Blog Archives

DHS issues revised “Real ID” regulations

The Department of Homeland Security has released revised “Real ID” regulations — 284 pages long. While according to government jargon these are the “final” regulations, the first deadline for compliance has now been pushed back to December 31, 2009, so there’s still plenty of opportunity for Congress to act and change things.

Their press release now spins the system as “preventing document fraud”, and talks more about the costs of identity theft than it does about terrorism — pretty amusing in light of Privacy Rights Clearinghouse’s Real ID Act will increase exposure to identity theft. It also trumpets substantial cost savings, which it attributes primarily to revisions giving the states “greater flexibility in issuing licenses to older Americans”. Flexibility is a good thing, but it’ll be interesting to see what new holes they’ve introduced for terrorists and identity thieves to exploit.

I’ve blogged in the past on this issue on the Stop “Real ID” Now! blog, and will be updating it with links to analyses from the press and civil liberties organizations as they come out.

political
privacy


THREAT LEVEL’s year in review

The group blog THREAT LEVEL is one of my favorite things about Wired, and Kevin Poulsen’s year-end roundup is a great example of why:

It was a year of soul searching at THREAT LEVEL, every day a fresh challenge to our fundamental beliefs and convictions: Alberto Gonzales made us pine for John Ashcroft; Google made us love roving surveillance cams; and Jammie Thomas’ internet spoofing defense was enough to make us secretly root for the RIAA.

As if that’s not enough, Kim Zetter’s combo of World’s Top Surveillance Societies (covering Privacy International’s report) and FBI Building Vast Database of Iris, Face and Fingerprint Scans highlights why the US is classified as an “endemic surveillance” society along with China, Russia, the U.K. and others. And Sarah Lai Stirland’s Will push polling become a factor in the early states? rounds up a bunch of stories on a popular social-engineering approach to electoral fraud.

Talk about an end-of-year bonanza!

political
Professional
social sciences


More (negative) attention to Facebook’s privacy practices

With a two-part series on TPM Cafe’s Table for One, an article in the Mercury News on Christmas Day, and the recent settlement of a suit on text messaging, Facebook continues to become a focus for discussion of privacy issues. To some extent this is a consequence of their size and success: they’re a high-profile target. Behind this, though, lurks a pattern of Facebook unilaterally making decisions that compromise user privacy, apologizing, addressing the most egregious aspects while leaving the rest in place — and then repeating.

The TPM Cafe piece is by Ari Melber of The Nation, and starts out

When one of America’s largest electronic surveillance systems was launched in Palo Alto a year ago, it sparked an immediate national uproar. The new system tracked roughly 9 million Americans, broadcasting their photographs and personal information on the Internet; 700,000 web-savvy young people organized online protests in just days. Time declared it “Gen Y’s first official revolution,” while a Nation blogger lauded students for taking privacy activism to “a mass scale.” Yet today, the activism has waned, and the surveillance continues largely unabated.

He goes on to discuss the Beacon fiasco in terms of Facebook’s past behavior, quotes some of my faves (danah boyd and a CMU study that I believe is by Alessandro Acquisti), and in his follow-on post ties Facebook — and web services more generally — to a national surveillance state. People familiar with the privacy space won’t see anything new here; what’s significant is that this is another example of Facebook privacy making the jump out of the tech ghetto to the national political scene: TPMCafe’s the extension of Joshua Micah Marshall’s Talking Points Memo, a DC-based progressive political blog that sees itself as a muckraker in the positive sense of the word and has been very active in helping uncover and publicize recent political scandals.

The lawsuit settlement specifically relates to Facebook continuing to send text messages to cellphone numbers after they had been recycled. Facebook didn’t admit any wrongdoing, but did agree to “make it easier for recipients of text messages to block future messages originating from the social network” and “work more closely with mobile phone carriers to monitor the lists of recycled numbers and reduce the frequency of unwanted text messages.” The fact that people had to resort to a lawsuit to get action on these basic business practices paints a rather unflattering picture of the company’s arrogant attitude towards its users — and to the non-users who got the recycled numbers and then were billed for the messages.

Elise Ackerman’s Facebook alarms privacy advocates again talks about a Facebook signup icon showing up on smartphones without the owners’ permission. This is privacy in the classic sense of “the right to be left alone”, not being tracked; and of course this is something that phone companies do routinely, viewing phones’ “screen real estate” as a spot for advertising and product placement … so “alarm” seems somewhat overstated. Still, given the pattern above, Jeffrey Chester (of the Center for Digital Democracy) sounds on-target to me when he says “It illustrates a basic problem over at Facebook, which is their need to fatten their bank account is confounding their need to protect the privacy of their members.”

And not to sound like a broken record or anything: this kind of attention augurs well for proposals like the national “do-not-track” mechanism — and increases the probabilities that populist-oriented politicians in any party will seize on privacy as a chance to differentiate themselves this upcoming election year.

political
privacy
social computing


Did Blockbuster and Facebook violate the VPPA via Beacon?

James Grimmelmann has an excellent post over at the Laboratorium. His summary:

Another member of a professorial mailing list I’m on asked whether Facebook may have violated the Video Privacy Protection Act of 1988. Nicknamed the “Bork Bill” (a newspaper published his video rental records during his confirmation hearings), the VPPA protects your privacy in the videos you rent and buy. Well, guess what? One of Facebook’s Beacon partners was Blockbuster, so some of the items that wound up in people’s news feeds were the names of videos they’d bought. Oops.

I dug a bit into the legalities of the issue, and this is roughly what I came up with: Facebook and Blockbuster should hunker down and prepare for the lawsuits. Their recent move to allowing a global opt-out may cut them off from accruing further liability, but there’s probably an overhang of damages facing them from their past mistakes.

As usual with James, it’s a very detailed analysis; the discussion is also excellent.

Looking specifically at Blockbuster’s liability, there’s an interesting parallel to my as-yet-unanswered question in the thread about Beacon’s announcement of a global opt-out about whether Beacon caused advertisers to violate their privacy policies. In the web 2.0 world, the dependencies between software components mean that service providers (Facebook in this case) can put their customers (Blockbuster) at legal risk. As Google, Yahoo, Microsoft, Amazon, eBay, Facebook et al. compete, it will be a major advantage to whoever first seizes the high ground by providing services and platforms that are noticeably less risky. In addition to the classic considerations like security and ability to deliver on service level agreements (SLAs), this will increasingly include considerations like well-thought-out policies — and getting and listening to a broad range of perspectives, including from privacy advocates, before launching new services.

privacy
social computing
social sciences
