Law in the Internet Society

View   r11  >  r10  >  r9  >  r8  >  r7  >  r6  ...
YuShiFirstPaper 11 - 07 Sep 2011 - Main.IanSullivan
Line: 1 to 1
Changed:
<
<
META TOPICPARENT name="FirstPaper"
>
>
META TOPICPARENT name="FirstPaper2009"
 (Second Revision, Ready for Review)

Facebook, Google, and the Facade of Privacy


YuShiFirstPaper 10 - 19 Jul 2010 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
(Second Revision, Ready for Review)

YuShiFirstPaper 9 - 18 Jul 2010 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
(Second Revision, Ready for Review)
Line: 6 to 6
 -- By YuShi - 16 Nov 2009
Changed:
<
<
It is becoming increasingly difficult, if not impossible, to find people my age who do not use Facebook or Google. These two services have become such a part of young people's lives that they are now both nouns and verbs, and one who does not own a Facebook or Gmail account risks the stigma of being labeled a social anomaly. Despite the ubiquitous presence and widespread use of Facebook and Google, however, people still do not have an adequate understanding of privacy risks that such services pose. In this essay, I first discuss the average person's understanding of Facebook and Google privacy options, then explain the latent but grave threats that are not apparent to the average user.
>
>
It is becoming increasingly difficult, if not impossible, to find people my age who do not use Facebook or Google. These two services have become such a part of young people's lives that they are now both nouns and verbs, and one who does not own a Facebook or Gmail account risks the stigma of being labeled a social anomaly. Despite the ubiquitous presence and widespread use of Facebook and Google, however, people still do not have an adequate understanding of privacy risks that such services pose. In this essay, I first discuss the layperson's understanding of Facebook and Google privacy options, then explain the latent but grave threats that are not apparent to the average user.
 

The Facade of Privacy: What the Average User Knows

Line: 17 to 17
 

The Evil That Lurks Beneath

Changed:
<
<
Unfortunately, the average user is missing the point and overlooking a real source of danger. Yes, one can block his neighbor from seeing his Facebook profile, and sure, one can hide his profile from people who are not his "friends." But who is there to prevent FACEBOOK (and that includes people associated with the company, people with whom Facebook does business, etc) from having access to your information? It is certainly not the average user who naively posts everything about himself on Facebook, thinking that he has painstakingly adjusted his privacy options so that his profile is off-limit to strangers. That is tantamount to guarding the front door when the thief is already inside, and leaving the backdoor open. The people at Facebook knows more about you than you can imagine. Want proof? Facebook can predict whom you will date. They probably also know if you are gay, even if you do not tell them. If one thinks these information will always and forever be kept confidential, then he must have forgotten that Facebook is a for-profit company.
>
>
Unfortunately, the average user is missing the point and overlooking a real source of danger. Yes, one can block his neighbor from seeing his Facebook profile, and sure, one can hide his profile from people who are not his "friends." But who is there to prevent FACEBOOK - and that includes people associated with the company, people with whom Facebook does business, etc - from having access to your information? It is certainly not the average user who naively posts everything about himself on Facebook, thinking that he has painstakingly adjusted his privacy options so that his profile is off-limit to strangers. That is tantamount to guarding the front door when the thief is already inside, and leaving the backdoor open. The people at Facebook knows more about you than you can imagine. Consider this: Facebook can predict whom you will date. They probably also know if you are gay, even if you do not tell them. If one thinks these information will always and forever be kept confidential, then he must have forgotten that Facebook is a for-profit company with a spotty record of respecting privacy. For example, as recently as last year Facebook had this to say about third-party applications: "Facebook does not screen or approve Platform Developers and cannot control how such Platform Developers use any personal information." Essentially, anyone could create a Facebook application, obtain your data, and use it in whatever way he wanted.
 
Changed:
<
<
Then there is Google. Try looking at the "Web History" section under "My Account." You will probably not like what you see. Are you really comfortable with this omnipresent spy tracking every step of your internet search activity? If you use Gmail, you must have noticed the advertisements on your Gmail page. How do you think these ads are chosen if not based on the text of your emails? Does the thought of having your emails perused by others trouble you? Well, all the emails you have on Gmail have been read by Google's computers. Maybe at this time you are comfortable with having your emails read by an insentient being, but understand that your email address is now associated with certain keywords. The potential for abuse is overwhelming: what if Google compiles a list of email addresses that are associated with certain keywords and send them to a third-party or the government? That might cause, at the very least, some embarrassment.
>
>
Then there is Google. Try looking at the "Web History" section under "My Account." You will probably not like what you see. Are you really comfortable with this omnipresent spy tracking every step of your internet search activity? If you use Gmail, you must have noticed the advertisements on your Gmail page. How do you think these ads are chosen if not based on the text of your emails? Does the thought of having your emails perused by others trouble you? Well, all the emails you have on Gmail have been read by Google's computers. Maybe at this time you are comfortable with having your emails read by an insentient being, but understand that your email address is now associated with certain keywords. The potential for abuse is overwhelming: what if Google compiles a list of email addresses that are associated with certain keywords and send them to a third-party or the government? That might cause some embarrassment in the most mild cases, and perhaps legal trouble in the more serious instances.
 

So What?


YuShiFirstPaper 8 - 18 Jul 2010 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<
(Revised and Ready for Review)
>
>
(Second Revision, Ready for Review)
 
Changed:
<
<

Apathy, Vigilance, and an Amorphous Fear

>
>

Facebook, Google, and the Facade of Privacy

 -- By YuShi - 16 Nov 2009
Changed:
<
<
By now most people in my generation probably have some degree of awareness that they do not hide behind a veil of anonymity while online, nor are their activities forgotten once they go offline. After all, these days we are inundated not only with news articles that warn of privacy invasions, but also frequently hear of stories in which people land in embarrassing situations because of something that they placed or did on the web. While many of us are no longer oblivious to the idea of online privacy invasions, I find - at least among my peers - that many people’s responses to this threat tend to be either one of nonchalant apathy or extreme vigilance. In this paper, I first describe the two contrasting types of response and argue that neither is rational; I then explore a possible explanation for why my peers are handling this issue in very different but nonetheless irrational manners. The essay concludes with my ideas for what we can do to avoid creating and perpetuating an amorphous fear.
>
>
It is becoming increasingly difficult, if not impossible, to find people my age who do not use Facebook or Google. These two services have become such a part of young people's lives that they are now both nouns and verbs, and one who does not own a Facebook or Gmail account risks the stigma of being labeled a social anomaly. Despite the ubiquitous presence and widespread use of Facebook and Google, however, people still do not have an adequate understanding of privacy risks that such services pose. In this essay, I first discuss the average person's understanding of Facebook and Google privacy options, then explain the latent but grave threats that are not apparent to the average user.
 
Changed:
<
<

Group 1. Let’s Be Paranoid

>
>

The Facade of Privacy: What the Average User Knows

 
Changed:
<
<
One day this past August, I suddenly noticed that my number of Facebook friends dwindled by at least twenty. It did not take long to figure out that many of my peers here at Columbia have deactivated their Facebook accounts in preparation for Early Interview Program (EIP). This is an example of the kinds of extreme measures that some people take in response to threats of online privacy invasion.
>
>
The average person's understanding of Facebook and Google privacy is unfortunately influenced and undermined by what they hear from these companies. Facebook, for example, seeks to portray itself as privacy-conscious by appearing to give users a plethora of privacy control options: you can exclude categories of people from seeing your profile or you can exclude certain individuals, you can hide this part of your profile or that part of your profile. By inundating users with these "privacy" options, Facebook is attempting to convey the perception that they genuinely care are vigilant about every minute detail of your privacy.
 
Changed:
<
<
As a risk-averse person myself, I am more often than not sympathetic to the “better safe than sorry” school of thought. Deactivating one’s Facebook account for EIP, however, seemed absurd even to me. Although Facebook certainly has more than its share of privacy loopholes, it does have privacy settings that one can adjust so that only a selected group of people is able to view the profile. Most of the people who deactivated their account already had their profiles set to “private” anyway, limiting their information to just their friends. The only way, then, an employer could have seen their profile would be to ask one of the student’s friends to look at it and report back any shady findings. That is by all means a highly-unlikely scenario. Circumspection is one thing, but to think that a law firm will take the effort to find out who your friends are, then to contact that friend for information about you, and finally to have your friend agree to sabotage you by consenting to deliver unseemly information about you to the firm borders on absurdity.
>
>
The average user sees the wide array of privacy options and feels like he is in control over his information. For the average user, it seems like he exercises total control over who sees what, and if that is the case, then what more is there to fear? He thinks that at worst a hacker might hack into Facebook's central database and pilfer data, but then he realizes a thief can also break into his house and steal personal information. One, of course, cannot plan for every single contingency. The average user, then, is complacent, and for the most part, feeling secure.
 
Changed:
<
<
Yes, perhaps. But because Facebook's business model, and its incredibly bad technology, means that there's only one kind of friend, people who have been building networks of "friends" in law firms by accepting or initiating contacts inside law firms have also put all their personal lives inside those law firms, even if only their "friends" can see it. (There's no architectural reason why social sharing has to be designed that way, but Facebook offers an outstandingly bad implementation.) So there's plenty of opportunity for informal diffusion of information into unintended locales even if people know how to manage what little residual control Facebook allows them.

Group 2. Privacy Views: Apathetic

In direct contrast to the previous group, the apathetic ones know that their information is probably not secure online, but they just do not care. They have public Facebook profiles, with links to their blogs (not privatized), and even their full dates of birth shown. All their photos are, of course, also open to public viewing. People in this group usually defend their nonchalance by saying that they only post innocuous content on their personal pages, or that they are too insignificant for anyone to want to “target” them in any way that might be threatening.

With the growing sophistication of identity theft, it is na´ve to think that such complete disclosure of personal information can be forever harmless. In the summer of 2008, about 5,000 current and former Columbia undergraduates were notified that a security breach resulted in their private information being exposed for a period of time. The breached information alone may not have been enough to pose significant danger to the affected people, but if combined with additional data such as one’s hometown and date of birth (taken from public Facebook profiles), an identify thief could have wrecked substantial damage on someone’s good name. Public Facebook profiles leave the door open for such attacks, and there is no justification for why someone cannot take three seconds to modify their Facebook privacy settings so that their profiles are only visible to friends.

Identity theft is not a retail matter. Credit card numbers, SS#s, maiden names and all the other relevant data allowing fraudulent purchases or (until lately) the initiation of fraudulent loans are circulated in buckets of thousands or tens of thousands, not units, having been stolen from places where one breach yields the whole database, not photographs of someone using a beer bong. Retail intrusion such as you are imagining people could protect themselves against by changing privacy settings (which is puerile, because a real attempt against a person will involve simply hacking the Facebook account by stealing the target's almost certainly non-random Facebook password) has a direct motive behind it, and will not be deterred in the slightest by the sort of trivial "protection" Facebook affords. Putting things you wouldn't want your most motivated and most destructive enemy to know in someone else's commercially-managed, ill-secured database is a recipe for disaster unless your worst enemy is a technically-illiterate eight-year-old who spends all her time in church.

An Amorphous Fear

While a sizable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is.

Which is true because they are carefully not educated in what the threats are, which is in turn true because money and power don't want them to understand what the threats are because money means to make money, and power means to make power, out of their ignorance. Your essay, so far, does nothing whatever to disturb that process of embedding ignorance, because you haven't described for the reader what the threats actually are or what to do about them. That you can fancy you are writing seriously about privacy threats and responses while implying that Facebook-using is consonant with even minimal respect for privacy is demonstrative.

The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post,

It's much more tangible. The lamppost is visible only to people who happen to be close enough to read what's on it. The data you put carelessly on the net is visible to everyone on earth.

and it is certainly not as real as a thief breaking into one’s house and taking confidential files.

Burglary is hard and risky. Data-stealing is easy and almost entirely riskless.

Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.

So you should be providing a clear understanding of the actual threats and what to do about them. I explained both in class, and here you are obfuscating them again.

What Can We Do?

I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in an informed manner is to become as informed as possible.

But you're not informing anybody, are you?

Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from?

They get it from the one big ill-secured database run for the purpose of spying on you that you voluntarily decided to put all your social data in for no good reason. The right response is to move your social data out of that big unsecured centralized database.

By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.

But that would be ignorance, and you're recommending it.

My response to the first draft was that you needed a more ambitious theme, not a less informative and more obscurantist one. A naive reader facing this draft would know nothing helpful she didn't know before reading it. A knowledgeable reader could only conclude either that you are yourself ignorant or that you are deliberately white-washing Facebook. Either way, the knowledgeable reader, like the naive one, has gained nothing.

I still think what you need here is more ambition. If this is the topic, then the ambition should be to learn more facts and imagine fewer ones. In my own view, this "in the middle-ism" between what you think of as paranoia (and which isn't even moderate concern for privacy, just cluelessness) and utter heedlessness is a poorly-chosen vantage. You should be speaking from actual expertise about something you fully understand because you have learned about it in detail. I taught a course meant to enable such a vantage for you, but perhaps I did it poorly. If you want to talk more about the matter, let's make an appointment.

>
>

The Evil That Lurks Beneath

Unfortunately, the average user is missing the point and overlooking a real source of danger. Yes, one can block his neighbor from seeing his Facebook profile, and sure, one can hide his profile from people who are not his "friends." But who is there to prevent FACEBOOK (and that includes people associated with the company, people with whom Facebook does business, etc) from having access to your information? It is certainly not the average user who naively posts everything about himself on Facebook, thinking that he has painstakingly adjusted his privacy options so that his profile is off-limit to strangers. That is tantamount to guarding the front door when the thief is already inside, and leaving the backdoor open. The people at Facebook knows more about you than you can imagine. Want proof? Facebook can predict whom you will date. They probably also know if you are gay, even if you do not tell them. If one thinks these information will always and forever be kept confidential, then he must have forgotten that Facebook is a for-profit company.

Then there is Google. Try looking at the "Web History" section under "My Account." You will probably not like what you see. Are you really comfortable with this omnipresent spy tracking every step of your internet search activity? If you use Gmail, you must have noticed the advertisements on your Gmail page. How do you think these ads are chosen if not based on the text of your emails? Does the thought of having your emails perused by others trouble you? Well, all the emails you have on Gmail have been read by Google's computers. Maybe at this time you are comfortable with having your emails read by an insentient being, but understand that your email address is now associated with certain keywords. The potential for abuse is overwhelming: what if Google compiles a list of email addresses that are associated with certain keywords and send them to a third-party or the government? That might cause, at the very least, some embarrassment.

So What?

It is not the purpose of this essay to persuade people to stop using Gmail or deactivate their Facebook accounts. Rather, the aim of this paper is to let people understand that Facebook and Google's many privacy control options are merely a facade that belies a vast potential and capability for abuse. Thinking that one has his information sealed airtight just because he played around with Facebook's privacy control is like believing that one has annihilated an entire army by killing one foot soldier.

I am aware that people want Gmail because of their desire for a particular form of e-correspondence and storage, and people use Facebook due to fear of becoming a social pariah. If one values those services to such an extent that he would rather be spied on than go without those services, then that is certainly the individual's choice. It might not be the wisest choice, but at least it is an informed one.


YuShiFirstPaper 7 - 11 Jul 2010 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
(Revised and Ready for Review)
Line: 14 to 14
 As a risk-averse person myself, I am more often than not sympathetic to the “better safe than sorry” school of thought. Deactivating one’s Facebook account for EIP, however, seemed absurd even to me. Although Facebook certainly has more than its share of privacy loopholes, it does have privacy settings that one can adjust so that only a selected group of people is able to view the profile. Most of the people who deactivated their account already had their profiles set to “private” anyway, limiting their information to just their friends. The only way, then, an employer could have seen their profile would be to ask one of the student’s friends to look at it and report back any shady findings. That is by all means a highly-unlikely scenario. Circumspection is one thing, but to think that a law firm will take the effort to find out who your friends are, then to contact that friend for information about you, and finally to have your friend agree to sabotage you by consenting to deliver unseemly information about you to the firm borders on absurdity.
Added:
>
>
Yes, perhaps. But because Facebook's business model, and its incredibly bad technology, means that there's only one kind of friend, people who have been building networks of "friends" in law firms by accepting or initiating contacts inside law firms have also put all their personal lives inside those law firms, even if only their "friends" can see it. (There's no architectural reason why social sharing has to be designed that way, but Facebook offers an outstandingly bad implementation.) So there's plenty of opportunity for informal diffusion of information into unintended locales even if people know how to manage what little residual control Facebook allows them.
 

Group 2. Privacy Views: Apathetic

In direct contrast to the previous group, the apathetic ones know that their information is probably not secure online, but they just do not care. They have public Facebook profiles, with links to their blogs (not privatized), and even their full dates of birth shown. All their photos are, of course, also open to public viewing. People in this group usually defend their nonchalance by saying that they only post innocuous content on their personal pages, or that they are too insignificant for anyone to want to “target” them in any way that might be threatening.

Changed:
<
<
With the growing sophistication of identity theft, it is na´ve to think that such complete disclosure of personal information can be forever harmless. In the summer of 2008, about 5,000 current and former Columbia undergraduates were notified that a security breach resulted in their private information being exposed for a period of time. The breached information alone may not have been enough to pose significant danger to the affected people, but if combined with additional data such as one’s hometown and date of birth (taken from public Facebook profiles), an identify thief could have wrecked substantial damage on someone’s good name. Public Facebook profiles leave the door open for such attacks, and there is no justification for why someone cannot take three seconds to modify their Facebook privacy settings so that their profiles are only visible to friends.
>
>
With the growing sophistication of identity theft, it is na´ve to think that such complete disclosure of personal information can be forever harmless. In the summer of 2008, about 5,000 current and former Columbia undergraduates were notified that a security breach resulted in their private information being exposed for a period of time. The breached information alone may not have been enough to pose significant danger to the affected people, but if combined with additional data such as one’s hometown and date of birth (taken from public Facebook profiles), an identify thief could have wrecked substantial damage on someone’s good name. Public Facebook profiles leave the door open for such attacks, and there is no justification for why someone cannot take three seconds to modify their Facebook privacy settings so that their profiles are only visible to friends.
 
Added:
>
>
Identity theft is not a retail matter. Credit card numbers, SS#s, maiden names and all the other relevant data allowing fraudulent purchases or (until lately) the initiation of fraudulent loans are circulated in buckets of thousands or tens of thousands, not units, having been stolen from places where one breach yields the whole database, not photographs of someone using a beer bong. Retail intrusion such as you are imagining people could protect themselves against by changing privacy settings (which is puerile, because a real attempt against a person will involve simply hacking the Facebook account by stealing the target's almost certainly non-random Facebook password) has a direct motive behind it, and will not be deterred in the slightest by the sort of trivial "protection" Facebook affords. Putting things you wouldn't want your most motivated and most destructive enemy to know in someone else's commercially-managed, ill-secured database is a recipe for disaster unless your worst enemy is a technically-illiterate eight-year-old who spends all her time in church.
 

An Amorphous Fear

Changed:
<
<
While a sizable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is. The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post, and it is certainly not as real as a thief breaking into one’s house and taking confidential files. Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.
>
>
While a sizable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is.
 
Added:
>
>
Which is true because they are carefully not educated in what the threats are, which is in turn true because money and power don't want them to understand what the threats are because money means to make money, and power means to make power, out of their ignorance. Your essay, so far, does nothing whatever to disturb that process of embedding ignorance, because you haven't described for the reader what the threats actually are or what to do about them. That you can fancy you are writing seriously about privacy threats and responses while implying that Facebook-using is consonant with even minimal respect for privacy is demonstrative.

The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post,

It's much more tangible. The lamppost is visible only to people who happen to be close enough to read what's on it. The data you put carelessly on the net is visible to everyone on earth.

and it is certainly not as real as a thief breaking into one’s house and taking confidential files.

Burglary is hard and risky. Data-stealing is easy and almost entirely riskless.

Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.

So you should be providing a clear understanding of the actual threats and what to do about them. I explained both in class, and here you are obfuscating them again.
 

What Can We Do?

Changed:
<
<
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in an informed manner is to become as informed as possible. Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from? By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.
>
>
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in an informed manner is to become as informed as possible.

But you're not informing anybody, are you?
 
Added:
>
>
Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from?
  \ No newline at end of file
Added:
>
>
They get it from the one big ill-secured database run for the purpose of spying on you that you voluntarily decided to put all your social data in for no good reason. The right response is to move your social data out of that big unsecured centralized database.

By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.

But that would be ignorance, and you're recommending it.

My response to the first draft was that you needed a more ambitious theme, not a less informative and more obscurantist one. A naive reader facing this draft would know nothing helpful she didn't know before reading it. A knowledgeable reader could only conclude either that you are yourself ignorant or that you are deliberately white-washing Facebook. Either way, the knowledgeable reader, like the naive one, has gained nothing.

I still think what you need here is more ambition. If this is the topic, then the ambition should be to learn more facts and imagine fewer ones. In my own view, this "in the middle-ism" between what you think of as paranoia (and which isn't even moderate concern for privacy, just cluelessness) and utter heedlessness is a poorly-chosen vantage. You should be speaking from actual expertise about something you fully understand because you have learned about it in detail. I taught a course meant to enable such a vantage for you, but perhaps I did it poorly. If you want to talk more about the matter, let's make an appointment.


YuShiFirstPaper 6 - 02 Jun 2010 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<
(Revised - Ready for Review)
>
>
(Revised and Ready for Review)
 

Apathy, Vigilance, and an Amorphous Fear

Line: 28 to 28
 

What Can We Do?

Changed:
<
<
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in as rational of a manner as possible is to become as informed as possible. Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from? By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.
>
>
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in an informed manner is to become as informed as possible. Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from? By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.
 

\ No newline at end of file


YuShiFirstPaper 5 - 02 Jun 2010 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Changed:
<
<
(Revision 1 - Ready for Review)
>
>
(Revised - Ready for Review)
 

Apathy, Vigilance, and an Amorphous Fear

Line: 23 to 23
 

An Amorphous Fear

Changed:
<
<
While a sizeable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is. The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post, and it is certainly not as real as a thief breaking into one’s house and taking confidential files. Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.
>
>
While a sizable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is. The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post, and it is certainly not as real as a thief breaking into one’s house and taking confidential files. Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.
 

What Can We Do?

Changed:
<
<
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in as rational of a manner as possible is simply to become more informed. Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from? By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to understand the scope of such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.
>
>
I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in as rational of a manner as possible is to become as informed as possible. Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from? By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to really understand such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.
 
Deleted:
<
<
I think this essay is peculiarly modest. You don't have much trouble seeming right given the straw men against which you contend. And the only insight you derive from the tour on which you go is that we should expect people to respond vaguely to threats that aren't made personally tangible. Yet people seem to have acquired an awful lot of paper shredders in the last decade. And even if your social psychology is correct it is not very surprising. Maybe in revision you could give the essay a more ambitious goal.

YuShiFirstPaper 4 - 08 Mar 2010 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Added:
>
>
(Revision 1 - Ready for Review)
 

Apathy, Vigilance, and an Amorphous Fear

-- By YuShi - 16 Nov 2009

Changed:
<
<
By now most people in my generation probably have some degree of awareness that they do not hide behind a veil of anonymity while online, nor are their activities forgotten once they go offline. After all, these days we are inundated not only with news articles that warn of privacy invasions, but also frequently hear of stories in which people land in embarrassing situations because of something that they placed or did on the web. While many of us are no longer oblivious to the idea of online privacy invasions, I find - at least among my peers - that many people’s responses to this threat tend to be either one of nonchalant apathy or extreme vigilance. In this paper, I first describe the two contrasting types of response and argue that neither is rational, and then I explore a possible explanation for why my peers are handling this issue in very different but nonetheless irrational manners.
>
>
By now most people in my generation probably have some degree of awareness that they do not hide behind a veil of anonymity while online, nor are their activities forgotten once they go offline. After all, these days we are inundated not only with news articles that warn of privacy invasions, but also frequently hear of stories in which people land in embarrassing situations because of something that they placed or did on the web. While many of us are no longer oblivious to the idea of online privacy invasions, I find - at least among my peers - that many people’s responses to this threat tend to be either one of nonchalant apathy or extreme vigilance. In this paper, I first describe the two contrasting types of response and argue that neither is rational; I then explore a possible explanation for why my peers are handling this issue in very different but nonetheless irrational manners. The essay concludes with my ideas for what we can do to avoid creating and perpetuating an amorphous fear.
 

Group 1. Let’s Be Paranoid

Line: 24 to 25
 While a sizeable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is. The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post, and it is certainly not as real as a thief breaking into one’s house and taking confidential files. Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.
Added:
>
>

What Can We Do?

I think the most effective way for one to curb this amorphous fear and deal with privacy concerns in as rational of a manner as possible is simply to become more informed. Media reports about online privacy vulnerabilities, especially those appearing in mainstream sources not specifically catering to a technical audience, are often sensationalized and not descriptive. Hence when one sees a headline saying that Facebook Applications pose a grave threat, one should attempt to learn why exactly it is a threat. How do these Applications get your information? Where do they get it from? By understanding the mechanisms through which a person’s information could be pilfered, one is better able to take reasonable precautions instead of resorting to extreme measures. Paranoid behavior comes from hearing sound bites such as “you leave a track of everything you do online” without attempting to understand the scope of such statements. In the Facebook/EIP example above, if those who deactivated their profiles took time to think through the absurdity of law firms using the students’ friends to spy on their profiles, then perhaps they would simply have “privatized” their profiles instead of temporarily deactivating their account.

