Goodbye Privacy, We'll Miss You
Privacy will be under siege in the coming year, as large amounts of personal data become increasingly vulnerable on the Internet.
Even when not in use, your phone is keeping track of you -- where you are, who is messaging you, and even how often you check the weather or your favorite sports team. Hundreds of digital crumbs pile up over the course of a day, each offering insights into how we live -- and we give them up freely through our smartphones, computers, tablets, and entertainment systems.
The FBI probe into e-mail exchanges between General Petraeus and his biographer, Paula Broadwell, reinforce the idea that out digital activities aren't as secure as we thought. After all, if the CIA director's e-mail isn't safe from this kind of browsing, whose is?
How companies handle consumer data and its vulnerability to hackers were the center of past debates, but the locus of concern continues to expand. Beyond law enforcement, others with keys to your extensive Web records include advertisers, prospective employers, college admissions professionals, divorce attorneys, and debt collectors -- and the list expands daily.
The trend has the potential to spin out of control in 2013, but people are wising up to the benefits of limiting their information. A "Do Not Track" movement could gain traction, and legislators are ramping up measures to reign in the rising river of data that threatens to drown us all.
Spiraling Out of Control
Data capture is the name of the game as a surprisingly varied number of industries are turning their attention to the potential goldmine of your personal information. They all have different reasons for mining your Facebook, e-mail, searches and locations, ranging from ensuring public safety and your own convenience to serving the interests of justice. Key events and trends included:
Law: Law enforcement is expanding its social media units' ability to track down digital DNA via social media sites, while municipalities across the nation are also collecting massive amounts of data from automated license plate readers, or LPRs, cameras mounted on cars and in fixed locations like intersections that record license plates and location data of all cars passing beneath them.
Courtroom lawyers are accessing social media to gather evidence from anyone associated with cases to win, illustrated by Florida's high-profile Trayvon Martin case. As a result, the legal arena's interactions with social media will come under increasing scrutiny -- expect more legal battles over officers' and lawyers' access to the information treasure troves that social media have become.
Advertising: Advertisers use simple onscreen display ads to help identify information about you to target their message. These ads can tell you where the nearest Starbucks is or when your favorite store is having a sale, but this convenience comes with a price. Online advertising companies and others will continue to collect data on what people read, watch, and do on the Internet to use for their own purposes and even sell it to other interested groups like credit agencies and political campaigns.
Education: Schools are embracing technology to further learning, but one digital program in Houston's schools -- using RFID chips embedded on student identification cards to track them -- is pioneering the use of the technology with students. RFID chips transfer data between tags attached to objects for the purpose of tracking and identification and can track anything from produce shipments to property. According to school officials, these chips are readable only on school property and buses, and can help them monitor the student population more accurately.
Officials maintain the data will be kept private, but the school's policy is headed for federal court, after one student had refused to wear the RFID-embedded student ID locator.
Employers: Many workers cheer the "Bring Your Own Device to Work" trend. Securing these devices will prove a challenge, though, as the idea gains traction. In safeguarding business data on these devices, these policies can give employers considerable access to personal information. Employees who sign on and use their personal device at work are beginning to realize they are giving their bosses a way to track their locations, as well as off-hours Web browsing, personal pictures, music and e-mails.
Why Does It Matter?
Even data mined for one specific purpose can end up used for something else entirely, and the full ramifications are coming to light.
The information captured by advertisers, law enforcement and other groups is considerable, but there aren't uniform reporting measures to pinpoint the extent of personal data storage. In the analog world, police generally need your consent or a warrant to search your possessions, in compliance with the Fourth Amendment Search and Seizure provisions.
But the parameters for digital tools like LPRs, GPS and social media exploration are proving more fluid. What little statistical information investigative journalists can unearth is jarring, as well. For example, California's Riverside County Sheriff's Department captured two years of data, revealing about six million license-plate scans, according to the Wall Street Journal. Of the two million unique plates scanned, police extensively tracked -- sometimes "hundreds of times, and occasionally thousands" -- one percent of the vehicles.
And often this data, if not used, is still stored "just in case." There aren't standards governing how long this data can or should be retained, and the agencies collecting the information -- like law enforcement agencies, businesses, and large institutions like schools -- aren't the expert in safeguarding its storage.
As a result, we may unfortunately see more incidents like the theft of 780,000 online medical records in Utah. Unknown hackers got access to state computers and stole the data of hundreds of thousands of Medicaid recipients and participants from Utah's Children's Health Insurance Program. Child records are specifically valuable to criminals because their lack of a credit report or bank account makes them difficult to monitor for identity theft, leaving their data open for exploitation for years before it is uncovered.
What Lies Ahead
Advocacy groups, the industry itself and legislators are all using their own avenues to address the situation, and these efforts will likely inform the privacy debate in 2013.
Legal Remedies: Lawsuits over the collection and improper storage of this data will litter 2013. The ACLU already filed suit in connection with the LPR issue late this year, saying unregulated tracking system can be used for broad surveillance on the public and not just to see where particular cars of suspected criminals were at times in the past.
The suit is expected to create clarity how long officials can retain data and whether different departments are pooling it in state, regional, and national databases. The explanations will shape future conversations.
