privacy: is it time for a revolution?

ala 2008 annual conference, sunday june 29th 1:30-3:00. although it was pretty well attended, this session should have packed a ballroom – it was excellent.

intro: should we still care about online privacy? the ala privacy revolution project is partially funded by a grant from the soros foundation to promote discussions about library privacy, motivation came form a resolution from the intellectual freedom council several years ago. panelists: beth givens (founder/director of privacy rights clearinghouse), cory doctorow (author/blogger), and dan roth (wired senior writer). liveblogging and asking questions – jessamyn west and jenny levine.

dan roth: in the 10 years i’ve been covering business privacy has never come up. will talk about privacy from a business perspective – unless i’m asking questions about it, no one talks about privacy policy in the business world. the only time this happened was in 2005 when a company lost 500,000 of its employees’ personal information – he only knew about this at the time because it was time warner and he was working for them. while investigating the privacy loss, it turned out it had happened before – they had lost backup tapes of personal information at least 4 times in one year. why don’t people care about this more? for companies, there is very little incentive for them to protect user privacy. consumers are conflicted about whether they should care about privacy or not, so companies don’t see the incentive to push the issue. when data is lost, only tiny uproars occur. look at certain companies’ relationships to privacy – ask.com had a service called ‘ask eraser’ to offer users, but they benefited very little from their efforts. consumers don’t go somewhere because of its privacy reputation – do they ask what google is doing with their toolbar data? toolbars are useful, but google is collecting all of this information and no one knows what they are doing with/about it. “it’s not something that consumers have ever said they’ve cared about, so why should companies do anything about it?” conflicting information from survey – 80 percent of marketers say they do share private and personal information (even ssns) with third parties, whereas 75 percent of ceos of the same companies say they don’t. companies, websites, services – they all count on advertising to provide services. the importance of free web services has become so prevalent that an arms race will start developing between companies to direct market using personal data – that will lead to more data mining, personal information gathering, up to a point where we will all be very easily identifiable on the web. example of a company called phorm that teams up with isps and tracks users to serve up ads for them, unlike the traditional model – phorm will track where you go and serve you adds based on gathered information about your browsing habits. this will be very popular, and there is no way to opt out. now is the time to figure out where we stand in terms of privacy. our personal information has become a form of currency, and we should figure out how to leverage it. a very small and dedicated group of people used to care about being green, now everyone does – can the same thing happen for internet privacy?

beth givens: “i spent 11 years as a librarian, i feel right at home here.” the privacy rights clearinghouse deals with informational privacy (as opposed to constitutional privacy, which the aclu, etc. focuses on). lines between the two are blurred in reality. there are a number of other organizations that deal with privacy – the electronic frontier foundation, for example. the prc provides practical information to help people protect their privacy rights, so if you as librarians get a question about how get to get rid of unsolicited credit card apps, the prc website will help. what is the current state of informational privacy? there is much work to be done. .com chief executive scott neilly once said “you have no privacy, get over it.” he was roundly criticized for saying this – he explained himself by saying someone already has all of our records, so there’s nothing we can do about it. privacy is the claim of individuals to determine for themselves what when where information is divulged about them. we don’t have an overarching privacy law, we have a selective approach – one for medical records (hipaa), one for credit reporting, etc. “it’s a swiss cheese approach and there are lots of holes.” the fair credit reporting act gives you the right of access to your credit report – make it a habit of looking at it once a year. if you find errors there are procedures you can go through to correct them. do you hear common themes? access openeess accuracy enforcement security, accountability, usage. she sums these up as the fair information practices, or the principles of fair information practices (fips for short). without a omnibus privacy protection bill on the books, existing privacy policies are actually not privacy policies at all. throwing up our hands and declaring that privacy is dead is not constructive – take every opportunity to opt out of scenarios in which your personal information will be used. there are tips on opting out on the prc website. let legislators know how important this issue is to you. closes with the statement “once a librarian, always a librarian” – she know sthe pioneering work of librarians at protecting user privacy rights. hopefully we can all do a better job of making sure our privacy is more protected as we move forward. encourage your library users to visit prc and other non-profit advocacy organizations.

