University email & student privacy

Some time ago Linköping University proudly announced that they were outsourcing their student email to Google. Basically the students will see the university email address but “under the hood” the system will be run by Google. The BBC reports (11 June) that Trinity College Dublin is doing the same thing.

Google email (gmail) has some privacy issues:

Google automatically scans e-mails to add context-sensitive advertisements to them. Privacy advocates raised concerns that the plan involved scanning their personal, assumed private, e-mails, and that this was a security problem. Allowing e-mail content to be read, even by a computer, raises the risk that the expectation of privacy in e-mail will be reduced. Furthermore, e-mail that non-subscribers’ choose to send to Gmail accounts is scanned by Gmail as well… (wikipedia)

So an uninformed gmail user may be losing some integrity. This is bad but at the same time it can be seen as a question of choice. (Don’t get me started on the problems of uninformed choice). But now the universities are pushing students to become gmail users. In Sweden universities are publicly funded government bodies and therefore they should be more concerned about forcing citizens to become customers of a private corporation.

Generally people are not to aware of the privacy risks which technology may create. Universities should help people to understand society and it is a shame that they are now acting as a sales representative for a company providing them with customers instead of acting as an example and educating citizens about the advantages and disadvantages of technology.

Stop the SPY Act

This is an important anti-spyware campaign from the EFF:

The SPY Act is supposed to help stop spyware, deceptive adware, and other malicious software, but it is unlikely to do any good and could actually make things worse. If enacted, it would block lawsuits similar to the one EFF brought against Sony-BMG for infecting customers’ computers with privacy-invasive copy protection. Don’t let badware makers off the hook — tell Congress to go back to the drawing board and draft a more sensible law.

Both the Federal Trade Commission and Department of Justice have said that they already have the authority they need to go after badware vendors, and this bill doesn’t add any funds or significant tools for federal enforcement.

At the same time, the bill would stunt states’ enforcement, preempting most of their stricter badware laws. For acts covered by the bill, state statutes (including consumer protection laws) wouldn’t be available to consumers themselves as grounds for a lawsuit. And it leaves enforcement exclusively in the hands of federal bureaucrats, specifically barring private citizens and organizations like EFF working on their behalf from using the new law to fight back in the courts.

This is a terrible move. If Congress is serious about enacting tough laws against deceptive and malicious programs, it should create incentives that would encourage private citizens to pursue the bad guys. The federal government and state attorneys general can’t possibly take on the entire job alone.

Congress should also focus on protecting anti-badware tool companies from harassing lawsuits brought by spyware and adware vendors. After all, badware removal programs are doing far more to protect your computer than the federal government ever will. Unfortunately, this bill does nothing to help sustain these helpful tools.

The SPY Act has already passed the House, but with your help we can make the Senate understand that they need to do better.

More info:

  1. Complete the form below with your information.
  2. Personalize the subject and text of the message on the right with your own words, if you wish.
  3. Click the Send Your Message button to send your letter to these decision makers:

What Google wants

To many users Google is understood as a neutral tool. A search engine without bias in any form. While Google has never made any such claim their attitudes and appearance do nothing to dispel this common misconception. It is easy to understand how the idea that technology in itself is neither good nor bad and may be seen as neutral comes about. But such an idea fails to take into account that technology is a man-made phenomenon and as such is the result of countless decisions and perceptions of right and wrong. Therefore while the technological thing may be neutral the choices behind its design, manufacture and use are not.

One of the implementations of Google that may be seen as less than neutral is the harvesting of user searches. Google has a long tradition of recording what people search for. This practice is not without its critics but until now Google has been silent about their purpose for harvesting this data. Last week Googleâ??s Global Privacy Counsel Peter Fleischer posted three reasons why Google captures and retains usersâ?? search queries. The reasons fall into three areas:

  1. Improve our services
  2. Maintain security and prevent fraud and abuse
  3. Comply with legal obligations to retain data

This has not passed uncommented. Micheal Zimmer and Seth Finkelstein are both critical to these explanations in two excellent commentaries they explain why Google’s reasons are mainly unsatisfactory and even misguided.

Employee's Privacy: No Monitoring

This comes straight from the latest EDRI newsletter:

The Welsh Government, through Carmarthenshire College, was found in breach of human rights by the European Court of Human Rights (ECHR) for having monitored one of the college employee’s e-mails, internet traffic and
telephone calls.

As the College is publicly funded, Lynette Copland sued the government for infringing Art.8 of the European Convention on Human Rights that says “everyone has the right to respect for his private and family life, his home
and his correspondence”.

The government argued that the monitoring was carried out in order to establish whether Copland had extensively used college resources for personal communication, but the court ruled that: “The court is not convinced by the government’s submission that the college was authorised under its statutory powers to do ‘anything necessary or expedient’ for the purposes of providing higher and further education, and finds the argument unpersuasive”.

Copland claimed that her correspondence had been monitored for about 18 months by the headmaster of the college who even contacted some of the people with whom she had communicated to ask for the nature of their communications. The government admitted the monitoring but stated it had lasted only a few months.

The Court ruling was that “According to the court’s case-law, telephone calls from business premises are prima facie covered by the notions of ‘private life’ and ‘correspondence’ ” and that “It follows logically that emails sent from work should be similarly protected under article eight, as should information derived from the monitoring of personal internet usage.”

“The applicant in the present case had been given no warning that her calls would be liable to monitoring, therefore she had a reasonable expectation as to the privacy of calls made from her work telephone. The same expectation
should apply in relation to the applicant’s e-mail and internet usage.”

The college had no policy to inform employees they might be monitored and Copland had received no warning on this.

“The ruling is important in that it reinforces the need for a statutory basis for any interference with respect to private use of a telecommunications system by an employee… The lawful business practice regulations [part of RIPA] allow an employer to monitor and intercept business communications, so the Court is implying that private use of a telecommunications system, assuming it is authorised via an acceptable use policy, can be protected.” said Dr Chris Pounder, a privacy specialist at Pinsent Masons.

The Court awarded Copland 3,000 Euros in damages and 6,000 Euros in costs and expenses.

European Court of Human Rights – Copland vs. The United Kingdom (3.04.2007)
http://www.bailii.org/eu/cases/ECHR/2007/253.html

EU court rules monitoring of employee breached human rights (5.04.2007)
http://www.theregister.co.uk/2007/04/05/monitoring_breached_human_rights/

Court of Human Rights protects the private use of the Internet (4.04.2007)
http://www.heise.de/english/newsticker/news/87867

Monitoring of employee breached human rights, says European court
(4.04.2007)
http://www.out-law.com/page-7936

Change of State

Do you read First Monday? Well to be honest I don’t usually have the time to read through every issue but I get the email alert for every new issue – its out on the first Monday of every month – and I tend to browse through the titles and find something interesting to read each month.

First Monday is one of the first openly accessible, peerâ??reviewed journals on the Internet, solely devoted to the Internet. Since its start in May 1996, First Monday has published 795 papers in 132 issues; these papers were written by 951 different authors. In addition, eight special issues have appeared.

This month has a focus on Wikipedia which is naturally interesting but what really caught my eye was a chapter from Sandra Braman’s book Change of State: Information, Policy and Power.

Thanks to MIT Press and Sandra Braman, First Monday is pleased to present an excerpt from Sandraâ??s latest book Change of State: Information, Policy, and Power. This book examines the implications of the change of the governments from welfare states to informational states. Sandra describes how information policy in areas as diverse as intellectual property, border protection, privacy, and research funding affect issues such as identity, the nature of technological systems, and organizational structures.

The table of contents for Change of State follows with a link to chapter 9, â??Information, Policy, and Power in the Informational State.â??

The book is naturally amerocentric but promises some interesting ideas. It looks like another book to add to the reading list – check it out.

Technology and Human Rights

On Friday it’s time for me to give a lecture on Technology and Human Rights for the local masters course on human rights. The nice part about this lecture is that it gives me the opportunity to collect and explore different strands of my work and present them to a new audience. My interest in this area began some time ago and resulted in 2005 in the collected edition Human Rights in the Digital Age which I edited together with Andrew Murray.

Discussing technology and rights can at times feel a bit banal. Human rights activists struggle to free people from torture and death so isn’t technology a small waste of time? There is no way in which it would be fair to compare technology and rights to the work of activists against the death penalty. But there is a major problem if all issues must be resolved in the order of magnitude. Speech rights may be less important to someone facing the death penalty but this does not mean that we should ignore speech rights until we have managed to abolish the death penalty.

For the lecture on Friday I am planning to look at three different areas.

The first area is going to be the use of the Internet as a “place” for political participation. I want to discuss the Internet as an area of political discourse and in particular show its possibilities and its fundamental flaws and limitations. This area should include freedom of speech and freedom of association.

The second area is privacy. In particular I want to focus on the merging of online and offline data. Or to put it another way the combination of spatial information (where you are) with the information traces stored in databases (who you are) to show the advanced control mechanism being created.

The final area is the aggregate use of technology. In this section I want to show the audience that with each piece of technology we may implement for our comfort we also form and shape our lives. In particular we also shape the way in which our lives may be controlled by others. This incremental implementation of technology does not bring large protests since no large rights are threatened overall. However the net long term result is darker than anything Orwell would have dreamed about.

Eric Drooker

The overall goal is to make the audience a bit paranoid about technology – to make them question the choices we are all making in our rush towards a more convenient way of life. Not bad for a Friday…

Privacy Attitudes

One of the problems faced by researchers working with privacy is the fundamental question of why people do not care about privacy? It is easy to see either from studies or by simply looking at peopleâ??s behaviour that privacy is not a big thing for many people.

Oh course if you were to ask the question: Is you privacy important to you? Then most people would reply that their privacy was important. But if we look at the way in which people act with their privacy then we get the real picture. There is a radical difference between the way in which people want to be perceived (i.e. privacy conscious) and the way in which they act.

What does this mean? Well some of the discrepancy between the peopleâ??s theoretical and real standpoints can be explained by the lack of knowledge and awareness of the privacy threats. So for example, it is difficult to blame people for being unconcerned with their privacy simply because they us gmail or similar services.

A similar argument can be made to cover those who have no choice but to use less private alternatives. But wait! before you begin to argue that there is always a choice not to use the technology at all, I want to point out being a Luddite is not an option for many people and neither is it for you, considering where you got a hold of this text.

Why is peopleâ??s perception of privacy a problem? Well if we argue the right to privacy (and I often do) then the fact that people do not care about privacy makes this a problem. Can there be a human right if it is unwanted? For a long time I used the smoker analogy.

Smokers want to be healthy but still do not quit smoking despite all the information available. This is not meant to be understood as smokers do not want to be healthy, nor does it invalidate their right to healthcare. The problem with privacy however is that either you have it or you donâ??t.

Recently Paul Saffo wrote about the online habits of the young be warning them that they will come to regret their openness and online presences:

Which is why I pity teens today, for in a few decades their sophomoric musings will deliver a vast embarrassment utterly unknown to earlier generations. It is not that their words are any sillier than earlier generations; rather teens today have had the misfortune of being the first generation to record their thoughts in cyberspace where those thoughts will remain perfectly preserved until some wag drags them out at a school reunion or the authorâ??s children discover the IM affections that passed between mom and dad.

Saffo’s post seems to come as a reaction to (or proof of concept) the peice by Emily Nussbaum in the New Yorker “Kids, the Internet, and the End of Privacy: The Greatest Generation Gap Since Rock and Roll“.

Basically people (many of them young – but by no means all) are putting their lives online – innermost thoughts, bad poetry, homespun politics, private erotica and everything else that was previously covered by privacy. Add to this the number of cameras and videos that surround us – almost one in every pocket. We have a situation where every embarassing situation is recorded and transmitted to the rest of the disinterested world. The material is also stored away for no reason to resurface at a later date – even though I think most of it will be lost on trashed computers long before the future.

So the concern is: children doing things today with technology will live to regret it later.  And it will be a lot worse than when “we” were young since there will be texts and photos around to prove it.

I disagree.

The mass of material produced today will sink into obscurity. Yes some material (potentially embarassing) will remain to be found. But this change will not create the scandal that such material cuases today. Finding an embarrasing image from the teenage past of a prominent figure of today is hardly newsworthy – but it is considered to be news. In twenty years it will not even be news.

The self publication of ones teenage life and angst will not create a generation of people neurotic about the fact that someone may remember them or their thoughts, it will create a generation of people who can say that they were teenagers in much the same way as all other teenages were.

What about privacy?

This is not the death of privacy. Privacy is a “floating” value. Ideas of what is, and what should be, private change in culture, time and space. The only shock that we are seeing here is the death of the privacy concept as it has been understood by the “others” or “outsiders” – in other words it is the attempt of those outside the group to dictate norms on those inside the group.

Bad Vista

The Free Software Foundation has launched a new campaign called BadVista (www.badvista.org). The campaign has two gaols (1) to expose the harms inflicted on computer users by the new Microsoft Windows Vista and (2) to promote free software alternatives that respect users’ security and privacy rights.

The part about Vista which bugs me is that Microsoft is attempting to sell this as something new. But from the users point of view there is nothing really new here. Vista is actually all about control: firstly, Microsoft’s control over users and secondly, the support department’s control over the customers/clients/users. For the cost at which Microsoft is selling it you would think that Vista would flop. But if you believe that you have forgotten about Microsoft’s tradition of marketing by FUD (playing on the Fear, Uncertainty and Doubt of the users).

FSF program administrator John Sullivan writes: “Vista is an upsell masquerading as an upgrade. It is an overall regression when you look at the most important aspect of owning and using a computer: your control over what it does. Obviously MS Windows is already proprietary and very restrictive, and well worth rejecting. But the new ‘features’ in Vista are a Trojan Horse to smuggle in even more restrictions. We’ll be focusing attention on detailing how they work, how to resist them, and why people should care.”

I think that the BadVista campaign will provide interesting reading… for those of you who want to catch up on Vista and its problems here are some related Vista articles

FIN24, Windows Vista: Fact or Fiction, 15 December 2006

eWeek, Vista, why bother?, 14 December 2006

CRN Test Center – CRN, 25 Shortcomings Of Vista , 4 December 2006

Surveillance Report

The Surveillance Studies Network (some information here) has released its â??A Report on the Surveillance Societyâ?? (editor: David Murakami Wood, authors: Kirstie Ball, David Lyon, David Murakami Wood, Clive Norris & Charles Raab)

The report consists of five sections entitled:

Introducing the Surveillance Society
A Survey of the Surveillance Society
A Week in the Life of the Surveillance Society 2006
Glimpses of Life in the Surveillance Society 2016
Regulating the Surveillance Society

Download the report as a PDF here.

The BBC website has a short readable list of ways in which surveillance takes place in addition to a news article on the new report.

In relation to this see also Privacy International and the results of their international survey. This survey showa that the UK is among the nations which have the worst protection of privacy rights. Or to put it in a more positive light â?? the UK is one of the leading surveillance states.

Expression, not Repression

Amnesty is one of those organisations which you know you should support more than you already do. They have also moved into the digital domain and are supporting all kinds of online expression. In an attempt to prevent online censorship they launched their irrepressible campaign.

Part of irrepressible is a technical solution that breaks censored texts into small pieces and maintains them online. Read more about how to help here.

If you cannot do more then at least sign their petition:

I believe the Internet should be a force for political freedom, not repression. People have the right to seek and receive information and to express their peaceful beliefs online without fear or interference.

I call on governments to stop the unwarranted restriction of freedom of expression on the Internet â?? and on companies to stop helping them do it.

Amnesty International will also be present at the Internet Governance Forum in Athens next week. Again they will be â??â?¦stressing the importance of protecting free expression and privacy onlineâ??

Read their press release here.