Why the silence on data retention matters

The fact that most companies do not compete on, or even publicly disclose, their data retention policies means that the government has the upper hand in any effort to get firms to retain more data, or keep it for longer periods.

Over the last year or two, multiple wireless carriers have extended the retention period for historical cell site location information. Retention periods of six months to one year for cell site data are now common across the industry, a significant increase over the 30 days or less that the data was retained two years ago.

These companies faced no push-back from consumers or privacy groups when they extended these retention periods, because consumers were never told that it happened.

Likewise, between 2007 and 2008, MySpace and Facebook both increased their data retention periods for user login IP session data. In 2006, MySpace logged IP addresses associated with account logins for 90 days. In 2007, the company expanded its logging of this data to 1 year. Facebook logged IP addresses for 30 days in 2007, but by 2008, the company had opted to keep the logs for 90 days.

Bringing this back to the current debate -- because T-Mobile doesn't compete on privacy, and because its customers are often unaware of the benefit they receive from the firm's current IP network design, the firm has no real incentive to resist pressure from the government to retain data. The only real sticking point for the company, I suspect, will be the cost of modifying its network to permit it to uniquely identify and track its users. As such, I fully expect T-Mobile (and any other companies that DOJ leans on) to quietly fold, and establish voluntary data retention policies that are long enough to keep the government happy.

Friday, January 21, 2011

The History of the Do Not Track Header

Last month, both the FTC and Commerce Department published privacy reports that mentioned the possibility of a Do Not Track mechanism. Most people, even those who follow privacy issues, didn't really understand how such a mechanism would work, or where the idea came from. The goal of this lengthy blog post is to try and shed a bit of light on that.

The History of Do Not Track

In 2007, several public interest groups, including the World Privacy Forum, CDT and EFF, asked the FTC to create a Do Not Track list for online advertising. In a very savvy move, these groups named their scheme such that it instantly evoked the massively popular Do Not Call list. That is, even if the average person did not know how the Do Not Track list worked, it would sound like a good idea.

The public interest proposal would have required that online advertisers, not consumers, submit their information to the FTC, which would compile a machine readable list of the domain names used by those companies to place cookies or otherwise track consumers. Browser vendors and third-party software makers could then subscribe to this list, and effectively block many forms of tracking. It sounded like a great idea, but it went nowhere, and as the Google Trends chart below shows, it was largely forgotten by the media until 2010.



What happened to bring Do Not Track back to life? FTC Chairman Jon Leibowitz.

On July 27, 2010, the Senate Commerce Committee held a hearing on the topic of online privacy. In his oral testimony at the hearing, Leibowitz stated that the commission was exploring the idea of proposing a "do-not-track" list (he appears to have gone off the official script, as the phrase "do not track" does not appear in his formal written remarks.)

Once the concept (even in the abstract) of Do Not Track had been brought back to life, journalists covering the story assumed that it was the public interest groups' proposal that was now actively being considered by policymakers. However, over the space of a few months, a completely different mechanism, one which relies on web browsers sending a header, seemed to gain momentum.

This seems to have caught many in industry and the press off guard. No one knows where the idea came from, or how it managed to displace the previous public interest groups' effort. The purpose of this blog post is to try and clear that up.


Opt Out Cookies

For more than a decade, the major online advertisers have offered "opt out" mechanisms, through which consumers could signal to the companies that they did not want to receive advertisements targeted based on their online browsing habits. These opt outs worked via cookies (one specific to each ad network), which a consumer could either obtain by visiting each advertising network's website, or (if the company was a member of the Network Advertising Initiative (NAI)) from the NAI website.

While certainly a step in the right direction when they were first offered, the opt out cookies have numerous flaws, the most important of which is that, as cookies, they are deleted whenever consumers attempt to protect their privacy and erase other tracking cookies. Quite simply, using the built in browser controls, consumers cannot instruct their browser to "keep the opt out cookies, but delete everything else." Consumers thus have to re-obtain these opt out cookies each time they delete their cookies, or, perhaps more likely, privacy conscious consumers gave up on the formal opt outs, and instead relied on frequent cookie deletion as a more reliable means to opt out.

In March 2009, Google released a browser add-on that made Google's own doubleclick.net behavioral advertising opt out cookie permanent. Thus, with the add-on installed, users could freely delete their cookies whenever they wanted without accidentally removing Google's opt out cookie. While this was a great move on Google's part, there were more than 100 other advertising networks, and so even if Google's opt out cookie persisted, these other opt out cookies would be erased whenever a consumer took steps to protect their privacy.

My Targeted Advertising Cookie Opt-Out (TACO) add-on

A few days after Google released their opt out tool I bumped into security researcher Dan Kaminsky at a conference. I'm afraid I don't remember the specifics of our conversation anymore, but generally, we spoke about flaws in the opt out system, Google's new tool, and possible technical alternatives to cookie based opt outs, including a browser header.

Soon after (and likely inspired by) my conversation with Dan, I downloaded Google's tool (which the company had released under an open source license) and modified it to include the opt out cookies for several other behavioral advertising networks. I published my TACO add-on and within days hundreds of people downloaded and installed it.

A few days later, Dan emailed me, and urged me to include a browser header in TACO -- not because it would have any immediate impact (since no ad network would look for it), but because it would be a clear expression of user intent:
The reality is you can be tracked no matter what you do or don't set. However -- humor me: Just add an "X-No-Track: user-opt-out=explicit" header to all HTTP requests, and add window.tracking-opt-out=explicit to every DOM.

Oh, and put a comment in the source above it, calling it the Holy Hand Grenade :)

Trust me :)
At the time, I dismissed Dan's suggestion. I wanted to build a tool that would actually improve user privacy, and since cookies were the only way for consumers to opt out, I thought my time was best spent improving that experience. However, on the TACO home page, I noted that a header mechanism would be a far superior replacement for opt out cookies:
The use of individual opt-out cookies for each advertising company is sub-optimal (in fact, the current situation totally sucks). We shouldn't have to identify and seek out each company that might track us in order to opt out. This tool currently supports 90 different advertising networks, some of which require multiple cookies (for different domain names). As a result, this tool installs 90+ opt-out cookies into the browser (they're all generic, and contain no unique, or identifiable information). Since there are still quite a few networks that the tool does not support, it is quite easy to see that the tool could eventually install 100 or more cookies in a user's browser. This solution simply does not scale.

In an ideal universe, we would be able to set a single cookie in the browser stating our preference to be not tracked, without needing to first identify individual advertising networks. Consider, after all, the approach taken with the hugely successful do not call list. You add yourself to a single list, which all telemarketers are then required to honor.

However, for privacy reasons, cookies cannot be accessed by websites hosted in domains different than those that set the original cookie. That is, if google.com sets a cookie in your browser, microsoft.com won't be able to read it if you visit their site. For 99% of cookies (such as the session cookies used to authenticate your login to Facebook), this is a really good idea. However, for a universal opt-out cookie, this presents significant problems.

As a result, cookies are the wrong technology for a universal opt-out mechanism.

One alternative approach would be to permit the browser to send an opt-out HTTP header, which it could then transmit to every web server to which the user connected. Such a scenario would require that Microsoft, Mozilla, Apple and Google sit down to design such a technical spec. It would also require that the big advertising networks agree to honor such an HTTP header based method for opt-out.

I spent much of the summer of 2009 immersed in the world of online advertising. This included numerous conference calls with attorneys at advertising networks, and evenings spent on the web, locating new advertising networks with opt out cookies I could clone and add to TACO. This led to several updates of my increasingly popular tool, which eventually grew to include more than 100 different opt out cookies.

However, it was never my intention to maintain a browser plugin (even a successful one) -- I am a researcher and an activist, and so my goal in creating TACO was primarily to poke the advertising industry in the eye. As such, within weeks of creating TACO, I reached out to the folks at Mozilla, and begged them to take TACO off my hands by building similar functionality into the Firefox browser.

While several individuals at Mozilla were receptive to the idea of TACO (and had installed it onto their own computers), they weren't so in love with the idea of shipping 100 different opt out cookies with their browser, or having to maintain and update the list for new ad networks. Quite simply, TACO was an inelegant kludge, and didn't scale. In March of 2009, Mozilla's VP of Engineering Mike Shaver emailed me to state his own preference for a header:
Could we not just standardize/promote a header like X-Tracking-Opt-Out, and ask the tracking groups to honour it? Simpler to specify, simpler to update (the null case, in fact), forward-effective as new ad networks add support, and separated from the implications and implementation of cookies.


The Do Not Track Header

The header approach suffered from a serious chicken and egg problem. No ad network was willing to look for, or respect the header (primarily because no one was sending the header). Likewise, because no one was looking for the header, the browser vendors weren't ready to add support for it to their products.

In July of 2009, I decided to try and solve this problem. My friend and research collaborator Sid Stamm helped me to put together a prototype Firefox add-on that added two headers to outgoing HTTP requests:
X-Behavioral-Ad-Opt-Out: 1
X-Do-Not-Track: 1

The reason I opted for two headers was that many advertising firms' opt outs only stop their use of behavioral data to customize advertising. That is, even after you opt out, they continue to track you. There are a handful of firms though that do promise to no longer track you when you opt out. One big problem is that it is very difficult for consumers to figure out which company is doing what -- since they all use the term opt out.

I assumed that any header-based system would be voluntary, and so by using two different headers, I would be able to play nicely with whatever a firm was willing to do. That is, if a firm currently agreed to opt consumers out of all tracking, then the firm could look for the Do Not Track header, but if the firm refused to provide a tracking opt out, they could at least agree to respect a behavioral advertising opt out header.
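To make the two arguments above concrete (opt out cookies are domain-scoped and vanish when cookies are cleared; a header travels with every request, and two headers let each network honor whichever promise it has made), here is an added simulation of my own, not code from the post, from TACO or from the Firefox prototype. The ad network domains, cookie names and cookie values are constructed; the two header names are the ones the prototype sent.

```python
"""Added example: why per-network opt-out cookies fail where a browser header
works, and how a server applies the voluntary two-header scheme."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    """What an ad network has promised to do for an opted-out user."""
    STOP_TRACKING = "stops tracking entirely on opt out"
    STOP_TARGETING_ONLY = "stops targeting ads but keeps tracking"


class Decision(Enum):
    TRACK_AND_TARGET = "tracked, targeted ads"
    TRACK_NO_TARGET = "tracked, generic ads"
    NO_TRACKING = "not tracked"


@dataclass(frozen=True)
class AdNetwork:
    domain: str
    policy: Policy
    opt_out_cookie: str  # this network's own opt-out cookie name (constructed)


class CookieJar:
    """Minimal cookie jar with the same-origin rule the post describes:
    a cookie is only sent back to the domain that set it (or a subdomain)."""

    def __init__(self) -> None:
        self._cookies: dict[str, dict[str, str]] = {}

    def set(self, domain: str, name: str, value: str) -> None:
        self._cookies.setdefault(domain, {})[name] = value

    def for_host(self, host: str) -> dict[str, str]:
        """Cookies the browser would attach to a request to `host`."""
        sent: dict[str, str] = {}
        for domain, cookies in self._cookies.items():
            if host == domain or host.endswith("." + domain):
                sent.update(cookies)
        return sent

    def clear(self) -> None:
        """What a privacy-conscious user does regularly; the opt-out cookies go too."""
        self._cookies.clear()


def build_headers(send_opt_out: bool) -> dict[str, str]:
    """The two headers the 2009 prototype add-on attached to every request."""
    if not send_opt_out:
        return {}
    return {"X-Behavioral-Ad-Opt-Out": "1", "X-Do-Not-Track": "1"}


def evaluate(network: AdNetwork, headers: dict[str, str],
             cookies: dict[str, str]) -> Decision:
    """Server-side decision under a voluntary scheme: a network that promised
    to stop tracking looks for X-Do-Not-Track; one that only promised to stop
    targeting can still honor X-Behavioral-Ad-Opt-Out. The legacy per-network
    cookie is treated as the same request it always was."""
    cookie_opt_out = cookies.get(network.opt_out_cookie) == "OPT_OUT"
    dnt = headers.get("X-Do-Not-Track") == "1"
    no_targeting = headers.get("X-Behavioral-Ad-Opt-Out") == "1"

    if network.policy is Policy.STOP_TRACKING and (dnt or cookie_opt_out):
        return Decision.NO_TRACKING
    if no_targeting or cookie_opt_out:
        return Decision.TRACK_NO_TARGET
    return Decision.TRACK_AND_TARGET


def simulate() -> dict[str, Decision]:
    """Run the scenarios from the post and return each outcome keyed by label."""
    alpha = AdNetwork("ads.alpha-network.test", Policy.STOP_TRACKING, "alpha_optout")
    beta = AdNetwork("beta-ads.test", Policy.STOP_TARGETING_ONLY, "beta_optout")
    jar = CookieJar()
    results: dict[str, Decision] = {}

    # 1. The user fetched only alpha's opt-out cookie; beta never sees it.
    jar.set(alpha.domain, alpha.opt_out_cookie, "OPT_OUT")
    results["cookie: alpha"] = evaluate(alpha, {}, jar.for_host(alpha.domain))
    results["cookie: beta"] = evaluate(beta, {}, jar.for_host(beta.domain))

    # 2. The user clears cookies to protect their privacy; the opt-out is gone.
    jar.clear()
    results["cookie cleared: alpha"] = evaluate(alpha, {}, jar.for_host(alpha.domain))

    # 3. The header goes out with every request and survives cookie deletion.
    hdrs = build_headers(send_opt_out=True)
    results["header: alpha"] = evaluate(alpha, hdrs, jar.for_host(alpha.domain))
    results["header: beta"] = evaluate(beta, hdrs, jar.for_host(beta.domain))
    return results


if __name__ == "__main__":
    for label, decision in simulate().items():
        print(f"{label:24} -> {decision.value}")
```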

In mid July 2009, the Future of Privacy Forum organized a meeting and conference call in which I pitched the header concept to a bunch of industry players, public interest groups, and other interested parties. I was perhaps slightly over-dramatic when I told them that the "day of reckoning was coming", for opt out cookies, and that it was time to embrace a header based mechanism. I told them that I planned to add the headers (enabled by default) to my TACO add-on in a future release, after which, I would be able to argue that hundreds of thousands of consumers were sending this signal that the advertising firms were ignoring.

In the end, none of the advertising firms showed any interest in the header. A couple months later, I started working at the Federal Trade Commission, and ultimately decided against including the header in TACO, as I thought it might rock the boat at my new job.

In mid 2010, when the FTC Chairman breathed life back into the discussion of Do Not Track, the header I had implemented and lobbied for somehow managed to catch the attention of privacy advocates, public interest groups, regulators and even browser vendors. Ultimately, the Behavioral Advertising Opt Out header seems to have been discarded, and instead, focus has shifted to a single header to communicate a user's preference to not be tracked.

The policy of Do Not Track

The technology behind implementing the Do Not Track header is trivially easy - it took Sid Stamm just a few minutes to whip up the first prototype. The far more complex problem relates to the policy questions of what advertising networks do when they receive the header. This is something that is very much still up in the air (particularly since no ad network has agreed to look for or respect the header).

Over the last few months, a number of privacy experts, including Arvind Narayanan and Jonathan Mayer at Stanford, Lee Tien and Peter Eckersley at the Electronic Frontier Foundation, and Harlan Yu at Princeton University have worked to come up with a solid proposal that will help to shape this more complex part of the debate.

If industry (or the FTC, Commerce and Congress) ultimately settle on the header based approach, there will likely be an intense lobbying effort on industry's part to define what firms must do when they receive the header. Specifically, they will seek to retain as much data as possible, even when they receive the header. As such, the devil will be in the details, and unfortunately, these details will likely be lost on many members of Congress and the press.

Wednesday, January 19, 2011

Google: Iranian Internet users deserve communications security -- Americans, not so much

From The Guardian today:
Google Earth, Picasa and Chrome will be available for download in Iran for the first time from today after the technology firm was granted a communications trade licence by the US government.

...

[Scott Rubin, Google's head of public policy and communications for Europe, Middle East and Africa] said Google had decided not to make downloads of Google Talk available in Iran because it may have security implications if dissidents used it to communicate. "We're not confident with the security we could provide to keep those conversations private," he said. "Any government that wants to might be able to get into those conversations, and we wouldn't want to provide a tool with the illusion of privacy if it wasn't completely secure."


I am actually quite pleased to see Google acknowledging (1) that it is often very dangerous to offer insecure tools that users might mistakenly believe are in fact secure, and (2) that government agencies can easily monitor the communications of users using insecure tools.

The problem, of course, is that Google Talk is widely used by Google's millions of customers in the United States, Europe, Asia and the Middle East, all of whom are at risk of government surveillance.

Here in the United States, the Federal government for years abused its surveillance powers to spy on the phone calls and Internet communications of US citizens without ever seeking a court order. The FBI has abused its National Security Letter powers that were expanded under the USA Patriot Act, and for years, the agency even embedded phone company employees at its offices, who repeatedly disclosed user data in response to requests submitted on post it notes.

All this raises the question: Why is Google more concerned about the privacy of Iranian users than those millions of Google users in the United States?

Google is a US company, is subject to US law, and must disclose communications to the government when law enforcement and intelligence agencies follow the appropriate legal process. As such, no one expects Google to refuse to comply with the law (especially since, as Eric Schmidt has acknowledged, the government has guns, and Google doesn't).

What would be nice though, would be if Google was equally as committed to not giving its US customers the illusion of security and privacy, when, as the firm has acknowledged here, its Google Talk product is simply not capable of delivering anything approaching reasonable security.

Wednesday, January 12, 2011

Microsoft: Competing on privacy?

Last week, Dean Hachamovitch, the Corporate VP at Microsoft in charge of Internet Explorer was interviewed on stage at the Consumer Electronics Show (CES) in Vegas. He was there to discuss the next version of the company's browser, and spent most of his time talking about his firm's commitment to privacy. Clearly not a fan of subtlety, Hachamovitch wore a t-shirt with the word "private" printed on it in large letters (the IE logo took the place of the letter e).



A few years ago, advertising executives within Microsoft pulled rank and forced the IE team to sabotage an otherwise pretty cool anti-tracking feature in IE8. After the company was rightfully savaged by the Wall Street Journal earlier this summer when it exposed the tale, Microsoft has now decided to offer a far more effective anti-tracking tool in IE9.

As I explained at length in a blog post last month, Microsoft has decided to try to compete on privacy, likely because it is an area in which one of its main competitors (Google) is rather weak. During his interview at CES, Hachamovitch himself was quite happy to take potshots at Google, and at the fact that the firm's advertising business is dependent upon facilitating, not stopping, the tracking of users.
Q: A cynical journalist might suggest that you’re embracing privacy and wearing a shirt because Firefox et al are eating your lunch.

A: Paying Windows customers want a great experience that includes privacy, including through their browser. But another way to view people who use browsers is that they’re objects to be boxed and sold. We don’t believe that. We believe Windows customers should have a great experience with their browser.

Q: As opposed to?

A: Well, Chrome, for instance, is funded by advertising.

While I of course believe that Microsoft's newfound religion on privacy is motivated by a desire to compete against Google, I see no reason to think that its commitment to "privacy" is anything but genuine. The problem lies with Microsoft's definition of privacy.

When Microsoft talks about the ways that it is innovating and shipping technologies designed to protect its users' privacy, it is talking about online tracking, not law enforcement and intelligence agencies that regularly request and obtain private user data. However, as proven by the NSA warrantless wiretapping scandal, and the FBI's repeated abuse of its own surveillance powers, the threat to user privacy from the government is very real. Likewise, as Twitter demonstrated through its bold actions in fighting to have a court order for WikiLeaks related data unsealed last week, companies can play a vital role, if they choose to do so, in protecting users.

The problem is that Microsoft, like so many firms, has a very narrow definition of privacy. To quote from my latest law journal article:
With few exceptions, the companies to whom millions of consumers entrust their private communications are committed to assist in the collection and disclosure of that data to law enforcement and intelligence agencies – all while simultaneously promising to protect their customers’ privacy.

When these firms speak about their commitment to protecting their customers’ privacy, what they really mean is that they will protect their customers’ data from improper access or use by commercial entities. The fact that these firms have a limited definition of privacy is not made clear to consumers, who may mistakenly believe that the companies to whom they entrust their data are committed to protecting their privacy from all threats, and not just those from the private sector.

It would be bad enough if Microsoft were just ignoring privacy threats from the government, but as I will now explain, the company has repeatedly gone out of its way to assist law enforcement and intelligence agencies in their effort to investigate users. It has put the interests of the government over the privacy of its regular customers.

How Microsoft sacrifices user privacy in order to assist the government

When asked in 2007 by the New York Times if the company was considering a policy to log no search data at all, Peter Cullen, Microsoft’s chief privacy strategist argued that too much privacy was actually dangerous. "Anonymized search," he said, "can become a haven for child predators. We want to make sure users have control and choices, but at the same time, we want to provide a security balance."

Similarly, the company proactively appends the IP address of each Hotmail user's personal computer to the headers of every outbound email. This is not required by any technical standard, and is a purely voluntary act on Microsoft's part. As far as I am aware, Microsoft and Yahoo are the only two major email providers that do this, and the end result is that law enforcement agencies can determine the IP address of the user who sent any Hotmail-originated email and thus go directly to the user's ISP to determine their identity, without having to go to the trouble of contacting Microsoft first.

Microsoft has also developed computer forensics software which it freely distributes to government agencies, allowing them to easily extract private data from seized Windows computers. As the company states on the webpage for the COFEE forensics tool, "If it's vital to government, it's mission critical to Microsoft."

Finally, the most frustrating thing for me personally, is Microsoft's position on disk encryption. Microsoft considers BitLocker disk encryption a "premium" feature, and restricts it to only those consumers who buy the Ultimate version of Windows 7. For consumers using the copy of Windows 7 Home Premium that came with the new PC they bought at Staples, the cost of the Ultimate upgrade is $139.95.

In contrast, Google has opted to ship disk encryption enabled by default on its new Chrome OS platform, and both Apple and Ubuntu Linux include encryption with their systems by default (to be enabled with a single checkbox during or after installation).

The end result of Microsoft's decision is that few regular consumers use BitLocker, and instead, those who do wish to use some form of disk encryption generally seek out third party software, like TrueCrypt.

I would be extremely surprised if Microsoft has extracted much additional profit through this decision. So much so that I suspect that money is not the reason for doing this. Instead, I suspect (and have heard rumors from insiders at Microsoft suggesting so) that it is an intentional move designed to limit the widespread adoption of encryption by regular users.

The man who either made this product decision, or played a significant role in influencing it is Scott Charney, Microsoft's Corporate VP in charge of Trustworthy Computing. Before coming to Microsoft, Charney was a prosecutor in the Department of Justice and served as Chief of the Computer Crime and Intellectual Property Section (CCIPS).

Easy to enable (or worse, deployed by default) disk encryption would seriously frustrate the investigative abilities of the law enforcement community, including many of his former colleagues.

What this means

Based on its current actions, it is clear that Microsoft is not interested in protecting its users from government intrusions into their privacy. Yes, the company has played a significant role in the Digital Due Process coalition, and executives have testified multiple times before Congress in the last year supporting the reform of the Electronic Communications Privacy Act (these actions on Microsoft's part are not entirely altruistic. Updating electronic privacy law would give consumers and businesses more of a reason to entrust their private data to Microsoft's cloud services). However, such reforms (while an improvement) will only require that a judge approve the disclosure of data held in the cloud. If a judge says OK, the data will still be handed over.

As a software and technology company, Microsoft is in a fantastic position to actually offer solid protection to end users and embrace privacy by design. It can make use of limited (or zero) data retention periods, use encryption wherever possible, by default, to make sure that seized data is useless to anyone but its owner, and instead of building forensics software to extract data from Windows computers, the company should be hardening Windows so that all forensics software tools are unable to extract anything of value.

The problem for Microsoft (and so many other large companies) is that pissing off national and state governments isn't good for business, particularly when they are some of your largest customers. Furthermore, for a firm that is so actively engaged in Washington DC, any moves that seriously frustrate law enforcement interests would likely consume political capital that could otherwise be used lobbying for things that will actually improve the company's profits.

As such, I don't seriously expect Microsoft to fully embrace privacy, or to deploy any technology that will seriously frustrate law enforcement agencies. I'm not going to waste my time trying to argue that the company should do this. What I will argue though, is that the company should not be permitted to loudly advertise its commitment to privacy, when it is clearly not the case. The company's claims, quite simply, are false and deceptive. At the very least, the company should have to clarify its definition of privacy, and acknowledge, prominently, that it has opted to not protect users from government threats.

This is where the FTC (or other countries' consumer protection agencies) can and should play a role, if they wished. While companies have no obligation to protect their customers from government surveillance, they are at least obligated to make truthful statements when describing their products, particularly when the firms proudly advertise privacy as a major feature.

Tuesday, December 21, 2010

Thoughts on Mozilla and Privacy

Mozilla has followed Microsoft's lead, and committed to embracing some form of a do not track mechanism in the Firefox browser as soon as early 2011. While this is of course great news, the browser vendor still has a long way to go, particularly if it wants to be able to compete on privacy.

Do Not Track

At a presentation earlier this week, Mozilla's new CEO announced that the Firefox browser would soon include enhanced privacy features, stating that "technology that supports something like a Do Not Track button is needed and we will deliver in the first part of next year." This is great news for users of Firefox, and I look forward to seeing Mozilla taking an active role in the Do Not Track debate as it continues to evolve in Washington, DC.

Of course, Mozilla is not the only browser vendor to make a major privacy announcement in the last month -- just a few weeks ago, Microsoft revealed that the forthcoming beta of IE9 would include support for an ad tracking blacklist. In order to fully analyze Mozilla's announcement, and the organization's reasons for doing so, one must consider it in light of Microsoft's recent announcement, as well as the recent press coverage that both companies have received over their internal deliberations regarding privacy features.

Should Mozilla compete on privacy?

Years ago, when there were just two major browsers, Mozilla had a clear identity. Firefox was the faster, more stable, more secure, standards-compliant browser, with a large number of rich 3rd-party add-ons, including AdBlock Plus. Compared to the sluggish, buggy, popup-ad plagued Internet Explorer browser that is pre-installed on each new Windows PC, the decision to install Firefox was a no-brainer. Those consumers still using IE weren't doing so by choice, for the most part, but were using it because they didn't know there were other options -- hell, as this video demonstrates, they likely didn't even know what a browser is.

Fast forward to 2010, and the browser market has significantly changed.

Apple's 7-year-old Safari browser totally dominates the company's iOS platform (primarily due to the company's terms of service, which long banned competing browsers), comes pre-installed on all Macintosh computers, and has even made its way on to quite a few Windows computers by sneakily leveraging the iTunes software security update process.

Even more interesting has been the rise of Google's two-year-old Chrome browser. It matches Mozilla on standards compliance, supports its own 3rd party extension ecosystem (including AdBlock software), and more importantly, it handily beats the currently shipping version of Firefox on both speed and stability. This has led to a significant number of tech-savvy users ditching Firefox for Chrome.

The reason I mention this isn't to take a position on which browser is faster or more stable -- merely that Mozilla is now under increasing competitive pressure from Google and Apple, competition that simply didn't exist when IE was the only other game in town.

More than ever, Mozilla needs to be able to differentiate its product, and compete on features that it can win on -- beating Google on speed may be possible, but it'll be tough. Beating Google on privacy should be easy though...

Competing on privacy means more transparency

[Warning, browser vendor insider baseball below]

A few weeks ago, the Wall Street Journal revealed that Mozilla had "killed a powerful new tool to limit tracking under pressure from an ad-industry executive." The feature would have made all 3rd party tracking cookies "session cookies" by default (and thus cause them to be deleted after users shut down their browser).
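To make the mechanics of that patch concrete, here is an added example (my own toy model, not Mozilla's code) that demotes any cookie set by a registrable domain other than the page's to a session cookie, then simulates a browser shutdown. The tiny `PUBLIC_SUFFIXES` table is an assumption standing in for the real Public Suffix List, and the hosts and cookies are constructed for the demonstration:

```python
"""Toy model of the reverted Firefox patch: third-party cookies become
session cookies and are discarded when the browser exits.

Added example, not Mozilla's code. PUBLIC_SUFFIXES is a stand-in for
the Public Suffix List that real browsers consult.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Assumption: a handful of suffixes in place of the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. "www.example.com" -> "example.com"."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" is recognised before "uk" for "ads.tracker.co.uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str             # host that set the cookie
    expires: Optional[int]  # Unix time; None marks a session cookie


class CookieJar:
    def __init__(self, demote_third_party: bool) -> None:
        self.demote_third_party = demote_third_party
        self.cookies: List[Cookie] = []

    def is_third_party(self, cookie_host: str, top_level_host: str) -> bool:
        """Third party means a different registrable domain than the page."""
        return registrable_domain(cookie_host) != registrable_domain(top_level_host)

    def set_cookie(self, cookie: Cookie, top_level_host: str) -> Cookie:
        """Store a cookie set while top_level_host was in the address bar."""
        if self.demote_third_party and self.is_third_party(cookie.domain, top_level_host):
            # The patch's behaviour: strip the expiry so it lasts one session only.
            cookie = replace(cookie, expires=None)
        self.cookies.append(cookie)
        return cookie

    def browser_shutdown(self) -> List[Cookie]:
        """Session cookies are dropped when the browser exits."""
        self.cookies = [c for c in self.cookies if c.expires is not None]
        return self.cookies


def surviving_cookie_names(demote_third_party: bool) -> List[str]:
    """Constructed scenario: a first-party login cookie, a third-party tracking
    cookie and a tracker served from a first-party subdomain, all with a long
    expiry; then the browser is closed."""
    jar = CookieJar(demote_third_party)
    far_future = 1_900_000_000
    jar.set_cookie(Cookie("sid", "login", "www.example.com", far_future), "www.example.com")
    jar.set_cookie(Cookie("uid", "track", "ads.tracker.co.uk", far_future), "www.example.com")
    # A tracker reached through a first-party subdomain (e.g. a CNAME alias)
    # passes the registrable-domain test and is not demoted.
    jar.set_cookie(Cookie("cname_uid", "track", "metrics.example.com", far_future), "www.example.com")
    jar.browser_shutdown()
    return sorted(c.name for c in jar.cookies)


if __name__ == "__main__":
    print("patch applied: ", surviving_cookie_names(True))   # ['cname_uid', 'sid']
    print("patch reverted:", surviving_cookie_names(False))  # ['cname_uid', 'sid', 'uid']
```

The `cname_uid` case is the loophole the engineers' "worse experiences" concern points at: a tracker that arranges to be served from the site's own registrable domain is indistinguishable from the site to a check like this one, so demotion alone pushes tracking toward first-party-looking setups rather than eliminating it.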

[Full disclosure: I chat regularly with the WSJ journalists covering the web privacy beat, I provided them with background information on this story, and tipped them off to the communication between Simeon Simeonov and Mozilla.]

After post-publication complaints from Mozilla, the Journal added a correction note to the bottom of the article, stating:
Mozilla Corp. said it removed a privacy feature from a development version of its Firefox Web browsing software on June 8 because of concerns inside the company that the feature would spur more surreptitious forms of tracking and hamper the performance of companies that provide Web statistics and host content for other companies. The removal occurred before a conversation between advertising industry executive Simeon Simeonov and Jay Sullivan, Mozilla's vice president of products, which took place on June 9. A Nov. 30 Marketplace article about the removal incorrectly said that the feature was removed on June 10 in response to the concerns raised by Mr. Simeonov during his conversation with Mr. Sullivan.

Even after the correction, the article was not well received by members of the Mozilla Corporation. Asa Dotzler, Mozilla's Director of Community Development, described the Journal article as "bullshit" and "a complete fabrication designed to smear Mozilla and generate controversy and pageviews."

According to Dotzler:

The real timeline was this: Mozilla engineers prototyped the feature and put it into testing. Mozilla engineers discussed what kind of impact it might have on the Web and concluded that not only would it not be very effective and have some undesirable side effects, but that it would drive advertisers to build worse experiences where users had even less privacy and control. So Mozilla scrapped the feature and started work on designing a better feature. Later, some advertising reps met with Mozilla to let Mozilla know what they were up to on the privacy front and to talk with Mozilla about what it was up to.

I have had a few back and forth emails with Asa over the last few days, and have been frustrated by the experience. In any case, I disagree with him, and I actually believe that the WSJ's original timeline is pretty solid.

My understanding is that the timeline is something like this:

May 12, 2010: Mozilla developer Dan Witte files a bug in the Mozilla bug database, proposing a change to the 3rd party cookie handling code.

May 19: Dan creates patch to implement proposed change, uploads patch to bug tracking system for discussion/review.

May 24: Code review and approved by Mozilla developer Shawn Wilsher.

May 28: Dan's patch is merged into Firefox developer tree.

June 3: Word of patch reaches Jules Polonetsky of the Future of Privacy Forum, who blogs and tweets it.

June 4: Simeon Simeonov emails Mozilla CEO John Lilly, after seeing Jules' blog post.

(How do I know Simeon contacted John? Because Simeon called me up at 1:45PM EST on June 4 to tell me he had done so, after which, we spent 20 minutes debating the impact it would have on the ad industry and user privacy).

June 4, 7PM PST: Mozilla VP of Engineering Mike Shaver posts note to bug report, noting that it is a pretty major change, one that he was not aware of, and that there should be "a fair bit of discussion" about it.

June 8: Patch reverted.

While the WSJ's correction notes that the patch was reverted by Mozilla before Simeon Simeonov and Jay Sullivan, Mozilla's vice president of products, spoke on June 9, the story also mentions an earlier communication that took place between Mozilla's CEO and Simeon -- an email communication which no one at Mozilla has directly denied. This occurred several days before the patch was reverted, and 10 hours before Mozilla VP of Engineering Mike Shaver first commented on the patch.

Let me be clear - I do not believe that Mozilla buckled under pressure from the advertising industry. What I do believe, however, is that Mozilla's senior management had no idea about the existence of this patch, that it had been merged into the Mozilla developer tree several days before, or the major impact it would have on the Internet advertising industry until Mozilla's CEO was contacted by an advertising industry executive.

Once Mozilla's CEO received the email, he likely forwarded it to several people within Mozilla, and I suspect there were dozens of emails sent back and forth between management and the engineers about the patch and its impact on the Internet. As outsiders, we (Mozilla's users) are not privy to those conversations -- instead, we simply see Mike Shaver's comment about there needing to be more discussion about the issue, and then a few days later, a brief note is posted to the bug to say that the patch was reverted.

Yesterday, Mitchell Baker, the Chair of the Mozilla Foundation posted a note to her own blog, taking issue with the Journal article. In her response, Baker claimed that the WSJ story was "not accurate in any shape or form", adding that "decision-making at Mozilla is based on the criteria in the Mozilla Manifesto".

One of the principles in the Mozilla Manifesto is that "Transparent community-based processes promote participation, accountability, and trust."

Again, let me be clear - I think there are legitimate reasons for the decision to revert the 3rd party cookie handling patch, and that Mozilla's entire approach to cookies should be rewritten to better protect user privacy. However, I think it is pretty difficult for Mozilla's executives to argue that the decision to revert the patch was done according to the criteria in the Mozilla Manifesto. Simply put, a large part of the discussion happened behind closed doors, in email messages between Mozilla employees, none of which have been made public. There was very little transparency in the process.

There is a pretty significant missing part of the puzzle here, and I think that Mozilla has a responsibility to shine a bit more light on the internal discussions surrounding this patch.

Conclusion

I am a proud and happy Firefox user. I am on good terms with several Mozilla employees, and I have even developed a successful Firefox add-on, which was downloaded more than 700,000 times before I sold it earlier this year. The computer I am typing this blog post on was paid for with the profits from that sale. I want Mozilla to continue to enjoy great success.

I have watched over the last year or two as Google has eaten away at Mozilla's speed and performance advantage, and so I desperately want Mozilla to find an area in which it can out compete Google. I really do believe that privacy is that area.

However, for Mozilla to win on privacy, it needs to put users first, 100% of the time, and it needs to be very open about it. As an organization that receives the vast majority of its funding from an advertising company (Google), Mozilla needs to hold itself to the highest standard of ethics and permit its users to know the reasoning behind design decisions, particularly those that will impact Google and the other advertising networks.

Saturday, November 06, 2010

DOJ: Consumers read and understand privacy policies

The Department of Justice has a problem. One by one, judges across the country have been chipping away at DOJ's flimsy legal theories upon which it has for years compelled phone companies to disclose individuals' historical and real-time geo-location information without a warrant.

DOJ's legal theory relies upon the third party doctrine. Essentially, what this means is that companies can be compelled, without a search warrant, to disclose any information that their customers have willingly given them.

One of the most important Supreme Court cases which shaped this rule, Smith v. Maryland, focused on the legal process through which law enforcement agencies can obtain the phone numbers dialed by a suspect:
[W]e doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must 'convey' phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed.

. . .

[W]hen he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and "exposed" that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed.

Since that 1979 case, the government has stretched the third party doctrine, from dialed phone numbers to essentially all non-content information transmitted by a telephone, including cell site records revealing where an individual has been.

Unfortunately for the government, the Third Circuit Court of Appeals recently eviscerated the government's legal theory, finding that there is a big difference between dialed phone numbers, and triangulated geo-location information:
A cell phone customer has not "voluntarily" shared his location information with a cellular provider in any meaningful way. As the EFF notes, it is unlikely that cell phone customers are aware that their cell phone providers collect and store historical location information. Therefore, "[w]hen a cell phone user makes a call, the only information that is voluntarily and knowingly conveyed to the phone company is the number that is dialed and there is no indication to the user that call will also locate the caller; when a cell phone user receives a call, he hasn't voluntarily exposed anything at all."

After the Third Circuit decision, magistrate judges took note, asking the Department of Justice to explain why cellular location information should still be disclosed under the third party doctrine, rather than requiring a search warrant based upon a showing of probable cause.

On October 25, the Department of Justice responded in a brief (pdf) filed with a federal magistrate judge in Houston:
Cell phone users also understand that the provider will know the location of its own cell tower, and that the provider will thus have some knowledge of the user’s location. Indeed, providers’ terms of service and privacy policies make clear that the providers obtain this information.

. . .

Use of a cell phone is entirely voluntary, and a user will know from his experience with his cell phone and from a provider’s privacy policy/terms of service that he will communicate with a provider’s cell tower and that this communication will convey information to the provider about his location.

A footnote below the first sentence includes some text from T-Mobile's privacy policy, after which, DOJ argues that the privacy policy makes it clear that users understand their location information is communicated to T-Mobile:
The first of these paragraphs demonstrates that a cell phone customer will be aware that T-Mobile obtains information regarding the customer’s location. The second paragraph demonstrates that a customer will be aware that T-Mobile collects this information. The third paragraph demonstrates that the customer will be aware that this information becomes a T-Mobile business record.

Consumers read privacy policies, because we say so

DOJ's argument is essentially this:

  1. Phone companies disclose in their privacy policies that they have access to subscribers' location information (with citation to privacy policies).
  2. (. . .)
  3. Therefore, consumers reasonably understand that their location information is transmitted to the phone company whenever their phone is on, and thus historical location information shouldn't be protected by the Fourth Amendment.

What is missing, of course, is a direct claim that consumers read privacy policies. The government can't actually state this claim, because it is frankly laughable. Instead, it argues that:
"[A] user will know from his experience with his cell phone and from a provider’s privacy policy/terms of service"

The implied claim is that consumers read privacy policies. How else would a user know what is in the provider's privacy policy and terms of service unless he or she read the thing? Thus, the government's legal theory still depends upon the idea that consumers, or at least most consumers, read and understand privacy policies.

The FTC and Supreme Court discuss privacy policies

The Department of Justice isn't the only part of the US government to have made official statements regarding privacy policies, and the extent to which consumers read them. The Federal Trade Commission is tasked with protecting consumers' privacy online, and officials there frequently speak about this topic.

In introductory remarks at a privacy roundtable in December 2009, Federal Trade Commission Chairman Leibowitz told those assembled in the room that:
We all agree that consumers don’t read privacy policies – or EULAs, for that matter.

Similarly, in a August 2009 interview, David Vladeck, the head of the FTC's Bureau of Consumer Protection told the New York Times that:
Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act.

Echoing both of these statements, in an official filing earlier this year with the Commerce Department, the FTC wrote that:
The current privacy framework in the United States is based on companies' privacy practices and consumers' choices regarding how their information is used. In reality, we have learned that many consumers do not read, let alone understand such notices, limiting their ability to make informed choices.

Even the Chief Justice of the US Supreme Court has weighed in on the issue, albeit only in a speech before students in Buffalo, NY just a few weeks ago. Answering a student question, Roberts admitted he doesn't usually read the terms of service or privacy policies, according to the Associated Press:
It has "the smallest type you can imagine and you unfold it like a map," he said. "It is a problem," he added, "because the legal system obviously is to blame for that." Providing too much information defeats the purpose of disclosure, since no one reads it, he said. "What the answer is," he said, "I don’t know."

Academic research on privacy policies

Academic research seems to uniformly support the FTC's arguments.

Among 222 study participants of the 2007 Golden Bear Omnibus Survey, the Samuelson Clinic found that only 1.4% reported reading EULAs often and thoroughly, 66.2% admit to rarely reading or browsing the contents of EULAs, and 7.7% indicated that they have not noticed these agreements in the past or have never read them.

Similarly, a survey of more than 2000 people by Harris Interactive in 2001 found that more than 60 percent of consumers said they had either "spent little or no time looking at websites' privacy policies" or "glanced through websites' privacy policies, but . . . rarely read them in depth." Of those individuals surveyed, only 3 percent said that "most of the time, I carefully read the privacy policies of the websites I visit."

American consumers are not alone. In 2009, the UK Information Commissioner's Office conducted a survey of more than 2000 people, and found that 71% did not read or understand privacy policies.

While the vast majority of consumers don't read privacy policies, some do seem to notice the presence of a privacy policy on a company's website. Unfortunately, most Americans incorrectly believe that the phrase privacy policy signifies that their information will be kept private. A 2003 survey by Annenberg found that 57% of 1,200 adults who were using the internet at home agreed or agreed strongly with the statement "When a web site has a privacy policy, I know that the site will not share my information with other websites or companies." In the 2005 survey, questioners asked 1,200 people whether that same statement is true or false. 59% answered it is true.

Even if consumers were interested in reading privacy policies -- doing so would likely consume a significant amount of their time. A research team at Carnegie Mellon University calculated the time to read the privacy policies of the sites used by the average consumer, and determined that:
[R]eading privacy policies carry costs in time of approximately 201 hours a year, worth about $2,949 annually per American Internet user. Nationally, if Americans were to read online privacy policies word–for–word, we estimate the value of time lost as about $652 billion annually.

Finally, even if consumers took the time to try and read privacy policies, it is quite likely that many would not be capable of understanding them. In 2004, a team of researchers analyzed the content of 64 popular websites' privacy policies, and calculated the reading comprehension skills that a reader would need to understand them. Their research revealed that:
Of the 64 policies examined, only four (6%) were accessible to the 28.3% of the Internet population with less than or equal to a high school education. Thirty-five policies (54%) were beyond the grasp of 56.6% of the Internet population, requiring the equivalent of more than fourteen years of education. Eight policies (13%) were beyond the grasp of 85.4% of the Internet population, requiring the equivalent of a postgraduate education. Overall, a large segment of the population can only reasonably be expected to understand a small fragment of the policies posted.
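To show how a "years of education" figure like the ones above is derived, here is an added example (my own code, not the 2004 study's) that scores two constructed policy sentences with the Flesch-Kincaid grade level formula. Using that particular formula is an assumption, since the page does not say which readability metric the researchers applied, and the education bands at the end are my own rough mapping onto the cut-offs quoted above:

```python
"""Estimate the years of schooling a privacy policy demands.

Added example, not the 2004 study's code. Assumptions: the Flesch-Kincaid
grade level formula stands in for whatever metric the study used, and
syllables are counted with a vowel-group heuristic.
"""
import re


def count_syllables(word: str) -> int:
    """Rough English syllable count: vowel groups, minus a silent final 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1          # "share" -> 1, but "possible" keeps its "-le"
    return max(groups, 1)


def sentences(text: str) -> list:
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def words(text: str) -> list:
    return re.findall(r"[A-Za-z']+", text)


def flesch_kincaid_grade(text: str) -> float:
    """0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59"""
    s, w = sentences(text), words(text)
    if not s or not w:
        return 0.0
    syllables = sum(count_syllables(x) for x in w)
    return 0.39 * (len(w) / len(s)) + 11.8 * (syllables / len(w)) - 15.59


def education_band(grade: float) -> str:
    """My mapping (an assumption) onto the thresholds quoted from the study."""
    if grade <= 12:
        return "high school or less"
    if grade <= 14:
        return "some college"
    if grade <= 16:
        return "more than fourteen years"
    return "postgraduate"


# Constructed sample policies, not taken from any real provider.
PLAIN_POLICY = "We collect your location. We may share it with the police."
LEGALESE_POLICY = (
    "Notwithstanding the foregoing, the Company may disclose subscriber "
    "location information to governmental authorities pursuant to applicable "
    "legal process or when the Company determines in its sole discretion "
    "that disclosure is reasonably necessary."
)


def compare_policies() -> dict:
    """Grade both samples; the same disclosure, two very different audiences."""
    return {
        name: (round(flesch_kincaid_grade(text), 1), education_band(flesch_kincaid_grade(text)))
        for name, text in (("plain", PLAIN_POLICY), ("legalese", LEGALESE_POLICY))
    }


if __name__ == "__main__":
    for name, (grade, band) in compare_policies().items():
        print(f"{name:9s} grade {grade:5.1f}  ({band})")
```

Both samples disclose the same thing, that location data may go to the government, but only the second is written the way real policies tend to be, and it lands in the postgraduate band, which is the point the study's numbers make about the policies people are presumed to have read.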

Conclusion

As the academic research I have summarized here, and multiple statements by FTC officials, make clear, consumers do not read privacy policies. As such, it is shocking that the Department of Justice would, in representing the official position of the United States Government, argue otherwise before a court.

I hope that responsible persons inside DOJ will take note of this blog post, contact the court, and retract their claim. I also hope that the new White House Interagency Subcommittee on Privacy & Internet Policy will take note of this issue, and make sure that this sort of claim doesn't find its way into any future DOJ legal briefs.