 
I think this essay is peculiarly modest. You don't have much trouble seeming right given the straw men against which you contend. And the only insight you derive from the tour

YuShiFirstPaper 3 - 25 Jan 2010 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Deleted:
<
<
(ready for review. thanks)
 

Apathy, Vigilance, and an Amorphous Fear

Line: 25 to 24
 While a sizeable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is. The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post, and it is certainly not as real as a thief breaking into one’s house and taking confidential files. Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.
Changed:
<
<

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" on the next line:

# * Set ALLOWTOPICVIEW = TWikiAdminGroup, YuShi

Note: TWiki has strict formatting rules. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of that line. If you wish to give access to any other users simply add them to the comma separated list

>
>
I think this essay is peculiarly modest. You don't have much trouble seeming right given the straw men against which you contend. And the only insight you derive from the tour on which you go is that we should expect people to respond vaguely to threats that aren't made personally tangible. Yet people seem to have acquired an awful lot of paper shredders in the last decade. And even if your social psychology is correct it is not very surprising. Maybe in revision you could give the essay a more ambitious goal.
 \ No newline at end of file

YuShiFirstPaper 2 - 17 Nov 2009 - Main.YuShi
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
(ready for review. thanks)
Line: 12 to 12
 One day this past August, I suddenly noticed that my number of Facebook friends dwindled by at least twenty. It did not take long to figure out that many of my peers here at Columbia have deactivated their Facebook accounts in preparation for Early Interview Program (EIP). This is an example of the kinds of extreme measures that some people take in response to threats of online privacy invasion.
Changed:
<
<
As a risk-adverse person myself, I am more often than not sympathetic to the “better safe than sorry” school of thought. Deactivating one’s Facebook account for EIP, however, seemed absurd even to me. Although Facebook certainly has its share of privacy loopholes, it does have privacy settings that one can adjust so that only a selected group of people is able to view the profile. Most of the people who deactivated their profiles already had their profiles set to “private” anyway, so that only their friends are able to access their profiles. The only way, then, an employer could have seen their profile would be to ask one of the student’s friends to look at it and report back any shady findings. That was by all means a highly-unlikely scenario. Circumspection is one thing, but to think that a law firm will take the effort to find out who your friends are, then to contact that friend for information about you, and finally to have your friend agree to sabotage you by consenting to deliver unseemly information about you to the firm borders on absurdity.
>
>
As a risk-averse person myself, I am more often than not sympathetic to the “better safe than sorry” school of thought. Deactivating one’s Facebook account for EIP, however, seemed absurd even to me. Although Facebook certainly has more than its share of privacy loopholes, it does have privacy settings that one can adjust so that only a selected group of people is able to view the profile. Most of the people who deactivated their account already had their profiles set to “private” anyway, limiting their information to just their friends. The only way, then, an employer could have seen their profile would be to ask one of the student’s friends to look at it and report back any shady findings. That is by all means a highly-unlikely scenario. Circumspection is one thing, but to think that a law firm will take the effort to find out who your friends are, then to contact that friend for information about you, and finally to have your friend agree to sabotage you by consenting to deliver unseemly information about you to the firm borders on absurdity.
 

Group 2. Privacy Views: Apathetic


YuShiFirstPaper 1 - 16 Nov 2009 - Main.YuShi
Line: 1 to 1
Added:
>
>
META TOPICPARENT name="FirstPaper"
(ready for review. thanks)

Apathy, Vigilance, and an Amorphous Fear

-- By YuShi - 16 Nov 2009

By now most people in my generation probably have some degree of awareness that they do not hide behind a veil of anonymity while online, nor are their activities forgotten once they go offline. After all, these days we are inundated not only with news articles that warn of privacy invasions, but also frequently hear of stories in which people land in embarrassing situations because of something that they placed or did on the web. While many of us are no longer oblivious to the idea of online privacy invasions, I find - at least among my peers - that many people’s responses to this threat tend to be either one of nonchalant apathy or extreme vigilance. In this paper, I first describe the two contrasting types of response and argue that neither is rational, and then I explore a possible explanation for why my peers are handling this issue in very different but nonetheless irrational manners.

