Download PDF Version

Table of Contents

• Legislative Landscape
• Tracking reports, features and collective action

Legislative Landscape

CISPA dead again

This month, the controversial cybersecurity information sharing bill CISPA passed the United States House of Representatives, but was shelved by the Senate, in a repeat of 2011’s events when CISPA was initially deliberated. This came after numerous social media campaigns by advocacy groups, lobbying by industry, and a veto threat by the Obama administration. The bill sought to make it easier for private organizations to share information with the United States government about suspected “cyber threats”. Perceived problems with the bill included the prioritization of military control of cyber threat information over more transparent civilian agencies, immunity from any damages that arise out of “hacking back” against perceived threats, and the circumvention of existing privacy protections when providing personal information related to broadly-defined cyber threats to the government.

U.S. warrantless surveillance program highlighted

Celebrations by advocacy groups after the demise of CISPA may have been bittersweet as documents recently obtained by the Electronic Privacy Information Center reveal that even without a law such as CISPA, the U.S. Justice department has been granting legal immunity to ISPs taking part in a cybersecurity pilot program to intercept communications on portions of their networks without court authorization. This practice would have been formalized by CISPA if it became law. An executive order by President Obama requires Homeland Security to expand this data sharing program to all critical infrastructure sectors.

IRS warrantless email snooping

Documents obtained by the American Civil Liberties Union (ACLU) suggest that the criminal investigative unit within the IRS has obtained emails from service providers without a warrant, contrary to the 2010 Warshak court ruling that decided email can be protected under the U.S. constitution from unreasonable search and seizure. Following the ruling, the ACLU documents suggest that the IRS has continued to obtain such emails. The IRS responded shortly thereafter, denying that it uses emails to “target taxpayers”. After pressure from the U.S. Senate to clarify its practices, IRS Acting Commissioner Steven Miller stated that to his knowledge, the IRS has not obtained electronic communications without a warrant, which contradicts information in the obtained documents. Miller further stated the IRS will clarify its policies in the future.

ECPA Amendment to restrict warrantless access to emails proposed

A new U.S. Senate bill to amend the Electronic Communications Privacy Act (ECPA) would require law enforcement to obtain a warrant before compelling service providers to release the contents of users’ electronic communications. ECPA currently permits warrantless access to previously-opened emails and those over 180 days in age, practices that would no longer be allowed except in emergency situations under the amended Act. Advocacy groups have been calling for modernizing reforms to the 1986 Act for several years.

FBI pursuing real-time social media surveillance powers

During a talk for the American Bar Association, FBI general counsel Andrew Weissman discussed his view on the limits of the 1994 Communications Assistance for Law Enforcement Act (CALEA), which allows the government to compel ISPs and phone companies to install surveillance equipment on their networks. The law does not cover cloud services or email, rendering real-time surveillance of these platforms more difficult to achieve, especially for services utilizing end-to-end encryption — something the FBI would like to change. A proposed amendment to CALEA would allow the government to dole out escalating fines to service providers that do not comply with wiretap orders.

UK criticizes proposed EU “right to be forgotten” regulation

British officials have claimed proposed updates to the EU Data Protection Regulation that would create a so-called “right to be forgotten” will create unrealistic expectations about the reach of the policy. In practice, the proposed legislation would mandate online service providers to take reasonable steps to erase digital information pertaining to a user at that user’s request. Critics point out that such a right would not be as absolute as the title suggests, as the policy would need to be balanced with freedom of expression, scientific research, and other concerns. The UK Ministry of Justice also stated concerns about clauses in the proposal that would require data operators such as online service providers to take steps to manage third parties to delete data as needed, claiming it to be another of the scheme’s practical difficulties.

Back to top

Tracking reports, features and collective action

Reddit users dig up personal information of wrongfully accused

Social media website reddit.com met a significant amount of criticism for the “witch hunt” carried out by some of its users in response Boston marathon bombing. Reddit users collectively analyzed many photographs of the scene and “doxxed” individuals thought to be suspicious, unearthing social media profiles and other personal information. The New York Post later published those individuals’ photos on its front page, alleging they were suspects in the case. After the FBI came forward and dismissed the credibility of the photos, administrators of the site apologized for the incidents and noted that while it has a policy barring the publication of personal information, the policy had been ineffective. The events highlight that crowdsourced activities do not necessarily produce ideal results, though there are many examples of crowdsourced action helping manage crisis situations.

Google releases latest Transparency Report

Google’s Transparency Report for the latter half of 2012 indicates a continuation of the trend for increased requests to user data, and increased requests for content removal from governments. The report highlights the fact that 17 governments requested Google remove the controversial video “Innocence of Muslims”. A Google public policy blog post notes that this period saw a large increase in content removal requests from the Brazilian government, most of it pertaining to municipal elections and alleged defamation of political candidates. The report also reveals that total government requests for user data and content removals continue to increase, while Google’s compliance rate to such requests has been gradually declining, but remains slightly below 50 percent overall.

Facebook emoticons add structured data to posts

A new feature on the Facebook platform encourages users to select from a drop down of “emoticons” that suggest what you might be feeling, watching or eating at the moment. A blog post on Slate suggests that this feature is meant to enlist users in adding structured data points to the generally unstructured data of status updates, after natural language processing proved too challenging to execute reliably. The blog posits that this structured data will help Facebook to develop a more accurate profile of users and serve them more tailored ads.

Data brokers + Facebook

The Electronic Frontier Foundation recently published an in-depth look into how Facebook interacts with data brokers to serve targeted ads to its users. The report outlines how Facebook can target ads based on broker data without directly exchanging personal information, best practices for opting out of data broker programs and protecting yourself from third-party data collection. This comes as Facebook continues to describe its relationship with data brokers, which sees it leveraging information about its user’s offline behaviours and interests in order to build its partner categories service that enables advertisers to more efficiently target interest groups on the social network.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – April 2013 appeared first on The Citizen Lab.

Subscribe and receive Social Media CyberWatch in your inbox.

Table of Contents

• Prominent Privacy Research Findings
• Legislative Updates & Responses
• Service Provider Landscape

Prominent Privacy Research Findings

New research identifies users from limited data points

A new study published in Scientific Reports demonstrates that only four data points unique to a particular time and place are enough to uniquely identify almost any individual. Data from over 1.5 million people were gathered from mobile devices to support these conclusions. The BBC reports the findings reveal that even if mobile numbers and other personal details were removed from data sets, the mobility information alone may be enough to trace back to a particular individual. This could pose a privacy risk if “anonymized” data sets were shared with third parties. Other recent social media research findings similarly show that such a small number of data points may identify a user. Another report found that Facebook ‘likes’ can form surprisingly accurate personal portraits. Among the researchers’ findings were that male sexuality can be identified with 88 percent accuracy, and U.S. political affiliation (whether Democrat or Republican) with 85 percent accuracy.

Research sheds light on why people don’t act according to their privacy wishes

A recently-published longitudinal study of privacy practices demonstrates that a sample of Facebook users had gradually become less likely to share their personal information publicly. This persisted until policy and interface changes by Facebook partially arrested the trend. Other findings from the same research team argues that the idea of treating privacy as a matter of understanding and control over one’s personal data may be a false comfort. Indeed, people often do not act in their stated best interest when making transactions involving their personal information. Furthermore, the researchers found that more detailed user control over how one’s personal information is used encourages people to share more sensitive information with larger audiences.

Back to top

Legislative Updates & Responses

Proposed CFAA revision sparks controversy

A recently-proposed revision to the U.S. Computer Fraud and Abuse Act (CFAA) that would  broaden its scope has met broad criticism from academics, advocacy groups, the popular press, many of whom criticize the current state of the law as overbroad. The 1986 Act criminalizes gaining unauthorized access to computer systems. A Los Angeles Times editorial argues that the act’s ambiguity as to what constitutes authorization makes it susceptible to abuse. For example, the prosecution of activist Aaron Swartz equated a violation of Terms of Service agreements with unauthorized access. The EFF notes that the proposed revision to the act would quadruple maximum jail sentences for the crimes Swartz was accused of. Meanwhile, law professor Eric Goldman argues the law has evolved from one meant to prevent malicious hacking to one that restricts general unauthorized access to intangible assets such as intellectual property. He proposes the CFAA and similar laws be amended to retain only restrictions on defeating security measures and denial-of-service attacks.

Service providers distance themselves from CISPA as petition campaigns gain traction

The revived Cyber Intelligence Sharing and Protection Act (CISPA) has faced criticism for its broad, ambiguous language that has been argued to create exemptions to privacy laws in the name of cybersecurity. A Wired editorial argues the law would facilitate the usage of personal information collected under the act for prosecutions of crimes unrelated to cybersecurity. In response to the revised act, a campaign to stop the bill organized by advocacy groups and activists seeks petition signatures to send to the U.S. Congress. Similarly, a petition on the White House website to stop the bill has reached over 100,000 signatures, enough to mandate a response from the Obama administration. Shortly thereafter, Facebook joined Microsoft in dropping its support for the bill, the former company citing privacy concerns. Both companies have stated they favour a more “balanced” approach to security and privacy.

Back to top

Service Provider Landscape

Google shutters another “quasi-public” service

Many users of Google Reader petitioned for it to be saved after the company announced it would be shutting down the service later this year. This is just the latest of a series of high-profile service discontinuations by the tech giant. The demise of Reader particularly frustrated those who use the service to bypass Internet censorship systems. The service has been used to evade many filtering systems because the Reader software tramsits websites securely via Google’s own servers (located in the U.S.), rather than directly from third party servers which may be blocked by censors. While other RSS services that operate in a similar technical manner as Google Reader, these services will face a challenge in replicating Reader’s success as a censorship-circumvention tool because a large part of Reader’s power arguably comes from people’s trust in Google’s brand.

Microsoft releases its first transparency report

Earlier this month, Microsoft released its first Law Enforcement Requests Report, similar to the “transparency reports” released by Google and Twitter. The report reveals that Microsoft complied with 79 percent of U.S. government requests for subscriber data and 83 percent of requests from non-U.S. governments in 2012. The report’s release follows the January publication of an open letter signed by many advocacy groups requesting Microsoft to clarify what information is stored when users communicate via Skype, and to make public any government requests for that data. Microsoft’s report treats Skype as a separate category, explaining in a blog post that Skype data was collected differently due to the fact that the service was only acquired by Microsoft in late 2011. Interestingly, the report claims that Skype did not provide any customer communications content in response to 4,713 total government requests for users data, although an undisclosed amount of transactional data (such as usernames, email accounts and billing information) was provided. Furthermore, the report does not directly respond to the demand raised in the open letter about Microsoft’s relationship with TOM Online, a Chinese company that distributes modified Skype software for the Chinese market that has been found to censor and surveill its users.

Facebook expands ad targeting to include offline purchases

Facebook recently announced a partnership with several data brokers to incorporate their consumer data into the Facebook ad-targeting platform. The social media platform is now working with Datalogix, Epsilon, Acxiom, and BlueKai, companies that gather information about users through online cookies as well as through offline sources sucha as supermarket loyalty cards. Profiles assembled by brokers typically start with a name, address, and contact information, then add demographic information, hobbies, life-events, salary and more. The EFF has posted a guide on how to opt-out of these data brokers to ‘suppress’ your information from certain uses, which may or may not include sharing the information with Facebook.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – March 2013 appeared first on The Citizen Lab.

• Legislative Updates
• Personal Information & Obscurity
• Cookies & Tracking

Legislative Updates

A variety of lobbyist battles, legislative deaths and rebirths, as well as a presidential executive order all brought new changes to social media and online privacy realms this month.

Lobbying frenzy in wake of proposed EU privacy changes

Proposed changes to the EU Data Protection Regulation drew a variety of responses from privacy advocates amidst heavy lobbying from US companies against the initiatives. One proposed revision would create a “right to be forgotten” across all member states, requiring companies to delete a user’s data at their request. The proposals drew a variety of amendments, and advocacy group Europe v Facebook reported that 25% of the content of such amendments were directly copied from lobbyist papers. Additional criticism of the changes came from a US diplomat, who warned that if the proposals were passed, the resulting restrictions might provoke a trade war. These moves were preceded by statements from several privacy advocacy groups including the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU), who wrote to various United States government officials, arguing that the United States should not hinder the EU’s privacy-strengthening regulation. Meanwhile, representatives for US IT companies argued that prescriptive regulation hinders innovation and economic development.

CISPA re-introduction draws privacy criticism

The Cyber Intelligence Sharing and Protection Act (CISPA) was re-introduced this month, unchanged from last year’s version that was passed in the United States House of Representatives, but defeated in the Senate after an outcry from “tens of thousands of concerned individuals”. The Act is designed to set up a streamlined system for the private sector to report cyber threat information to federal agencies. In response to the re-introduced bill, the EFF launched an online petition urging lawmakers to oppose it. Concerned privacy advocates claim the Act’s broad language would allow organizations to disclose their customers’ personal information to the US intelligence community with little transparency, and expressed dissatisfaction that no substantive changes were introduced in the latest version.

Obama cybersecurity executive order elicits diverse responses

US President Obama issued an executive order entitled “Improving Critical Infrastructure Cybersecurity” which calls for improved cybersecurity information sharing between private entities and the government while maintaining privacy and civil liberties protections. Other key demands include a call for a frameworks to reduce cyber risks to critical infrastructure, develop a cybersecurity program to protect said infrastructure, and identify the infrastructure at greatest risk. Michigan’s Chief Security Officer Dan Lohrmann writes that the executive order has elicited a wide range of reactions. For example, security expert Eugene Kaspersky praised the order as a step in the right direction in the wake of increased cyber attacks on critical infrastructure. In contrast to their response to CISPA, privacy advocates have generally praised the executive order for its attempt to protect security while not diminishing privacy. However, critics claim the order does not account for the complex network of existing security frameworks in place and fails to provide any concrete solutions to current problems.

Canadian Internet surveillance bill killed

Canada’s controversial Internet Surveillance Bill C-30 was killed by the Harper government earlier this month, about a year after the bill’s controversial introduction, which saw Canadian Public Safety minister Vic Toews disparage opponents of the bill as supporters of child pornographers. The bill would have required digital service providers to install equipment that enabled authorities to engage in real-time monitoring of the digital activities of customers without court authorization. Vocal opponents of the bill, including Ontario’s Information and Privacy Commissioner Ann Cavoukian and Vancouver-based Internet advocacy group OpenMedia.ca, were delighted to see the bill’s demise.

Back to top

Personal Information & Obscurity

Facebook had a policy triumph in the wake of a challenge over German privacy law, while the inner workings of Google Play’s personal information disclosure to developers raised the ire of privacy advocates.

Facebook defeats German privacy challenge

Facebook defeated a legal challenge by a German privacy watchdog (ULD) over the social networking site’s policy that requires all users to register with their real names. While a ban on pseudonyms may breach German privacy law, the court ruled that as Facebook is technically headquartered in Ireland, the law did not apply. In response, a representative for the ULD argued that the ruling will encourage multinational tech companies to set up their headquarters in jurisdictions with the weakest data protection. While a unified online identity can be useful for commercial purposes, one commentator argues that pseudonyms reflect the nature of people’s fragmented online identities and help to encourage creative thought.

Google Play store provides user data to app developers

An Android application developer caused a stir when he revealed that Google sends him the email address, approximate location, and occasionally the full name of individuals who downloaded his application from the Play Store. A source familiar with Play Store operations claimed that this is intentional, and has always been their practice. As the Play Store was modelled on Apple’s App store, which does not disclose purchaser details to developers, critics are claiming that most users do not expect their personal information to be shared with anyone besides Google (whom purchasers may assume they are doing business with). Google’s main privacy policy is arguably broad enough to cover this type of sharing as being between “affiliates”, to whom personal information is provided.

Back to top

Cookies & Tracking

This month saw several notable developments in online tracking policy. These occurred in the diverse areas of international standards deliberations, web browser implementations, and social media user interaction design.

Will the Do Not Track standard resume development?

After development stalled due to bitter tensions between advertising industry and privacy advocates, the Do Not Track (DNT) web standard is said to be resuming its course, while others are less sure of its future. The working group in charge of the standard has reportedly agreed on a roadmap and several key requirements. The standard, which is already partially implemented in numerous web browsers, provides a way for browsers to inform servers that the user does not wish to be tracked. When the standard’s self-regulated development appeared to have stalled, the advocacy group Consumer Watchdog called on the Federal Trade Commission (FTC) to push for DNT legislation. While no proposed legislation has yet emerged, the resumed development does follow the release of the FTC’s mobile privacy report [PDF], which recommends an implementation of DNT for mobile browsers.

Firefox to block third-party cookies by default

Perhaps in response to the stalled Do Not Track development, an update to the popular Firefox web browser will see it blocking cookies from third-party URLs by default. This move will bring it in alignment with the Safari browser’s similar default setting. When a web browser displays a website, any cookies loaded from a different domain are treated as “third-party origin”. Typically, third-party cookies are used to track individuals across different websites and serve them ads tailored towards an interest profile, a practice known as Online Behavioural Advertising (OBA). Nevertheless, a web browser will still save third-party cookies if the browser visited that third-party in the past. Jules Polonetsky, a leading privacy expert, posits that the move may provide an opportunity for ad companies to be more explicit about how and why they track users, re-framing a practice that largely operates in the background.

Facebook re-targeted ads to adopt AdChoices icon

In response to pressure to be more transparent about its ad re-targeting program, Facebook is reportedly introducing the AdChoices icon to indicate when an advertisement is “re-targeted”, displayed to the user based on information collected about the his/her web browsing history. The disclosure is a step towards transparency, but is not an obvious one; the small icon will only appear alongside a re-targeted advertisement only after a user hovers over it. Jeffery Chester of the Center for Digital Democracy was not impressed by the move, arguing that merely informing users that an advertisement is targeted does not amount to disclosure of how that information is harvested in the first place.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – February 2013 appeared first on The Citizen Lab.

Facebook Inc. (FB), Google Inc. (GOOG) and Microsoft Corp. (MSFT) may face stricter privacy rules requiring them to let users shift data to competitors in the European Union under proposed changes to a draft law.

People need control over their personal data, according to a report published yesterday recommending amendments to the rules proposed by the Brussels-based European Commission.

Social networks should let users move information “from one platform to another” and obtain details of what data companies hold on them, free of charge, said Jan Philipp Albrecht, a German Green Party politician leading the effort in the European Parliament.

EU data-protection watchdogs for the first time would be empowered to fine companies as much as 2 percent of yearly global sales for “intentionally or negligently” violating the rules under the commission proposal. Google, Facebook and other Internet companies have faced investigations by regulators around the world as authorities grapple with how to better police corporate use of personal data.

For the full article, see here.

The post Facebook, Google may face tougher EU curbs on data usage appeared first on The Citizen Lab.

The German government a while ago answered questions about expenditures by the federal ministry of home affairs for private service providers – hardly noticed by the English speaking world. The parlamentary enquiry (“Minor interpellation”) no. 17/10077 by Jan Korte, MP of The Left party, has now been translated into English.

The answers were far more detailed than one would expect.

There’s 43 pages (this includes questions), 20 of which are tables that list who was contracted, how much money was paid, what for and how each paid item was used. Even though 12 out of 30 answers were defined as classified information – e.g. questions regarding Germany’s domestic and foreign intelligence services or the Federal Office for Information Security (BSI) – there’s still some interesting news to be found.

The German ministry for home affairs and thus the German police clearly state that they are monitoring Skype, Google Mail, MSN Hotmail, Yahoo Mail and Facebook chat if deemed necessary. Money is spent on trojan viruses and we can be quite certain which company produces the IMSI catchers used by German police. We know how much money was spent by the Federal Police on border control biometrics, on passenger information systems and telecommunications surveillance. Digitask, a company whose reputation was clearly damaged after its trojan virus was found and analysed by the Chaos Computer Club in 2011, seems to still be a regular contractor of German authorities. Altogether more than a billion Euro was spent on private services by German police and other public authorities in the realm of the ministry of home affairs in the years 2002 – 2012.

For the full article, see here.

The post German police monitors Skype, GoogleMail and Facebook chat appeared first on The Citizen Lab.

A new report shows just how porous China’s infamous Great Firewall might be for local Internet users determined to access banned websites.

The country’s censors have deemed Facebook and Twitter unfit for local viewing, but that hasn’t stopped millions of Chinese from using the social-networking services, according to researcher GlobalWebIndex. There are 63.5 million Facebook users in China, up from 7.9 million two years ago, even though Facebook is officially banned there. Twitter has equally impressive numbers, with 35.5 million users in China, triple the number from 2009.

The new numbers might seem to represent a big win for the U.S. companies. All of a sudden, we no longer should think of China as a big miss for the social-media players. Indeed, the GlobalWebIndex numbers mean that China is Facebook’s third-largest market, behind the United States and almost tied with No. 2, Brazil, according to social media research company Socialbakers.

For the full article, see here.

The post China Great Firewall can’t stop Facebook appeared first on The Citizen Lab.

A new app is being tested in Nashville, Tenn., that can check in people on Facebook and send them offers using facial-recognition cameras.

Called Facedeals, the new service uses cameras installed at businesses’ front doors to read people’s faces as they enter. If the people who come in are users of the app, they will be checked in, and based on their “like” history, they would receive a customized offer.

To use the app, people first have to sign up. The app will then work with users to verify pictures of them to get a better reading of their face.

Once that process is done, you can just go about your day and you’ll be checked in any time you go to participating businesses, according to Redpepper, the company behind the service.

“Personalized deals can now be delivered to your Smartphone from all participating locations—all you have to do is show your face,” the company said online.

The cameras are little blue boxes designed in a style that looks very much like Facebook’s. They need Wi-Fi and require a 110-volt wall outlet.

Facedeals is currently limited to Nashville, but Redpepper said it will be expanding to other cities worldwide in the future.

Whether the service actually takes off is hard to determine because even though users have to sign up to participate in the program, many people likely won’t appreciate that there will be cameras scattered around their city actively scanning their faces.

For the full article, see here.

The post Facedeals checks you in with facial-recognition cameras appeared first on The Citizen Lab.

On March 9 of this year, a piece of Facebook software spotted something suspicious.

A man in his early thirties was chatting about sex with a 13-year-old South Florida girl and planned to meet her after middle-school classes the next day.

Facebook’s extensive but little-discussed technology for scanning postings and chats for criminal activity automatically flagged the conversation for employees, who read it and quickly called police.

Officers took control of the teenager’s computer and arrested the man the next day, said Special Agent Supervisor Jeffrey Duncan of the Florida Department of Law Enforcement. The alleged predator has pleaded not guilty to multiple charges of soliciting a minor.

“The manner and speed with which they contacted us gave us the ability to respond as soon as possible,” said Duncan, one of a half-dozen law enforcement officials interviewed who praised Facebook for triggering inquiries.

For the full article, see here.

The post Social networks scan for sexual predators, with uneven results appeared first on The Citizen Lab.

Tech giants who are otherwise competing fiercely for market share in mobile media and technology are now holding hands, in expectation of congressional efforts to regulate data privacy in the fastest-growing segment of their business.

Facebook Inc., Apple Inc. and Google Inc. have all signed onto a tech sector effort to forestall government oversight of consumer privacy on mobile devices. The three companies are working together to assemble voluntary privacy guidelines for the industry. All three companies have made high-profile stumbles on safeguarding users’ personal data, in the past.

Facebook in June was the latest company to sign a California pact agreeing to require mobile app publishers to display privacy disclosures prior to download.

For the full article, see here.

The post Apple, Facebook look to forestall mobile privacy laws appeared first on The Citizen Lab.

Facebook has apologised after it mistakenly deleted a free speech group’s post on human rights abuses in Syria.

The social network on Friday removed a status update by Article 19, which campaigns for freedom of speech, that linked to a Human Rights Watch report detailing alleged torture in the Arab country.

Dr Agnes Callamard, the executive director of Article 19, accused Facebook of acting like “judge, jury and executioner” in the way it removes material from the website.

Facebook did not explain to Article 19 why it had deleted the material, but told the Guardian that the post was mistakenly removed after being reported as containing offensive content.

The original status removed from Article 19′s Facebook page read: “@hrw publishes a shocking report into #torture in #Syria including geo-tagged detention centres http://ow.ly/bZ6Yl ^OS”.

The link directed people to a report by Human Rights Watch detailing 27 “torture facilities” which the group claims are being run by Syrian authorities.

For the full article, see here.

The post Facebook apologises for deleting free speech group’s post on Syrian torture appeared first on The Citizen Lab.