Subject: Comments of Nick Doty on Docket #101214614-0614-01
From: npdoty@ischool.berkeley.edu
Date: 1/28/2011 08:57:00 PM
To: ntia.doc.gov
Cc: Deirdre Mulligan
Bcc: https://bcc.npdoty.name/

Comments are attached.

Nick Doty
Lecturer / Researcher
UC Berkeley, School of Information



Mr. Kravitz,

Back at home near DC for the holidays, I happened to read your article "More body scanners are coming to an airport near you" in Sunday's Washington Post. I'm glad the Post is pursuing this "Agony at the airport" series and found your article to be both interesting and, having just flown home for the holidays, very relevant.

I was concerned, however, about the neutrality of how the TSA's statements were presented. In the infographic accompanying the article there is a list of "privacy safeguards", including the following:

"The TSA and manufacturers say images cannot be saved, printed, transmitted or uploaded. Once passengers are cleared, their images are erased."

Although I agree that the TSA makes such statements (both on their website and to the press), these points are strongly disputed by the Electronic Privacy Information Center, which has argued that the TSA's own procurement specifications documents contradict the TSA's statements. According to those documents, body scanners are specifically required to be built with the capability for storing images and with USB and Ethernet interfaces for transmitting data, though those capabilities should be disabled during regular use. This is a significant privacy concern considering the potential risk of security vulnerabilities and the unknown number of employees who can turn these capabilities on and off.

I recognize that limitations of space prevent you from including every relevant detail, but it seems misleading in the list of privacy safeguards to cite a TSA assurance without at least acknowledging the ongoing dispute and lawsuit.

Thanks,
Nick Doty

P.S. Also, I applaud the Washington Post on providing email bylines at the ends of articles, which enables electronic feedback even for articles in a paper newspaper. I hope that you generally find readers' responses useful.


Subject: Wikileaks vs. sunshine laws
From: npdoty@gmail.com
Date: 1/28/2010 04:12:00 PM
To: Ben Cohen
Bcc: https://bcc.npdoty.name/

Hey Ben,

Do you have any particular thoughts on today's Wikileaks release of confidential diplomatic cables?

I've thought about writing in depth about this myself, but I feel both underqualified and overscheduled (grading, PhD applications, syllabus writing). I figure with your experience with San Francisco Open Email, you've probably seen most of these issues in real world specific examples, as opposed to my blanket speculation.

What surprises me is that in some ways I'm more bothered by this release than by the war memos release. I feel like releasing wholesale dumps of diplomatic cables discourages future use of these internal tools for discussion of diplomatic strategy and strains international relationships in ways that are unnecessary and unhelpful.

I'm not sure if the California Public Records Act has a provision like this, but FOIA contains exemptions not just for national security and individual privacy but also "deliberative process". You can't get internal agency email discussions or meeting minutes discussing an ongoing topic using a FOIA request: Congress decided that to open up such documents to public release would discourage frank internal discussion in recorded media like email, and that would hurt the actual process of government more than it would help in the sunshine disinfectant way. Similarly, "executive privilege" is asserted by the White House for the sake of protecting and thus promoting "candid" internal exchanges in giving advice to the President. It's easy for secretive, corrupt or simply oversensitive governments to abuse these exceptions of course, but they nonetheless seem reasonable to me. Frankly, I want embassy employees (full disclosure: I once was one) to be able to freely, efficiently and effectively share their on-the-ground wisdom with others in the State Department; I want the US government to be planning negotiating strategies with foreign governments based on their personal readings of other officials; I want the Secretary of State and the President to be aware of the latest rumors, confidential reports, sensitive meetings in various countries around the world.

Perhaps my interest in this area is in the privacy question involved. Not just privacy in the narrow sense of personal individual information being disclosed to the public unexpectedly (though that's an interesting consequence as well), but privacy in the sense that the flows of information, or more specifically the lack of flows of information, can substantially affect various communicative practices that we think are valuable. Did you see any evidence in the police email project that police would be hesitant to use email for important discussions if they knew it would be made public? That investigations would regress into hard-to-search paper records and backroom conversations instead of electronic systems? In the same way that our personal relationships only really work if irrelevant or inappropriate information can be kept out of the way (sometimes a challenge on Facebook), government processes can only continue effectively if not every email and document is released in a paroxysm of radical transparency.

And I wonder even if this doesn't hurt the cause of open government. If WikiLeaks hadn't released all the cables but had just shared some of the most important ones with the New York Times and other news organizations and those organizations hadn't decided to just publish whatever was interesting but use them as starting points for investigative reporting backed up by various other sources and limited in scope, wouldn't the check on government be just as effective while the harm to the diplomatic process was minimized? If the State Department responds to these releases by keeping less information in electronic form, will the New York Times' future investigations into particular important topics actually be held back by the lack of records?

Where else should we be reading about this? I think that "Against Transparency" article from Lessig is a pretty great start, but are there other (perhaps more empirical) examples people should be talking about? Are there excerpts or conclusions of your report that we should be talking more about in relation to this?

Anyway, would love to hear your thoughts. Hope all's well in the City, and that you had a pleasant Thanksgiving.

Nick



Hello all,

I had just a couple of my own comments to follow up on CDT's last call privacy comments and the "intended usage notification" thread that lingered and languished on this list a few months ago.

First of all, I'd like to second CDT's request to hear from other members of this list as to whether implementors of the API or users of the API that don't fulfill all the normative requirements in "Privacy considerations for implementors of the Geolocation API" and "Privacy considerations for recipients of location information" will be officially non-conformant with the API.

For example, Flickr's mobile website provides a "Photos taken nearby" feature which makes use of the draft Geolocation API. But Flickr apparently doesn't clearly and conspicuously disclose how long location data is retained, how location data is secured or whether location data is shared -- the "Your Privacy" link doesn't describe any uses or practices around location data. I might conclude from following another link that the "Yahoo! Privacy Policy" covers my location information, but it's never described explicitly and I couldn't definitively determine if my location information was stored or shared.

What does the WG intend by requiring recipients to "clearly and conspicuously disclose"? Is disclosure within a long Privacy Policy sufficient? Or do we expect location information to be addressed explicitly and before location information is requested? Also, will the W3C have any power to enforce or judge implementations or (ab)uses of the API?

Second (and I bring this up specifically because it might address ambiguities with the normative privacy considerations), I wasn't sure we ever came to a satisfactory conclusion on whether to allow requesters of location information to specify in their request how location information will be used, how long it will be kept or whether location information will be transmitted to 3rd parties. While Doug, Greg, Andrei and Ian proposed that allowing websites to present information about their usage would let them deceive users, Martin, Henning, Max and I thought that some additional context about how location information will be used would be valuable for user privacy.

Could we find some middle ground where requesters can't place arbitrary text which could deceive, but can fill in a timestamp for how long data will be kept and a flag for whether it will be shared? If not in V1, can we open an Issue to reconsider this question in V2? Again, this could help clarify ambiguities around "conspicuous disclosure", address concerns about privacy protection or even provide an easier step towards associating Geopriv-style permissions with location data.

Thanks,
Nick Doty
UC Berkeley School of Information


Subject: Re: My first step towards digital exhibitionism?
From: npdoty@gmail.com
Date: 2/23/2009 05:45:00 PM
To: Sam Maurer
Cc: Jessamyn Conell-Price, Nathan Doty, Seth Fitzsimmons, Ryan Greenberg, S Hein, Zeina Nasr, Timothy Paige, Steph Pakrul, Andreas Weigend
Bcc: https://bcc.npdoty.name/

(Looping back in the digital exhibitionists, in case they have input here.)

Regarding exhibitionism and subjectivity: I'm not sure there's any way around the fact that I control this. Since it's on a web page that I control, I don't see how I could prove to you that it's automatic or genuine, even if it really were. Short of a government-implanted chip, I think there's no way to stop me from potentially lying to you about my location, and if it ever got to the point where I couldn't lie about it, hide my location at certain times, I'd be really unhappy.

But I think I see your point, that there is a difference in degree here. The more automatic the updates are (even if I have the power to turn them off, or distort them), the more realistic the image of myself is portrayed. The more I have to remember to update, choose to only in certain circumstances reveal my location, the more my persona is curated.

There's no choice but for my online persona to be curated, the same way that my "real life" persona is. But the more automatic and implicit I can make these updates, the more realistic (and richer) a persona I can present. That seems like a worthy goal -- I'll work on getting updates to happen more automatically, and on building the habit to press that button each time I look at my phone. And maybe I can document on my page when my location was last updated -- it's not real proof, but it would be a start.

On Feb 23, 2009, at 2:51 PM, Sam Maurer wrote:

Maybe you could make a useful distinction between active and passive engagement with the information? If I have a routine that involves potentially being in the same location as you with any regularity, then I will want pull access to the information. But if I live far away and am just casually intrigued, either because I like to know what my friends are up to (cf. Facebook news feed), or because I have a thing for geospatial information, then I will want push notification of your major location changes. I guess people who live near you could want a combination of active and passive engagement with the information, but people who live far away are more likely to just want passive engagement?

I'm a little bit worried that the updates aren't automatic, though! I think this eliminates a lot of the digital exhibitionism component, because you might start subjectively tweaking your claimed location. And there's nothing to stop someone from using this as just another aspect of a carefully curated online persona. Thoughts?

sam

On Mon, Feb 23, 2009 at 5:10 PM, Nick Doty wrote:

I think since Fire Eagle currently doesn't give access to history I can't write code to do this (compare the current location to a past location). I'm also not sure that Fire Eagle supports notifications like that, though maybe XMPP allows for this. Seth?

But would you want to be notified every time my location changes significantly? I would think my friends would want more of a pull question than a push one: "where is Nick right now?" rather than "let me know whenever Nick moves". The latter also seems a little "creepier", though I'm not completely sure why.

On Feb 23, 2009, at 1:59 PM, Jessamyn Conell-Price wrote:

Can I be notified every time your location changes significantly*?

*standard for significant change to be determined

On Mon, Feb 23, 2009 at 1:54 PM, Nick Doty wrote: