Law in the Internet Society

Current Response to Unbeknown Cell and Internet Tracking

Not a good title. "Unbeknown Cell Tracking" could work in one of the other branches of our common Teutonic languages, Dutch or German say, where participles perform wonders, but it doesn't make English. It seems to mean "current responses to covert network tracking," which is too indefinite. Indeed, as we discover, two different things each called "tracking" are being conflated.

Despite the recent attention being paid to issues of customer tracking and surveillance, the proposed legislative responses and probability of a pending lawsuit success leave much to be desired. There are different options that may better address the egregious void of consumer protection that is not keeping up with technological innovation.

This is entirely obscure. Everything here is referred to rather than told, so no one but a mindreader could know at this stage what you're talking about, which is not a good state to leave the reader at the end of an essay's introduction. She will invariably proceed with you no further under those circumstances.

Recent Sources of Disclosure:

Senator Jay Rockefeller issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited “disturbing” reports about Facebook’s ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent. The statement followed a USA Today article regarding Facebook’s tracking practices that provides insight into how Facebook uses cookies and other technologies to track the browsing patterns of members and non-members, and suggests that the company has the ability to track members even after they log out of the Facebook website. Senator Rockefeller’s statement came shortly after media reports that Facebook and the Federal Trade Commission are close to reaching a settlement over charges that Facebook misled users about its use of their personal information. See Facebook Tracking Is Under Scrutiny, USA Today, 11/15/11.

Okay, so this is a story about how a Senator tried to attract some attention for legislation that won't move in either chamber of Congress this session, which would establish a totally non-functional "do not track list" that you don't discuss, which wouldn't do anything about the problem for which the FTC is getting ready to agree not to slap Facebook's wrist as long as they don't do again a tiny portion of the real problem that you don't explain and that no one has any intention of doing anything about. Here, "tracking" means that all the businesses have instrumented the Web so that uninformed consumers using browsers that have been peddled to them as "the Internet," and which are full of technical "features" that help people spy on them, are being spied on all the time as they move from one horrendous for-profit website to another.

Neither Senator Rockefeller—who in truth has not the slightest idea—nor you explain to the reader what is being done, or how to prevent it by using technology better. Nor do you feel it's worth pointing out that doing something about this more effective than the FTC pretend wrist-slap is why the Freedom Box is trying to exist.

Separately, Trevor Eckhart, a private security researcher, detected the Carrier IQ software while watching the packet traffic inside an enterprise network he manages. Eckhart then reviewed Carrier IQ’s privacy policy that states that its products, “work within the privacy policies of our end customers.” Eckhart found the privacy policy both “suspicious and alarming,” so he published his research on Carrier IQ and backed it up with copies of the Carrier IQ research manuals. Eckhart’s concerns were 1) whether the app tracked all data ever input and whether the data is logged or transmitted and 2) whether the data tracked can actually identify individual mobile users. Carrier IQ responded to Eckhart with a cease and desist letter and threatened to sue him for copyright infringement for his reference to their manuals. Carrier IQ apologized only after the Electronic Frontier Foundation informed them that Eckhart’s research is protected as free speech. See Carrier IQ Gets Scrooged for the Holidays, InformationWeek, 12/3/11.

And this is a story about how mobile phones that use unfree proprietary software in them that no one is allowed to change or understand have code in them that spies on the people who use the phones without their knowledge or permission, and does so in very aggressive ways. You don't explain that this is why the free software movement says that you can't really have freedom in society without free software once society is digitized. You don't say that if phones were made of free software anyone who knew how could find spyware hidden in phone software, and they could also immediately and effectively take it out, and share that fix with everybody else. That's how we achieve better levels of operational security than unfree software, protecting users' privacy, at almost no cost.

But while this might be a good way to explain the value of free software, which you don't mention at all, it hasn't anything to do with the first example, except that in both cases consumers who use stuff they don't understand are being hurt by that, because the unfree technology they don't understand is working for somebody else who understands much better than they do. As usual, that means the rich will get richer and the poor will work harder scrubbing their toilets for less. But hey, they'll eventually have enough for an iPhone.

But you don't want to talk about that. You want to talk about some legislative proposal, and maybe a court case that might happen?

Reactions to Protect or Maintain Privacy:

Legislative Proposals

Senator Rockefeller introduced the “Do-Not-Track Online Act of 2011”. The Act instructs the Federal Trade Commission to promulgate regulations that would 1) create standards for the implementation of a “Do Not Track” mechanism that enable individuals to express a desire to not be tracked online and 2) prohibit online service providers from tracking individuals who express such a desire. The regulations would allow online service providers to track individuals who do not want to be tracked only if 1) the tracking is necessary to provide a service requested by the individual (and the individuals’ information is made anonymous or deleted after the service is provided), or 2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.

In developing the standards for the Do Not Track mechanism, the Act requires the FTC to take several factors into consideration, including 1) the scope of the standards, 2) the technical feasibility and costs of implementing and complying with a Do Not Track mechanism, 3) existing Do Not Track mechanisms that have already been developed and 4) how a Do Not Track mechanism should be publicized. The Act gives the FTC the power to enforce the rules pertaining to a Do Not Track mechanism by treating violations as unfair and deceptive acts or practices, and authorizes state attorneys general to bring civil actions for violations of the Act. The Act sets forth civil penalties of up to $16,000 per day for violations, with a maximum total liability of $15,000,000.

You could have just pointed in one link to the Congressional Research Summary of the legislation you took this from. But you don't explain why all of this is a charade, having no technical reality at all. You don't address any of the arguments I made when I testified on the House side on the equivalent bill in December 2010, when Facebook tried to have my testimony censored. I only mention that because I think you'd have mentioned it if you'd found it, and if you didn't find it you didn't really do the background work on the legislation that you should have done, which may explain why you don't know how to explain to the reader how totally silly and unimportant it is.

Judicial Recourse

In response to Eckhart’s revelation, mobile phone customers sued AT&T, Sprint, Apple and T-Mobile as well as Carrier IQ claiming that the tracking software installed on their phones violates U.S. wiretapping and computer fraud laws and seeking compensatory and punitive damages. See Pacilli v. Carrier IQ, U.S. District Court, District of Delaware (Wilmington). Violations of federal wiretap laws prohibit willful interception of wire or electronic communication and can result in $100 of damages a day per violation; that number combined with the 150 million phones assumed to contain the software could result in damages totaling $150,000,000,000. In order to succeed on their claim, however, defendants will have to address the fact that Carrier IQ asserts the software is designed to help improve service performance and that the company doesn’t sell personal subscriber information to third parties.

This is, meantime, a completely different situation. Here you are reporting that some people have filed a complaint. No one has presented any evidence, indeed no one has even heard a motion to dismiss, so it's a little early to make any statements about the law or the facts. You say, though you don't explain why, that proving a violation of the wilful interception statute requires proving that the interceptor wasn't trying to improve service, or that the interceptor sells the information wrongly acquired to third parties. But I should think it would indeed be possible for the people you called "defendants" (you meant "plaintiffs") not to address either of these factual allegations and still state a claim on which relief could be granted. If those were the allegations contained in the affidavit of counsel accompanying defendant's motion to dismiss in this litigation, I wouldn't think counsel had much on his side.

So I think what passes for legal analysis here is sloppy, and wasn't edited well. If the essay is about this situation, instead of being about the various other things it takes up, fixing this would be very important. But I have the feeling it makes more sense to leave it out.