Consumer Advocates: The International "Do Not Track" effort, which struggled in the past, could get renewed life next year.
Last month, Peter Swire, a law profession at Ohio State University and former White House privacy official during the Clinton administration, was appointed as the new mediator for "Do Not Track" standards for the World Wide Web consortium. Swire accepted the role of co-chairman for the W3C's Tracking Protection Working Group.
Lawmakers: Initiatives that encourage the industry to self-regulate a consumer-driven solution to data access could gain momentum by legislative proposals such as amending the Electronic Communications Privacy Act, ECPA.
The Senate Judiciary Committee is mulling a requirement for the government to obtain a warrant to access a person's e-mail. The measure, which was favorably reported out of the committee, would eliminate the "180-day rule" that currently allows government agencies to access e-mails older than 180 days with only an administrative subpoena or other similar request.
COPPA: The Children's Online Privacy Protection Act, which requires verifiable consent for underage users' Internet activities, will likely be updated in 2013. Social networks like Instagram and Facebook aren't yet COPPA compliant, and don't allow users under the age of 13. Many parents create accounts for their children, or kids themselves can circumvent the fairly weak measures to keep them off these sites, but this could change in the next year.
Facebook CEO Mark Zuckerberg expressed interest in repealing COPPA, saying this would allow the now-adult social network to modify its site for young people without restricting current adult access. Even if it can't repeal the law, especially in light of increasing scrutiny over children's online privacy, Facebook will likely lobby legislators to change the federal law, which is being revised and could be finalized next year.
Data is necessary in a digital ecosystem that provides free apps and essential services, but robust debate in 2013 will continue over balancing this with people's privacy concerns, and tension between the convenience we expect from the Internet with the data we give up to keep it will shape the discussions.
Data Wars: Why Your Whereabouts Are Big Business for Carriers
Wireless carriers refuse to share location data with the consumers they collect it from, but they do give that information to advertisers, police and government officials.
AT&T, Verizon, Sprint and T-Mobile generate a lot of information from consumers' cell phone use, but their practice of making this personal information anonymous and selling it to advertisers or handing it over to the FBI and police officers has many wondering why customers can't take a look. After all, the information is theirs, isn't it?
The four largest U.S. carriers fumbled through explanations about their problematic data sharing practices when independent non-profit newsroom Pro Publica asked why the carriers did not give the data to consumers.
Sprint told the New York City-based investigative journalism site it couldn't legally release information from calls with blocked numbers, where AT&T simply said "giving customers location data for their wireless phones is not a service we provide." Verizon's response was equally anemic, while T-Mobile refused to comment.
Carriers cooperate with government agencies and the police, but until they are compelled to share location data and other tracking information with consumers, they will keep it away from them. But why won't carriers share the data -- do they have something to hide?
If the wireless industry shared the information they collect, it could alarm consumers, which could result in petitions to stop heavy data tracking. To cut the potential for more complaints, carriers may want to keep consumers in the dark about the breadth of their tracking.
They may not want to bother with the added cost and energy needed to share data with consumers. No matter their exact reason, the pattern of refusing to give consumers their personal data records shows carriers are deeply resistant to giving up the information to their users.
Advertisers, however, are a revenue generator for carriers -- one they want to keep coming back for more -- so much so that Verizon changed its company policy in 2011 to allow sales of anonymized tracking data to advertisers, particularly third-party mobile advertisers. The other carriers also engage in similar practices.
This kind of behavior upsets privacy champions in Congress like Senators Al Franken (D., Minn.) and Richard Blumenthal (D., Conn.), who introduced the Location Privacy Protection Act to prevent carriers from selling consumer data without their permission.
In addition to the information collected by carriers, there are often third-party applications pre-installed on phones silently gathering user information. Targeting this type of application, Franken asked several phone makers to remove third-party app Carrier IQ from their handsets, since the application turned out to be a potent location tracking feature on several major smartphones. Sen. Edward Markey (D., Mass.) also lambasted carriers for the Carrier IQ controversy and the industry's continued tendency to cloak their data sharing practices in mystery.
Despite some efforts at regulation in Congress, the Obama administration warned against stricter regulations for data sharing between carriers and the government, and states like Missouri are passing laws that make it easier for officials to get their hands on the information. Though the Obama administration and many lawmakers openly call for increased mobile privacy, they believe access to carrier data helps law enforcement officials increase public safety.
These carriers comply with officials who want the data because they have to, but their rationale for providing wiped data to advertisers seems to center on the fact that, devoid of personal identifiers, the information is innocuous. However, if that's the case, there's no valid reason these companies cannot give consumers access to their own data.
After all, if Sprint doesn't give up data to consumers simply because it wants to ensure the privacy of blocked numbers, as the carrier insists, certainly there could be a way to leave those numbers out of the report -- especially since it provides this information to advertisers.
The fact that all four carriers seem deeply hesitant to giving out the information suggests consumers will have a problem with it when they see it, or that the carriers need to do a better job explaining exactly what they track, collect, store and share so consumers understand their rationale. ♦
Categories: The Year Ahead