Blown To Bits

Archive for the ‘Privacy’ Category

File under: If it can be done it will be done

Monday, August 30th, 2010 by Harry Lewis

Now here is an interesting Twitter feed: A running report on every book being checked out of all of Harvard’s libraries. Feels voyeuristic to me, but you have to stretch your imagination to figure out how this would be an invasion of privacy. If the tweets are close to real time, maybe somebody could watch who comes out of Widener library right after “Anglo-Saxon Wills” was checked out, and maybe identify the person who is trying to challenge a millennium-old bequest. (That is a real example — at least the name of the book part.) Still, even without being able to figure out who is reading this stuff, knowing that SOMEBODY is RIGHT NOW finding a need to read that classic tome, “Documents diplomatiques. Deuxième Conférence internationale pour la répression de la traite des blanches (18 avril-4 mai 1910),” — well, I just can’t help thinking it is none of my business. The book is about the white slave trade. Am I just a prude?

Re-identification is a very sophisticated art these days. Maybe someone can figure out how to make mischief by correlating these data with some other source. I can’t think of a way off the top of my head. What think you?

In the category of anything that can happen, will happen

Thursday, August 5th, 2010 by Harry Lewis

Especially if it is the government that has the capability.

How many times were we told that the full body scanners at airports would be incapable of storing and transmitting images? Turns out they actually do have that capability. In one courthouse they have been used to store tens of thousands of images, apparently to reduce staffing demands (CNET report here). If something bad happens later, they can go back and check the images. The Electronic Privacy Information Center has filed suit about this.

The TSA spec document (pdf here), obtained by EPIC, says “the capability to capture images of non-passengers for training and evaluation purposes is needed,” a capability that seems to have been used by one TSA worker to tease another about the size of his genitalia (ACLU report here).

I happen to have no problem personally with full body scanners, but I am sympathetic with people who do. (This is a little like a homeless person saying he has no problem with burglars. My body scan would not bring much on the image market.) Of course, what the government has accomplished by misrepresenting what the machines can do is to make it more likely that people like me will resist using them, or cooperating with any other kind of government data gathering. This should have been the lesson of the Bush warrantless wiretaps. It is one of the side effects of government growth that it becomes harder to monitor and those inside it become increasingly relaxed about infringements of publicly stated policies, as long as they judge that the exceptions are either minor or due to extraordinary circumstances, and are meant ultimately to benefit the public.

A File With 100 million Facebook Users’ Data

Wednesday, July 28th, 2010 by Harry Lewis

So some clown, sorry, security researcher has done a scan of every Facebook profile his robot could reach and assembled a file of all their public information, and posted it for download. 100 million profiles.

I could have done it. You could have done it. No need to bother, though, because Ron Bowes did it for you.

This is one of those things that is not a technology story. It’s an ontology story, or a spiritual story, or something.

Facebook reports that it’s all public information, public because the users wanted it public. So there is no news here, in their view. “No private data is available or has been compromised,” as they say. And they are correct technically. Why is it creepier to have your data in a file with 99,999,999 other profiles, on everybody’s laptop, when the same information about you would have turned up in a Facebook query, or a Google search for that matter? Public is public, right?

The aggregation sure makes it feel different. But that is a matter of feelings, and Facebook’s response was written by its legal team. For lawyers, everything is a binary. Things are either black or white. But privacy has lots of grey.

The Telegraph has a good report on it.

Speech control news from all over

Wednesday, July 14th, 2010 by Harry Lewis

More than a year ago, when the Supreme Court upheld the FCC’s authority to fine Fox Television Stations for “fleeting expletives” uttered by Bono and others, we noted that the court made only a technical ruling and some of the opinions were sympathetic to Fox’s position on the underlying and more important First Amendment question: was the rule the FCC applied too vague, capricious, and uncertain so that it chilled speech? Technology has changed, we noted, and perhaps it is time for the rules to change too, since they were always premised on an argument that television and radio were exceptional technologies, by comparison with books, for example.

The case went back to the lower court, which took up the constitutional question, and ruled against the FCC. (New York Times story.) The judge in the case made a number of correct observations: why should the standards be different for cable TV than for broadcast TV, for example. She did not rule out the possibility of the FCC adopting rules that would be constitutional, and noted that she was bound by the Supreme Court’s 1978 Pacifica decision which made that FCC authority clear. But for the moment, the networks can relax a bit about prosecution for the occasional cuss out of the blue — for example, the one in a discussion of Middle East policy that was spoken by a US President to a British Prime Minister, and which the broadcast networks had to bleep out.

It will be interesting to see what the government does now. It could appeal, but the case seems like a loser, and an appeal all the way to the Supreme Court could backfire, since Justice Thomas signaled that there may well be five votes for overturning Pacifica and costing the government all of its regulatory authority over televised speech.

In other speech control news:

A judge in Pennsylvania signed an order, drafted by a defense attorney, requiring newspapers to expunge their archives of all mention of the defendants’ arrest. The defense attorney actually has part of the logic right: “What’s the sense in having your record expunged if anyone can Google you and it comes up?” He’s right that expungement orders have been blown to bits. He’s just wrong that the way to fix that problem is retroactive censorship of the printed word. It’s a problem that can’t really be fixed, in the U.S. anyway. What was this judge thinking?

Also, a couple of notes on anonymity. I was reading Richard Clarke’s book Cyber War, which makes a compelling case for a more controlled version of the Internet by riding roughshod over civil liberties concerns. Having described the Internet as basically a hippie invention (“the Internet as we know it today is deeply imbued with the sensibilities and campus politics of [the 1960s]”), Clarke scornfully distances himself from any respect for anonymous speech, or reading.

The “open Internet” people believe that if you wish to read The Communist Manifesto, or research treatments for venereal disease, or document China’s human rights violations, or watch porn online, your access to that information will not be free if anyone knows that you are looking at it.

So much not just for Vint Cerf, but for the professional and legal standards governing libraries in most states in the U.S. He comes off sounding just like the Chinese government in its latest “explanation” about how it will control the Internet. “We will make the Internet real name system a reality as soon as possible,” a Chinese official said recently, referring to a requirement that Chinese will in the future have to use their actual names in all Internet communications, no anonymous postings or emails allowed. Just what Clarke would like to see happen here.

Oh Dear, A Windows Messenger Privacy Mess

Tuesday, June 29th, 2010 by Harry Lewis

In the world of social media, it is hard to get the privacy defaults right, because the whole point of social media is to connect with other people. You want to make that easy, so people don’t have to fight the system. And of course there is a network effect, so where there is a choice the designers tip toward connecting more people to each other rather than fewer. They don’t always get the design right, as the Google Buzz fiasco showed.

But then things happen that are just bugs, or unanticipated reactions between multiple databases and applications. The current problem with Microsoft Messenger seems to fall into that category. InfoWorld explains it thus:

Consider this sobering scenario: You and your boss use Windows Live Messenger (or MSN Messenger or Windows Messenger) to keep in touch. One day, you get a job offer from Snidely Whiplash at a competing company across town. You and Snidely have a brief IM conversation, using Messenger. Innocent and private, yes? Well, no.

The next time your boss logs into Hotmail — not Messenger, mind you, but Hotmail — your boss glances at the initial Hotmail screen and sees that you and Snidely have become “friends.” That’s what the notice says: “Woody Leonhard and Snidely Whiplash are now friends.”

Or think wife and girlfriend, instead of boss and competitor. Any two people with whom you are IM’ing who should certainly not be made aware that they are both part of your social circle.

This problem persists no matter how you have the privacy settings set. It’s the sort of high-stakes privacy glitch that undermines people’s trust in the entire Internet. Who knows what will go wrong with the next release of your favorite communications app?

Privacy and Petitioning

Friday, June 25th, 2010 by Harry Lewis

A fascinating case has been before the US Supreme Court this spring. Opponents of a gay civil union statute in Washington state petitioned to place its repeal on the ballot so voters could have the last word. Backers of the law asked the Secretary of State to declare the names of the petitioners a public record and post the names on the Web. The petitioners sued the state to prevent publication, saying they feared harassment.

It’s a wonderful puzzle. Both sides claim their free speech rights are at stake: the one side holding that the names are really part of the legislative process for which transparency is essential; and the other side arguing that their capacity to speak freely requires a level of anonymity. It’s an Internet-created issue, because although petitions have been around for centuries, until now it would have been impossible to publish them quickly enough to influence an election, and to sort and analyze them effectively enough to be a serious privacy threat.

The court’s decision is at once one-sided and inconclusive. By an 8-1 vote the court decided the immediate question before it: Petitions are, generally speaking, public. But the near-unanimity is only superficial, and may not even settle the question of the case at hand. Most, but not all, of the 8 allowed that there might be circumstances—some credible risk of harm, for example—under which petitioners would have a right to keep their names from being published. So the case goes back to a lower court, but may rise back up again.

What is most interesting is that the views of the justices cut obliquely across the usual liberal-conservative lines. In fact, the justice who is the most dismissive of any privacy right, and the sole justice who would have made privacy the norm, not the exception, are the two most conservative justices, Scalia and Thomas, who rarely split their votes on anything. Scalia called for “civic courage, without which democracy is doomed,” and added that he does “not look forward to a society which … exercises the direct democracy of initiative and referendum hidden from public scrutiny and protected from the accountability of criticism.” Thomas held with equal conviction that routinely publishing the names of petition signers would unacceptably chill free speech through a loss of “associational right to privacy.”

A case of the Internet confusing the traditional alignments on free speech issues.

Another Attack on Anonymity

Sunday, May 30th, 2010 by Harry Lewis

Is it really a threat to our national security that people can pay cash for prepaid cell phones? That is the thought behind federal legislation that has been introduced in the Senate by Democrat Chuck Schumer and Republican John Cornyn. To buy a phone you would have to provide identification and the retailer would have to retain the information for 18 months. In Schumer’s words,

This proposal is overdue because for years, terrorists, drug kingpins and gang members have stayed one step ahead of the law by using prepaid phones that are hard to trace. We caught a break in catching the Times Square terrorist, but usually a prepaid cell phone is a dead end for law enforcement. There’s no reason why it should still be this easy for terror plotters to cover their tracks.

Of course, as they say, if you have done nothing wrong you have nothing to worry about.

As Jim Dwyer points out in the New York Times, a lot of people other than gangsters and terrorists like the anonymity of prepaid phones. Tipsters contacting journalists, and journalists calling tipsters who don’t want to be receiving identifiable calls. Battered women. Cheating spouses.

It’s an old story. We can make it harder for the bad guys to hide by enabling the government to track everything we do. Where do we draw the line and say we’d rather take the risk, when the tradeoffs are so hard to quantify, and the worst case scenarios so terrifying?

It’s coming, I’d guess; as is registration for Internet services, already the law in South Korea. When the left (which is happy with more social intervention and control) and the right (which foresees the end of civilization in the bungling Times Square bomber) line up, the libertarian arguments don’t have much traction.

But wait: In Mexico you have to register your cell phone, and there is widespread resistance! I wonder why.

As the government pushed citizens to register their phones, the newspaper El Universal sent a reporter out to the notorious black market bazaar in Mexico City known as Tepito and found that for $12,000 a person could buy the complete data set for every registered voter in Mexico — their names, addresses, dates of birth, driver’s license and social security numbers. The vendors said their best customers included organized crime and police agents.

The technical term for that is “repurposing” data.

Facebook sort of apologizes, and fixes one problem

Wednesday, May 26th, 2010 by Harry Lewis

A couple of days ago Mark Zuckerberg had an opinion piece in the Washington Post explaining that Facebook would be doing another rev on its privacy policies. Here are some key sentences:

The biggest message we have heard recently is that people want easier control over their information. Simply put, many of you thought our controls were too complex. Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark.

We have heard the feedback. There needs to be a simpler way to control your information. In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services. We are working hard to make these changes available as soon as possible. We hope you’ll be pleased with the result of our work and, as always, we’ll be eager to get your feedback.

We have also heard that some people don’t understand how their personal information is used and worry that it is shared in ways they don’t want. I’d like to clear that up now. Many people choose to make some of their information visible to everyone so people they know can find them on Facebook. We already offer controls to limit the visibility of that information and we intend to make them even stronger.

There are two threads here. The first is that the privacy controls were too granular and too complex. Certainly true, as the NYT graphic beautifully illustrated. Second is that not everyone wants lots of stuff public. Certainly true also. Glad they are addressing both problems. Or are they?

The tonal problem remains, I am afraid. The implication is that we geniuses at Facebook thought everything was cool, the problem was with the users. “Many of you thought our controls were too complex.” Well, no; they were too complex. The point of privacy settings is so people, ordinary people, can keep stuff private. It shouldn’t take hundreds of clicks to do that. You are a consumer-oriented company now, and the customer is always right. Imagine if a washing machine had a hundred knobs on it and had to be retrofitted. Would Whirlpool say “Many of you thought our controls were too complex”? Why didn’t Facebook run some user tests first?

And then there is the problem of defaults. Zuckerberg’s post contains no hint that the defaults are wrong. In fact, there is deceptive language that suggests that the defaults are other than they are. “Many people choose to make some of their information visible to everyone.” No; “choose” suggests opt-in; the fact is opt-out. You, MZ, chose, on behalf of all of us, that some of our information will be visible to everyone, unless we do something to hide it. Big difference.

At least the programmers got cracking and fixed the data leakage Ben Edelman pointed out. But this was a kind of design bug that never should have happened in the first place. It wasn’t a coding error; they just failed to have some smart person looking over the engineers’ shoulders for privacy issues with their implementation. Again, some process failure is evident here.

Finally, the character-of-the-leader issue isn’t helped by the report that came out a couple of months ago that Zuckerberg, while still at Harvard, had used failed Facebook login attempts to guess email passwords of student journalists. Now there is a place where you really can only trust your web site. How would you ever know that when you type the password for one site into another, that the second isn’t grabbing the key you typed to see what it might unlock?

So the question will remain in the minds of lots of people: Can Facebook be trusted with personal information? I am betting there will be increasing Congressional interest in that question.

Mark Z: Grow Up

Sunday, May 23rd, 2010 by Harry Lewis

The more I learn about Facebook’s privacy problems, the more I am confirmed in my original guess about the root cause. It just looks like the company is being run by adolescents, or twenty-somethings whose idea of profitable fun and games is more appropriate for badly behaved teens.

So Mark, here is some unsolicited advice from your old college professor. It’s amazing what you’ve accomplished. A social network with 400 million people, how cool is that? But now you’ve got to grow up. There is a flesh and blood human being behind every profile. Those are real guns you are playing with now, loaded with ammo.

I had to read Ben Edelman’s post twice to be sure what it described was as simple as it seemed to be. Facebook claims — and has claimed repeatedly, including on occasions when its claim has been challenged — that when you click on an ad that appears on a Facebook page, the advertiser does not learn your Facebook identity, and all the profile information that lies behind it. Of course, the advertiser will know something about you, because it will have given Facebook some demographic parameters to limit who is shown the ads. So if the advertiser bought advertising space on Facebook and said it wants its ads shown only to people under 30 in the Boston area, when somebody clicks on an ad, Facebook will know that the person is under 30 and in the Boston area. But it shouldn’t know that the person is samjones478 or whatever; that would reveal a great deal more about the person who clicked, especially if samjones478 had accepted Facebook’s new default publicity settings (what Facebook misleadingly calls its “privacy settings”).

As recently as six weeks ago, Facebook was declaring flatly that it doesn’t share your identity with advertisers. “We don’t share your information with advertisers unless you tell us to (e.g. to get a sample, hear more, or enter a contest).” said Facebook’s Barry Schnitt. “Any assertion to the contrary is false. Period.” And that is a consistent line, not a Blumenthalian momentary lapse of precise language.

Turns out, it just isn’t true. When you click on an ad while you are viewing your own profile, or a page linked to from your profile, your username is part of the URL. The advertiser, before taking action on your click, can check your profile and customize its offer based on the personal information it finds there.
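The leak described above, as an added illustration that is not Edelman’s analysis or any of Facebook’s code: a site-side audit over constructed click records that flags every ad click whose page URL, which reaches the advertiser as the HTTP Referer header, names the user, and shows the origin-only form that a strict referrer policy (a browser mechanism that postdates this 2010 post) would hand the third party instead. The site’s URL layout, the parameter names, and the record format are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample of ad-click requests as a site's edge might record them:
# "<method> <path> <Referer header>" per line (a made-up format, not a real log).
SAMPLE_LOG = """\
GET /ads/click?ad=42 https://social.example/profile.php?id=samjones478
GET /ads/click?ad=42 https://social.example/home
GET /ads/click?ad=17 https://social.example/samjones478/photos
GET /ads/click?ad=17 -
"""

# Hypothetical URL layout of the social site: a profile is reachable either as
# /profile.php?id=<username> or as a vanity path /<username>/... . Top-level
# paths that are not user handles are listed so the vanity rule does not misfire.
NON_USER_PATHS = {"home", "ads", "profile.php", "search", "login"}
HANDLE_RE = re.compile(r"^[A-Za-z0-9_.]{3,}$")


def identifier_in_url(url):
    """Return the username a page URL exposes, or None if it carries none."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if "id" in qs and HANDLE_RE.match(qs["id"][0]):
        return qs["id"][0]
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[0] not in NON_USER_PATHS and HANDLE_RE.match(segments[0]):
        return segments[0]
    return None


def origin_only(url):
    """What a third party would see under a strict-origin referrer policy."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "/", "", ""))


def audit_clicks(log_text):
    """Return (ad id, leaked username) for each click whose Referer names a user."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, referer = line.split(" ", 2)
        if referer == "-":
            continue  # browser sent no Referer header at all
        ad = parse_qs(urlsplit(path).query).get("ad", ["?"])[0]
        user = identifier_in_url(referer)
        if user:
            leaks.append((ad, user))
    return leaks


if __name__ == "__main__":
    for ad, user in audit_clicks(SAMPLE_LOG):
        print(f"ad {ad}: Referer identifies user {user}")
    print("with origin-only referrer the advertiser sees:",
          origin_only("https://social.example/profile.php?id=samjones478"))
```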

How useful is that information to an advertiser?

Well, consider the study Jeremy Bailenson did at Stanford at the time of the 2004 presidential election. Voters were shown pictures of the candidates, but only one of the candidates was actually shown accurately. The other candidate’s picture was morphed with a small amount of the subject’s own face (the subjects were on camera during the experiment). Voters’ preferences shifted significantly toward the candidate with whom the voters’ face had been morphed — and not one subject noticed the deception.

Since Bailenson talked about this at the Berkman Center last year, I have been thinking that images of our faces are a gold mine for advertisers. Now we have a too-good-to-be-true source of high quality facial images. Before serving an ad, the advertiser could just grab our profile photo and morph a little bit into a face appearing in the ad, to make it more effective.

Back to the main point. Facebook’s data on us is very valuable commercially. The changes to the privacy policies are not about creating a better social experience for us. They are about monetizing what Facebook knows about us. Fair enough; they are a business. But Facebook needs to be open about what it is doing. It needs to stop baiting and switching. And it absolutely needs to stop lying, which seems to be the appropriate term given that Facebook has continued to claim that it is not sharing user information even though it was put on notice months ago that it was doing exactly that.

Postscript: A friend pointed me to this account of IM’s from Zuckerberg back in his college days:

Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask.

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How’d you manage that one?

Zuck: People just submitted it.

Zuck: I don’t know why.

Zuck: They “trust me”

Zuck: Dumb fucks.

A fabrication? Possibly. But it sounds right. The company issued a reassuring statement but would neither confirm nor deny the authenticity of the instant messages. But there is sweet irony in the idea that Mark’s own age-19 misjudgment about openness would come back to bite him as his company struggles to persuade its 400 million users that it truly does deserve to be trusted with their private information.

All the news on the privacy front

Thursday, May 20th, 2010 by Harry Lewis

Lots of news items today on the privacy front.

The new Conservative-Liberal Democrat coalition government in England has launched a remarkably aggressive campaign to unwind the ubiquitous surveillance that was put in place through the years of the Labour government. The deputy prime minister refers to a “culture of spying on its citizens” and says “It is outrageous that decent, law-abiding citizens get treated as if they have got something to hide.” In the U.S. the politics of surveillance seem to be the reverse of the attitudes in England. Here it is the left that complains about the violations of individual liberty occasioned by surveillance, either governmental or commercial, and it is the right that defends surveillance, either as an aid to law enforcement and national defense, or as a free exercise of unrestrained capitalism.

Here, thanks to Larry Denenberg, is a terrific CBS News segment on the privacy risks due to copy machines, which in the modern era are nothing more than scanners attached to computers — with hard drives. Those hard drives hold huge amounts of data, which doesn’t get deleted between jobs. Just as in the case we report in Blown to Bits about the data that can be recovered from the hard drives of used personal computers, a LOT can be recovered from the disk drives of used copiers. I feel rather foolish that this never occurred to me. What happens to your office copier when it breaks down and is replaced, or worse, is traded in for a newer model? Do years of office documents go with it, unencrypted? Among the more interesting things about this video is the revelation that there actually is a proper auto-delete feature available on Sharp copiers — a few extra lines of code for an extra $500, which is about the price of an entire PC today, with Windows installed.

Thanks to Hanspeter Pfister for pointing me to this terrific graphic on how Facebook’s privacy policies have become weaker over the years, and this site that helps you check and modify your own Facebook privacy settings. The New York Times graphic from a few days ago on Facebook privacy also is worth a thousand words (or 5,830, which is actually how long Facebook’s privacy policy now is).

Finally — I was on Emily Rooney’s Greater Boston show last night with Tim Wong, until recently of the Berkman Center, talking about the backlash against Facebook’s new privacy model.