European Commission focuses attention on Facebook privacy practices

In a public expression of concern (or actually as reported, astonishment) over Facebook’s December changes in privacy policy, default user privacy settings, and the set of user information always made public, European Commissioner for Information Society and Media Viviane Reding said in a recent interview that Facebook and other social networking sites could find themselves subject to new regulation if they fail to properly protect users’ personal information. While Reding has indicated since the Commission’s 2010 session began that she is considering updates to data protection and privacy laws, with respect to Facebook the concern is partly driven by its perceived departure from a commitment made a year ago to follow European privacy principles. Should the EC want to establish tighter regulations on social networking sites, it appears to have plenty of leverage with which to do so, particularly if it takes on the task of updating core data privacy laws such as the 1995 Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and the 2002 Directive (2002/58/EC) on privacy and electronic communications, both of which contain explicit language about obtaining user consent prior to collecting or processing (using) data for just about any purpose. Companies like Facebook often argue that users explicitly consent to personal data collection and implicitly consent to any future use of the information they provide when they decide to set up an account, but these arguments fit better with U.S. regulatory frameworks than they do in the European Community. While Americans are by far the largest proportion of Facebook users, European users account for at least 20% of the overall user base, so restrictions imposed on Facebook even for this subset of its user community would likely have a significant impact on the company.

Such an effort to regulate Facebook and its ilk in the United States would be a more difficult challenge, given the emphasis under current laws on making sure companies do what they say they will do (that is, that action matches policy), but without any requirement as to the specific practices they have to adopt. (A notable exception is with respect to data collection from minors under the age of 13.) The governing law for U.S. companies is the Federal Trade Commission Act (15 U.S.C. §45), which empowers the FTC to prevent unfair or deceptive trade practices — acting counter to published privacy policies is typically considered a deceptive trade practice. Despite the fact that Facebook explicitly reserves the right to change its privacy practices and terms of service at any time in its Statement of Rights and Responsibilities, the changes it implemented in December 2009 prompted a complaint to the FTC by a group of privacy and consumer advocates, arguing that the nature of the changes violated consumer protection laws. To date the FTC has taken no action in response to the complaint, although Facebook has been discussed in FTC-sponsored forums such as the Exploring Privacy roundtable series.

Facebook has used the attention surrounding the changes in its privacy practices to spin the story into a positive tale of increased consumer awareness of personal privacy. During the second session in the privacy roundtable series, Facebook’s Director of Public Policy Tim Sparapani cited user statistics that 35% of its 350 million users were prompted by the change to actually go to the privacy settings section of their accounts and configure them. By any accounting, that’s a lot of users, but a more interesting metric might be how many current users have not taken any action (even making a decision to accept the new default settings). Perhaps if more users were made aware of how Facebook’s privacy practice facilitated third-party harvesting of personal data such as contact information, more of them would be motivated to act.

FBI seeking Web browsing records for criminal investigations

At a public meeting of the National Telecommunications and Information Administration’s Online Safety and Technology Working Group last week, representatives from the FBI argued that in order to facilitate potential criminal investigations, such as those involving child pornography, Internet service providers should be required to record the Web sites their users visit, and retain those records for two years. Greg Motta, the head of the FBI’s digital intelligence section, likened the potential for retention and use of Internet browsing records for investigatory purposes to the current requirement that long distance phone carriers retain details on calls made via their services. The intention for federal law enforcement to have access to such information is not new — as noted in press reports of the meeting, FBI Director Robert Mueller has wanted such record keeping since at least 2006, and asked the previous Congress for legislation to require it — but the current reiteration of this desire comes at a time (and under an administration) when the FTC and other government regulators are considering imposing constraints on online behavioral tracking by commercial entities. The period of time such records would be retained also stands in stark contrast to the industry trend among major search providers like Google, Yahoo!, and Microsoft to retain data for shorter and shorter periods of time.

There’s a lot to think about from FTC privacy roundtables

The Federal Trade Commission (FTC) has now completed two of its three scheduled roundtable discussions as part of the “Exploring Privacy” series. The focus of these sessions is to raise and discuss issues, not to try to resolve them, but while the logistical details of the third meeting are still to be determined, privacy watchers are already analyzing what has transpired during the roundtable discussions and making predictions about what sort of FTC action may be likely to result from them. As you might expect, the parts of the discussions receiving the greatest attention vary somewhat based on who is providing the analysis. Good examples of these different perspectives include:

The FTC has suggested previously that it hopes to publish some form of report or findings from the privacy roundtable series once it is completed, likely sometime this summer. Until that happens, the steps the FTC will take to address appropriate privacy protection regulations and balance industry concerns will remain subject to lots of speculation.

Does Google want NSA’s expertise or its secrecy?

In marked contrast to the perspective presented by Ellen Nakashima in the Washington Post on Thursday — which said that in turning to the NSA for help with information security, Google was not primarily concerned with trying to conclusively identify the sources behind the attacks it disclosed in January — a story in the New York Times suggests that identifying the attackers with more certainty is a motivating factor for Google seeking NSA’s assistance. The article also points out that because the NSA has no statutory authority to pursue such an investigation, it would have made more sense for Google to approach the Department of Homeland Security, except that doing so might lead to the government trying to regulate Google’s services as critical infrastructure, over which DHS also has oversight authority. A different interpretation of Google’s actions, consistent with previous comments here, might be that Google went to the NSA based on a perception (one we would believe to be accurate) that the intelligence agency has greater expertise in information assurance, particularly in computer forensic analysis, and perhaps, as the Post article posited, because Google’s priority is better security going forward, rather than a more exhaustive study of the attacks that already occurred. This seems especially logical given how many of the attack vectors apparently exploited against Google in the most publicized China attacks involved non-Google application software. To be sure, Google and other companies have disclosed hacking attempts (both successful and just attempted) against their internal computing environments seeking source code and other intellectual property; because fewer details about these specific attacks have been reported, it’s hard to know how much or how little the victimized companies know about all the vulnerabilities they may be exposing to attackers.

Is Google working with the NSA a cause for concern?

In an agreement first reported in a story by the Washington Post and quickly circulated more broadly by dozens of news sources (to say nothing of bloggers and Twitters), Google will apparently seek the assistance of the National Security Agency (NSA) to improve Google’s security posture and make the Internet giant better able to defend against cyber attacks. The key information in the story comes from the ever-popular sources speaking on the condition of anonymity so the full details are not certain, but it appears Google will open up its environment and network and system operations to the NSA so that the government’s leading information assurance experts can evaluate Google’s hardware and software for vulnerabilities and monitor Google’s environment to identify the kinds of attacks or penetration methods being used against it. There’s nothing obvious about the stated purpose of the pending collaboration that would suggest the NSA would want or would be given access to Google users’ personal data, but the prospect of any routine information sharing with the government makes some privacy advocates uneasy.

To be sure, the NSA doesn’t have the best track record in this regard, what with the extensive warrantless wiretapping the agency engaged in for several years following the September 11, 2001 terrorist attacks, until the program was ruled unconstitutional. Despite the unconstitutionality of the program, the NSA and the telecommunications companies that cooperated with the NSA in the surveillance operation have to date escaped legal liability, making some fearful that the agency can in effect do whatever it wants with little chance of it being held accountable for violating individual privacy protections. However, the question posed in the Post article by Ellen McCarthy of the Intelligence and National Security Alliance, “At what level will the American public be comfortable with Google sharing information with NSA?” seems almost beside the point. There is little indication that Google has any plans to share personally identifiable user data with anyone, whether related to online searches or the use of its many applications and services. Google Mail users already implicitly consent to the automated scanning of the content of their email messages by Google (in order to serve targeted ads), and the sort of network traffic analysis likely to be involved in monitoring for malware or other threats doesn’t focus on that type of data for its analysis. Concerns over routine or persistent government monitoring of private communications might be better directed to the government’s Einstein intrusion prevention program (in which the NSA plays a significant role).

Despite the attention this latest report has garnered, this is not the first time Google and the NSA have worked together. Nearly two years ago the intelligence community publicized its use of Google search engine software and hardware appliances as part of the technical solution underlying Intellipedia, a private information sharing environment based on a wiki model that has been operational for nearly four years. At the time, the relationship between Google and agencies in the intelligence community prompted some of the same concerns over just how much of Google’s data might end up being exposed to the government. On balance it seems what the government was most concerned with was the technology Google’s solutions offered, not the data the company maintained.

Another way to look at Google’s decision to seek assistance from the NSA is as the response of a company that has fallen victim to cyber attacks exploiting a variety of vulnerabilities, some not even part of Google’s computing environment. Here we have a company that has discovered, and disclosed publicly, that its security posture is less robust than it would like, and now is actively seeking ways to improve its information security. At such a time any large company might seek advice from leading security consultants and practitioners, and ask for an evaluation of its current security practices and capabilities as well as recommendations for strengthening security and mitigating risks due to identified threats and vulnerabilities. If you’re Google, your operation is very large and technically advanced, you have a market leadership position you’d like to protect, and you would presumably turn to the very best experts you could find. In the information assurance arena, NSA is the best. Even without the national publicity surrounding the latest attacks on Google and their influence on international diplomacy for the United States, it is also understandable why the NSA would be willing to help a company like Google (indeed, the Post article notes that other, unidentified technology companies have sought assistance from NSA), and gaining access to personal email and other data from Google users just doesn’t seem a reasonable motivation behind NSA’s participation in this agreement.