Fri February 8, 2013
Tracking Privacy and Ownership In An On-Line World
Originally published on Mon February 11, 2013 10:03 am
JOE PALCA, HOST:
This is SCIENCE FRIDAY; I'm Joe Palca. Do you ever get the feeling you're being watched? These days if you're not careful, your phone knows where you are, and there's a good chance somebody else does, too. Or you've noticed that the ads on sites you visit are starting to look a little too personalized, like how did they know I was planning a vacation to New Orleans.
We share bits of information, and there's a good chance someone out there is collecting it and trying to find a way to use it. So do we actually have any control over our own data? What about the things we buy? Why can't I unlock my smartphone? I bought it, right?
Well, joining me to talk about those issues and others is Khaliah Barnes. She's the administrative law counsel for the Electronic Privacy Information Center, EPIC, here in Washington, D.C., and she joins us in the studio. Welcome.
KHALIAH BARNES: Thank you, thank you for having me.
PALCA: So this is a big issue, but sometimes I wonder if people are even aware of it. Is that something you have to - I mean, do people come to you with questions, or do you have to go to them and say you should be asking questions?
BARNES: It's a little bit of both. It seems like the public is increasingly aware of various privacy threats. But also our organization, EPIC, does a lot to educate the public on pending legislation on rulemakings, on just how to navigate.
PALCA: So what is pending? What is coming up that the public needs to be aware of?
BARNES: Well, one particularly interesting public opportunity for people to comment is a federal agency, the National Highway Transportation Safety Administration, has mandated that in 2014 your car will need to be equipped with little - we call them black boxes, even data recorders.
PALCA: Like what they have on airplanes.
BARNES: Correct, and the agency is interested in having one of these recording devices for safety purposes. They want to know if your car has a crash, was it a manufacturer error. However, this technology raises obvious privacy threats because it can tell where you are going, at what speed you are going, et cetera. And you can be sure that other people are interested in that information: Your insurance companies, law enforcement, et cetera.
PALCA: Wow, yeah, you're right, those are things that are not so obvious. If you have questions for Khaliah Barnes, give us a call. Our number is 800-989-8255. You know, but that raises the question in my mind, you know, there are - this privacy question about red light cameras, for example, where people had their pictures taken because they went through a red light, isn't there a public good for having this information to be weighed against the privacy question that's raised by it?
BARNES: See, the interesting thing is modern privacy law is really about our ability to control and own our information held by others. So we choose to make certain information available. We choose to be out, you know, on the public streets, et cetera. But it matters how this information is used.
So it's - you know, it's a perfectly legitimate purpose for agencies to say, you know, was somebody speeding, did someone go through this light. But what's not an appropriate use is then to take that license plate and put it in a database and just have it just in case this license plate comes up again or just in case this person is doing something wrong.
PALCA: So are we able as a society to strike that balance? Have we struck it properly, or are we erring on one side or the other?
BARNES: Increasing, it's becoming harder to control and own our data because privacy policies, as everyone knows, are constantly changing. Your consent today may not be your consent tomorrow, and even if it was, even if you said, you know, I fully understand all of the privacy terms with Facebook, although I've never heard anybody say that, we know that in a matter of weeks and a matter of months that will change.
So it's definitely getting harder for individuals to, as you said, strike the right balance.
PALCA: I just, you know, I can't get over the fact that this data - companies seem to be being very subtle about how they sneak it in that they know something about you. Is there any way to out companies that are advertising to you and say how did you know about this?
What's a more appropriate tactic is in a case by case scenario. Yes, you can disclose my picture to these many friends, yes, you can have this wall posting. But what's not OK is me saying yeah, OK, collect this information because I want to know the nearest restaurant, and then my locational information is then given to law enforcement or another service I'm not interested in.
PALCA: I just - I can't - I mean, I have to say I totally love walking in a strange city and saying where's a bookstore, and I look at my phone, and it tells me where a bookstore is. I just - that so amazes me that it's a possibility.
BARNES: That's good, and there are definitely, of course, good uses to the technology, but what's happening is when that information is collected and further disclosed without your consent.
PALCA: Well, it's - yeah, it's keeping sense of what you're getting and what you're paying for. Well, let's see what things our callers are concerned about, and let's first go to Scott(ph) in Palo Alto, California. Welcome to SCIENCE FRIDAY.
SCOTT: Thank you very much. I've got a question about what I call analytics. You know, Google offers an interesting thing for advertisers called Google Analytics, I believe. And it breaks down a lot of data for them. And I wanted to know: When will the ball get rolling on user analytics, when all of the data that's currently being collected on us and given to other people, when that will be available, legally even, to the users to analyze their own metrics, the way they use their phones, how they travel, how they communicate because we all have our face stuck in a phone, but we know very little about the nuances, about how we create and consume data. I just wanted to get your input.
PALCA: Sure, thanks, Khaliah, what about that?
BARNES: Well, thank you for that question. There are certain - there have been certain initiatives to happen. I mean, you have Europe versus Facebook, where basically members and individuals, and Europe said hey, you're collecting all of this information, basically getting to what Scott was saying, analytics, and I want to know all of the information that you have.
But I feel, unfortunately, that it may be a long - a bit of time before the U.S. really wholeheartedly embraces that. Now you have certain laws that do allow for that information. For example when we're talking about children, we have COPPA, the Children's Online Protection - Privacy Protection Act. And parents are allowed to access the type of - the information that a website has collected about their child.
So in certain arenas, we're moving towards that, but I'm not sure when all industries will be onboard.
PALCA: How about in health care? Has that industry been out front? Have they been leading the way in this?
BARNES: In the healthcare front there have definitely been some advances, recently with the health insurance portability, accountability act, or as we love to say, HIPPA, they've recently - stronger rules have been issued about use of health information, disclosure of that information.
And what's really important, it's very subtle, breach notification because...
PALCA: What's that?
BARNES: So what happens is you give your information to a company, and maybe they experience a security breach. These rules increase when you should be notified and et cetera because oftentimes companies collect the information, they've been hacked, and maybe they're reluctant to tell youu, or maybe they tell you down the line three months and now...
PALCA: In very fine print at the bottom of a letter, yeah.
PALCA: Yeah, wow, that's - it's - well, the issues that we haven't thought about are probable even more interesting than the ones we have. Let's take another call now and go to Tyler(ph) in Dover, Delaware. Tyler(ph), can you hear me?
TYLER: I can, sir. How are you guys doing today?
PALCA: We're great.
BARNES: Good, thank you.
PALCA: What's your question?
TYLER: Well, in regards stuff like vehicular monitoring, regarding stuff like the black box scenario, as they role those out to, you know, cars in productions for consumers, are they also rolling them out for things like government agencies? We've all seen that cop, you know, kind of ease through the stop sign or maybe run through a yellow light that, you know, was five or so miles an hour over the speed limit further than we thought they would be comfortable with us going, that type of thing.
So is it a blanket rollout, I guess is my question, or is it going more to just consumers?
BARNES: Well, the mandate will be required for certain light vehicles that will be equipped with this information. Now there's not an explicit, to say, you know, this is only for consumers, this isn't for law enforcement access. If all of the cars are required to have it, then this would also be for law enforcement.
But what's interesting is at least 13 states are ahead of this. Thirteen states recognize that this technology is already being used, and they're ahead of it. They're saying the driver owns his or her data. No one should be able to access that without his or consent except for in certain circumstances. This shouldn't just be given carte blanche to law enforcement or to insurance companies.
PALCA: Tyler, I'm sorry, Tyler are you also - do you work for the government? Is this a particular professional concern of yours?
Tyler, I'm sorry. Tyler, are you also - are you - do you work for the government? Is this a particular professional concern of yours?
TYLER: I don't, actually. My current situation has me in a rental on a regular basis, and that was another spin to it as to whether or not, you know, if you're monitoring the vehicle, obviously you're not monitoring the driver of said rental car necessarily, just the way the vehicle itself is driven. That kind of falls to another outlier in the situation. But, no, my personal experience - in Delaware, for example, we have a lot volunteer fire department members. You know, you'll see the guy with the blue siren doing 95 miles an hour to go somewhere hopefully to a fire, maybe to dinner.
PALCA: I don't think we want to use this technology for that purpose, I'm just saying. Tyler, thanks very much for that call.
PALCA: Sorry. I'm still getting to know this phone system. It's a little new. This is the question he raises. It really troubles me, this idea that there is so much to be learned from what kinds of behaviors are causing car accidents, for example, that it seems a shame to shut off access to it. And that's what really - where the nexus comes I guess between privacy and public utility.
BARNES: Exactly. And we recognize that there are legitimate purposes for this type of data collection. It's absolutely imperative to have emergency response in these types of situations. But what's not good is if other parties are able to access that information outside of the scope. So you say, yes, I want you to alert emergency response personnel, and I also want to know if there is a manufacturer error with my car. But I don't want you to give this information to my insurance, and my rates go up, or I don't want you just to give this information to law enforcement just so I can get a speeding ticket later.
PALCA: So what about this - what about things that are coming - can anybody successfully - has anybody successfully challenged these kinds of things? They say, hey, my privacy was violated. They'll say, well, we told you on line 317 of the contract you signed, and they say, look, a reasonable person wouldn't have seen that, and we're going to fight it in court. Has that come up at all?
BARNES: You definitely have issues with the FTC, for example. So a company may represent that it's only going to collect a certain amount of information, and the FTC initiates an investigation, oftentimes by complaints, consumer complaints. EPIC does a lot of those to say actually you need to look closer at that. And if the FTC finds out that actually, you know, company X collected information in excess of what it was doing, or it disclosed information for purposes that it didn't initially inform consumers, there are repercussions.
In that scenario companies are forbidden from doing that behavior in the future. There are also fines involved. So yes, but it's happening so fast. And the problem with privacy - and it goes with the privacy breaches - it's oftentimes way after the fact. You didn't know that your information was collected for that reason.
PALCA: We're talking with Khaliah Barnes of the Electronic Privacy Center, EPIC, about privacy of data. I'm Joe Palca, and this is SCIENCE FRIDAY from NPR. And let's take another call now and go to George in San Francisco. George, you're on SCIENCE FRIDAY. Welcome.
GEORGE: Thank you. Ms. Barnes, it would interesting to consider whether - what the state of the art is. Do you know of any cases that have worked their way through the legal system where somebody's data provides an alibi? In other words, if somebody says, well, we know that you were on your way to San Jose midday Friday on the 9th of February, and the party says, no, I couldn't have been. I was on my home phone talking to Ms. Barnes on SCIENCE FRIDAY. And that those would be mutually exclusive, therefore one would be afforded an alibi. Has any of this information gone that far yet that you know of?
BARNES: Well, certain - the state legislation that is looking at - we'll just use the example of the black boxes in cars, recognize certain uses for that information in court proceedings, but it's under extremely - for certain state laws - narrow circumstances. So it wouldn't just be enough to say I'm interested in this information just to go on a fishing expedition, but perhaps, if that information is necessary to resolve a specific matter in the legal proceeding, perhaps.
PALCA: You know what, I had an experience that was somewhat similar to that, and it worries me a bit (unintelligible) this is going to come up very often. But what happens if the data is wrong that that is supposedly recorded on you because someone said that I had gone through a toll plaza in upstate New York, and I was nowhere near New York. And it was because there was an offset in the date, somehow the date got corrupted.
BARNES: Exactly. And access, data access and amendment of data is very - a big topic in the privacy community because you have to think about the security of the technology. Is it able to be, as we like to call it, spoofed? Is someone able to log into the system and change that Joe actually - he was going at a different rate, or is someone able to access the technology for nefarious purposes and say that you were doing something that you weren't? And then, you know, you should always have the availability to access and amend that.
PALCA: Do you do anything, by the way, about these radio frequency bracelets that they're giving out some places? How do those work, and what are the issues there?
BARNES: Yes. That comes up a lot in the context recently of students' privacy. So RFID trackers, basically they can be - they're invisible. You can't see them. But let's use the example of being put into, like an access card, an access key card, and there's a reader separately to say I know where this individual is throughout this building. But obviously there it raises privacy threats because it can, you know, it can tell you innocuous things. This person is in office A. But depending - in the context of a school it can say, you know, the student is at the nurse's office. The student is in the restroom. The student is in a counselor's office. And as the Texas case brought up, there...
PALCA: Texas cases? I'm sorry.
BARNES: Oh, I'm sorry. Yes. There was a court challenge to an RFID tracker that a student was required to wear by being on campus, and she objected to this on religious ground. So RFID tracking is - it's increasing. Lots of schools are using it, and other trackers and biometric identifiers for students.
PALCA: OK. That question actually came from one of our tweeters, Erin(ph). And thank you for that question. She was actually talking about a trip to Disneyland. Apparently they're using...
BARNES: Ah, with the bracelets. Yes, they are.
PALCA: I know there are times when I wish I had that for my children.
PALCA: But I'll take it as - they're often gone now, so I don't need to worry so much. Khaliah Barnes, thanks very much for joining us.
BARNES: Thank you for having me.
PALCA: Khaliah Barnes is with the administrative law council for the Electronic Privacy Information Center in Washington. Transcript provided by NPR, Copyright NPR.