Category Privacy

Cloud Computing Privacy

A couple of weeks ago, Christopher Soghoian tweeted about a short video that’s really a great summary of one of the fundamental privacy problems of cloud computing:

Corporate privacy concerns are more nuanced than government privacy concerns. You can argue that people can just switch to a competitor, as Schmidt does, but how practical is that? Some companies do quite a bit to lock you in. You can argue about creepy advertising, but there’s a real tradeoff there. Some people like seeing relevant ads in certain contexts.

Government privacy concerns are pretty straightforward. They have the guns, so to speak. Even massive corporations like Google cannot prevent the government from accessing your information if the law allows it. Given the state of data privacy laws in the U.S., this is a pretty serious problem for almost every application that uses cloud computing.

EFF Satisfied With Amazon Silk

The EFF spoke with Amazon about their Silk browser, and they appear to be rather satisfied:

We are generally satisfied with the privacy design of Silk, and happy that the end user has control over whether to use cloud acceleration. But this new technology highlights the need for better online privacy protections. As companies continue to innovate in ways that make novel uses of–and expose much more personal data to–the internet cloud, it’s critical that the legal protections for that data keep up with changes in technology.

Read their whole article. It breaks down the primary privacy concerns and how Amazon Silk actually handles those situations. If you don’t regularly follow the EFF, they aren’t super easy to please when it comes to protecting users’ privacy, so this is a reasonably strong endorsement.

▶ The Privacy Implications of Amazon’s Silk Browser

This week Amazon introduced their latest creation: the Kindle Fire. One of the features of the Kindle Fire is a new kind of web browser called Silk. Here’s a video explaining how Silk works:

Silk effectively splits a traditional web browser into a front end that’s running on the local machine and a back end that’s running in the cloud. Chris Espinoza describes it thusly:

The “split browser” notion is that Amazon will use its EC2 back end to pre-cache user web browsing, using its fat back-end pipes to grab all the web content at once so the lightweight Fire-based browser has to only download one simple stream from Amazon’s servers. But what this means is that Amazon will capture and control every Web transaction performed by Fire users. Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet. People who cringe at the data-mining implications of the Facebook Timeline ought to be just floored by the magnitude of Amazon’s opportunity here. Amazon now has what every storefront lusts for: the knowledge of what other stores your customers are shopping in and what prices they’re being offered there. What’s more, Amazon is getting this not by expensive, proactive scraping of the Web, like Google has to do; they’re getting it passively by offering a simple caching service, and letting Fire users do the hard work of crawling the Web. In essence the Fire user base is Amazon’s Mechanical Turk, scraping the Web for free and providing Amazon with the most valuable cache of user behavior in existence.

From the technical descriptions of Silk that I’ve seen, this is pretty accurate. Espinoza later updated his post to say that he doesn’t believe this is a privacy concern:

(9/28 8:45 PST Removed “privacy and.” The piece is about data mining and aggregation, there’s no argument about privacy concerns at all, but people are reading that into it.)

I disagree. Only someone who doesn’t understand the current state of privacy law in the United States would make such a statement. Essentially, by splitting the browser such that all traffic flows through Amazon, they are operating as an ISP. ISPs have numerous privacy concerns. For example, what if the government asked Amazon to provide records of every user who visited a particular website? Currently, this request would fall under something called Third Party Doctrine. Tim Lee describes it as…

the legal principle that, in effect, you lose your Fourth Amendment rights when you relinquish information to a third party. The doctrine has become increasingly important with the rise of modern technology because we now entrust a host of private data — including our email, cell phone calling data, credit card transactions, and more — to private companies, and the third party doctrine would seem to suggest that Fourth Amendment protections would not extend to such information.

The government doesn’t need a warrant to obtain records disclosed to a third party. If it sounds incredible to you that the government wouldn’t need a warrant to obtain something as sensitive as everything you’ve done online with your new Kindle Fire, understand that the government can access your banking records without a warrant because your bank is a “third party” to the data. ISPs are third parties to Internet traffic, and Amazon would be a third party for all Internet traffic on your Kindle Fire. (For more information, please read Jim Harper’s description of how this situation came to be and what we could do about it.)

Om Malik, prompted by Espinoza’s post, got this response from an Amazon spokesperson:

“Is Amazon able to peer into its customer usage behavior and use that to offer services based on that data? For instance if you see thousands of your customers going to buy SeeVees shoes from say a store like James Perse at a certain price, can you guys use that data to specifically tailor the Amazon store and offer up deals on those very same pair of shoes?” – the answer is no, as you can see in our terms and conditions, URLs are used to troubleshoot and diagnose Amazon Silk technical issues. Moreover, you can also choose to operate Amazon Silk in basic or “off-cloud” mode. Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers. As a reminder, usage data is collected anonymously and stored in aggregate, and no personal identifiable information is stored. It’s also possible to completely turn off the split-browsing mode and use Amazon Silk like a conventional Web browser.

Notice that Amazon says they can’t “peer into customer usage behavior and use that to offer services based on that data.” If this reminds you of Dropbox’s original privacy claim that “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password,” then you’re not alone. Christopher Soghoian showed that Dropbox could access your files. There are no technical limitations preventing Amazon from using customer usage behavior for whatever they want, just as there were no technical limitations preventing Dropbox from accessing your files. Amazon’s Silk browser will know what websites you visit and what you do on those websites. Amazon will have access to this data. What proof will users have that Amazon isn’t doing whatever they want with that data? Amazon’s terms and conditions basically amount to trust, but “trust me” isn’t enough. This data is too important: emails, financial records, medical records, relationships with friends, and everything else people do on the Internet.

Even if all your browsing data was anonymized prior to being sent to Amazon, anonymous data collection can still violate privacy principles. Bruce Schneier wrote a great article for Wired about anonymized data sets that were publicly released back in 2007. He made this point, which I think is particularly relevant for Amazon’s new Silk browser:

Like everything else in security, anonymity systems shouldn’t be fielded before being subjected to adversarial attacks. We all know that it’s folly to implement a cryptographic system before it’s rigorously attacked; why should we expect anonymity systems to be any different? And, like everything else in security, anonymity is a trade-off. There are benefits, and there are corresponding risks.

Security advocates don’t accept encryption algorithms that aren’t publicly available and haven’t gone through rigorous testing. Privacy advocates shouldn’t accept anonymization algorithms that aren’t publicly available and haven’t gone through rigorous testing. Arvind Narayanan and Vitaly Shmatikov demonstrated this well with the Netflix datasets.
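The point above is that an anonymization scheme needs to be tested against an adversary before it ships. One minimal, publicly known test a privacy engineer can run on a “de-identified” browsing log is a k-anonymity check: after direct identifiers are removed, how many records share the same combination of quasi-identifiers (location, device, time)? A record that is unique on those fields can be linked back to a person with outside data, which is exactly the linkage problem Narayanan and Shmatikov exploited. The example below is added here and is not Amazon’s, Pinboard’s, or the post author’s code; the log records, field names and the generalization rule are constructed for illustration.

```python
from collections import Counter

# Constructed sample of "anonymized" browsing records: names and account ids
# have already been removed, but zip code, device and hour of day remain.
RECORDS = [
    {"zip": "30601", "device": "Fire", "hour": 9,  "url": "bank.example/login"},
    {"zip": "30601", "device": "Fire", "hour": 9,  "url": "news.example"},
    {"zip": "30601", "device": "Fire", "hour": 10, "url": "shop.example/shoes"},
    {"zip": "30601", "device": "Fire", "hour": 10, "url": "mail.example"},
    {"zip": "30605", "device": "Fire", "hour": 22, "url": "clinic.example/results"},
    {"zip": "30605", "device": "Fire", "hour": 23, "url": "news.example"},
]

# Quasi-identifiers: fields that are not identifiers on their own but can be
# combined with outside data (a billing address, a known schedule) to re-identify.
QUASI = ("zip", "device", "hour")


def project(record, quasi):
    """Return the quasi-identifier tuple for one record."""
    return tuple(record[q] for q in quasi)


def equivalence_classes(records, quasi):
    """Count how many records share each quasi-identifier combination."""
    return Counter(project(r, quasi) for r in records)


def k_anonymity(records, quasi):
    """The dataset's k: the size of the smallest equivalence class.
    k == 1 means at least one record is unique on the quasi-identifiers."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def unique_records(records, quasi):
    """Records that are alone in their equivalence class, i.e. directly linkable."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[project(r, quasi)] == 1]


def generalize(record):
    """One constructed generalization rule: coarsen zip to its first three
    digits and hour to a part of day. Coarser quasi-identifiers put more
    records into each class at the cost of analytic precision."""
    h = record["hour"]
    if 6 <= h < 12:
        part = "morning"
    elif 12 <= h < 18:
        part = "afternoon"
    else:
        part = "night"
    return {**record, "zip": record["zip"][:3], "hour": part}


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RECORDS, QUASI))
    for r in unique_records(RECORDS, QUASI):
        print("  linkable record:", r)
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_anonymity(coarse, QUASI))
```

On the constructed sample the raw log has k = 1: the two late-night records from zip 30605 are each unique, so anyone who knows one person in that zip code browses at that hour can attribute the clinic visit to them. Coarsening the quasi-identifiers raises k to 2. k-anonymity is a floor, not a guarantee: it says nothing about a class whose members all share the same sensitive value, and it does not address the sparse, high-dimensional data (ratings, full URL histories) that made the Netflix de-anonymization work. It is, however, the kind of adversarial check Schneier’s passage says should happen before the data is collected or released, and it is cheap enough to run on every export.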

Amazon also said that users could optionally cause Silk to operate as a conventional browser that wouldn’t use Amazon’s cloud to speed up the experience, but this option isn’t enabled by default. Defaults matter. Human psychology demonstrates this in numerous venues. Defaults are also particularly important for technology. The FTC has begun recommending a privacy by design approach, originally described by Ontario’s Information and Privacy Commissioner Ann Cavoukian, for technology companies like Amazon. Think tanks concur with this assessment. For example, the Center for Democracy and Technology said the following (emphasis mine):

The FTC should release a set of recommendations outlining the role that Privacy by Design can play in implementing a new set of comprehensive FIPs. These recommendations should emphasize the role of privacy impact assessments, privacy threshold analyses, the integration of PETs into product development, end-to-end lifecycle protection for data, and privacy as the default or as a clear, easy-to-understand alternative.

If Silk is set to the split-browser, cloud-based mode by default, then Amazon isn’t actively practicing privacy by design. No other browser operates like Silk. [Edit: This isn't true. As Charlie pointed out in the comments, Opera Mobile and Opera Mini use a split-browser architecture.] This is new and different, and it has important implications for privacy. Therefore, the privacy by design approach would be to operate as a conventional browser by default and provide users with an option to enable the split-browser, cloud-based mode if they wanted. However, it doesn’t appear as if that’s Amazon’s intention based on their comments to Om Malik.

Amazon has created a new technology with their Silk browser, and they should be applauded for building something new and different. Their Silk browser may speed up the web dramatically for Kindle Fire users, but users should know that there are tradeoffs involved to achieve that speed. In this case, the tradeoff is privacy. If the speed increase is substantial enough, then there are probably many people who would make that tradeoff when using their Kindle Fire. They could do their banking, emailing, or other sensitive surfing at a computer using their preferred security and privacy settings on a desktop browser. However, Amazon isn’t practicing privacy by design, and their terms and conditions are almost deceptive. Amazon should clearly state the technical safeguards put in place to ensure that user data is only used for troubleshooting, and the Silk browser should operate conventionally by default.

Paper-Based Violation of HIPAA

If you’re going to steal large amounts of personally identifiable information, then you’re almost always better off doing so digitally rather than attempting to steal paper records. People notice when boxes and boxes of records go missing. In fact, the entire plot of The Firm hinges on a rather intricate attempt to make paper copies of records that would be comparatively trivial to steal in a digital world.

Because of the problems of paper records, it’s really rare that you see huge paper-based violations of HIPAA. But apparently, it’s not impossible:

When Athens native Bobby Roberts placed a bid of more than $1,000 for the contents of a delinquent storage unit in Florence, he said he thought he was buying medical equipment and maybe old office files.

But on Sept. 10, when he opened the 20 or so boxes in the unit at Climate Guard Self Storage on Florence Boulevard, he discovered the boxes were filled with personal medical records from Digital Diagnostic Imaging Inc. Some were from as recently as 2009, while others dated to 2002.

Included on those records were not just medical details but patients’ Social Security numbers, addresses, phone numbers, insurance information and driver’s licenses.

Obviously, Roberts didn’t steal the records, but this is still a violation of HIPAA and the fault of the company that abandoned the records. Covered entities can’t just abandon paper-based records in a storage facility. It looks like Roberts is attempting to do the right thing with the records, but imagine what would have happened if someone else had won that auction.

Barnes & Noble Purchasing Borders Customer Data

It was basically inevitable. From Reuters:

Barnes & Noble Inc, which won the customer information of its bankrupt competitor Borders Group Inc at auction, says it should not have to comply with certain customer privacy standards recommended by a third-party ombudsman.

In court papers, Barnes & Noble said on Wednesday that its own privacy standards are sufficient to protect the privacy of customers whose information it won during an auction last week for Borders’ intellectual property assets.

Another fun snippet from the article:

Barnes & Noble rejected the consent requirement as “completely unrealistic.” The retailer proposed narrowing the recommendations to allow it to use its own privacy policy to govern the customers, which it said provides as much protection as Borders’ policy, if not more.

The stringent recommendations set out by Baxter could cause the assets to lose value, and puts the transaction as a whole “at risk,” Barnes & Noble said.

Assets. Oh Barnes & Noble, you know how to sweet talk your customers… Or are they even your customers if you had to buy their data from a defeated rival?

danah boyd on Teen Privacy

If you haven’t seen danah boyd’s Day 1 Keynote from Computers, Freedom, and Privacy 2011, you can find it on YouTube here:

She’s a fantastic researcher, and her talk is decidedly worth watching.

Banks as Groupon Competitors

Kashmir Hill has a fantastic post up on Forbes about how banks plan to compete with Groupon:

It’s a clever privacy work-around. Just as Facebook allows advertisers to specifically target certain kinds of users based on their profile information (without actually providing that profile information to the advertisers), banks plan to allow advertisers to send deals and coupons to their customers based on what they’ve bought before. That way, no user data actually leaves the network — instead, deals just enter the network. Each time a customer cashes in on one of those deals, the bank gets a commission.

Definitely read the whole post.

The idea of this as a ‘privacy work-around’ doesn’t completely sit well with me. There are a lot of folks who would consider this a privacy violation, but there are also a lot of folks who wouldn’t. Many bank customers would welcome these discounts since none of their personal information is being provided to advertisers, especially if it reduced some of the flat fees associated with their accounts. Still, I would probably prefer if these services are Opt-In rather than Opt-Out.

Communications Privacy in Tennessee

Tim Lee wrote about a new law in Tennessee that affects communications privacy over on Ars Technica. Most of the article deals with the First Amendment issues, but there’s an interesting development for communications privacy near the end of the article:

Another provision of the legislation governs law enforcement access to the contents of communications on social networking sites. The government can get access to “images or communications” posted to a social networking site by offering “specific and articulable facts,” suggesting that the information sought is “relevant and material to an ongoing criminal investigation.”

This section, too, faces constitutional problems. Julian Sanchez, a privacy scholar at the Cato Institute, tells Ars that “this is a lower standard than the federal Electronic Communications Privacy Act requires” for unread communications. More importantly, because Tennessee is in the Sixth Circuit, it is bound by that court’s Warshak decision, which held that the Fourth Amendment requires the government to obtain a full search warrant in order to access e-mail communications. “That case dealt with e-mail,” Sanchez said, “but there’s no good reason to think a private message on a social network site is any different.”

Electronic communications privacy continues to be under-protected from law enforcement access. The standard described by this law is stunningly low.

Pinboard vs. Urchin

Accurate bookmarks work best with a single canonical URL for any given page on the web, but analytics (given only a URL) work best if you either 1) mask your URL with a shortener, like bit.ly, or 2) add tracking parameters, like Urchin. Looks like Pinboard is going to take them both on for the sake of decent bookmarking:

Today I finally started stripping utm_* query parameters from all URLs arriving in Pinboard. They create needless URL bloat, erode user privacy, make it more difficult to identify duplicate content, and benefit ad publishers at the expense of everyone else. Out they go!

[snip]

Soon: death to URL shorteners!

Of course, the ironic part of this is that since Pinboard itself is a third party, you have to trust that they will protect the privacy of your stored bookmarks. Too bad this feature isn’t built into browser-based bookmarking…

(Note: I’m ignoring Hashbangs in URLs because, although they are controversial for bookmarking, they aren’t explicitly used as tracking features.)
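For anyone who wants the same behavior locally (in a bookmark importer, a browser extension, or a pre-save hook), stripping Urchin/Google Analytics campaign parameters is a small URL-rewriting step. The example below is an added illustration, not Pinboard’s code, and makes two design choices worth noting: it never decodes and re-encodes the surviving query string, so the canonical URL keeps the page’s original percent-encoding and parameter order, and it matches `utm_*` keys case-insensitively and after percent-decoding the key, so an encoded `utm%5Fsource` cannot slip past the filter. The sample URLs are constructed.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Parameter-name prefixes that only serve campaign tracking. Any key starting
# with one of these is dropped; everything else in the query string is kept as-is.
TRACKING_PREFIXES = ("utm_",)


def is_tracking_key(raw_key: str) -> bool:
    """True if a raw (possibly percent-encoded) query key is a tracking parameter."""
    return unquote(raw_key).lower().startswith(TRACKING_PREFIXES)


def strip_tracking_params(url: str) -> str:
    """Return url with utm_* query parameters removed.

    The query is split on '&' without decoding so that the remaining pairs are
    emitted byte-for-byte as they arrived; if nothing remains, the '?' goes too.
    The fragment is preserved, since it may address a location in the page.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url  # nothing to strip; return the input unchanged
    kept = []
    for piece in parts.query.split("&"):
        if not piece:
            continue  # tolerate "a=1&&b=2"
        key = piece.split("=", 1)[0]
        if is_tracking_key(key):
            continue
        kept.append(piece)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(kept), parts.fragment))


def group_duplicates(urls):
    """Map each canonical URL to the list of submitted URLs that reduce to it.
    This is the duplicate-detection benefit Pinboard describes: two shares of
    the same article with different campaign tags collapse into one bookmark."""
    groups = {}
    for u in urls:
        groups.setdefault(strip_tracking_params(u), []).append(u)
    return groups


if __name__ == "__main__":
    # Constructed sample of URLs as they might arrive from shared links.
    sample = [
        "https://example.com/post?utm_source=twitter&utm_medium=social&id=42#top",
        "https://example.com/post?utm_source=newsletter&id=42#top",
        "https://example.com/a?utm_campaign=spring",
        "https://example.com/a?q=hello%20world&UTM_Source=y",
        "https://example.com/a?utm%5Fsource=encoded&page=2",
    ]
    for canonical, originals in group_duplicates(sample).items():
        print(canonical, "<-", len(originals), "submission(s)")
```

Two limits are worth stating. Sites occasionally misuse `utm_` names for parameters that change the page content; a production importer should keep an allow-list of hosts to skip, and check the stripped URL still loads the same resource before discarding the original. And this does nothing for shorteners, the second half of Pinboard’s plan: resolving a bit.ly link means following its redirect over the network, and the shortener sees that request, so it is a separate step with its own privacy tradeoff.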

Texas vs. the TSA

Kashmir Hill has an article up on Fortune about the ongoing battle between the state of Texas and the TSA:

Upset about invasive screening techniques at the airport, the Lone Star State was considering a bill that would make a TSA patdown that involves touching “the anus, sexual organ, buttocks, or breast of another person including through the clothing” a misdemeanor, allowing Texas law enforcement to arrest TSA officials and charge them with sexual harassment. It would have meant that TSA officials could be fined $4,000 and spend up to a year in jail for doing their jobs of feeling up prospective fliers.

Texas ended up folding in the end. Still, I would rather see more states fighting for their rights and the rights of their citizens. Also, I love Ben Brooks’s suggestion to pass a law requiring airports in Texas to opt-out from using the TSA.