You Might be Interested In

By now, many of you have heard of the information that is “leaking” from Facebook applications, and how this wide-ranging problem might affect your personal privacy.

On Monday, the Wall Street Journal continued its online privacy series by reporting that many popular Facebook applications leak personal information – in the form of Facebook user IDs – to online advertisers.  A Facebook user ID is a unique number issued to every user of the site, and is part of a person’s public profile: you cannot restrict access to your user ID simply by modifying your account’s privacy settings.

When you visit a web page, browsers typically report the URL of the page you were viewing before you clicked over to the current page: this is known as the “referrer” URL.  A Facebook app is often loaded on the same web page as third-party ads. When these ads are fetched (to be loaded onto the page), the application tells the advertising network the URL of the current page that is loading their ad. In the case of many Facebook apps, this URL contains the unique user ID of the person who loaded the page. This ID can then be used to identify that specific user – it is linked to public profile information like their full name.  The URL (with the ID) is sent even if the user does not click on any ads.

This is not the first time it has been the subject of discussion. It was raised in a research paper in August 2009 and – in a similar context – described in an earlier WSJ article about Facebook ads. A lawsuit has been filed in California that alleges that Facebook has shared personal data with advertisers.

Current debate around the privacy implications of referrer information has also included criticism of the statements made in the WSJ article. Some commentators found the article alarmist, and others pointed out that these issues are not specific to Facebook, but are a wider web privacy concern. Indeed, the broader privacy implications of referrer data have also been recently raised as part of a complaint to the Federal Trade Commission about Google’s use of referrer headers.

It is important to note that using referrer data is, by itself, a legitimate practice. The web standards that underpin how information and instructions are communicated across the internet allow browsers to send the referrer field as an optional part of a request to a web server. However, there is flexibility as to exactly what information is included in the referrer header, and also whether users allow their browsers to send referrer data in the first place. Harlan Yu outlined a number of solutions in a timely blog post; these include omitting IDs from the web request, using placeholder IDs instead of real Facebook IDs, and improving browsers to give people better control over the transmission of referrer data.

One prominent member of the web community co-wrote an Internet standard document that pointed out privacy concerns of referrer data:

Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer…information.

The co-author? Tim-Berners Lee (considered the father of the web), in 1996. The privacy debate continues…

Understanding how we construct and manage our online reputations is crucial in our understanding of how people determine what to make public and what to keep private in online environments. The interview below, with Firefox’s Creative Director Aza Raskin, has some interesting observations on what the construction of identity and memories could look like in the future. Also, around 4:35, he talks about the work Mozilla has been doing to create a set of privacy icons in the style of Creative Commons licences to help people understand how their data is being collected and used.

We’re launching our 2010 My Privacy & Me Video Contest for 12-18-year-olds – and the first-place winners will win an iPad!

It’s the same thing this year – but a little different, too! Again, we’re asking them to create their own public service announcements about privacy. But this year, we’d like the videos to fall into one of four categories: Surveillance; Reputation Management; Targeted Advertising; or Online Scams. You can find all contest details here.

This year, teams can consist of one to three people. First-place winners in each category will win an iPad. Second-place winners will win a $200 gift card; and third-place winners will win a $100 gift card. We’ve recognized top-participating schools and teachers in the past, and we have something in store for them in 2010! The deadline is December 10, 2010.

For inspiration, sit down with your young ones and watch the 2009 winning videos. Then, have them start exercising their video-making muscles – we can’t wait to see what they’ve got!

In a move to monitor inventory in its stores, Wal-Mart will launch an item-level Radio Frequency Identification (RFID) inventory tracking program starting August 1^st, 2010.  In its first phase, the system will track individual pairs of jeans, socks and underwear.  The items will be tagged with removable RFID tags that can be read from a distance using hand-held scanners so employees will know what sizes are missing from shelves and what is in the stock room, all in a matter of seconds.  If the program is successful, it will be rolled out at Wal-Mart’s more than 3750 U.S. stores with more products.

The upside of RFID systems have been well-documented –they help retailers better control their inventory and cut costs for consumers,  create efficiencies in our health care system, increase customer convenience (enter the smart coffee mug), and save valuable time for consumers (let’s face it, the ability to push a shopping cart through an RFID reader that instantly calculates your grocery bill without removing a single item from the cart sounds down-right heavenly!).

RFID systems also continue to be rolled out new contexts: we have written about privacy issues surrounding the use of RFID in the workplace, Northern Arizona University is using their RFID enabled student cards to track student lecture attendance,  transportation systems use RFID to monitor traffic flow, our passports are being equipped with RFID chips and our pets are tracked and monitored via RFID implants.

While these systems can be really useful and save us time and money, they also raise some serious privacy concerns.  While the RFID tags in the Wal-Mart example are removable, not all RFID tags are (some are as small as a speck of dust and are virtually invisible).  RFID tags can be tracked and hacked, may not be easy to turn off and can be read at a distance, potentially allowing tags to be read outside the original system for purposes limited only by human ingenuity.

As the tags get cheaper and the size of the tags gets smaller, extending the reach and uses for such systems will likely evolve too. Perhaps most concerning is that RFID systems have the potential to track individuals and could do so without their knowledge or consent.  As a recent article notes:

“Location-aware apps are scary enough, based on GPS with the broad range they offer. But for the most part you still have to sign up for those. RFID is being implemented all around you…it can track infants to senior citizens with Alzheimer’s. In between it can track your clothes, your purchases, your car – even you. RFID is on the verge of tracking us all, cradle to the grave.”

As we and others in a number of jurisdictions continue to wrestle with questions about RFID and privacy, the evolving application of RFID systems serve to highlight the fascinating convergence of emerging technologies and human creativity.

Do you know how your location information is used?  A recent survey commissioned by security company, Webroot, asked 1,645 social network users in the U.S. and UK who own location-enabled mobile devices about their use of location-based tools and services.  The survey found that 39 percent of respondents reported using geo-location on their mobile devices and more than half (55 percent) of those users are worried about their loss of privacy. 

A few notable concerns over security and privacy: 49 percent of women (versus 32 percent of men) were highly concerned about letting a would-be stalker know where they are and nearly half (45 percent) are very concerned about letting potential burglars know when they’re away from home (a very real risk outlined nicely by Pleaserobme.com)

The growing popularity of geo-location tools and services (including offerings by industry giants such as Twitter, Apple, Facebook and Google) means that location information is being collected on a colossal scale and the real and potential uses for this information are just starting to work themselves out – from iPhone photos tagged with GPS coordinates to location-based gaming platforms such as Scvngr that enable mobile users to create their own location-based games.

This increase in the collection and use of location information can also pose unique risks for users.  The survey summary notes that a surprising number of respondents engaged in behaviors such as sharing location information with people other than friends that could put them, and their private information, at risk.  A blogger recently wrote about her experience with location sharing gone wrong and Foursquare was recently blasted for unintentional data leakage via their popular location-based service. 

As we note in our recent submission to Industry Canada’s Digital Economy Consultation, good privacy practices can support innovation by reinforcing confidence in users that they have the right to control their personal information and that the technology they use is secure.  With location information, the usual privacy concerns abound and with each cool, new service that hits the market. How to communicate these risks to consumers is something that occupies a great deal of our time.  Dealing with the privacy concerns of location information during the design phase for new services would help businesses avoid expensive (both financial and reputational) after-the-fact privacy fixes and might even provide those privacy-friendly businesses with a significant competitive advantage

We’ve just sent in our submission to the Digital Economy Consultation, available online here.

In our submission, we argue that privacy isn’t an impediment to innovation. Rather, we believe privacy can support innovation by reinforcing confidence in users that they have the right to control their personal information and that the technology they use is secure. Too often privacy is left out of the design stage, and fixes after the fact can be expensive. We recommend that privacy become an integral part of the business models that rely on technology. We want to see a privacy culture that complements Canada’s digital advantage and, in our submission, we put forward a number of recommendations on how the federal government can help build one.

First of all we recommend strengthening privacy protections within the federal government. We’ve written previously about the need to reform the Privacy Act, but we think the federal government can go even further in being a model user of technology – for example, we’d like to see the federal government make Privacy Impact Assessment (PIA) analysis a requirement as part of preparing Memoranda to Cabinet for program approvals. We’d also welcome the federal government’s use of state-of-the-art authentication and protection technologies. Other countries are already exploring this, including the United States, where they are looking at how open-source products and standards can be used to provide identity verification.

The consultation on the digital economy includes a discussion on the importance of digital skills. We increasingly view privacy literacy and online reputation management as part of a suite of digital citizenship skills necessary for success in the digital economy. To this end, we recommend making privacy literacy an integral component of digital citizenship and would like to see the federal government fund research to support digital citizenship programs.

We also recommend providing tools to help small and medium-sized enterprises (SMEs) – and in particular SMEs that are technology innovators – better understand privacy so that privacy is considered at the outset of the design stage, and built into the end product.

