DataWatch

Google announced today on its official blog that it will change its online terms within a month and those changes will become effective on March 1. According to the blog, the changes are made in response to regulatory pressure for shorter privacy policies. However, from the blog post, it also appears that Google will be transferring more of its users’ information between its various services. We will continue analyzing the changes and provide a more detailed explanation. Stay tuned!

In cyber language, a lot of news are not news. One of such is that Facebook has some privacy practices that users complain about. They not only allegedly sell or make available either directly or indirectly your private information, they also store and/or make public, private data about their users without first seeking the users’ consent. Thirdly and pretty annoyingly, they change their privacy policy arbitrarily without notifying the users, thereby giving users no opportunity to change their online behaviors to suit their needs in tune with the new policy.

There is a difference between the desirable and the available, especially whenever it concerns privacy practices. While we desire utmost privacy and the strictest frugal dissemination of our private information, we release as much information as we think is necessary to create a visible online profile, thereby making ourselves vulnerable.

What online companies do with that information depends on their policies which users agree to and what the privacy law in the country wherein they operate says. In the USA, the law of privacy is a creation of common law, pioneered by early works of Supreme Court Justices Earl Warren and Louis Brandeis – the latter an alumnus of Harvard Law School – who both wrote “The Right of Privacy” in 1890. The development of privacy laws over the years, especially with the advent of the cyberspace, has resulted in a standard requirement of “Full Disclosure Opt-Out”. By this, websites are under a duty to disclose to their users what information they obtain about them and how that information is used. Any user who does not want to be thus treated may Opt-Out by specifically requesting that he be excused from such a privacy practice. This is a default setting for most privacy policies, including Facebook’s.

Thus, in practice, Facebook has done nothing unlawful, since Facebook is an American company and have complied with the minimum standard requirement of “Full Disclosure Opt-Out”. Also, since the Terms of Use contain a clause that says Facebook can amend their Privacy Policy at anytime without first recourse to the users, they seemed to be within their right.

The situation in Europe is different, however. By the ePrivacy Directive approved by the European Commission in November, 2009, European Internet consumers can only have their private information tracked or stored if they choose to, as opposed to opting out if they do not want to. This is known as the “Full Disclosure Opt-In” requirement. I have described this earlier as “good for privacy, bad for business”. A US company willing to deal with European consumers may “self-certify” by enrolling into the US-EU Safe Harbor program hosted by the US government at their website. Thus, such a website offers a different level of protection to European consumers.

Another aspect of privacy law which deserves a mention in this peculiar case of FTC vs Facebook is the issue of government intervention in the privacy of individuals. Government has no business dictating to or directing an individual how he should live his private life. This was summarized by Justice Brandeis’ dissent in the case of Olmstead v. U.S., 277 U.S. 438, 478 (1928)  as the “right to be left alone”. In 1967, the US Supreme Court overturned its ruling in Olmstead and held that recording by police of conversation in public telephone booth was a violation of the Fourth Amendment, because the speaker had a reasonable expectation of privacy in the booth. See Katz v. U.S., 389 U.S. 347, 350 (1967). The Court quoted “right to be let alone” from Warren & Brandeis’ 1890 article, instead of from Brandeis’ dissent in Olmstead, a case on the same issue. Maybe the Court was embarrassed to reverse its earlier position in Olmstead. (Ronald Standler, 1997)

But while Congress cannot tell users how to live their private lives, the government has an obligation to provide protection to the vulnerable class of the society who may not be able to make informed decisions about the manner they live their private lives, especially as it concerns the public sphere. In other words, though the government is not allowed to invade the private sphere of their citizens, they have the duty to ensure that the public sphere is sane for everyone to co-habit. The cyberspace has been severally referred to as the public sphere, just as public parks, the highways, the airways and the waterways. Thus, as the government has the duty to ensure that every road user has equal rights to use the highways, they also have an obligation to ensure that Internet users enjoy their rights on the cyberspace. That is why the FTC has continuously taken measures to ensure that privacy practices on the Internet are within legal bounds, even if there is no regulation or enactment to the effect.

According to AP Technology Writer Barbara Ortutay, Google’s attempt to plant a social network called Buzz within its widely used Gmail service invited the FTC to crack down on the move eight months ago for alleged privacy abuses. Like Facebook, Google also agreed to improve its privacy practices and submit to external audits for the next 20 years. In fact, as a response, the Buzz is now an abandoned project and has been replaced with Google Plus.

The FTC also filed charges against Twitter, alleging that it didn’t do enough to protect users’ accounts from computer hackers. The online short-messaging service struck a settlement with the FTC in June 2010 to resolve the privacy concerns and improve its security of users’ private and personal information.

Facebook are the latest to suffer a similar fate, and so tow the same line. In vindication of Private Citizen’s position and displeasure at the indiscriminate manner in which companies change their privacy policies, the AP reports that much of the FTC’s complaint against Facebook centers on a series of changes that the company made to its privacy controls. The revisions automatically shared information and pictures about Facebook users, even if they previously programmed their privacy settings to shield the content. Among other things, people’s profile pictures, lists of online friends and political views were suddenly available for the world to see. They were also alleged to have shared users’ personal information with third-party advertisers from September 2008 through May 2010 despite several public assurances from company officials that it wasn’t passing the data along for marketing purposes. They reported further that FTC also alleged that Facebook displayed personal photos even after users deleted them from their accounts.

Although Facebook denied any wrongdoing, their agreement with the FTC requires the company to obey privacy laws or face a fine of $16,000 per day for each violation. As mentioned above, privacy law on the Internet is two-pronged. The “Full Disclosure Opt-Out” in the US and the “Full Disclosure Opt-In” requirement in European countries made accessible to American companies through the US-EU Safe Harbor program.

The agreement has been unanimously approved by FTC’s commissioners. The FTC is however accepting public comments through Dec. 30 before deciding whether to finalize the settlement, which is foreseeable.

What is in it for you?

The agreement, though in the interest of Facebook users, does not make Facebook overtly responsible to the user in a major way. Federal Trade Commission (FTC) lawyer Lesley Fair blogs that the Settlement merely requires Facebook to implement a comprehensive privacy program, complying with Privacy Laws (as unclear as that may connote) and submit to external audit of its privacy practices by the FTC for the next 20 years. More importantly, Facebook shall not misrepresent its privacy practices. Lesley Fair stated further that once a company abides by its privacy policies (no matter how good or bad such practice is) and does not misrepresent same, it is safe from an FTC crackdown. However, you can be sure to receive an e-mail from Facebook whenever they intend to change the privacy policy.

Going Forward

What would have been more desirable is for a positive enactment by the Congress that once and for all gives a code of conduct to online companies. We should not be too proud to follow the good examples laid by Europe. The US-EU Safe Harbor will be unnecessary if the laws have similar provisions. The energy deposed towards the Stop Online Piracy Act, E-PARASITE Act or the PROTECT-IP Act, and so on, which effort has been geared towards protecting the interest of a powerful minority Intellectual Property companies for over a decade, can be divested in something more productive that will benefit a greater number of people. Beneficial incentives, like those given to Internet Service Providers under the Digital Millennium Communications Act, can also be provided to online websites who practice flawless privacy policies. On the flip side, criminal responsibility can be meted out to bad practices.

A copy of the Settlement can be found here.

This past week, The New York Times modified its Privacy Policy for at least the second time this calendar year. As with the Google+ policy changes that were also recently rolled out, the ambiguous language provides The New York Times with flexibility–and thus discretion–in how it can apply its state policies.

The previous version of the policy allowed The New York Times to “exchange or rent” its print subscriber’s names and mailing addresses with other “reputable companies that offer marketing information or products through direct mail.” The policy included a link to another part of the policy that listed the opting-out process for each use of personal information.

However, the new policy could significantly expand the types of information The New York Times can exchange or rent, by including its right to do so with “certain other information, such as when you first subscribed to The New York Times.” Unfortunately, the new language’s example is neither restrictive or particularly illustrative, and as such is so ambiguous as to prevent users from being sure what kinds of information The New York Times is claiming a right to use.

The policy also now, helpfully, includes the procedure for opting-out of the “exchange or rent” clause within the same paragraph. However, there is no automated service to do so, and users must write an email or letter:

If you prefer that we do not share this information, you may opt-out by e-mailing us at opt-out@nytimes.com, or write to us at Customer Care, P.O. Box 217, Northvale, NJ 07647-0217.  If you are a current print subscriber, please remember to include your account number and phone number in the body of your e-mail or letter, and if you choose to opt-out via e-mail, please include “Opt-out” in the subject line.

PrivateCitizens advocates for clear language in privacy policies, and we feel it would not be onerous for The New York Times to list the personal information that it plans to–or has already started–exchanging or renting. This is especially true as the information is limited to what the company knows about its print subscribers, and not to the multitude of data points collected for its online subscribers.

Here is the link to the comparison between the cached and live policies, and below are the static images of substantive changes.

Today and yesterday, Google+ revised its Privacy Policy and User Content and Conduct Policy for the first time in this young social network’s history.  The changes demonstrate several of our objections to privacy policies:

1. they include ambiguous language;
2. they give Google+ a lot of discretion;
3. the policies change frequently (the User Content and Conduct Policy has changed twice in two days); and
4. the users are unaware of the changes (as well as the substance of the original policies).

Our intention is not to sneer at Google.  In fact, we love Google’s services and these problems can be found in many privacy policies across the web.  But we want Google to take note that its current policies are not good for the Internet and, consequently, not good for Google.  As our project develops, we will provide plain English translations of the legalese found in privacy policies.  In the meantime, we encourage Google to apply its innovative strength to this problem to keep its users informed.

While you can see the full changes in the highlighted documents below, here is the essence. The Privacy Policy was mainly revised to address the new Google+ Pages that are now offered to businesses. The User Content and Conduct Policy had little substantive changes.  However, the reorganization of that policy brought to our attention the following language, previously found at the bottom of the document and now moved to the top:

“We may modify these policies so please check back here. Also, when applying our policies, we may make exceptions based on artistic, educational, or documentary considerations, or when there are other substantial benefits to the public from not taking action.”

This language illustrates the main problem with privacy policies and terms of use: they are ambiguous.  What is an “artistic” exception?  “Educational” for what purpose?  What is meant by the term “documentary”?  G+ users cannot possibly give informed consent based on this policy because frankly the policy is not informative.  As a related point, the policy gives Google wide discretion not to enforce its policy if, for example, a user accesses another user’s account without her permission. It leaves G+ users with little predictability, especially as Google “may” and does modify these policies.  This is a problem.

November 7 changes to G+ Privacy Policy:

November 7 changes to G+ User Content and Conduct Policy:

November 8 changes to G+ User Content and Conduct Policy: