From: "John F. McMullen" <observer@xxxxxxxxxxx>
Date: March 27, 2006 12:38:51 PM PST
To: "johnmac's living room" <johnmacsgroup@xxxxxxxxxxxxxxx>
Cc: Dave Farber <farber@xxxxxxxxxxxxx>, Dewayne Hendricks
<dewayne@xxxxxxxxxxxxx>
Subject: Jeff Chester: Google's Wi-Fi Privacy Ploy
From the Nation -- <http://www.thenation.com/doc/20060410/chester>
Google's Wi-Fi Privacy Ploy
by Jeff Chester
The digital gold rush is on across America, as cities scramble to
develop free or low-cost Wi-Fi zones. These public on-ramps to the
Internet are designed to provide every citizen with a form of
always-on, high-speed Internet access--at the playground, in the
office or at home--at low or no cost.
Dozens of communities large and small, in red states and blue, are
either planning or currently constructing Wi-Fi systems. Community
leaders--from Philadelphia; Houston; Columbia, South Carolina; and
San Francisco, to name a few--recognize that creating a citywide Wi-
Fi zone is not only vital for economic development and public
safety but helps insure that Americans who can't now afford digital
communications on their own can also tap in to the riches and
convenience of the Internet. But there is no such thing as a free
digital lunch.
Consumers and public officials should have no illusions that what
is being touted as a public benefit is also designed to spur the
growth of a mobile marketing ecosystem, an emerging field of
electronic commerce that is expected to generate huge revenues for
Google, Microsoft, AT&T and many others. Soon, wherever we wander,
a ubiquitous online environment will follow us with ads and
information dovetailed to our interests and our geographic location.
Unless municipal leaders object, citizens and visitors will be
subjected to intensive data-mining of their web searches, e-mail
messages and other online activities are tracked, profiled and
targeted. The inevitable consequences are an erosion of online
privacy, potential new threats of surveillance by law enforcement
agencies and private parties, and the growing commercialization of
culture.
Mining Your Data
Consider the application submitted to the City of San Francisco in
February by search giant Google and its partner, the Internet
service provider Earthlink. One of six Wi-Fi bids being considered
by the City of San Francisco, the Google/Earthlink plan has
attracted the most attention. Under this proposal, Google would
provide a free but relatively low-speed Internet service available
throughout the city (Earthlink would operate a higher-speed service
on the same system charging users $20 a month). The costs of
operating the "free" service would be offset by Google's plans to
use the network to promote its interactive advertising services.
Everyone who uses the Google network would first be directed to a
portal page, where they would be offered an array of what Google
terms "personalized consumer products." Through those products and
other technologies, Google plans, according to its proposal, to
"target advertisements to specific geographical locations and to
user interests."
What this means is that Google and Earthlink plan to use online
files (known as cookies) and other data-collection techniques to
profile users and deliver precise, personalized advertising as they
surf the Internet. (Earthlink is working with the interactive ad
company DoubleClick, which collects and analyzes enormous amounts
of information online to engage in individual interactive ad
targeting.)
Not everyone is enthused by the Google/Earthlink model. San
Francisco was advised by a trio of privacy advocates to develop
policies that would respect personal privacy. In letters to the
city, the ACLU of Northern California, the Electronic Frontier
Foundation and the Electronic Privacy Information Center (EPIC)
urged the adoption of a "gold standard" for data privacy (pasted in
below from http://epic.org/privacy/internet/sfws22106.html),
insuring that its Wi-Fi system would "accommodate the individual's
right to communicate anonymously and pseudonymously." The groups
also suggested that the city require any Wi-Fi company to allow
users to "opt in" to any data-collection scheme. [Full disclosure:
I rent office space in Washington, DC, from EPIC].
Scary Syllables
These two syllables--"opt in"--strike terror in the hearts of
Google, Microsoft, AOL and everyone else in the interactive
marketing field. Opting in requires users to affirmatively give
permission before any data can be collected. Individuals would be
fully informed about how such information would be used (such as
profiling, sharing with others, etc.). What companies want instead
is an "opt-out" approach, in which the default is always set to
collect and make full use of our personal information.
As EPIC's West Coast senior counsel Chris Hoofnagle explained, "The
Google plan proposes to bargain away users' privacy for a trickle
of Internet connectivity." Google will have an unprecedented
ability to monitor use and build records of web activity. These
records will be a honey pot for law enforcement. Individuals'
privacy is worth more than a 300K download speed." (Other Wi-Fi
applicants in San Francisco also favor opt-out data-collection
technology. One applicant, the NextWLAN Corporation, envisions "an
e-commerce monetized, fully captive, location-aware Internet
portal." But also on the table is a proposal from the nonprofit
Seakay that offers a free service and pledges no personal
information will be collected online.
The interest San Francisco and other cities have in securing the
financial support of commercial investors for their Wi-Fi grids in
part reflects the success of the campaign run by the nation's
largest cable and phone companies, which have opposed the idea of
municipally owned and operated Internet service. Companies such as
Comcast and AT&T view these low-cost local municipal competitors as
a threat to what they believe is their rightful broadband monopoly
businesses. Already, there have been lawsuits, lobbying and
legislation against such municipal Internet services.
As a result of this pressure, cities are now seeking a more
corporate-friendly approach to provide what should really be a
public utility operated for everyone's benefit. Too many local
governments are embracing a model for Wi-Fi, says advocate and
expert Sascha Meinrath, that creates a system more favorable to
"billable moments" than one designed to truly connect communities
together.
Instead of creating yet another e-commerce stomping ground, San
Francisco and other cities should understand that real alternatives
do exist to the corporate model of municipal Wi-Fi being peddled by
Google and its cohorts. It is possible to develop community
networks that reflect our highest principles, including the right
to personal privacy, and the cost of building such networks can be
very low. There are already successful publicly supported models.
St. Cloud, Florida, a city of 30,000, has built a free Wi-Fi
service for its residents, seeing it as an important public
service. The city has been able to build and operate the network,
reduce its telecommunications costs and generate new economic
opportunities.
Building a Wi-Fi network this way brings in economic development
and saves the city money on telecommunications. At a time of
growing media consolidation and emerging threats to the future of
the Internet, America needs to create online systems that are
democratically run and commerce-neutral, that protect the privacy
of the citizens they serve.
Jeff Chester is executive director of the Center for Digital
Democracy (www.democraticmedia.org), a Washington, DC-based
nonprofit. His book on US media politics, Digital Destiny, will be
published in the fall by The New Press.
<http://epic.org/privacy/internet/sfws22106.html>
EPIC logo
Coalition Letter on San Francisco Municipal Broadband
[BY EMAIL (techconnect@xxxxxxxxx)]
February 21, 2006
Chris A. Vein
Acting Executive Director
Department of Telecommunications and Information Services
City & County of San Francisco
875 Stevenson Street, 5th Floor
San Francisco, CA 94103-0948
Re: TechConnect RFP 2005-19 / Privacy and
Municipal Broadband
Dear Mr. Vein,
On October 19, 2005, the ACLU of Northern California,
Electronic Frontier Foundation (EFF), and Electronic Privacy
Information Center (EPIC) submitted comments to TechConnect
concerning privacy issues raised by municipal broadband access.[1]
In that letter, we raised a series of privacy issues that sought to
focus attention on whether uses of the municipal broadband network
will have secure and private access to the Internet. We applaud
TechConnect for including the privacy issues we raised in RFP 2005-19.
At section 2.11 of the RFP, TechConnect requested proposers to
provide a copy of their privacy policy, to certify that it complies
with applicable law, and to explain how it will communicated to
users. TechConnect also requested proposers to explain how they
will address a series of privacy issues raised in our October letter.
In this letter, we stress that the city should consider minimum
standards for the privacy issues raised by the RFP. Privacy notices
are not enough. The short history of E-commerce has shown that
companies often issue privacy policies that are substantively weak
and extend to users few legal rights to redress privacy
violations. Minimum standards are necessary for each of the
privacy questions posed to proposers in order to guarantee respect
for users' rights.
To assist TechConnect in this process, we suggest model minimum
standards to each of the questions included in the RFP. We also
urge TechConnect to consider the safeguards recommended in EFF's
"Best Practices for Online Service Providers," which describes
legal policies and technical procedures for protecting privacy. [2]
What personal information is collected about users?
