Law in the Internet Society

Current Response to Covert Tracking of Consumer Cell and Internet Usage

Despite the recent revelation that consumers actions online are under heavy surveillance and tracking, the proposed legislative responses and probability of a pending lawsuit success leave much to be desired because companies claim they are merely collecting the statistics to improve internal service. There are different options that may better address the egregious void of consumer protection that is not keeping pace with technological innovation, namely a conversion of the current opt-out regime to one of opting-in.

Recent Sources of Disclosure:

Senator Jay Rockefeller issued a statement emphasizing the need for increased consumer protection on the Internet. Rockefeller cited "disturbing" reports about Facebook's ability to track non-members and members who have logged out of the site, stating that companies should not be tracking users without their consent. The statement followed a USA Today article regarding Facebook's tracking practices that provides insight into how Facebook uses cookies and other technologies to track the browsing patterns of members and non-members, and suggests that the company has the ability to track members even after they log out of the Facebook website. Here, "tracking" means that all the businesses have instrumented the Web so that uninformed consumers using browsers that have been peddled to them as "the Internet," and which are full of technical "features" that help people spy on them, are being spied on all the time as they move from one horrendous for-profit website to another. Senator Rockefeller's statement came shortly after media reports that Facebook and the Federal Trade Commission are close to reaching a settlement over charges that Facebook misled users about its use of their personal information. See Facebook Tracking Is Under Scrutiny, USA Today, 11/15/11. However, there is some concern that the admonishment being paid to Facebook won't provide any real relief to victimized consumers, which is why moving the system outside a for-profit regime would be the most effective protection of complete consumer privacy. Advancements in the private sector, such as the Freedom Box, would provide consumers with an alternative to for-profit exploitation of their personal data.

Another example of consumers using products with software that is potentially harmful to their privacy interests came from Trevor Eckhart, a private security researcher, who detected the Carrier IQ software while watching the packet traffic inside an enterprise network he manages. Eckhart then reviewed Carrier IQ's privacy policy that states that its products, "work within the privacy policies of our end customers." Eckhart found the privacy policy both "suspicious and alarming," so he published his research on Carrier IQ and backed it up with copies of the Carrier IQ research manuals. Eckhart's concerns were 1) whether the app tracked all data ever input and whether the data is logged or transmitted and 2) whether the data tracked can actually identify individual mobile users. Carrier IQ responded to Eckhart with a cease and desist letter and threatened to sue him for copyright infringement for his reference to their manuals. Carrier IQ apologized only after the Electronic Frontier Foundation, in coordination with the Software Freedom Law Center, informed them that Eckhart's research is protected as free speech. See Carrier IQ Gets Scrooged for the Holidays, InformationWeek? , 12/3/11.

Mobile phones that use unfree proprietary software, that no one is allowed to change or understand, have code in them that spies on the people who use the phones without their knowledge or permission, and does so in very aggressive ways. The free software movement maintains that you can't really have freedom in society without free software once society is digitized. If phones were made of free software anyone who knew how to could find spyware hidden in phone software, and they could also immediately and effectively take it out, and share that fix with everybody else. That's how we achieve better levels of operational security than unfree software, protecting users' privacy, at almost no cost.

Reactions to Protect or Maintain Privacy:

Legislative Proposals

Senator Rockefeller introduced the "Do-Not-Track Online Act of 2011". The Act instructs the Federal Trade Commission to promulgate regulations that would 1) create standards for the implementation of a "Do Not Track" mechanism that enable individuals to express a desire to not be tracked online and 2) prohibit online service providers from tracking individuals who express such a desire. The regulations would allow online service providers to track individuals who do not want to be tracked only if 1) the tracking is necessary to provide a service requested by the individual (and the individuals' information is made anonymous or deleted after the service is provided), or 2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.

In developing the standards for the Do Not Track mechanism, the Act requires the FTC to take several factors into consideration, including 1) the scope of the standards, 2) the technical feasibility and costs of implementing and complying with a Do Not Track mechanism, 3) existing Do Not Track mechanisms that have already been developed and 4) how a Do Not Track mechanism should be publicized. The Act gives the FTC the power to enforce the rules pertaining to a Do Not Track mechanism by treating violations as unfair and deceptive acts or practices, and authorizes state attorneys general to bring civil actions for violations of the Act. The Act sets forth civil penalties of up to $16,000 per day for violations, with a maximum total liability of $15,000,000.

While the Act seems to make real strides in protecting consumer privacy online and on cell phones, this act has no technical reality behind it, and would merely result in a charade of consumer protection. The regulations would result in the equivalent of a "Do Not Call" list, which would simply not be useful in these different technological circumstances. These considerations lead to the conclusion that Senator Rockefeller's proposal is more of a political move, designed to engender his favor with both savvy tech companies and naive constituents simultaneously.


The Gramm-Leach-Bliley Act (GLB), 15 U.S.C. 6801 et seq., incidentally requires that companies develop and abide by privacy notices, but GLB could do much more in the way of structuring the content that is required by them. For instance, Trevor Eckhart was quoted as saying, "This data should be subject to some kind of clear privacy policy. Without that clarification, he argues, the software is simply a rookit: unwanted, hidden, hard to delete, but running with root level access." Carrier IQ Gets Scrooged for the Holidays, InformationWeek? , 12/3/11. The current mandate issued by the GLB only requires that the company have a notice, and does not structure the format or content of the policies which can range from general blanket statements to unattainable promises that provide the user with little true understanding of the use to which their information will be put. The purpose behind the GLB was mainly to address financial issues relating to the breakdown of the Glass Steagall wall and the concomitant financial danger that ensued, so it is probably not the best vehicle to address issues of consumer privacy protection. Instead, it would be more appropriate for the FCC to use its statutory authority to tell carriers that they can't subsidize the placement of phones on their networks that have rookits inside of which consumers are unaware.

Eckhart also went on record stating that companies should, "Let all handset owners see a copy of everything you've collected about them and ensure that they know when the app is running on their phones and give them the freedom to deactivate it." Id. While the last suggestion may contend with the Digital Millennium Copyright Act (DMCA), 17 U.S.C. 1202 if someone attempts to apply the DMCA to prevent the consumer from overriding a technical protection mechanism to remove malware, it would still be possible to comply with his first request of making the information available to the consumer so they are more educated about the what is entailed in the browsing and communication choices they make. Further, the DMCA has been widely criticized as contravening public policy, impeding competition and innovation and interfering with computer intrusion laws.

For companies that distribute their privacy notices online, it is quite common for them to require the customer to check a box to indicate their acceptance of the policy before they are allowed access to the site they desire to visit. See Money & the Law: Technology Raises New Privacy Concerns, The Gazette, 12/2/11. In most cases, this could be read as something close to a contract of adhesion, which is presented as a standard form on a take-it-or-leave it basis where one party does not have an ability to negotiate because of an unequal bargaining position. While there may not be room for custom contracts to be negotiated between the parties, there are a number of possible arrangements for the automated negotiation of privacy requirements within the context of any given web service that could be engineered to garner more consumer protection. Finally, privacy policies would be much more specific and detailed if we switched our privacy regime to an opt-in system, as opposed to our current opt-out framework, where consumers considering opting-in would have the correct disclosure incentives and consumers would have more knowledge of the use to which their personal data is being put.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r4 - 04 Sep 2012 - 22:02:27 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM