Google's Wi-Fi Privacy Ploy

[David Farber <dave () farber net>]

> From: "John F. McMullen" <observer () westnet com>
> Date: March 27, 2006 12:38:51 PM PST
> To: "johnmac's living room" <johnmacsgroup () yahoogroups com>
> Cc: Dave Farber <farber () cis upenn edu>, Dewayne Hendricks  
> <dewayne () warpspeed com>
> Subject: Jeff Chester: Google's Wi-Fi Privacy Ploy
>
> From the Nation -- <http://www.thenation.com/doc/20060410/chester>
>
> Google's Wi-Fi Privacy Ploy
> by Jeff Chester
>
> The digital gold rush is on across America, as cities scramble to  
> develop free or low-cost Wi-Fi zones. These public on-ramps to the  
> Internet are designed to provide every citizen with a form of  
> always-on, high-speed Internet access--at the playground, in the  
> office or at home--at low or no cost.
>
> Dozens of communities large and small, in red states and blue, are  
> either planning or currently constructing Wi-Fi systems. Community  
> leaders--from Philadelphia; Houston; Columbia, South Carolina; and  
> San Francisco, to name a few--recognize that creating a citywide Wi- 
> Fi zone is not only vital for economic development and public  
> safety but helps insure that Americans who can't now afford digital  
> communications on their own can also tap in to the riches and  
> convenience of the Internet. But there is no such thing as a free  
> digital lunch.
>
> Consumers and public officials should have no illusions that what  
> is being touted as a public benefit is also designed to spur the  
> growth of a mobile marketing ecosystem, an emerging field of  
> electronic commerce that is expected to generate huge revenues for  
> Google, Microsoft, AT&T and many others. Soon, wherever we wander,  
> a ubiquitous online environment will follow us with ads and  
> information dovetailed to our interests and our geographic location.
>
> Unless municipal leaders object, citizens and visitors will be  
> subjected to intensive data-mining of their web searches, e-mail  
> messages and other online activities are tracked, profiled and  
> targeted. The inevitable consequences are an erosion of online  
> privacy, potential new threats of surveillance by law enforcement  
> agencies and private parties, and the growing commercialization of  
> culture.
>
> Mining Your Data
>
> Consider the application submitted to the City of San Francisco in  
> February by search giant Google and its partner, the Internet  
> service provider Earthlink. One of six Wi-Fi bids being considered  
> by the City of San Francisco, the Google/Earthlink plan has  
> attracted the most attention. Under this proposal, Google would  
> provide a free but relatively low-speed Internet service available  
> throughout the city (Earthlink would operate a higher-speed service  
> on the same system charging users $20 a month). The costs of  
> operating the "free" service would be offset by Google's plans to  
> use the network to promote its interactive advertising services.
>
> Everyone who uses the Google network would first be directed to a  
> portal page, where they would be offered an array of what Google  
> terms "personalized consumer products." Through those products and  
> other technologies, Google plans, according to its proposal, to  
> "target advertisements to specific geographical locations and to  
> user interests."
>
> What this means is that Google and Earthlink plan to use online  
> files (known as cookies) and other data-collection techniques to  
> profile users and deliver precise, personalized advertising as they  
> surf the Internet. (Earthlink is working with the interactive ad  
> company DoubleClick, which collects and analyzes enormous amounts  
> of information online to engage in individual interactive ad  
> targeting.)
>
> Not everyone is enthused by the Google/Earthlink model. San  
> Francisco was advised by a trio of privacy advocates to develop  
> policies that would respect personal privacy. In letters to the  
> city, the ACLU of Northern California, the Electronic Frontier  
> Foundation and the Electronic Privacy Information Center (EPIC)  
> urged the adoption of a "gold standard" for data privacy (pasted in  
> below from http://epic.org/privacy/internet/sfws22106.html),  
> insuring that its Wi-Fi system would "accommodate the individual's  
> right to communicate anonymously and pseudonymously." The groups  
> also suggested that the city require any Wi-Fi company to allow  
> users to "opt in" to any data-collection scheme. [Full disclosure:  
> I rent office space in Washington, DC, from EPIC].
>
> Scary Syllables
>
> These two syllables--"opt in"--strike terror in the hearts of  
> Google, Microsoft, AOL and everyone else in the interactive  
> marketing field. Opting in requires users to affirmatively give  
> permission before any data can be collected. Individuals would be  
> fully informed about how such information would be used (such as  
> profiling, sharing with others, etc.). What companies want instead  
> is an "opt-out" approach, in which the default is always set to  
> collect and make full use of our personal information.
>
> As EPIC's West Coast senior counsel Chris Hoofnagle explained, "The  
> Google plan proposes to bargain away users' privacy for a trickle  
> of Internet connectivity." Google will have an unprecedented  
> ability to monitor use and build records of web activity. These  
> records will be a honey pot for law enforcement. Individuals'  
> privacy is worth more than a 300K download speed." (Other Wi-Fi  
> applicants in San Francisco also favor opt-out data-collection  
> technology. One applicant, the NextWLAN Corporation, envisions "an  
> e-commerce monetized, fully captive, location-aware Internet  
> portal." But also on the table is a proposal from the nonprofit  
> Seakay that offers a free service and pledges no personal  
> information will be collected online.
>
> The interest San Francisco and other cities have in securing the  
> financial support of commercial investors for their Wi-Fi grids in  
> part reflects the success of the campaign run by the nation's  
> largest cable and phone companies, which have opposed the idea of  
> municipally owned and operated Internet service. Companies such as  
> Comcast and AT&T view these low-cost local municipal competitors as  
> a threat to what they believe is their rightful broadband monopoly  
> businesses. Already, there have been lawsuits, lobbying and  
> legislation against such municipal Internet services.
>
> As a result of this pressure, cities are now seeking a more  
> corporate-friendly approach to provide what should really be a  
> public utility operated for everyone's benefit. Too many local  
> governments are embracing a model for Wi-Fi, says advocate and  
> expert Sascha Meinrath, that creates a system more favorable to  
> "billable moments" than one designed to truly connect communities  
> together.
>
> Instead of creating yet another e-commerce stomping ground, San  
> Francisco and other cities should understand that real alternatives  
> do exist to the corporate model of municipal Wi-Fi being peddled by  
> Google and its cohorts. It is possible to develop community  
> networks that reflect our highest principles, including the right  
> to personal privacy, and the cost of building such networks can be  
> very low. There are already successful publicly supported models.  
> St. Cloud, Florida, a city of 30,000, has built a free Wi-Fi  
> service for its residents, seeing it as an important public  
> service. The city has been able to build and operate the network,  
> reduce its telecommunications costs and generate new economic  
> opportunities.
>
> Building a Wi-Fi network this way brings in economic development  
> and saves the city money on telecommunications. At a time of  
> growing media consolidation and emerging threats to the future of  
> the Internet, America needs to create online systems that are  
> democratically run and commerce-neutral, that protect the privacy  
> of the citizens they serve.
>
> Jeff Chester is executive director of the Center for Digital  
> Democracy (www.democraticmedia.org), a Washington, DC-based  
> nonprofit. His book on US media politics, Digital Destiny, will be  
> published in the fall by The New Press.
>
> <http://epic.org/privacy/internet/sfws22106.html>
>
>
>
>     EPIC logo
>     Coalition Letter on San Francisco Municipal Broadband
>
>     [BY EMAIL (techconnect () sfgov org)]
>
>     February 21, 2006
>
>     Chris A. Vein
>     Acting Executive Director
>     Department of Telecommunications and Information Services
>     City & County of San Francisco
>     875 Stevenson Street, 5th Floor
>     San Francisco, CA 94103-0948
>
>                 Re:  TechConnect RFP 2005-19 / Privacy and  
> Municipal Broadband
>
>     Dear Mr. Vein,
>
>     On October 19, 2005, the ACLU of Northern California,  
> Electronic Frontier Foundation (EFF), and Electronic Privacy  
> Information Center (EPIC) submitted comments to TechConnect  
> concerning privacy issues raised by municipal broadband access.[1]   
> In that letter, we raised a series of privacy issues that sought to  
> focus attention on whether uses of the municipal broadband network  
> will have secure and private access to the Internet.  We applaud  
> TechConnect for including the privacy issues we raised in RFP 2005-19.
>
>     At section 2.11 of the RFP, TechConnect requested proposers to  
> provide a copy of their privacy policy, to certify that it complies  
> with applicable law, and to explain how it will communicated to  
> users.  TechConnect also requested proposers to explain how they  
> will address a series of privacy issues raised in our October letter.
>
>     In this letter, we stress that the city should consider minimum  
> standards for the privacy issues raised by the RFP. Privacy notices  
> are not enough.  The short history of E-commerce has shown that  
> companies often issue privacy policies that are substantively weak  
> and extend to users few legal rights to redress privacy  
> violations.  Minimum standards are necessary for each of the  
> privacy questions posed to proposers in order to guarantee respect  
> for users' rights.
>
>     To assist TechConnect in this process, we suggest model minimum  
> standards to each of the questions included in the RFP.  We also  
> urge TechConnect to consider the safeguards recommended in EFF's  
> "Best Practices for Online Service Providers," which describes  
> legal policies and technical procedures for protecting privacy. [2]
>
>      What personal information is collected about users?
>
>     Providers should take all reasonable steps to enable use of the  
> network without the collection of personal information. Data  
> collection should accommodate the individual's right to communicate  
> anonymously and pseudonymously through the service.
>
>     "Operation of the network" refers to actions necessary to  
> technically run the network.  This includes actions necessary for  
> guaranteeing service availability, billing, network testing, and  
> reasonable security measures.
>
>      How is this information used?
>
>     Providers should use information for purposes necessary to  
> operation of the network.
>
>      How long is this information stored?
>
>     Providers should specify a data retention schedule for all  
> information collected.  Providers should store information only for  
> so long as needed to operate the network.  In no event should data  
> be kept for more than a few weeks. Information that needs to be  
> kept to provide enhanced services should be the minimum necessary  
> to provide the service, be deleted as soon as operationally  
> possible, and providers should employ technical measures to shield  
> this information including obfuscation or aggregation.[3]
>
>      With whom is this information shared?
>
>     Providers should only share information for purposes necessary  
> to operate the network.  Entities that receive personal information  
> should be held to the same privacy standards as the provider.
>
>      Is this information commercialized in any way?
>
>     Providers should not commercialize personal information  
> collected in the course of operating the network unless the user  
> opts in to such uses of data.
>
>     "Opt in" refers to affirmative consent, a situation where the  
> user can employ the network for basic services, and affirmatively  
> choose to enroll in additional services.  That is, a user does not  
> "opt in" to the service by simply using the network. Providers  
> should obtain affirmative consent again where there is a material  
> change to information collection or use policies.  Furthermore, an  
> expression of affirmative consent should only be effective for one  
> year.
>
>      Is this information correlated to a specific user, device or  
> location?
>
>     Providers should correlate information to specific users,  
> devices, or locations only to the extent necessary to operate the  
> network.
>
>      Are mechanisms available to allow users to opt in or opt out  
> of any service that collects, stores, or profiles information on  
> the searches performed, websites visited, e-mails sent, or any  
> other use of the Network?
>
>     Opt in should be the standard for services that exceed the  
> basic function of providing individuals with Internet access.
>
>      Are mechanisms available to allow users to opt in or opt out  
> of any service that tracks information about the users physical  
> location?
>
>     Providers should take all reasonable steps to enable location- 
> based services without creating a tracking or logging mechanism  
> that will create records of individuals' location.
>
>      Are users enumerated or assigned any unique number that can be  
> used to track them from session to session?
>
>     Providers should take all reasonable steps to design the system  
> to prevent enumeration from session to session.
>
>     Providers should obtain a user's affirmative consent before  
> enumerating users across sessions.
>
>      Are policies in place to respond to legal demands for users  
> personal information in accordance with applicable laws?
>
>     Providers should comply with legal demands for users' personal  
> information only after verifying the legal sufficiency of the  
> request, and notify the subject of the request as quickly as  
> possible before providing information to the requestor.  A good  
> model is set forth by the Cable Communications Policy Act (47 USC   
> 551).  That act, which also applies to satellite television  
> providers, specifies a procedure where individuals are notified  
> before their information is revealed to others pursuant to legal  
> process. It was passed to protect individuals' television viewing  
> habits from disclosure, information that is at least as sensitive  
> as e-mail and web browsing records.  It has been in effect since  
> 1984, and accordingly many companies have processes to comply with  
> its standards.
>
>      Are users allowed access to all information collected about them?
>
>     Users should be able to access personal information collected  
> and maintained by the provider and its affiliates or partners.
>
>      Are users provided with a mechanism to review this information  
> and to correct inaccuracies or delete information?
>
>     Providers should extend reasonable opportunities for users to  
> correct or delete personal information collected and maintained by  
> the provider and its affiliates or partners.
>
>     Thank you for considering our comments.  If we can be of  
> further help, please feel free to contact us.
>
>     Nicole A. Ozer
>     Technology and Civil Liberties Policy Director
>     ACLU of Northern California
>     nozer () aclunc org
>     415-621-2493
>
>     Kurt Opsahl
>     Staff Attorney
>     Electronic Frontier Foundation (EFF)
>     kurt () eff org
>     415-436-9333
>
>     Chris Hoofnagle
>     Senior Counsel and Director, West Coast Office
>     Electronic Privacy Information Center (EPIC)
>     hoofnagle () epic org
>     415-981-6400
>
>     [1] Letter from Nicole A. Ozer, Technology and Civil Liberties  
> Policy Director, ACLU of Northern California; Kurt Opsahl, Staff  
> Attorney, EFF; & Chris Jay Hoofnagle, Senior Counsel, EPIC West  
> Coast Office, to San Francisco TechConnect, Oct. 19, 2005,  
> available at http://epic.org/privacy/internet/sfws10.19.05.html and  
> attached as Appendix A.
>
>     [2] Attached as Appendix B.  These guidelines were developed by  
> technical and legal experts for service providers that wish to  
> handle user data ethically.  They are available at http:// 
> www.eff.org/osp/.
>
>     [3] See Appendix B.

Weblog at: <http://weblog.warpspeed.com>



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/