Recommendations:

The Gramm-Leach-Bliley Act (GLB), 15 U.S.C. 6801 et seq., incidentally requires that companies develop and abide by privacy notices, but GLB could do much more in the way of structuring the content that is required by them. For instance, Trevor Eckhart was quoted as saying, “This data should be subject to some kind of clear privacy policy. Without that clarification, he argues, the software is simply a rootkit: unwanted, hidden, hard to delete, but running with root level access.” Carrier IQ Gets Scrooged for the Holidays, InformationWeek, 12/3/11. The current mandate issued by the GLB only requires that the company have a notice, and does not structure the format or content of the policies which can range from general blanket statements to unattainable promises that provide the user with little true understanding of the use to which their information will be put.

Maybe this is about whether to change a statute that's actually about something else (repealing the prohibition against merger of investment and commercial banking: the purpose of GLB was to create the immense danger to the financial economy that almost immediately materialized in 2008). But more likely it's about something that could be dealt with more simply. FCC surely already has all the statutory authority it needs to tell carriers they can't subsidize the placement of phones on their networks that have rootkits in them consumers don't know about. FCC could in fact tell everybody to use free software in phones, so that we'd all know exactly what our phones do, and we'd be able to take any malware out of them. Why should we amend a statute we should never have made in the first place, that repealed a very important protection against the kind of insane predatory finance capitalism that blew up in 2008, in order to deal with a problem that FCC can administratively handle, and this or other civil litigation can make so profoundly bothersome to the carriers that they will themselves move to abate?

Eckhart also went on record stating that companies should, “Let all handset owners see a copy of everything you’ve collected about them and ensure that they know when the app is running on their phones… Give them the freedom to deactivate it.” Id. While the last suggestion is in direct contention with the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1202, it would still be possible to comply with his first request of making the information available to the consumer so they are more educated about what is entailed in the browsing and communication choices they make. Further, the DMCA has been widely criticized as contravening public policy, impeding competition and innovation and interfering with computer intrusion laws.

No, his suggestion is not "in contention" with DMCA, unless someone attempts to apply the DMCA to prevent the consumer from overriding a technical protection mechanism to remove malware. But it's true that it would make sense for there to be a DMCA exemption for this situation, and in fact the quadrennial DMCA exemption proceeding is now going on at Library of Congress, which is actually part of the Commerce Department. Oh, and I see that there are two parties asking for such a DMCA exemption, the Electronic Frontier Foundation, and the Software Freedom Law Center, run by .... Eben Moglen. So I suppose you'd have mentioned that if you'd found it, just to be polite, and inasmuch as you haven't mentioned it I think you probably didn't find that, which means you might not have looked into this situation very thoroughly.

Other legislative options include mandating that companies cannot require consent in order to use their website though this is likely politically infeasible.

This has to do with the other situation, which is different, as I've mentioned, and it's confusing to go from one to the other suddenly without so much as a transition. And what sense would it make to say that Amazon can't require consent to use its website to buy things? Is there someone who would use Amazon's website to buy things who would not consent to use Amazon's website? Are you sure you've thought through this "politically impossible" suggestion, whose difficulties strike me as more than just political?

For companies that distribute their privacy notices online, it is quite common for them to require the customer to check a box to indicate their acceptance of the policy before they are allowed access to the site they desire to visit. See Money & the Law: Technology Raises New Privacy Concerns, The Gazette, 12/2/11. In most cases, this could be read as something close to a contract of adhesion, which is presented as a standard form on a take-it-or-leave it basis where one party does not have an ability to negotiate because of an unequal bargaining position.

And? Is there someone out there who thinks that the way we should work the Web is for everyone to establish individually their terms of service with each web service, through custom contracts directly negotiated between the parties? So there is no alternative to form agreements, though there are any number of possible arrangements for the automated negotiation of privacy requirements within the context of any given web service. Which—along with the fact that you're imagining that we live in an "opt-in" world where operators have any current reason to require consent, we actually live in an "opt-out" world in which they don't—means that privacy policies themselves are much less attractive than the technologies of web services as a domain in which to make real progress in respecting privacy. Hence, among many other similar initiatives, Freedom Box.



r2 - 21 Jan 2012 - 21:51:32 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.