Politics 117: The Regulation of the Internet Privacy.

Politics 117: The Regulation of the Internet

Privacy

Is this a safe Facebook entry?

I love my cat Henry!

Kudos to my roommate for acing

the GREs!

Woah . . . I got really #$@#D!%

up last night!

My professor sucks!

Half of employers in U.S. scan social networking sites to see what you say.

• 45 percent in 2009, versus 22 percent in 2008• Most popular sites to watch are

– Facebook– LinkedIn– MySpace– Twitter

Nine things to stop doing on Facebook

• 1. Stop using a weak password– A strong password includes letters, numbers,

different cases, and symbols• Bad: ilovehenry• Good: i1oveHenry

• Bad passwords lead to Facebook scams like the “help I’m in London and my wallet was stolen” scam!

2. Stop leaving your full birth date on Facebook

• Lots of banks, credit card companies use your DOB as a security ID

• Best practice: don’t leave any of it at all• But if you can’t do that, just leave the month

and day, not year

3. Use your privacy controls!

• Go to whatever privacy controls Facebook is now deploying, and use them

• Best practice: everything should be just available for your “friends only” (not “friends of friends”)

• Check what applications you are using

5. Keep your children’s names off of captions

• Don’t mention the names of your kids

• Don’t identify them by name on photos or captions

• If someone else does, use the remove tag to delete the mention

6. Think twice about mentioning where you are• Especially if you are going

on vacation• It’s like putting a “nobody’s

home” sign on your front door

• Are you still ok with your 400 friends knowing where you are?

7. Don’t let children go on Facebook unsupervised

• You don’t want your kid going on Facebook and saying “Mommy is at work right now, but I’m here watching TV.”

8. Don’t say bad things about your peers on Facebook

• Could catch up to you via searchers and your friends

• Makes you look like an unpleasant person

• Generally, don’t say or be critical of people

9. Other issues

• Think about how political and critical of others you want to get on Facebook

• Give some thought to how much you want to be on Facebook every day

• Consider how many apps, causes, and features you want to access on Facebook

Best practices• Use Facebook to positively to

network with friends and associates• Use Facebook privacy settings

aggressively• Use e-mail, Instant messaging,

texting, etc for your more raunchy side

• Do anonymous commenting if you’ve got some really outrageous to say

• Assume that anything you write could be broadcast to the whole world

• Watch your privacy settings and monitor any changes in Facebook policy

Big social network fears• Your user data, including your

name and browsing patterns, will be sold to third party vendors

• Your ability to control how much of the user data you want processed and interpreted will be compromised

• Your security data, including your logins, passwords and financial information, will be stolen

Cookies

• Web sites place a “cookie,” an ID number in your web browser/computer

• The site then keeps track of your purchases, visits, patterns and associates it with that number

• When you come back, the site remembers what you did before thanks to the Cookie

Cookie examplessession-id-time 954242000 buybuybuy.com/session-id 002-4135256-7625846 buybuybuy.com/

UserID A9A3BECE0563982D www.goto.com/

Hyper Text Transfer Protocol header information

• The HTTP protocol sends the site you are visiting– The pages you visited– When you visited them– The IP address of your

server– The name of the server you

are working from– The web page from where

you arrived (the referrer)

Site can associates all that header data with your cookie ID#, plus

• Purchases• Social interactions• Uploads• Downloads• Account preferences

Problem #1: Securing your PII

• Personally Identifiable Information• “information which can be used to distinguish or trace

an individual's identity either alone or when combined with other public information that is linkable to a specific individual.”– Your name– Date of Birth– Your home address– Your telephone number– Your e-mail– Your gender

AT&T labs study 2009: PII leaking to “third party” application providers

• AT&T: “The results of our study clearly show that the indirect leakage of PII via Online Social Networks (OSNs) identifiers to third-party aggregation servers is happening.”

• “In addition, two of the OSNs directly leak pieces of PII to third parties with one of the OSNs leaking zip code and email information about users that may not be even publicly available within the OSN itself.”

EFF/Epic complaint (December 2009): too much publicly available information:

“every application and website, including those you have not connected with”

Then:• a user’s name and• a user’s network.

Now:• users’ names,• profile photos,• lists of friends,• pages they are fans of,• gender,• geographic regions, and• networks to which they

belong.

EPIC: Facebook in Iran

• Iranian Facebook commentators discovered that their posts were public on public Facebook pages

• Iran security agents checking Facebook accounts– “One Facebook user who traveled to Iran said that

security officials asked him whether he owned a Facebook account, and to verify his answer, they performed a Google search for his name, which revealed his Facebook page. His passport was subsequently confiscated for one month, pending interrogation.”

The big issues

• What are the default privacy settings?

• How easy is it to change the settings and to know that they can be changed?

• Can all the settings be changed to absolutely private?

• Can you control what data gets to third party applications?

Then there’s the problem of “flash cookies” ; cookies that you cannot delete

Two pro-active legislative strategies• Expand “opt-in”

requirements for all social websites– The site must ask

permission from you up front for everything private

• Expand the age of consent rules for social networks to collect private data

Boucher/Stearns draft Privacy legislation

Must have opt-in to use• Medical records, including medical history,

mental or physical condition, or medical treatment or diagnosis by a health care professional

• Race or ethnicity• Religious beliefs• Sexual orientation• Financial records and other financial

information associated with a financial account, including balances and other financial information

• Precise geolocation information

Must allow you to opt-out of allowing use• The first name or initial and last name• A postal address• A telephone or fax number• An e-mail address• Unique biometric data, including a fingerprint or

retina scan• A Social Security number, tax identification

number, passport number, driver's license number, or any other government-issued identification number

• A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account

• Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer

The Children’s Online Privacy and Protection Act (Coppa)

• Regulates general and children’s web sites that serve children under thirteen

• Parental consent required before data on children (younger than 13) given to third parties, including:

• (A) a first and last name; • (B) a home or other physical address

including street name and name of a city or town;

• (C) an e-mail address; • (D) a telephone number; • (E) a Social Security number; • (F) any other identifier that the

Commission determines permits the physical or online contacting of a specific individual; or

• (G) information concerning the child or the parents of that child that the website collects online from the child and combines with an identifier described in this paragraph.

Video 43.03

Reactive legal strategies• Case of Sarah Palin hacker

(David Kernell)– Guilty of

misdemeanor computer intrusion and felony obstruction of justice (deleting records)

– Sentenced to one year in prison

– Relevant laws:• Stored Communications Act• Computer Abuse and Fraud

Act• Communications Privacy Act

Reactive legal strategies

• Case of Britney Binger hacker– Hacked into Playboy

bunny account to get Grady Sizemore photographs

– Used personal data on Facebook page to get into Yahoo! E-mail

– Charged with “gross misdemeanor”

Grady Sizemore in a self-reflective moment