Group 1. Let’s Be Paranoid

One day this past August, I suddenly noticed that my number of Facebook friends dwindled by at least twenty. It did not take long to figure out that many of my peers here at Columbia have deactivated their Facebook accounts in preparation for Early Interview Program (EIP). This is an example of the kinds of extreme measures that some people take in response to threats of online privacy invasion.

As a risk-adverse person myself, I am more often than not sympathetic to the “better safe than sorry” school of thought. Deactivating one’s Facebook account for EIP, however, seemed absurd even to me. Although Facebook certainly has its share of privacy loopholes, it does have privacy settings that one can adjust so that only a selected group of people is able to view the profile. Most of the people who deactivated their profiles already had their profiles set to “private” anyway, so that only their friends are able to access their profiles. The only way, then, an employer could have seen their profile would be to ask one of the student’s friends to look at it and report back any shady findings. That was by all means a highly-unlikely scenario. Circumspection is one thing, but to think that a law firm will take the effort to find out who your friends are, then to contact that friend for information about you, and finally to have your friend agree to sabotage you by consenting to deliver unseemly information about you to the firm borders on absurdity.

Group 2. Privacy Views: Apathetic

In direct contrast to the previous group, the apathetic ones know that their information is probably not secure online, but they just do not care. They have public Facebook profiles, with links to their blogs (not privatized), and even their full dates of birth shown. All their photos are, of course, also open to public viewing. People in this group usually defend their nonchalance by saying that they only post innocuous content on their personal pages, or that they are too insignificant for anyone to want to “target” them in any way that might be threatening.

With the growing sophistication of identity theft, it is na´ve to think that such complete disclosure of personal information can be forever harmless. In the summer of 2008, about 5,000 current and former Columbia undergraduates were notified that a security breach resulted in their private information being exposed for a period of time. The breached information alone may not have been enough to pose significant danger to the affected people, but if combined with additional data such as one’s hometown and date of birth (taken from public Facebook profiles), an identify thief could have wrecked substantial damage on someone’s good name. Public Facebook profiles leave the door open for such attacks, and there is no justification for why someone cannot take three seconds to modify their Facebook privacy settings so that their profiles are only visible to friends.

An Amorphous Fear

While a sizeable portion of my peers do take a reasonable amount of precaution to secure their online information, the number of people who fall into the two groups described above is too significant to ignore. It is my contention that there is such an incoherence of response to online privacy concerns within a similarly-educated group because people do not truly have a precise understanding of what the threat is. The danger is not as tangible as that of writing one’s name and social security number on a sheet of paper and taping it to a lamp post, and it is certainly not as real as a thief breaking into one’s house and taking confidential files. Instead, for most of us we learn of online privacy dangers through warnings from the media and anecdotes from friends. This creates an almost mythical kind of fear, an amorphous fear that is always lurking, but one that can be dismissed as easily as it can be sensationalized. As a result, like the myriads of ways in which children react to ghost stories, people respond to the online privacy threat in ways that reflect their “gut feeling” rather than any reasoned process of thought.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" on the next line:

# * Set ALLOWTOPICVIEW = TWikiAdminGroup, YuShi

Note: TWiki has strict formatting rules. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of that line. If you wish to give access to any other users simply add them to the comma separated list


Revision 11r11 - 07 Sep 2011 - 00:44:14 - IanSullivan
Revision 10r10 - 19 Jul 2010 - 03:38:35 - YuShi
Revision 9r9 - 18 Jul 2010 - 19:00:25 - YuShi
Revision 8r8 - 18 Jul 2010 - 03:59:42 - YuShi
Revision 7r7 - 11 Jul 2010 - 14:12:35 - EbenMoglen
Revision 6r6 - 02 Jun 2010 - 23:11:16 - YuShi
Revision 5r5 - 02 Jun 2010 - 01:54:47 - YuShi
Revision 4r4 - 08 Mar 2010 - 05:05:16 - YuShi
Revision 3r3 - 25 Jan 2010 - 02:11:06 - EbenMoglen
Revision 2r2 - 17 Nov 2009 - 04:31:06 - YuShi
Revision 1r1 - 16 Nov 2009 - 05:00:56 - YuShi
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM