Book review: Habeas Data

What does modern technology say about you? What can the police or other government agencies learn? What checks on their power exist? These questions are the subject of a new book from technology reporter Cyrus Farivar.

Habeas Data (affiliate link) explores the jurisprudence that has come to define modern privacy law. With interviews with lawyers, police officers, professors, and others who have shaped the precedent. What makes this such an interesting subject is the very nature of American privacy law. Almost nothing is explicitly defined by legislation. Instead, legal notions of privacy come from how courts interpret the Fourth Amendment to the United States Constitution. This gives government officials the incentive to push as far as they can in the hopes that no court cases arise to challenge their methods.

For the first two centuries or so, this served the republic fairly well. Search and seizure were constrained to the physical realm. Technological advances did little to improve the efficiency of law enforcement. This started to change with the advent of the telegraph and then the telephone, but it’s the rapid advances in computing and mobility that have rendered this unworkable.

As slow as legislatures can be to react to technological advances, courts are even slower. And while higher court rulings have generally been more favorable to a privacy-oriented view, not everyone agrees. The broad question that courts must grapple with is which matters more: the practical effects of the technology changes or the philosophical underpinnings?

To his credit, Farivar does not claim to have an answer. Ultimately, it’s a matter of what society determines is the appropriate balance between individual rights and the needs of the society at large. Farivar has his opinions, to be sure, but Habeas Data does not read like an advocacy piece. It is written by a seasoned reporter looking to inform the populace. Only by understanding the issues can the citizenry make an informed decision.

With that in mind, Habeas Data is an excellent book. Someone looking for fiery advocacy will likely be disappointed, but for anyone looking to understand the issue, it’s a great fit. Technology law and ethics courses would be well-advised to use this book as part of the curriculum. It is deep and well-researched while still remaining readable.

It has its faults, too. The flow of chapters seems a little haphazard at times. On the other hand, they can largely be treated as standalone studies on particular issues. And the book needed one more copy editing pass. I saw a few typographic errors, which is bound to happen in any first-run book, but was jarred by a phrase that appeared to have been accidentally copy/pasted in the middle of a word.

None of this should be used as a reason to pass on this book. I strongly recommend Habeas Data to anyone interested in the law and policy of technology, and even more strongly to those who aren’t interested. The shape that privacy law takes in the next few years will have impacts for decades to come.

Who gets your Facebook messages after you die?

Last month, a court in Germany ruled that Facebook should not be compelled to give access to the account of a teenager who died to her parents. The girl died after being struck by a train. Her parents, trying to determine if it was a suicide, wanted to look for evidence that she had been bullied. The initial court ruled in favor of the girls parents, but Facebook prevailed on appeal.

This is an excellent example of the “hard cases make bad law” adage, though I think the court arrived at the right decision here. The girl’s parents argued that it was the digital equivalent of a diary, which is an interitable item. I understand their argument. As a parent myself, I don’t doubt that I would make the same argument were I in their case. But I think the appeals court made the right decision here, although it took some thought to get to that.

It’s more than just a diary

The “it’s the same as a diary” argument makes sense only if you intentionally exclude the ways it’s not. Yes, people use Facebook to share personal musings and reflections the same way they might in a diary or journal. However, Facebook (and other social media) have an interactivity that a diary does not.

This goes beyond the fact that others may leave comments on posts. The owner of an account is not necessarily the originator of the content within the account. What I mean by that is that the messages may be initiated by someone else. Granting account access to the girl’s parents is not really about protecting her privacy, it’s about protecting the privacy of those she has communicated with.

But that’s the point, right?

The girl’s parents wanted to find evidence of bullying. Why should the privacy of the bullies be protected (in the very narrow context of their messages to the girl)? Because they’re probably not the only people who sent the girl messages. What if another friend had confided in the girl about personal matters? What right do the girl’s parents have to that communication? None, of course.

I have a hard time justifying why the girl’s account should be made available to anyone given the risk of harm to innocent third parties. If the situation were different – if the police or prosecutor were ask for specific searches as part of a case – that would be more reasonable, in my opinion. In that case, the structure and process of the investigation would minimize the harm of disclosure.

This is a hard problem

In the pre-digital age, it was less complicated. Conversations that didn’t happen face-to-face (or on the telephone) probably happened via letter. Any letters that were not destroyed became part of the estate. Some heirs probably destroyed them, others not. And though there are many threats to privacy these days, the electronic age has made possible a form of privacy that was hitherto unknown.

I’m certainly in favor of people being able to explicitly opt in to allowing someone to inherit their accounts. And not all accounts are created equal. When I die, I’d like to think someone would keep my meager website around in order to provide a legacy of sorts. But I’d also like to think that my death won’t result in the correspondence my friends have sent me in confidence. It’s not my privacy I want to protect after I die, it’s the privacy of my friends.

Fourth Amendment protection and your computer

Back in January, I wrote an article for Opensource.com arguing that judges need to be educated on open source licensing. A recent decision from the Eastern District of Virginia makes it clear that the judiciary needs to better understand technology in general. Before I get into the details of the case, I want to make it clear that I tend to be very pro-defendant on the 4th-8th Amendments. I don’t see them as helping the guilty go free (although that is certainly a side effect in some cases), but as preventing the persecution of the innocent.

The defendant in this case is accused of downloading child pornography, which makes him a pretty unsympathetic defendant. Perhaps the heinous nature of his alleged crime weighed on the mind of the judge when he said people have no expectation of privacy on their home computers. Specifically:

Now, it seems unreasonable to think that a computer connected to the Web is immune from invasion. Indeed, the opposite holds true: in today’s digital world, it appears to be a virtual certainty that computers accessing the Internet can – and eventually will – be hacked.

As a matter of fact, that’s a valid statement. It’s good security advice. As a matter of law, that’s a terrible reason to conclude that a warrant was not needed. Homes are broken into every day, and yet the courts have generally ruled that an expectation of privacy exists in the home.

The judge drew an analogy to Minnesota v. Carter, in which the Supreme Court ruled that a police officer peering through broken blinds did not constitute a violation of the Fourth Amendment. I find that analogy to be flawed. In this case, it’s more like the officers entered through a broken window and began looking through drawers. Discovering the contents of a computer requires more than just a passing glance, but instead at least some measure of active effort.

What got less discussion is the Sixth Amendment issue. Access to the computer was made possible by an exploit in Tor that the FBI made use of. The defendant asked for the source code, which the the judge refused:

The Government declined to furnish the source code of the exploit due to its immateriality and for reasons of security. The Government argues that reviewing the exploit, which takes advantage of a weakness in the Tor network, would expose the entire NIT program and render it useless as a tool to track the transmission of contraband via the Internet. SA Alfin testified that he had no need to learn or study the exploit, as the exploit does not produce any information but rather unlocks the door to the information secured via the NIT. The defense claims it needs the exploit to determine whether the FBI closed and re-locked the door after obtaining Defendant’s information via the NIT. Yet, the defense lacks evidentiary support for such a need.

It’s a bit of a Catch-22 for the defense. They need evidence to get the evidence they need? I’m open to the argument that the exploit here is not a witness per se, making the Sixth Amendment argument here a little weak, but as a general trend, the “black boxes” used by the government must be subject to scrutiny if we are to have a just justice system.

It’s particularly obnoxious since unauthorized access to a computer by non-law-enforcement has been punished rather severely at times. If a citizen can get 10 years in jail for something, it stands to reason the government should have some accountability when undertaking the same action.

I have seen nothing that suggests the judge wrote this decision out of malice or incompetence. He probably felt that he was making the correct decision. But those who make noise about the “government taking our rights away” would be better served paying attention to the papercut cases like this instead of the boogeyman narratives.

The easy answer here is “don’t download child pornography.” While that’s good advice, it does nothing to protect the innocent from malicious prosecution. Hopefully this will be overturned on appeal.

Privacy in the 21st century (or at least this week)

Digital privacy has been in the news this week. The first story involves a judge ordering a woman to decrypt her laptop. There has been a lot of uninformed commentary surrounding this story, and I thought I’d add my own to the pile. My initial reaction was that it was a pretty blatant violation of the Fifth Amendment, but after further reflection, I’m not so sure. I still struggle to find the right parallel to the physical world.

I don’t believe that decrypting the data is self-incrimination, in and of itself. A person can’t avoid a search warrant by simply locking the door. On the other hand, the police already have the data (in some form) in their possession. There’s no requirement that the data be in a form that the state finds convenient.

Overall, I’m not that concerned with this decision. A valid warrant should be sufficient to require a person to turn over documents in an unencrypted form. Failure to comply is rightly contempt of court. The only problem is when a person legitimately forgets the key, because it is nearly impossible to determine if they have legitimately forgotten. Still, I’m not at all convinced that this ruling is a death knell for the Fifth Amendment.

The other story in the news came from Google, who announced that they are changing their privacy policy for accounts (this does not include search, Wallet, and Chrome). This story has caused no end of hand-wringing, but it seems to me like a severe overreaction. From what I can tell, interactions with third party sites hasn’t changed. The changes mostly make it easier for Google services to share data internally.

To me, that’s part of the appeal of using the variety of services Google offers. What’s the point of a single account if the services aren’t tightly integrated? The lack of an opt-out isn’t a compelling argument to me. Anyone who doesn’t like the privacy policy doesn’t have to use the service (though I’ll admit that if you just bought an Android phone, the cost for leaving (assuming an early termination fee with the carrier) can be prohibitive). There’s an adage that states if you’re not paying, you’re the product. I’m fine with my data being more available across my Google services and hope the promised cool things come to pass. If it ever becomes unacceptable to use Google services, I’ll take my ball and go home.

Cyber security month — your private pictures aren’t

Editor’s note (*snerk*): October is National Cyber Security Awareness Month.

One of the most commonly repeated pieces of advice given about privacy on the Internet is “be careful who you allow to see your stuff.” That advice is good, but it doesn’t quite cover it.  Pictures posted on many social networking sites can be set to only be viewed by your friends, or even subsets of friends.  However, there are ways around those protections.  On Facebook, anyone who has access to the picture can copy the picture’s URL and send or post it to others. The URL allows anyone, even people without Facebook accounts to view the picture. On MySpace, there was a way to view any users pictures from a slide show, so long as you knew their ID number (which is easily obtainable).  This has since been fixed, it seems. There are also methods for finding private pictures on Photobucket and other sites.

Beyond the somewhat innocent ways of compromising your pictures, there are also more sinister ways of losing control of your content.  If you have a weak password, or reuse passwords, or let your password be known, you are open to someone compromising your account and removing, changing, or adding content.  This has the potential to be very damaging to your personal life.  And of course, anything that can be viewed on screen can be copied in a screen capture and posted anywhere.

That isn’t to say that your content shouldn’t be controlled.  It is still a wise idea to try to keep tabs on things you don’t want everyone to see.  The important thing to remember is that your private pictures aren’t, and anything on the Internet might eventually make its way into public view.