cory doctorow: i’m a science fiction writer, and i have a colleague who wrote a book about a future with no privacy where people were able to achieve the “techno-triumphalist dream” of spying on lawmakers as much as they spy on us – this assumes that we will have enough power to affect legislative process of the future. we’re talking about how policy and law and technology affect privacy – coding and internet architecture itself is political: “when we build systems and programs, we end up affecing the systems and policies that grow out of them.” should we protect the privacy of people who disclose personal information like on facebook – these apps are designed with the unfortunate tendency to reward the disclosure of personal information. we often conflate the personal/private with the secret – there is a huge difference, a lot of things are private and not secret. this determination about when and where to divulge personal information is related to how much social power and protection you have. in a society in which we no longer get to choose how our personal information is used, we will actually be controlled by a centralized politburo that manages our lives. why do we give up our personal information? blame the people who have established a set of social and technological norms that expect/compel us to give up our information in order to accomplish things. the poorest people are those with the least choice over what they buy. marketers and companies manipulate the web so that divulging personal information is par for the course on facebook, bebo, etc. you have to make an explicit act of will to avoid the logins, etc. in our systems. example of rfid public transport passes in london – they compelled users to divulge information via rfid by raising the cost of paper passes. not by consumer choice, but compulsion. the problem with gathering so much information is not that the state knows our every move, but that it creates an environment where the malicious can easily access personal information from huge databases. libraries are the last bastion of protection – drm creates a word-by-word capacity to track people’s reading, etc. habits, we should resist this. libraries have a moral obligation to boycott technologies that embody curtain-twitching tendencies of spies and enables different entities to watch our patrons – this creates an information economy based on the buying and selling of information. a modern economy based on limiting access to information is about as viable as an industrial economy based on limiting access to machines. surveillance societies are those that can’t trust themselves or each other – undermines community and security. it makes our haystacks bigger and our needles smaller. all of this information culling makes truly dangerous information lost in the ever-increasing haystack. it would be great if we could catch the people who blow up public transit, but we don’t catch them by clouding things with too much surveillance, too much information gathering. premise of videocameras for surveillance is that they not crime preventers, but ineffective crime solvers. cctvs don’t make us safer. the systems that we build today that control access to information will determine the quality of the society of the future.

questions

what is really at stake here?

beth – if we don’t take steps today to protect the last aspects of a private society, we will lose it completely. example of minority report – cameras that read the unique geometry of our faces, this is not science fiction but a upcoming reality. using driver’s license information to create a face-recognizable database that tracks our movements.

dan: what happens when our health records can be read by insurance agencies or our employees? what happens when you can’t get a driver’s license because of your driving history? once all this information is out there, it’s there for good and for the taking. what happens when we are a “nation of niches,” when we all fit certain marketing profiles? having all this private information out there will speed this process up.

cory: personal information is like uranium – raw uranium ore is not dangerous, but refined it becomes very dangerous. the same is the case for gigantic information databases of personal information – “the internet will never unlearn what paris hilton’s genitals look like.” personal and compelled disclosures will not go away – it will be like smog, we won’t be able to destroy it.

dan: companies don’t know what to do with the information they collect. what does safeway do with the information they get from your safeway card? they just stare at it now, but they will figure out what to do with it someday.

cory: by divulging personal information to companies “you’re not only leading the gun and handing it to the guy you trust today, you’re handing it to a series of guys in the future.”

jessamyn – these databases of information exist and we know about them. at what point do we need to say that the horse is out of the barn in terms of protecting our privacy on a personal level, and have we reached the point where we need to turn back the clock and create a totally new strategy to protect privacy that is top down?

cory: it’s not about turning back the clock, it’s about moving the clock forward to an age where legislated privacy is finally a reality. also, new tools and technologies exist that playfully help you browse and save information that don’t share info – passively multiplayer online gaming (pmog) is an example teaches the value of being safe and smart online and doesn’t communicate your information.

jenny: she spoke to the cretor of pmog last year and he expressed interest in libraries promoting pmog, but he hadn’t gotten much response from the librarians he spoke to about it. we need to recognize this as an issue and investigate strategies.

beth: the data valdez (re: exxon valdez) is coming and is already here – security breaches are constant, and it’s a constant battle to keep information private. it will be touch to galvanize people and raise that awareness around creating legislation that protects privacy – california is a benchmark in this fight.

cory: there are cool ways of making privacy less of a luxury. there are a few other technologies that protect privacy and make a game out of it such as sxip – login manager that creates fake logins when you visit sites. login managers. on the low tech side write return-to-sender on direct mail solicitations and return them.

question: is it a good idea to make yourself invisible?

dan: corporate privacy policies are malleable, they reserve the right to change them at any time.

beth: the right of access should be very powerful.

cory: there could be more transparency on the web server side and better privacy defaults – in open source software development this needs to be more of a consideration. if you just talk to a handful of geeks for ten minutes you can make an enormous amount of change for a huge number of people.

question: how do we as librarians convince people that privacy is important?

cory: a friend of his, a hacker, built something called a hackerbot that rolled around and sniffed unencrypted wifi transcripts and showed people the passwords they had just sent. something that showed users what they had just sent unencryped via library computers would be immensely powerful (like the mileage reading displays in new cars – akin to what happens when you stomp your foot on the gas).

beth: coming up with creative ways to inform people is incredibly important. using libraries as a launching pad is a great idea.

cory: the next generation of teachers will be able to use their own old facebook profiles they can’t get rid of to teach their students the consequences of overdivulging.

question: how do we balance privacy protection and privacy leniency?

dan: requiring people to check out cory’s books.

cory: “if you don’t participate in the electoral process, it will participate in you.” regime change is important. this country was built on the ideal that we should keep ourself safe from our own government.

the question i didn’t get to ask: what about the negative implications of the privacy debate on primary/secondary education – how do we encourage technoliteracy and creative teaching when parental/administrative protectionism (whether justified or not) already limits the use of new tools such as blogs and wikis in the classroom? my experience is that privacy concerns are severely affecting the development of teaching strategies that leverage new tech-based methods, which in turn limits our ability to teach responsible information use and sharing at any level.