Finally, we’d like the federal government to fund “privacy positive” research and development – for instance, network and security technologies that incorporate privacy protections.

With only a handful of days left, we encourage you to read our submission, and the submissions and ideas of others and offer your comments.

In case you missed it, we are embarking on a collaborative redesign of youthprivacy.ca. We are inviting input from people both within government and external to government, and the first meeting is fast approaching. Our first meeting will focus on the content of the website, discussing what should appear on youthprivacy.ca, asking questions about how the website can best serve the public through tailoring its content, and doing some preliminary brainstorming regarding how this content should be presented.

If you are a content expert or have thoughts to share, we invite you to attend our first rethinking youthprivacy.ca meeting on July 7 at 10:30 am. If you would like to attend, please contact us today! If you cannot attend in person, teleconferencing will be available.

If you are interested in helping us out with usability or the more technical aspects of our redesign, or if you know someone who might be interested in this collaborative interdepartmental initiative, stay tuned for more information, because we will want to meet with you soon!

Meeting details:

Wednesday, July 7, 2010

10:30 – 11:30 am

112 Kent Street, Suite 300

Ottawa, ON

A few dedicated OPC staffers spend much of their time visiting schools and talking to young people about why privacy is important.  If you believe a popular line of thinking, privacy may seem to be a lost cause in the age of online social networking and “anything goes” disclosure. We who talk to youth on a regular basis, however, are always pleasantly surprised that a generation that is growing up online shows such interest and enthusiasm about protecting their information.  It’s nice when research findings reflect our day-to-day observations that many young people are in fact proactive about protecting their online privacy.

The Pew Research Center’s Internet and American Life Project recently published a report entitled “Reputation, Management, and Social Media” in which it found that “younger users are far more active and deliberate curators of their online profiles when compared with older users.” This infographic shows other interesting report findings about how people interact and conduct themselves online.

Much of the debate around online privacy seems to revolve around binary choices: if you post information online then you can’t expect it to be private; if you join a social networking site then you must want to share your information with everyone.  But the reality is much more nuanced. As danah boyd and others have argued, people want to share information with people they themselves have chosen, via privacy settings. PEW found that 71% of social networking users ages 18-29 have changed the privacy settings on their profiles to limit what they share with others online, and 58% keep some people from seeing certain updates. Contrary to what some tech moguls might want you to believe, online privacy among young people is alive and well.

Over the course of the year, the Office of the Privacy Commissioner of Canada is hosting consultations with Canadians on issues that pose a serious challenge to privacy. In an attempt to learn more about the privacy implications of new industries, the focus of the consultations has been on online tracking, profiling and targeting of consumers, and the increasing prevalence of cloud computing.

Following the first such consultation in Toronto, a second event was held in Montreal on May 19^th, 2010. The event was a resounding success, due in part to the fact that the panels had a lively audience both on and offline.

Did you miss the event? You can still watch the webcast here, and you can check out what was happening on Twitter for each panel below.

Panel 1: Frontiers of Consumer Information Datamining and Analytics

Frontiers of Consumer Information Datamining and Analytics Panel

Panel 2: Online Identity and Reputation

Online Identity and Reputation Panel

Panel 3: Online marketing methods: gaming, advertising, applications and social networks

Online marketing methods: gaming, advertising, applications and social networks panel

There has been a long-standing debate between privacy advocates and government officials about the extent of government interest in the information transmitted across domestic and international networks. The passage of USA PATRIOT Act intensified this debate and prompted concern from a more general audience as well. Ever since, the digerati and online crowd have been whispering and wondering about the interface between search engines, particularly Google, and law enforcement and national security bodies.

In brief, this comes up in classrooms and at conferences in roughly the following exchange:

Q. “So, should I worry about what Google knows about me?”

A. “Maybe, but I’d worry more about what the government gets out of Google, then matches with what they already know about you.”

Around this issue, researchers like Chris Soghoian in the US (as well as Ben Hayes and Simon Davies overseas) have been pushing for greater transparency from both companies and government on the use of broad data production powers.  Last week, to their great credit, Google took a big first step and published an interactive map on the numbers and types of data requests they recieve from governments around the world.  This coincides with another important US private sector push – Digitaldueprocess.org – that is asking for clear, consistent and accountable measures to be put in place when government ask companies to ‘check up’ on their customers.

We commend Google and others involved for this significant first step, look forward to improvements and more details as they tweak the reporting model and sincerely hope other companies (and, ahem! governments) follow suit.