A small step toward safeguarding Facebook privacy

Originally published in the Baltimore Sun on April 20, 2013.

Millions of people put their lives on Facebook, but thanks to the site’s convoluted and ever-changing privacy policies, they often have little idea who else can see the information they provide or what the company itself is doing with all the personal data it collects. For that reason, Attorney General Douglas F. Gansler’s effort as president of the National Association of Attorneys General to partner with Facebook on a public information campaign is welcome — so long as it doesn’t give the public the impression that the problem of Facebook privacy has been solved.

On Facebook, people publish information about what they like, where they live, where they work, what their relationships are and how to contact them. People also frequently exchange personal and private messages.

Online predators, thieves and frauds have a keen interest in collecting as much personal data as they can to harm, rob or impersonate individuals. Employers and admissions officers actively seek out information that many applicants likely never thought would be public. And Facebook itself makes money from the use of the personal data it collects in ways that users may not realize or appreciate.

The threats to privacy in the digital age have clearly outpaced the government’s regulatory framework. The dominant legislation that governs Internet privacy, the Electronic Communications Privacy Act, was written in 1986, before social-networking sites like Facebook were even conceived. The ECPA says that the Fourth Amendment, which guards against unreasonable searches and seizures, applies to digital files — but only if they are not given to a third party server. Given that Facebook is a third party server with some of our most private information, the law is of little use. For the time being, safeguarding privacy is up to individual users.

The educational campaign Mr. Gansler helped arrange will consist of tips and resources to help clarify some commonly misunderstood privacy questions. The information will be available both on the websites of attorney general across the country and, more importantly, on Facebook itself. Tips include things like, “Think before you tag and check what you are tagged in,” and “Check your audience before you post.”

Soon, public service announcements, starring various attorneys general and Facebook CEO Sheryl Sandberg, will also appear on users’ news feeds, in the way that sponsored advertisements often do. That’s important because the information will be more likely to be seen by those who need it most.

It’s a nice idea, but we can’t help but observe that this is also a pretty sweet arrangement for Mr. Gansler, a man with plans to run for governor next year, and for the attorneys general in 49 other states, many of whom likely have similar ambitions. It’s unclear what their presence adds to the effort.

Indeed, the arrangement poses a greater risk than the possibility that Mr. Gansler will get a little free publicity. The use of his image — or that of one of his colleagues from another state — may suggest to the public that the government is giving its sanction to Facebook’s privacy policies or even playing some role in regulating them. If so, a campaign to get people to be more careful in their online activities might have the opposite effect.

After all, the greatest perpetrator of privacy confusion is often Facebook itself; the company’s practice of manipulating privacy settings, even after users have taken the time to set them, can become a confounding puzzle and headache. Facebook’s “targeted advertisements” are very often a result of information users hadn’t realized they released.

Mr. Gansler says he raised the issue of Facebook’s frequent privacy policy changes, but the site has made no commitment to mend its ways. The partnership, it seems, only goes so far. If this is a step in the right direction, it is a small one that serves to underscore the need for a much broader conversation about these issues.

The threat to Internet privacy

Originally published in the Baltimore Sun on January 31, 2013.

This week, the United States, Canada, and the 27 countries in the European Union “celebrated” Internet Privacy Day. However, it seems there is little to really celebrate; the past few years have given rise to the largest increase in electronic wiretapping our nation has seen. To be sure, access to information is important for fighting crime and terrorism. However, because the major laws that govern Internet privacy were written in 1986, they fail to protect the modern-day security needs of American citizens. And despite Barack Obama’s campaign promises in 2008 to repeal policies that violate civil liberties, his administration is now not only supporting them but also quickly expanding their presence within the digital world.

The 1986 Electronic Communications Privacy Act (EPCA) was enacted before social networking sites were invented, and before the everyday use of email, Internet and cellphones. Thus, there are many unsettling constitutional quandaries that Congress simply could not have anticipated 27 years ago. For example, the bill says that the Fourth Amendment, which guards against unreasonable searches and seizures, applies to digital files — but only if they are not given to a third party. Yet third-party entities such as Google, Facebook and Dropbox hold some of our most private communications on their servers. The structure of the law as it is written gives more privacy protection to a yellow memo pad on your nightstand than emails on your Yahoo account.

In September, 2012 the ACLU released a report that stated the number of authorizations the Justice Department received to use “pen register” and “trap and trace” techniques on individuals’ email and network data increased 361 percent between 2009 and 2011. A “pen register” intercepts outgoing data from a phone or email account, while “trap and trace” intercepts incoming data. The ACLU also reports that the Justice Department used these measures to spy on phones 23,535 times in 2009 and 37,616 times in 2011, an increase of 60 percent.

Additionally, Google just released a report stating its company saw requests for information from the federal government increase by 70 percent over the past three years. In more than two-thirds of those cases, Google complied and released some amount of personal data. Sixty-eight percent of the requests Google received were through subpoenas, which typically do not require a judge’s approval. According to Google’s public statements, “Government agencies make requests … seeking information about Google users’ accounts or products. In [our] report, we are generally revealing statistics about demands in criminal investigations.”

To be sure, not all information requests are controversial, since these numbers reflect not only requests for “content” emails but also for basic subscriber information, which is not protected under the Fourth Amendment to begin with. Yet, while big companies like Google, Yahoo and Microsoft demand warrants for content requests, it is likely that smaller companies with less money for legal battles do not.

Google is not the only company facing a surge of government information requests. Verizon told Congress in 2007 that it received at least 90,000 such requests each year. And Facebook told Newsweek in 2009 that orders were arriving at the company at a rate of 10 to 20 a day. The number of requests and subpoenas has surely increased since then, but ultimately there exists no clear public mechanism to monitor exactly what information the government requests and receives from Internet companies. This is problematic.

The Obama administration has been too quiet on matters regarding digital security, and in situations where officials have spoken out, they’ve advocated for a greater ability to collect information, rather than less. In December, the administration reauthorized an extension of the Foreign Intelligence Surveillance Act, which allows the government to monitor overseas phone calls and emails without obtaining a court order for each intercept. While the law excludes Americans, there remains a lot of troubling obscurity as to the nature and execution of these powers. Additionally, the FBI has said that revising surveillance laws to make it easier to wiretap people who communicate online rather than by telephone is a top and urgent priority.

The FBI contends it is not seeking new, invasive powers but rather looking to keep its existing powers relevant in the modern age. However, the Obama administration, Congress and even the FBI have to work vigorously to protect the civil liberties and privacy of American citizens. As Internet Freedom Day (Jan. 18) and now Internet Privacy Day (Jan. 28) come and go, it is imperative that we actively seek to establish a clear and constitutional legal framework for the digital era.

The Threat To Internet Privacy

This editorial appeared in the Baltimore Sun on January 31, 2013.

This week, the United States, Canada, and the 27 countries in the European Union “celebrated” Internet Privacy Day. However, it seems there is little to really celebrate; the past few years have given rise to the largest increase in electronic wiretapping our nation has seen. To be sure, access to information is important for fighting crime and terrorism. However, because the major laws that govern Internet privacy were written in 1986, they fail to protect the modern-day security needs of American citizens. And despite Barack Obama’s campaign promises in 2008 to repeal policies that violate civil liberties, his administration is now not only supporting them but also quickly expanding their presence within the digital world.

The 1986 Electronic Communications Privacy Act (EPCA) was enacted before social networking sites were invented, and before the everyday use of email, Internet and cellphones. Thus, there are many unsettling constitutional quandaries that Congress simply could not have anticipated 27 years ago. For example, the bill says that the Fourth Amendment, which guards against unreasonable searches and seizures, applies to digital files — but only if they are not given to a third party. Yet third-party entities such as Google, Facebook and Dropbox hold some of our most private communications on their servers. The structure of the law as it is written gives more privacy protection to a yellow memo pad on your nightstand than emails on your Yahoo account.

In September, 2012 the ACLU released a report that stated the number of authorizations the Justice Department received to use “pen register” and “trap and trace” techniques on individuals’ email and network data increased 361 percent between 2009 and 2011. A “pen register” intercepts outgoing data from a phone or email account, while “trap and trace” intercepts incoming data. The ACLU also reports that the Justice Department used these measures to spy on phones 23,535 times in 2009 and 37,616 times in 2011, an increase of 60 percent.

Additionally, Google just released a report stating its company saw requests for information from the federal government increase by 70 percent over the past three years. In more than two-thirds of those cases, Google complied and released some amount of personal data. Sixty-eight percent of the requests Google received were through subpoenas, which typically do not require a judge’s approval. According to Google’s public statements, “Government agencies make requests … seeking information about Google users’ accounts or products. In [our] report, we are generally revealing statistics about demands in criminal investigations.”

To be sure, not all information requests are controversial, since these numbers reflect not only requests for “content” emails but also for basic subscriber information, which is not protected under the Fourth Amendment to begin with. Yet, while big companies like Google, Yahoo and Microsoft demand warrants for content requests, it is likely that smaller companies with less money for legal battles do not.

Google is not the only company facing a surge of government information requests. Verizon told Congress in 2007 that it received at least 90,000 such requests each year. And Facebook told Newsweek in 2009 that orders were arriving at the company at a rate of 10 to 20 a day. The number of requests and subpoenas has surely increased since then, but ultimately there exists no clear public mechanism to monitor exactly what information the government requests and receives from Internet companies. This is problematic.

The Obama administration has been too quiet on matters regarding digital security, and in situations where officials have spoken out, they’ve advocated for a greater ability to collect information, rather than less. In December, the administration reauthorized an extension of the Foreign Intelligence Surveillance Act, which allows the government to monitor overseas phone calls and emails without obtaining a court order for each intercept. While the law excludes Americans, there remains a lot of troubling obscurity as to the nature and execution of these powers. Additionally, the FBI has said that revising surveillance laws to make it easier to wiretap people who communicate online rather than by telephone is a top and urgent priority.

The FBI contends it is not seeking new, invasive powers but rather looking to keep its existing powers relevant in the modern age. However, the Obama administration, Congress and even the FBI have to work vigorously to protect the civil liberties and privacy of American citizens. As Internet Freedom Day (Jan. 18) and now Internet Privacy Day (Jan. 28) come and go, it is imperative that we actively seek to establish a clear and constitutional legal framework for the digital era.