The Web's Bushiest Site

If you happened to visit my blog on the 18th you know that I participated in the SOPA/PIPA black out. I was firmly on the opposition side because those bills are are simply bad policy. They are vague, burdensome of distributors, cruel in punishment, and lack judicial oversight. In fact, had they passed, I’m sure the resulting law would have been struck down in a fairly quick court challenge of constitutionality.

As a 25 year old that is socialized to Internet culture, there are a few generational/cultural divides that I observed during the public debate on SOPA/PIPA. These divides have come up in the past, they will come up again, and understanding them will be key to developing online intellectual property policy:

1.) Remix vs Hollywood – The backlash to SOPA was so strong because, in part, a whole culture felt threatened by a powerful industry from a different culture. Internet culture, and by extension the culture of Millennials, lives and breathes on remixing existing IP as a form of expression. Thus, many saw this bill as an attack on their form of expression.

2.) Market of Ease – Netflix and iTunes have done more this decade to curtail piracy than law or the RIAA/MPAA because they developed a business model from the consumer perspective. They knew that consumers wanted and expected easy and cheap access to media in the Internet age, and have been wildly successful because they are selling this ease of access to consumers. What happens when the industry does not sell easy access but instead dictates obstacles that a consumer must overcome? The consumer becomes a customer of pirates, because the ease of access offering of pirates is superior to anything else on the market. In the wake of the MegaUpload takedown it has been astonishing to see how many people outside of the US relied on pirating sites for access to American media because, in many international markets, there is no other provider of easy access to media.

A few weeks ago IBM released its 5 in 5 predictions – five technology trends that the company’s top scientists and executives predict will transform our lives within five years. Below is the video for prediction number 4 by Paul Bloom: The digital divide will cease to exist.

Being a tech and policy nerd, this one caught my attention. What is interesting about this prediction is the list of obstacles left out. Bloom is right to predict that the technology will exist in five years to eliminate the digital divide and do all sorts of cool things. That’s because the technology already exists.

Mr. Bloom fails to discuss what will change about the other obstacles of the digital divide – economics, politics, education – and how those changes will lead to increased access and use of Internet technology. These obstacles are very difficult. They involve competing demands for limited resources, tumultuous histories, complicated interests, and resource intensive practices. Technical innovation can help in addressing these obstacles. But in the end these obstacles are the result of human systems, not technical ignorance.

I am happy to see IBM involved in the digital divide discussion. The discussion needs technical leaders to supply technology, reduce costs, and customize products to varying cultures. However, the digital divide is about a lot more than just the technical difficulties of mobile Internet access. I hope IBM can learn from the mistakes of the One Laptop Per Child project and recognize that technological determinism is not a sound approach to solving the divide.

Last week Facebook enabled a new level of preference sharing, in which the site shares information about the music you’re listening to and the movies you’re watching on certain services that allow you to login via Facebook. As is common, the change has a number of people concerned about privacy, since it pushes a new and unexpected set of information about people into the public. Among these concerns, the Numbers Rule Your World blog at Junk Charts has argued that Internet researchers are among the few groups that will benefit from these changes.

I have to disagree with the idea that Facebook’s forced sharing is for the benefit of researchers. For starters, Facebook has never cared about appeasing researchers. They have usually been cold to the academic community, and the codes of their site (computer and legal) make it nearly impossible to gather data from the service for research.

Lets put aside Facebook’s relationship with research, and instead focus on the ethics of research. Ethical researchers won’t be very happy with this arrangement. It violates the research ethic of keeping information private and anonymous unless there is a compelling research interest to do otherwise. Ethical researchers wouldn’t be happy with forcing the information into the public so it can be observed, since it violates the core of research ethics: respect for individuals. While there are web researchers who don’t adhere to this ethic, there are many who do and apply it to their own research and the work of others. Even when data is out in the open, this ethic causes researchers to question the morality of collecting and analyzing public data without user consent, as seen in the case of Harvard’s 2006 Facebook study.

If Facebook actually wants to provide data to researchers, it would do so in a way that respects the ethics of research. Provide researchers with a means to request anonymous, private data about users who have consented to this form of searching. Don’t shove individuals’ data into the spotlight.

A couple of weeks ago the Interactive Advertising Bureau, one of the largest industry groups and self-regulatory bodies in online advertising, instated a new code of conduct for its members. In summary, the new code requires any IAB member site that collect information about users to display the logo to the right as an indication to users that collection is occurring, and to provide users with information about what is being collected and why.

While the new code of conduct has taken flack for not actually providing clear notice, this latest action by the IAB does bring some attention to the organization’s (beta) Opt-Out page. The Opt-Out page provides users with a way to request that IAB members not collect information about them for advertising purposes. The page, located at http://www.aboutads.info/choices/, is pretty simple to use: all you need to do is visit the page, make sure you are on the “All Participating Companies” tab, select the companies that you don’t want to have track you (or click “Select All Shown” to opt-out of tracking from all IAB advertisers), and then click Submit Your Choices at the bottom. Once you submit your choices, a cookie will be placed on your computer informing the companies you selected that you do not wish to be tracked. Aside form the Opt-Out page, the site includes information about online advertising (with an industry spin of course) such as how to adjust the privacy settings in your browser and the self regulatory principles of the IAB that are worth checking out.

Does it Work?

So the page is easy to use, but does it actually increase your privacy? Well, there are a few factors to consider that show the weaknesses of the opt-out page:

It applies to IAB members – which are a lot of advertisers to be sure, and includes most of the biggest advertising companies. Still, there are a lot of other companies and sites out there that are not IAB members, and thus are not affected by this Opt-Out page.

It relies on companies respecting your decisions – Between the IAB’s own enforcement and the threat of FTC legal actions, IAB companies have plenty of reason to not track you if you tell them not to. Unfortunately, the history of Internet privacy is full of examples of sites or companies not respecting the wishes of consumers, even when they have said they would. For that reason, some skeptisim is reasonable here, and personally I’m not yet ready to trust the intentions or ability of the IAB to respect my privacy decisions. This opt-out page allows you to ask that companies shutoff their tracking, which is different from the approach tools such as Ghostery take, which actually blocks information from being sent, and is an approach I’m more willing to trust right now.

It uses cookies – If you are concerned about privacy on the Internet, you probably have your browser set to not accept cookies/delete cookies when you close the browser/or delete cookies often. That means the Opt-Out page is pretty useless to the privacy concerned, since any choices set via the page will be lost within a short amount of time. This is a problem that engineers and policy makers have been discussing since Do-Not-Track became a big deal, and in my opinion it reveals a problem with how cookies are managed by browsers. The current cookie management model of the major browsers is built on an all or nothing choice – either have all cookies on and retained, or have all cookies off and deleted. Despite years of messaging about how bad cookies are, the IAB’s Opt-Out page shows that not all cookies are bad. Browsers need a more sophisticated cookie management system that allows a user to select which cookies can be kept for a long time and which should be deleted right away. Until that happens, the Opt-Out page might as well not exist, and users should instead use opt-out plugins like TACO.

It only applies to one browser on one machine – This limitation applies to many privacy protection tools, but it is an important one. If you submit opt-out requests in Firefox on your home PC, then tracking will still occur on IE on that PC, or Firefox on your laptop.

So Should I Use It?

The short answer is no.

Unfortunately, the Opt-Out page isn’t a reliable tool for privacy protection, mostly because of the cookie problem discussed above. This is especially unfortunate since this page is likely the result of hours of discussion involving IAB companies, the FTC, and consumer groups, and represents what I would like to believe is an honest effort by the industry to address privacy concerns.

Given the level of discussion and work going into Do-Not-Track, it is likely that the IAB’s Opt-Out page will merge with a browser based Do-Not-Track manager. Until that happens, privacy concerned consumers will have to continue to rely on third party tools to prevent companies from tracking them all around the Internet.

Its funny how quickly the weather has changed from summer to autumn, and how perfectly the fresh chill of fall arrived with the start of the school year. The University of Minnesota’s semester started a week ago. Friends are already talking about all of the reading they have to do. The days are getting shorter, the nights are getting cooler, and like geese who know it is time to migrate south I feel an instinctive need to buy books and flock to a lecture hall.

For nineteen of the last twenty years I have been in school. The one year I wasn’t in school, I spent fall applying to schools. For the vast majority of my years, school has been the structure of my life. It has set my schedule, defined commitments, created my goals, and provided me a social life. Through all those years, the structure of school has been remarkably consistent: September was always the “beginning of the year”; classes always lasted 4 or 9 months; my goal was always to understand a new topic or at least write passable papers and exam responses; and my friends were always among my classmates or housemates. Given all these years of repetition, its no surprise my natural response to fall is to think of school.

So I’m entering this September feeling a little sad and very anxious. Nostalgia is fueling the sadness, as this weather makes me think of friends and fun from past school years. But the sadness is little because I know I can and will see my old friends again. The anxiety comes in large part from the loss of this familiar structure. What schedule do I plan my life around now? I don’t know if I’ll be working on today’s projects and job for four months or four years.  How do I manage the myriad goals now presented to me? And as an introvert who works from home and coffee shops, where do I meet new friends?

The lack of structure is stressing me out now, but I know that will pass. The comfort of school comes with a lot of restrictions, restrictions that I have outgrown. I recognize the freedom I’m now living in. Once I embrace it, I know I’ll be able to define my life the way I want to. Without a school provided structure, I’m free to set my schedule, my commitments, my goals, and my social life. I have the freedom to create my own structure. But right now, that freedom is a little scary.

“… there is no way we should do business with companies that have agreements with stealth provisions and that aren’t intelligible. So how are we going to change the world? Make clarity, transparency, and simplicity a national priority.”

A year and a half ago, Alan Siegel described in less than 5 minutes why the problems of privacy and consumer trust run rampant on the Internet. That legalese that every website presents you doesn’t actually inform you of anything. It is a tool of websites to obtain legal authorizations and protection.

Privacy policies were not meant to be used this way. The FTC originally promoted privacy policies as a tool for informing consumers of the benefits and risks of using websites. Over the years they have evolved into dense blocks of text that are not only useless to consumers, they are harmful to consumers.

Why aren’t clear notices a national priority? Siegel thinks they should be. The FTC has stated again and again that consumer notices should be clear and easy to understand. Unfortunately, industry self-regulation bodies and Congress don’t seem to be as interested in presenting consumers with clear and transparent information.

Why aren’t clear notices a national priority? I think we should ask the DMA’s Consumer, Ethics, and Privacy department, or IAB President Randall Rothenberg. More importantly, we should ask that question to our Representatives and Senators. We might also want to ask, why is it OK for businesses to trick consumers? Why aren’t consumers treated with respect by our businesses and our government?

Chris Hoofnagle of UC Berkeley recently did a Q & A with the San Francisco Chronicle about federal policy regarding online privacy. He highlighted the rapid changes that occur in tracking practices and the great disadvantage most users experience in protecting their privacy online. Noting that when a user performs a privacy protecting action many sites either work around the protection or just completely ignore the user’s desire, Hoofnagle argues that federal policy should turn its attention towards data retention limits as a means of establishing privacy as an online default. I agree that retention limits should be implemented in some form, but I must respectfully disagree with the implied belief that it is time to give up on user involvement in privacy protection.

As new technology continues to challenge our definition and valuation of privacy, our society needs to have a public discussion on how privacy should react to technology and vice verse. In order to match our democratic values, this discussion needs to be as inclusive as possible. To this end, federal policy needs to raise public awareness of online privacy issues and educate citizens about new threats to privacy, as well as the benefits and consequences of lost privacy. If federal policy shifts to focus on regulations defined by law and rule makers, citizens will lose their place in the discussion of privacy and technology. Furthermore, by giving up on the idea that citizens are involved in creating their online privacy environment via choice and consent, they will be deprived of one of the only situations in which citizens are educated about online privacy and asked to think critically about its value. Our society is still coming to terms with the degradation of an important value. It is all the more important that as many people as possible develop a thoroughly considered opinion on privacy and be able to voice that opinion. Defining what privacy means as a social norm in this nation, and how regulation will reflect that norm, needs to be a nationwide effort, not the function of a handful of industry and government representatives.

The fact that companies disregard the voiced privacy choices of users should not be an impetus for removing users from the privacy protection system; it should be the subject of policy initiatives that fix the broken system. Many FTC enforcement actions regarding privacy have punished deceptive actions.  In my opinion, a company action that disregards a voiced privacy choice by a user is just as  deceptive as a company action that contradict its own privacy policy because users have a reasonable expectation that if a company offers opt-outs and accepts P3P or Do-Not-Track messages then it will respect the voiced privacy decisions of a user.  P3P failed not because of technical limitations. It failed because companies were not punished for lying to users via the protocol. This type of behavior should not be tolerated in matters of commercial interaction nor matters of privacy.

So lets keep our focus on P3P and Do-Not-Track. When companies choose to ignore those technical solutions lets not call that a failure of technology. Lets recognize it for what it is, companies hearing consumers and ignoring their voices.

I just put up a page with information on how you can stop websites and advertising networks from tracking you. As time goes on, I’ll update this page when I find new information or tools related to tracking.

Check out the page here.

Local Shared Objects, aka Flash Cookies, are pieces of data that Flash enabled websites save to your computer. Like the browser cookies that we are all familiar with, Flash cookies can save your preferences and keep you logged in to websites. Like browser cookies, they can also be used to track where you have been on the Internet – allowing sites to know if you have been visiting their competitors; allowing advertisers to build a data portfolio of your interests; and generally allowing anybody to piece together, to some extent, your browsing history.

Many websites use Flash for functions such as games, streaming video, displaying advertisements, and interactive menus. In addition, many websites use Flash to save backups of their browser cookies via Flash cookies. This is because browsers currently are unaware of Flash cookies, so their privacy settings and cookie deletion functions have no impact on Flash cookies. Additionally, anti-spyware programs currently do not search for these cookies. Thus, if you delete cookies though your browser or anit-spyware program, many Flash enabled websites can simply recreate the deleted browser cookies via the information saved in Flash cookies.

How to Get Rid of Them

Your browser can’t stop or delete Flash cookies. Fortunately, Adobe does provide a way for you to control some Flash cookie settings through the Flash Settings Manager (more information about the Settings Manager can be found here.) Changes made in the Flash Settings Manager apply to all browsers installed on your computer/OS, so fortunately you don’t have to repeat the following for Firefox, IE, Safari, Chrome, etc… Also, changes take effect immediately, so you don’t have to worry about saving settings or clicking any “Apply” or “OK” buttons.

In order to protect your privacy though the Settings Manager you must do two things: prevent new flash cookies from being saved to your computer; and delete existing flash cookies as well as the list of flash-enabled websites that you have visited.

Prevent New Flash Cookies

Step One: Go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html, the Global Storage Settings Panel.

Step Two:  On the slider presented under “Global Storage Settings”, drag the selector all the way to the left. The text to the right of the slider should read “None”, as below.

Delete Existing Flash Cookie Folders

Step One: Go to the Website Privacy Settings Manager at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html . Here you will see a list of all websites you have visited that have tried to or have successfully saved flash cookies to your computer, and you will have options to set individual privacy settings, delete website data individually, or delete all website data.

Step Two: Assuming you wish to delete all website data (include the folders and list entries for all websites,) click “Delete all sites”.

Step Three: Confirm that you wish to delete all website data.

Step Four: Repeat. Unfortunately, even though we have prevented sites from being able to save Flash cookies, Flash will still create a folder/list entry for any site that tries to save Flash cookies in the future. Thus, you will regularly (weekly) have to repeat steps 1 – 3 to prevent websites from tracking where you have been on the Internet.

The following is based on a comment I made on Digg yesterday. I don’t usually base blog posts so heavily on comments to social networking sites, but in this case I feel the comment on Digg captures my feelings on how many media outlets are damaging the public discourse and democratic process in the United States.

First some background. In a couple of segments on Fox News’s Fox and Friends morning show the hosts attempted to establish Iman Rauf, the leader of the attempt to build the controversial Islamic community center in lower Manhattan, as a terrorist sympathizer by discussing the possible financing of the community center by Middle Eastern figures and groups. The Daily Show quickly took Fox News to task over this by pointing out the logical fallacies Fox and Friends employed in order to convey its message of distrust. I’ve embedded the Daily Show clips in case you haven’t seen them, and they are also linked here: 8/19 segment and 8/23 segment.

This whole controversy centers on Fox News, and the comment below is in response to Fox News’s reporting, but the same comment can apply to any number of liberal and conservative media outlets that attempt to promote a particular ideology instead of simply reporting the facts in an unbiased manner.

The Comment:

The issue isn’t that Fox News is bashing their owner, or even that they are bashing a particular person. It’s that they are making serious accusations and advocating an ostentatious opinion on very flimsy logic that they are touting as full proof. If you are going to claim that somebody is a terrorist you better damn well have solid evidence of such. Showing that a person may have received money from somebody with a funny sounding name is not solid evidence; it’s an organization stretching to reach a conclusion based on the limited information they are willing to share. Stewart is bashing Fox for its poor logic and proving that logic’s fallacy by showing how that logic leads to an unfavorable situation for Fox News.

The other logical fallacy that this ordeal highlights is Fox News’s tendency to paint everything as only black or white, and to use very broad strokes. Fox’s narrative for years has been that someone/thing is either good or evil and that these are mutually exclusive categories. For years Fox has also categorized most Muslims, and virtually all Arabs, as evil while categorizing conservative Americans as good. The problem with this logical framework is that no person, group, or organization is exclusively “good” or “evil.” From the perspective of a given group (Fox News) some individual (Waleed bin Talal) is likely to perform actions that the group supports and that the group opposes. Within Fox’s logic that makes the individual both good and evil, but due to the mutually exclusive nature of the categories an individual can not be both good and evil. It’s a contradiction and it shows the fundamental flaw of trying to forever brand a person or group based on one action or political stance.

Furthermore, it shows the flaw of trying to paint things in such extreme lights. Very, very few people are truly good or evil. The vast majority of people are simply acting in self interest. Sometimes these interests conflict with other people. That doesn’t mean one person is inherently good while the other is evil. It also doesn’t mean that the two people have to hate each other or forever be in conflict. If the two people remain calm they can probably work out a mutually beneficial solution. But when the two people each have their own cheer squads making inflammatory statements, hatred results and solutions can’t be created.