59 comments

[ 4.0 ms ] story [ 111 ms ] thread
When the telecoms wanted Congress to lift that pesky ISP consumer information protection, they argued that the regulations allowed Google to get ahead while they were left in the dust. Will educational companies lobby for the same kind of freedom?
I used to work in EdTech. One of the most common issues school admins told me face to face was how big tech corps were storing all of the students data with merely a promise to not exploit it. Its one ofnthe few great advertising opportunities that are left and companies are itching to get to it.
I thought that the ISP consumer information protection never went into effect, so there was nothing to lift.
This is yet another example of a need for some level of a bill of rights for our online lives/information.

Something that guarantee's proper and fair usage, with privacy. The decision making of which I'm sure would be a long and deep debate.

If someone stuck an rfid tag in your ear, and tracked where you moved and what you did, I would expect some compensation for that information. Yet we get cookies attached to our browsers, we are profiled and tagged to watch everything that we do online.

The de-regulation of the consumer information protection is important in that it is bringing attention to a bigger issue. The ISP's just want to do the same thing other companies have been doing all along.

One of the things that strikes me as so crazy we don't have this here in the US, is the UN considers it a basic human right[1].

[1] http://www.un.org/en/universal-declaration-human-rights/

Interesting. Thanks for the link.
Is article 12 what you are speaking on?

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

That seems really broad. Does this apply to private citizens and firms or only governments? If the former it seems a great deal of journalism would be illegal.

A few recent examples. When Rachel Maddow released Trumps tax returns was that a violation of article 12? What about when that "grab her by the" tape came out, Trump clearly intended that to be a private conversation and it was a "attack upon his honour and reputation" wasn't it? I don't see a line that allows for truthful attacks.

I don't know if I want to live in a country where it is illegal to report on fact in such a broad and sweeping manner.

I think what we need is acknowledgement that any sufficiently large institution is indistinguishable from government, and include only those corporations that meet the criteria of "too big to be private" (related to "too big to fail") in restrictions placed on government.
Who defines sufficiently large? There is probably a ISP that is smaller than the New York Times does this standard not apply to them?
I don't think it's possible to create a totally incorruptible system, and who defines sufficiently large is an important problem, but I think it's not a reason to dismiss the idea. Any regulation is plagued by this question and the specter of regulatory capture. Do you think it's possible to counteract the natural decay of free markets without a [del:'central'] regulatory authority?

No, that standard would not apply to a small ISP. The premise is institutions that grow strong enough are able to unduly influence and capture the regulators more easily. Corporations need to be kept small enough to regulate effectively. The existence of "too big to fail" private institutions is a threat to democracy.

EDIT: National government, itself an institution, also needs to be kept small enough that it can be contained by the regulators on it, so this is clearly not a simple problem. The issue there (in my opinion) is that the check on national government is supposed to be the states, and they are too weak to do that effectively.

I volunteer to define sufficiently large, and I say larger than 0 is sufficiently large. Why ? Because a big player can buy or control any smaller player, so if you want protection from the bigger ones, you need either to protect from everyone or change the way corporation work. I'd suggest going back to earlier times when corporations did not have the same rights as humans and were of public interest, or maybe remove the stock exchange, or limit gambling to banks' own money instead of using deposits.
I wouldn't say "indistinguishable", because governments at least theoretically serve the people's will. US law was initially quite hostile to corporations, which were considered unaccountable. Until the late 1800s, only corporations with public-interest charters were legal.
There's the general rule of thumb that one's right to privacy is inversely proportional to one's power over others. Be it political, economic, or whatever. So a Presidential candidate deserves less privacy, because they pose more of a public risk. That distinction is clear in US libel law.
That's US law, in the US truth is a sufficient argument against libel. This is the UN charter. Do you know of any other documentation that outlines article 12 in more detail? I'm coming up empty.
Well, the UN charter dates from 1948. Those were heady days. I'm sure that there's much commentary. The legacy in the EU Right to Be Forgotten is clear. And more generally, in EU enforcement of privacy rights vs corporations.
Indeed. That's also why Libel and Slander are an offense in England, even if it is true. Truth there, is no defense.

I much prefer the truth as a defense idea, which goes against the strict interpretation of the UN's charter.

And do not forget, "Grab her by the pussy" is now the presidential standard. there was some in this country that were that crude and direct about sexual assault, but those views are now given much more airtime..

