Archive for January, 2009

Today I spoke at the Humphrey Institute of Public Affairs regarding privacy of data on the Internet.

One big issue at hand is, what happens to the data that you create when using the Internet.  “Data I create?  I don’t create any data when I’m on the Internet…do I?”  Yes, you do.

Currently when you do any of the following, you are likely creating data that can be tracked.

You create data…

• When you make searches at Google.
• When you look at movies at Netflix.
• When you check scores at ESPN.
• When you read customer reviews on Amazon.
• When you search for someone on Facebook.
• When you watch a video on Youtube.

All of these are innocuous, but together, they create a profile of you, and can reveal some very private data.

Let’s start with the first item:  Search terms.

Lets stipulate that the actual search term you use on a search engine is private data, similar to a request you make at the library or at a book store.   To follow on, it’s strongly possible that the results that are sent to your browser are private data.  Today, it requires a search warrant to see the contents of your computer hard drive so I can infer that the results from the search engine are private data.

“Whew, I’m safe, right?”

Nope.  In order to use the search engine, it’s possible that you’ve given “consent” to use the data you supplied and have waived any privacy rights you may have had. Further, the search results are logged before they are sent to you.  This creates a big gray area for data privacy that is not currently protected.  And from the content providers point of view, It’s NOT private data.

This goes for all type of data you send across the Internet.  The search requests you make, the stock quotes you review, the movies you download, the books you buy.  The list goes on and on.

“Wait a minute, why would someone even WANT this data?”

The motivation for companies to keep your privacy intact is two fold.  Penalties from regulatory bodies and the all important revenue.  If a company will face a penalty or lose revenue, they will likely keep your privacy intact.  But if they analyze the situation, they may conclude that selling the data is more financially beneficial than protecting your privacy.  This is not new to data that companies hold, but it’s new in context to the online world in which we live in.

Today, much online content is “free”, with only the hidden cost being you accept some loss of privacy.  We are so used to clicking “accept” that we’ve lost track of the value of what we are giving up.  It’s compounded by the good track records of the companies that are collecting data.   So far, their use of the data has not directly affected us, so who cares if someone knows what movies we like?  ”So really, nothing bad has happened so far, right?”

Right.  But that’s because the data is broken into chunks that are hard to combine.  I would guess that Travelocity and Orbitz and Expedia don’t share too much data because there is probably not an financial model that makes it profitable.  But let’s take another model and see what happens… Comcast has an on demand video solution, as does Apple and Netflix.  Should Netflix and Apple be worried that Comcast is going to start reviewing what their visitors are doing?  Does Comcast wants to have the online video business for themselves?

Luckily or not, each website you visit has only a piece of your online escapades.  The New York Post does not know what articles you read at the Washington Times.  Fidelity can’t see what stocks you traded at Etrade.  From the content providers point of view, you’re a statistic only when you visit them.

Which leads me to the next thought.  The ISPs’ point of view.

Above, I talked about data collection from each web site being possibly harmful.  That’s nothing.  Really.

The real loss of privacy will come when ISPs’ start collecting data on your browsing habits.  Think about it.  As much as Google knows what you’re doing when you visit Google, your ISP really knows what you’re doing at every website you visit.  And they can read your mail (like Google) and track your IM conversations and capture your VOIP calls… They know all that you do online and everything else about you.  SCARY.

Thankfully today, ISPs’ do only a little TRAFFIC monitoring.  ISPs’ legitimately monitor traffic to:

• To protect their revenue (keep customers online and happy).
• To protect their assets (network).
• To protect their customers (SPAM filtering).

Most ISPs’ don’t monitor the CONTENTS (data) of the traffic they manage except to comply with regulation and law enforcement.  Really, most monitoring is often “look at header info and discard”.  It’s important here for me to point out that any data collected by ipHouse is not held in order to create profiles of users.

Traditionally, ISPs’ have NOT monitored data because it was just too hard to do.   But that’s all changed.  Deep Packet Inspection technology has advanced to the point of being able to transparently evaluate traffic for specific patterns and usage without impacting the consumer experience.  This allows the ISP to deliver “tailor made” content to users.  Remember Travelocity not seeing Orbitz or Expedia data?  Forget that.  The ISP can now sell all travel related “traffic” from its subscribers to the highest bidder. Or bidders.

Deep Packet Inspection technology allows the management of traffic and/or data according to a set of policies that promote security or revenue or censorship or whatever.  The ISP sets the policy according to their desires.  “Really? My ISP can just monitor my data if they want to?”  Yes.  But there may be existing law that prevents the monitoring of data and that needs to be proven.

If the existing law is shown to not be applicable to ISPs’, it might make a lot of sense (and dollars) to monitor customer data.  But all things have a cost.  One anticipated cost is that spying wouldn’t be done just for profit.  How long would it be until ALL data is monitored and reviewed?  If ISPs’ monitor data, should they block data based on some policy for decency or obscenity? Who’s policy would that be?  Should ISPs’ be responsible for any and all security or ethical breaches (by whos standards?) that occur because of the data on their network?   Should ISPs’ send all suspicious activity to some authority for review?  Data monitoring could become mandatory.

So, should ISPs’ monitor thier customer data?  I say no. This is MY ethical position.  It’s ethically wrong to spy on people.   Further, I feel it is ethically wrong to profit from spying.  ISPs’ should NOT monitor data for profit or for government.

The power and beauty of the Internet is in its ability to bring people together across cultures, faiths and boundaries.  Once one group or government starts dictating “inappropriate” content, the Internet becomes simply a tool for that organization to push their own agenda and the “one world” quality of the Internet is lost.

Peace.

-Bil

Thoughts for comments:

• Privacy is not a technical issue and should not be addressed by ISPs’.
• ISPs’ should remain neutral to content of the data streams they manage.
• Our society should rethink privacy from a contextual integrity perspective.
• Online Privacy == Network Neutrality

Further Reading:

Paul Ohm : The Rise and Fall of Invasive ISP Surveillance

Daniel Solove : Understanding Privacy