Providers should take all reasonable steps to enable use of the
network without the collection of personal information. Data
collection should accommodate the individual's right to communicate
anonymously and pseudonymously through the service.
"Operation of the network" refers to actions necessary to
technically run the network. This includes actions necessary for
guaranteeing service availability, billing, network testing, and
reasonable security measures.
How is this information used?
Providers should use information for purposes necessary to
operation of the network.
How long is this information stored?
Providers should specify a data retention schedule for all
information collected. Providers should store information only for
so long as needed to operate the network. In no event should data
be kept for more than a few weeks. Information that needs to be
kept to provide enhanced services should be the minimum necessary
to provide the service, be deleted as soon as operationally
possible, and providers should employ technical measures to shield
this information including obfuscation or aggregation.[3]
With whom is this information shared?
Providers should only share information for purposes necessary
to operate the network. Entities that receive personal information
should be held to the same privacy standards as the provider.
Is this information commercialized in any way?
Providers should not commercialize personal information
collected in the course of operating the network unless the user
opts in to such uses of data.
"Opt in" refers to affirmative consent, a situation where the
user can employ the network for basic services, and affirmatively
choose to enroll in additional services. That is, a user does not
"opt in" to the service by simply using the network. Providers
should obtain affirmative consent again where there is a material
change to information collection or use policies. Furthermore, an
expression of affirmative consent should only be effective for one
year.
Is this information correlated to a specific user, device or
location?
Providers should correlate information to specific users,
devices, or locations only to the extent necessary to operate the
network.
Are mechanisms available to allow users to opt in or opt out
of any service that collects, stores, or profiles information on
the searches performed, websites visited, e-mails sent, or any
other use of the Network?
Opt in should be the standard for services that exceed the
basic function of providing individuals with Internet access.
Are mechanisms available to allow users to opt in or opt out
of any service that tracks information about the users physical
location?
Providers should take all reasonable steps to enable location-
based services without creating a tracking or logging mechanism
that will create records of individuals' location.
Are users enumerated or assigned any unique number that can be
used to track them from session to session?
Providers should take all reasonable steps to design the system
to prevent enumeration from session to session.
Providers should obtain a user's affirmative consent before
enumerating users across sessions.
Are policies in place to respond to legal demands for users
personal information in accordance with applicable laws?
Providers should comply with legal demands for users' personal
information only after verifying the legal sufficiency of the
request, and notify the subject of the request as quickly as
possible before providing information to the requestor. A good
model is set forth by the Cable Communications Policy Act (47 USC
551). That act, which also applies to satellite television
providers, specifies a procedure where individuals are notified
before their information is revealed to others pursuant to legal
process. It was passed to protect individuals' television viewing
habits from disclosure, information that is at least as sensitive
as e-mail and web browsing records. It has been in effect since
1984, and accordingly many companies have processes to comply with
its standards.
Are users allowed access to all information collected about them?
Users should be able to access personal information collected
and maintained by the provider and its affiliates or partners.
Are users provided with a mechanism to review this information
and to correct inaccuracies or delete information?
Providers should extend reasonable opportunities for users to
correct or delete personal information collected and maintained by
the provider and its affiliates or partners.
Thank you for considering our comments. If we can be of
further help, please feel free to contact us.
Nicole A. Ozer
Technology and Civil Liberties Policy Director
ACLU of Northern California
nozer@xxxxxxxxxx
415-621-2493
Kurt Opsahl
Staff Attorney
Electronic Frontier Foundation (EFF)
kurt@xxxxxxx
415-436-9333
Chris Hoofnagle
Senior Counsel and Director, West Coast Office
Electronic Privacy Information Center (EPIC)
hoofnagle@xxxxxxxx
415-981-6400
[1] Letter from Nicole A. Ozer, Technology and Civil Liberties
Policy Director, ACLU of Northern California; Kurt Opsahl, Staff
Attorney, EFF; & Chris Jay Hoofnagle, Senior Counsel, EPIC West
Coast Office, to San Francisco TechConnect, Oct. 19, 2005,
available at http://epic.org/privacy/internet/sfws10.19.05.html and
attached as Appendix A.
[2] Attached as Appendix B. These guidelines were developed by
technical and legal experts for service providers that wish to
handle user data ethically. They are available at http://
www.eff.org/osp/.
[3] See Appendix B.