I much prefer the truth as a defense idea

The problem with truth as an absolute defence is that as the courts famously remind us, "the truth" is not the same standard as "the truth, the whole truth, and nothing but the truth".

The extra parts can be rather important when someone's reputation is at stake. For example, consider the difference between "John was accused of being a paedophile" and "John was accused of being a paedophile, though the investigation was soon dropped after no supporting evidence was found and it turned out that his accuser was an ex-girlfriend with a track record of psychiatric problems including making false allegations of serious criminal behaviour to get people she didn't like into trouble".

This is also why the EU "right to be forgotten" ruling wasn't nearly as crazy as some people have been suggesting, BTW.

I'm a big supporter of the RTBF and I wish we had it here in the United States. The law does, actually, set fairly clear lines in most of the places people seem to be concerned, in terms of prohibiting "forgetting" information deemed important to public interest, for instance about celebrities or severe crimes. It explicitly highlights outdated or incorrect information as being suitable to be forgotten.

I think corporations here in the US that are against it managed to set a pretty good FUD campaign about right to be forgotten, and I think a lot of people bought into it.

> Does this apply to private citizens and firms or only governments?

Human rights apply to humans. Firms and government are not human, not even alive or have any tangible existence.

I don't know about those Trump examples, but it seems to me that usually an elected official is a public figure and as such privacy laws do not apply. Then again human rights and legality are two different things, some human rights may be considered illegal in some places.

it seems like we fail by restricting the majority of those rights. very sad.
The UN can make whatever they want a right. They don't really have any way to enforce these rights.
[The UN] don't really have any way to enforce these rights.

However, the countries that belong to the UN do. If enough of them are willing to put their money where their mouth is, which is going to be a matter of local political pressures as much as anything, the picture changes.

This is true, and I wasn't claiming anything further. However, according to Wikipedia, the United States was one of the 48 countries who voted to proclaim the Universal Declaration of Human Rights. There were 8 abstentions, but none opposed.

The Universal Declaration of Human Rights is a document which is globally accepted, therefore, to represent what human rights should be. The fact that the US, the supposed "land of the free", falls short of this, is just particularly sad.

Since "this" as defined by the U.N. means "No one shall be subjected to arbitrary interference with [personal] privacy", not "absolute right to privacy", we do indeed have "this" in the U.S: https://en.wikipedia.org/wiki/Privacy_laws_of_the_United_Sta...
There have to be teeth to the law in order to "have" it, though. Case in point: Gregg Steinhafel is still sitting pretty.
The European Union has some rules on personal data which are worth reading:

http://ec.europa.eu/justice/data-protection/

There's also an interesting difference in philosophy here: the EU and its member states have, reasonably consistently, been moving in a direction of more privacy and safeguards for personal data in recent years, and this has been significantly influenced by a perception that the tech industry can't or won't self-regulate to a level that was in the spirit of the previous laws.

Now, the EU doesn't always get this right. Some of the rules already agreed at that level, which will in due course become enforceable in member states, are obviously awkward or outright broken to anyone familiar with the actual technologies involved. There are some obvious contradictions (a cynic might use the word "hypocrisy") particularly in areas around potential surveillance by government agencies.

Still, compared to the kind of laissez-faire attitude adopted particularly in the US, the EU is practically living in a different world, and the difference is getting wider almost by the day. Moreover, I suspect a significant fraction of the US public would prefer a more EU-style arrangement (witness the arguments in the EFF report here). Obviously a lot of US businesses would not, though others, particularly those whose reputations rely more directly on being secure or trustworthy in some sense, might disagree.

Unfortunately, given the lobbyist-centric and partisan nature of current US politics, it seems inevitable that this fundamental divide will cause increasing amounts of grief all round, and the unknowns are more about who will be hurt more.

To my knowledge those privacy and safeguard were there since the beginning, originating in a 1978 french law passed in reaction to a government attempt to create a centralized database of all french citizen. This law created the french CNIL[1] in charge of data protection, the first of its kind but soon to be replicated in other countries.

In 1980 work began on a data protection directive[2] which would pass 15 years later after giving birth to 1981's Convention for the protection of individuals with regard to automatic processing of personal data[3]

At the turn of the 2000's through lobbying of various industries and government (including the french government) reversed direction and managed to pass a data retention directive at the European level. This got challenged at all steps from locals to the highest European Court of Justice which invalidated the directive for being contrary to fundamental human rights.

This didn't happened by chance, it took years of dedication and hard work to get there. And it got the attention of a bunch of very dedicated internet geeks who got themselves into politics to defend the internet and privacy. This gave rise to association of people such as la quadrature du net[4] who has been active at the national level up to the European level.

So now the politicians at the European level have a significant amount of backup from concerned citizens and netizens who provide all technical knowledge and background required to understand the significance of technical piece of legislation.

But a most significant difference with the US is World War 2 took place in Europe. (which kinda gave birth to the EU as to prevent Germany and France going to war again a joined union of coal and steel production deal was made which laid the foundation for the European union[5]. The point is Europe and in particular Germany one of the most influential country in the European Union has first hand experience of what the effect of mass surveillance can be and the importance of privacy. WW2 and nazism industrial attempt at genocide explains why the french were outraged by the government attempt at a centralized database of french citizen identified by social security numbers, and why Germany opposed the data retention directive.

The situation is a bit different in the US, when google or the like publicly oppose a bill they're defending their own interest not the general public. When an individual organize people to successfully oppose a bill, he gets pushed to suicide under government pressure probably using the data the govt agencies have on him as Aaron Schwartz story shows.

There's also the economic standpoint, most of the major internet companies are from the US so it makes sense for the EU to defend their population from those and maybe give an advantage to European companies while on the other hand the US has no foreign market dominant companies to defend from and instead has incentive to protect those companies and further extend their domination.

Different histories, different incentives hence different approaches to privacy.

[1]: https://en.wikipedia.org/wiki/Commission_nationale_de_l%27in...

[2]: https://en.wikipedia.org/wiki/Convention_for_the_protection_...

[3]: https://en.wikipedia.org/wiki/Data_Protection_Directive

[4]: https://www.laquadrature.net/en

[5]: https://en.wikip...

I would disagree that a bill of online rights is needed, rather a bill of universal unalienable rights would be enough.

Oh and the good news is that such a declaration of human rights already exists so most of the work is already done.

I'm not aware of this deregulation of consumer information protection, can you provide context on this as a web search drives me to the FTC website.

I'm not sure what you mean by ISP wanting to do the same thing other companies have been doing, AFAIK ISPs have been involved is collecting data and exploiting it for profit for as long as commercial ISPs exist.

(comment deleted)
Not to take away from your point (if anything, it underscores your position), but you do realize nobody needs to stick an RFID tag in most people's ears. Most people willingly carry a tracking device around. I'm using mine to write this comment.
Yep, I meant to allude to this... and agree 100%.
>If someone stuck an rfid tag in your ear, and tracked where you moved and what you did, I would expect some compensation for that information.

How many centimeters away from your ear is your mobile phone right now?

I'm reminded of Cambridge Analytics' claims about profiles for everyone in the US. So now profiles will include stuff from parents' social media: prenatal sonograms, baby pictures, first step videos, etc. Also logs from interactions with toys. And their social media. Plus the educational records.

I can't imagine that will work out well for them :(

I agree with the EFF's position but what the EFF, I, and others with the same point of view lack is an elevator pitch on the harm of losing privacy (or the benefits of privacy). The EFF and I generally assume know the risk is well-known, but it's not. When people ask me, 'what's the harm?' or 'so what?', I don't have an effective answer prepared.

So what is an effective answer? Requirements: Short, high-impact, memorable (it must spread), crystal clear for the completely non-technical, not easily refuted.

In my opinion: it's permanent. Simple as that. Even if the info is harmless in isolation today, any new bit that can be identified as you becomes part of your aggregate.

Ten years from now, or tomorrow, People You Don't Like could be in charge of any given agency or company, and deny you things then based on what you did today that was perfectly legal or ethical.

There are more extrapolations from that but it should be enough to be short but get the gears turning.

Nobody cares. What I hear? "So what?"
(comment deleted)
Insurance companies mining as much data as possible to find reasons to deny claims. There is a very good chance that they will be (are already?) able to infer prohibited information to raise prices.

If they are concerned with racial issues (or similar), try pointing out how data analysis can hide institutional racism (or other biases) - even unintentionally - into the algorithms behind finance, criminal sentencing/parole, future employment opportunities, etc.

Even if none of that happens to apply, there are two big reasons they should care. First, the unknown. In the circus we call our current political environment, do they really want a future $POLITICAL_ENEMY to have a detailed map of who they are, what they do, what they like, where they move during the day and who was with them (COTRAVELER), and anything else modern machine learning techniques can find?

The final reason is... because it isn't always about them. Other people might be in worse situations and it's important to stand with them by normalizing sufficient privacy. In his essay[1] on why he wrote PGP, Philip Zimmermann said

>> "What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity."

This is similar to the concept of herd immunity[2] with vaccines. Vaccines are not 100% protection and some people cannot take them for various reasons. Those people still benefit from the general vaccine use producing fewer opportunities for infection. Similarly, when enough people protect their privacy, there is less incentive to abuse data thanks to lower profits and increased political costs.

[1] https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html

[2] https://en.wikipedia.org/wiki/Herd_immunity

I've made the "insurance companies" argument before, most recently with the isp regulation rollback (visit webmd and watch your rates go up). I just can't sell it (but I don't seem to be able to sell much of anything, sadly- that's a different story lol).

Do you know of any evidence where that has happened? I wanted to say that those things they blamed on Obamacare were actually because they were posting pictures of themselves at barbeques on facebook- but it's hyperbole to my knowledge.

The "getting rid of envelopes for mail" argument might work on some.

Even history tells us that some tiny bit of harmless personal information may be disastrous in the wrong hands when circumstances change, especially combined with automated data processing.

In the 1930s The Netherlands recorded the religious affiliation of every citizen inside their resident register (stored on punch cards for use with Hollerith machines). After the Nazis invaded the Netherlands they were able to easily find out who was Jewish, had Jewish parents or grandparents. The consequences those people had to face are well known.

Source (german): https://de.wikipedia.org/wiki/Judenkartei#Niederlande

" Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre. "
While the right to be forgotten can recall "sanitization" or some kind of censorship, kids should be able to have their histories and everything associated with them pre-adulthood expunged. As kids we all did silly and regrettable things. It'll be a shame if we allow those things to follow people thought-out their lives.

As kids we're exploring all kinds of ideas --some good, some regrettable, but we should be able to explore them without fear these crumbs of exploration will follow us in to the future as if we were fully mature and aware as we explored ideas.

Yes, this!

In criminal law, that used to be the norm.

> As kids we're exploring all kinds of ideas --some good, some regrettable, but we should be able to explore them without fear these crumbs of exploration will follow us in to the future as if we were fully mature and aware as we explored ideas.

Why shouldn't everybody be allowed to explore ideas without consequence?

When you are a kid you can get into the wrong crowd and easily want to explore stupid things (bullying, drugs, bias, prejudice, etc.) Adults don't have the luxury or excuse of youth to say, "it was a stupid thing to say, but my thoughts were immature and my mind and self are still developing". There are some things that one as an adult should not "get away with" where non-adults should, in my estimation.
Adults don't have the luxury or excuse of youth to say, "it was a stupid thing to say, but my thoughts were immature and my mind and self are still developing".

Perhaps we should, at least more than we do in practice today. I'm not sure enforcing conservative views or limiting open debate on controversial subjects is good for either the individuals involved or society as a whole.

Right to remember in the public sphere, right to be forgotten in the private sphere.

Negating the first is Animal Farm. Negating the second is the Panopticon.

Finally, a "for the children" argument that doesn't take away rights. Given the situation, my emotional state is hopeful, but not sanguine.
...before this, I'm not sure I've ever seen a "for the children" argument that supported individual rights. And perhaps worse, I never even noticed until this moment.

It's a bit funny, I regularly argue for youth rights, but standard "for the children" arguments are purely rights-restrictive.

One thing that is rarely mentioned in the online privacy discussion is how it stands to influence elections in 20 years.

Right now we take ideological issue with statements of candidates past preachers or professors. Imagine when a simple leak will spill every horrible thing a candidate said during their teenage years to friends on Facebook messenger or aim. It will be a lagging indicator of privacy policy, but one that stands to influence American politics in a couple of decades.

That already doesn't matter. Trump openly said he molested women.. No one cares apparently.
Lots of people cared. Just not quite enough or in the right parts of the US, unfortunately.
Zuckerberg got leaked offering to give personal info of harvard students and calling those dumb f*cks for giving him this information through thefacebook, but it didn't have any kind of impact, people still flock to facebook to give away all their private data.

So I doubt this kind of leak will have a significant impact.

If you have access to a school-provided tablet, see if it's doing a MITM on SSL/TLS connections. Go to some web site like a big bank, and examine the site's certificate in detail.