Archive for the 'Technology' Category

08 Feb: Mozilla’s (alpha) Privacy Icons

At the end of 2010, I saw the “alpha release” of Mozilla’s privacy icons. As explained in that blog post, this was the culmination of efforts undertaken throughout the last year, including a workshop that was attended by some very smart folks.

In advising some students at UC Berkeley’s School of Information on their Masters Final Project, KnowPrivacy, I spent a good bit of time thinking about privacy policies and we even created our own set of “privacy icons” to reflect some of the features of the privacy policies analyzed. (See the KnowPrivacy profile for Google, for an example.) This experience taught us that online privacy is a HARD policy issue. Designing useful, comprehensible privacy icons that might actually get used is just one really hard part of a really hard problem.

I preface my remarks with all that in order to make clear that what follows is not intended as criticism, but feedback, which Mozilla has solicited all along the way.

Which Distinctions Matter?

A difficult problem facing anyone seeking to make privacy icons is that you have to decide which distinctions you are going to illustrate, typically based on what distinctions you think do (or should) matter to the audience for those privacy icons.

I disagree with three choices the Mozilla team made about which distinctions to illustrate with their privacy icons.

  1. The Mozilla (alpha) privacy icons do not distinguish between the types of data collected.
    • This is a mistake because most users don’t care if a site collects data on which web browser they used (and whether the site keeps such information forever) but many users do care if a site collects their credit card number (or health records or …) and intends to retain it.
  2. The Mozilla (alpha) privacy icons’ distinction between your data being “given” to “advertisers” or not is too coarse-grained.
    • The KnowPrivacy researchers found that many sites do not “give” information to anyone, but many popular websites allow third parties to place data-collecting web bugs right there on the site’s home page. Privacy policies exploit this distinction to hide the fact that your information is leaking. While Mozilla’s explanation of this icon group seems to take this into account, there is no reason to expect that most users will understand this.
    • The KnowPrivacy researchers also found that most popular sites share with “affiliates”, some share with “contractors”, some share with “advertisers” and some share with third parties generally. The icon group only references “advertisers” and a finer-grained set of distinctions might encourage greater transparency about these different sorts of sharing.
  3. The Mozilla (alpha) privacy icons’ distinction between your data being sold or given away is not typically a distinction that users do (or should) care about.
    • Users just want to know who has or might get their data and don’t really care what the monetary terms of the deal were when their data was given/sold to another party.

Stylistically, one thing I really like in the alpha release is the length-of-time icons for indicating how long a user’s data is kept. However, the KnowPrivacy researchers found that most popular websites do not disclose the length of retention, so one can assume that, at present, only the infinite icon would get much use. Still, perhaps these retention icons would be a sort of public shaming that might encourage sites to select a data retention time period and to disclose it.

Finally, I don’t mean to suggest that the Mozilla team should have just adopted the KnowPrivacy icons and called it a day. The KnowPrivacy icons were intended for an audience visiting the KnowPrivacy website, i.e., a user that is engaged in comparing and contrasting the policies of the most-visited websites. Mozilla’s use case is different and almost certainly requires a different set of icons to serve their purposes. However, my points above are intended to suggest that even for their purposes, Mozilla should strive to capture a different set of distinctions in the beta release.

14 Dec: A Firefox search engine plugin

If, like me, you often find yourself searching for judicial opinions online, particularly freely available complete versions, and especially Federal Circuit Court and Supreme Court opinions, then you’ve probably encountered the opinions at resource.org. I particularly like to link to these versions on my syllabi, because the paragraphs are numbered, so I can specify for students precisely which parts to read in cases where we aren’t reading the entire opinion.

I just made such searches a lot easier for myself by creating this Firefox search engine plugin that searches resource.org via Google.

I typically know the citation or party name that I’m looking for, and so this search engine plugin puts your terms in quotation marks automatically so that Google searches for exactly that search phrase on resource.org.

In using this plugin so far, I get exactly the opinion I am looking for as the first link far more often than I used to when just using Google. Try it for yourself.

10 Dec: links for 2009-12-10

23 Nov: Installing a Rich Text Editor in Drupal

This was harder than it should have been as the instructions could be clearer that two separate downloads are required. I’ve summarized here:

I assume you have ssh or command line access to your host. If not, you could accomplish the same thing using ftp, but you’ll have to pay attention to what directory you upload into:

1. Install Drupal 6.x
2. Download the Drupal WYSIWYG part of FCKeditor from http://drupal.org/project/fckeditor
3. Extract that in sites/all/modules (you may have to create the modules dir) with tar -zvxf fckeditor-6.x-1.4.tar.gz
4. cd to sites/all/modules/fckeditor
5. Download the FCKeditor part of FCKeditor: http://ckeditor.com/download
6. Extract that in sites/all/modules/fckeditor/fckeditor [Yes, seriously.] with tar -zvxf FCKeditor_2.6.5.tar.gz
7. Go enable the FCKeditor module in the Drupal admin section; it’ll be down below all the core modules in its own section.

02 Jun: Privacy Research Released

For the last year I advised a team of School of Information Masters students (Joshua Gomez, Travis Pinnick, and Ashkan Soltani) on their research into the privacy practices of popular websites. Today they have publicly released their findings on their website: knowprivacy.org.

They found that there is a mismatch between consumer expectations and website privacy practices and posting a privacy policy alone does not bridge that gap. In particular, they’ve shed light on the use of third-party tracking via web bugs. We were surprised to learn that many of the most-visited sites on the internet state in their privacy policies that they do not share information with third parties, but then also state that they allow third parties to place web bugs on their site. Perhaps that’s not “sharing,” but inviting the third parties in to do the collecting themselves achieves the same result: users visit one site and are unaware that information about them and that visit winds up in the hands of an unknown third party.

They also found a surprising dominance by Google in the web bug space. Google operates several trackers, and at least one of them appears on 92 of the top 100 most-visited sites in the United States. Looking at a larger collection of domains (nearly 400,000) that contain at least one web bug, they found a Google tracker on over 88% of those domains. While other tracking companies have good coverage of the most-visited sites, no other company came close to Google’s dominance when the set of domains considered was broadened.
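To make the web bug findings above concrete, here is an added example (not from the original post and not the KnowPrivacy team's tooling) of how a site operator could audit pages for third-party embeds and count how many first-party sites each third party reaches. The function names, the sample pages and the two-label domain heuristic are all assumptions made for illustration.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def site_of(host):
    # Assumption: the last two labels approximate the registrable domain.
    # A real audit should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class WebBugFinder(HTMLParser):
    """Records third-party hosts the page makes the visitor's browser contact."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlparse(page_url).hostname)
        self.findings = []  # list of (third-party site, kind)

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = dict(attrs)
        if not a.get("src"):
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, a["src"])).hostname
        if not host or site_of(host) == self.first_party:
            return
        # A 0x0 or 1x1 third-party image is the classic "web bug" pixel.
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append((site_of(host), "pixel" if tag == "img" and tiny else tag))

def audit(page_url, html):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings

def coverage(pages):
    """Map each third-party site to the set of first-party sites that embed it."""
    seen = defaultdict(set)
    for url, html in pages.items():
        for third_party, _kind in audit(url, html):
            seen[third_party].add(site_of(urlparse(url).hostname))
    return dict(seen)

# Constructed sample pages (hypothetical hosts, not real sites).
PAGES = {
    "https://www.news.example/": '<img src="/logo.png">'
        '<img src="//t.tracker.test/p.gif" width="1" height="1">'
        '<script src="https://cdn.news.example/app.js"></script>',
    "https://shop.example/": '<script src="https://stats.tracker.test/a.js"></script>'
        '<iframe src="https://ads.other.test/f"></iframe>',
}
```

Neither sample page "shares" anything itself, yet `coverage(PAGES)` shows one third party receiving requests from visitors to both sites, which is the gap between policy wording and practice described above.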

Through a series of Freedom of Information Act (FOIA) requests, they also received data on actual consumer complaints to the Federal Trade Commission and compared those complaints with those gathered from the California Office of Privacy Protection, Privacy Rights Clearinghouse, and TRUSTe. Here they found that consumers want control over the information gathered about them and are particularly sensitive about the public display of that information. One of the take-aways from this is that while the FTC has, in the past, thought about privacy in terms of “harm,” users are largely concerned instead with a lack of control.

The full report makes sound recommendations for both website operators and regulators to try to address these issues. The group received some recognition as a finalist in the Bears Breaking Boundaries Science, Technology, and Engineering Policy competition, and a group of outside judges at the School of Information’s Final Project Showcase awarded them a James R. Chen Award for their work. Today, the New York Times has a piece on their research entitled: Google is Top Tracker of Surfers in Study.

18 May: UC Berkeley School of Information eScholarship Repository

The UC Berkeley School of Information eScholarship Repository contains publications, preprints, papers, and reports about work conducted under the auspices of the I School. Watch that space.

17 May: Convert .mp4 from Flip Video to Ogg Theora .ogv

The Flip Video UltraHD camcorder records files in a .mp4 format. I wanted to convert them to Ogg Theora format. How do you do that? I did far too much searching for an answer to this question for the answer to be this easy:

apt-get install ffmpeg2theora

and then:

ffmpeg2theora vid00001.mp4

That outputs a file called vid00001.ogv and you’re done. Find further information about the fabulous ffmpeg2theora at its website.

23 Apr: Website Terms Allowing Unilateral Changes Illusory and Unenforceable

As part of the fallout from Facebook’s rollout of its Beacon ad service, some users of Blockbuster’s site sued Beacon partner Blockbuster in the Northern District of Texas for, among other things, violations of the Video Privacy Protection Act. Blockbuster moved to compel arbitration of the dispute, relying on the Terms and Conditions on its site. On April 15, 2009, the district court denied Blockbuster’s motion to compel arbitration, holding that:

there is nothing in the Terms and Conditions that prevents Blockbuster from unilaterally changing any part of the contract other than providing that such changes will not take effect until posted on the website. There [is] likewise… “nothing to suggest that once published the amendment would be inapplicable to disputes arising, or arising out of events occurring, before such publication.”

The court relied largely on the Fifth Circuit’s recent decision in Morrison v. Amway Corp., 517 F.3d 248 (5th Cir. 2008) (holding a similar arbitration provision illusory). The court’s decision here is reminiscent of the Ninth Circuit’s decision in Douglas v. District Court from 2007, where the court addressed whether a service provider may change the terms of its service contract by posting a revised contract on its website without providing additional notice. The Ninth Circuit held there that merely posting a revised contract to one’s website was inadequate notice and the service provider’s customers were not bound by the revised terms.

This is an encouraging trend for website visitors who are increasingly offered extremely one-sided terms on a take-it-or-leave-it basis and then find themselves purportedly subject to terms that can be unilaterally changed with only website notice. At least in these instances, courts are demanding more from website operators.

The case is Harris v. Blockbuster.

21 Apr: links for 2009-04-21

04 Mar: New whitehouse.gov video requires proprietary Adobe Flash player

Privacy activists rightly complained about whitehouse.gov’s use of YouTube videos for President Obama’s weekly addresses, as it allowed a private third-party company to use cookies to track visitors to a government web site. The whitehouse.gov site appears to have responded to these complaints, but in so doing has adopted a Flash format that is not playable using free software. See below for how it renders on a Debian Lenny GNU/Linux system using Iceweasel and gnash:

[Image: Whitehouse.gov Video Fail]

The whitehouse.gov site should take one more step towards openness and privacy-preservation by using an open audio-video format such as Ogg-Theora for all its weekly addresses.