Privacy in the Cloud, or Why Won’t Social Media Let Me Be Anonymous?!
I maintain several personalities on social media. I am a different person on Facebook than I am on Twitter than I am on Google+ than I am on LinkedIn, and I like to keep it that way. And even within particular media, I maintain multiple personas with different names and different passwords. I do this to keep my work life separate from my personal life, to be more efficient, to freely explore new technologies, and to reflect different interests. I also do this to explore the potential freedom to be anonymous on the Internet – to not be confined by gender, race, political belief, geographical area. Not to be profiled, categorized, boxed.
Imagine my surprise and concern when Google decided to combine my Gmail, Blogger, Google+, Google Talk, and other accounts as if they were all one undifferentiated account. And as if different names and passwords didn’t matter. And I discovered that Google had been archiving all my searches. And I found that Facebook had all along been keeping all my status updates. And I still cringe each time I log in and see a prompt asking me to complete my profile. Did you go to X high school? Since I don’t recall ever including that information anywhere on Facebook, How does it know?
And I am fed up with Facebook ads. Despite my best efforts at anonymity – I have no sex, geographic location, workplace, or other specific info in my profile, Facebook ads reveal that Facebook made a profile of me that does not match the profile I created for Facebook. Facebook apparently targeted me based on who I Friended, who Friended me, who tagged me in photos, the photos I posted, and what I’ve Liked. Facebook sends me political ads, when the persona I created is decidedly apolitical. And Facebook is convinced I’m in a particular city because it keeps sending me targeted ads for it. Never mind that I’ve resolutely not filled in the city where I live. Why won’t Facebook let me be a citizen of the Internet?!
Twitter also profiles me, but in different ways. I have one account where I maintain the same unexpressed geo-location. However, Twitter is targeting suggestions for who I should follow based on location. And people are following me based on that location. Twitter, like Google, is not keeping information from my different accounts separate. With Google, I’m concerned also whether, in some iteration, search results may be limited to where I am located with resources within my geographic area appearing on the first screen of results. This would be problematic especially as my work as a foreign and international law librarian involves locating resources beyond my local physical boundaries.
The result is that, on the Internet, I am who the social media I’m on say I am. Despite my efforts to maintain my privacy by creating a separate persona for each account, these social networks have created a package of information about me to sell to advertisers, and they gathered that information from all of the activity on all of my accounts. And I see ads only for what Facebook and Twitter think I am. I’m concerned that this social media profiling is keeping me from accessing information, keeping information from me, and limiting the potential I have to see and explore the world.
Developing laws and policies on privacy rights in the cloud could help strengthen my control over how my personal data/information is used by Google, Facebook, Twitter, and other social media and enable me to anonymously search the Internet. Below are selected U.S., foreign, and international resources on the topic.
- Natasha Singer, “Data Protection Laws, An Ocean Apart,” New York Times, 3 February 2013.
- Natasha Singer, “You for Sale: Your Online Attention, Bought in an Instant,” New York Times, 17 November 2012.
- Online Privacy Law: Part One (European Union), Part Two (selected jurisdictions) (Law Library of Congress, Global Legal Research Center, June 2012). Covers Australia, Canada, France, Germany, Israel, Italy, Japan, Netherlands, Portugal, Spain, Sweden, and the United Kingdom.
- Mobile Privacy Disclosures: Building Trust Through Transparency (FTC Staff Report, February 2013).
- Cloud computing, cookies y protección de datos (Seminario APEP-Derechotics, Valencia, Spain, 18 January 2013)(links to audio recordings).
- Privacy Risks and Public Benefits of Big Data (“Big Data and Big Challenges for Law and Legal Information” symposium, Georgetown Law Library, 20 January 2013; see also bibliography and archived video recording).
- Excerpts from the Bibliography (prepared by Marylin Raisch):
- Michael Bernstein, Blurry in Germany, OntheMedia.org (Aug. 12, 2011), http://www.onthemedia.org/2011/aug/12/blurry-germany (A podcast about privacy concerns over Google Street View in Germany and Europe, with contrasts to American concepts of privacy. Note that Google Street View currently blurs several types of sensitive images, including humans; see http://maps.google.com/help/maps/streetview/privacy.html.).
- Graham Greenleaf, Global Data Privacy Laws: 89 Countries, and Accelerating, Privacy L. & Bus. Int’l Rep., Feb. 2012,available athttp://ssrn.com/abstract=2000034.
- Graham Greenleaf, The Influence of European Data Privacy Standards Outside Europe: Implications for Globalization of Convention 108, 2 Int’l Data Privacy L. 68 (2012), available athttp://ssrn.com/abstract=1960299.
- François LeSieur, Regulating Cross-Border Data Flows and Privacy in the Networked Digital Environment and Global Knowledge Economy, 2 Int’l Data Privacy L. 93 (2012), available athttp://idpl.oxfordjournals.org/content/2/2/93.
- Privacy and Security for Cloud Computing (Siani Pearson & George Yee, Springer, 2013).
- Baker & McKenzie’s Global Privacy Handbook (2012 edition, with feature articles). Available in PDF.
- Fighting Cyber Crime and Protecting Privacy in the Cloud (European Parliament, Directorate General for Internal Policies, Policy Department C: Citizens’ Rights and Constitutional Affairs, 2012).
- A Global Reality: Governmental Access to Data in the Cloud : A Comparative Analysis of Ten International Jurisdictions (Hogan Lovells, 23 May 2012, updated 18 July 2012).
- Lothar Determann, “Social Media Privacy: A Dozen Myths and Facts,” 2012 Stanford Technology Law Review 7. Also author of Determann’s Field Guide to International Data Privacy Law Compliance (Edward Elgar Publishing, Inc., August 2012).
- Julie Brill, “Privacy & Consumer Protection in Social Media,” 90 North Carolina Law Review 1295 (2012)(Commissioner, U.S. Federal Trade Commission).
- User Data Requests (Google Transparency Report)(requests for disclosure of Google user data from governments and courts around the world).
- Watched (The Wall Street Journal Privacy Report).
- ECPA Reform: Why Now? (Digital Due Process on the Electronic Communications Privacy Act (ECPA)).
- Cloud Computing for Lawyers (Nicole Black, American Bar Association, Law Practice Management Section, 2012).
- Guidance on the Use of Cloud Computing (Information Commissioner’s Office (ICO), UK, February 2012).
- Policy Position on Online Behavioural Advertising (Office of the Privacy Commissioner of Canada, June 2012).
- Privacy in Cloud Computing (International Telecommunications Union (ITU), March 2012).
- Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (aka Consumer Privacy Bill of Rights or Consumer White Paper, The White House, February 2012).
- Emil Protalinski, “Germany: Facebook Like Button Violates Privacy Law,” ZDNet, 19 August 2011.
- Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (Federal Trade Commission, Dec. 1, 2010).
- Privacy and Data Protection: Report (South African Law Reform Commission, 2009)(includes comparative legal analysis).
- Françoise Gilbert, Global Privacy and Security Law (Wolters Kluwer Law & Business/Aspen Publishers, 2009- ).
- Global Privacy and Security Law (Bureau of National Affairs (BNA), 2004).
Journals, Newsletters, Blogs
- The Computer & Internet Lawyer (Aspen Publishers)
- Electronic Commerce & Law Report (Bloomberg BNA)
- Global Privacy Newsletter (Baker & McKenzie)
- International Data Privacy Law (Oxford University Press/Oxford Journals Online)
- Privacy and Information Security Law Blog (Hunton & Williams)
- Privacy & Security Law Report (Bloomberg BNA)
- Privacy Laws and Business International Report
- The Information Privacy Law eJournal (SSRN Legal Scholarship Network (LSN))
- World Communications Regulation Report (Bloomberg BNA)
- World Data Protection Report (Bloomberg BNA)
Organizations
- Article 29 Working Party (European Union)(see its Opinion on Cloud Computing)
- Protection of Personal Data (European Commission, DG Justice)(including reform of the EU data protection legal framework)
- Center for Democracy & Technology (CDT)(check “Surveillance and Security”)
- Center for Digital Democracy (CDD)
- Digital Due Process (coalition of privacy advocates, companies, and think tanks)
- Electronic Frontier Foundation (EFF)
- Electronic Privacy Information Center (EPIC)(check Cloud Computing & Online Tracking and Behavioral Profiling)
- International Association of Privacy Professionals (IAPP)
- International Conference of Privacy and Data Protection Commissioners (includes Personal Data Control and Regulatory Unit)
- International Conference on Computers, Privacy and Data Protection (CPDP)
- Pew Internet & American Life Project (see “Cloud Computing”)
- Practising Law Institute (PLI)(annual Institute on Privacy and Data Security Law, Cloud Computing, and Information Technology Law)
- Privacy International (UK-based)
A colleague used to have a good example of the danger of merging data from multiple sources.
In the days when birth control pills were very new, a programmer at a database company found he had partial access to a drugstore’s records. He selected the names of everyone who had such a prescription but found he didn’t have permission to see their addresses. He then joined his database with one from the local library, who also used the same company, and thereby created a list of women by name and address … to stalk.
As far as I can tell, the recommendations from LinkedIn for possible connections is pulled–at least partially– from my email. I thought for a while they were just friends of friends (or in this case, contacts of contacts, but there are definitely people not connected through others who *are* contacts in email. My guess is I typically have both open via browser at the same time and so it pulls that data in. I have no proof of this of course, but it is the only way I figure it could know.