News/Issue: Email Privacy (i know your a dog, you know your a dog, and everyone else does too)
In the most recent "Loose Wire", Jeremy Wagstaff's technology column for the Wall Street Journal, he writes about a number of creepy programs that haunt electronic mail systems by tracking information. He writes,
Scary stuff, and it gets even more frightening. He goes on to detail several such programs. One particularly troubling aspect of a program called DidTheyReadIt is its ability to track roughly where the recipient physically responds to the email.
Take, for example, the idea of software that checks whether someone has read your email. It sounds like a simple enough function: Send someone an email and then receive word, either via a separate email or program, when they've read it. Is that like sneaking a peek over a colleague's shoulder at work to see whether they've opened your mail yet, or is it no more creepy than sending something registered mail, so you know it arrived safely? And, depending on where you stand on that, how about if the sender could check how long it took the recipient to open the mail after it was sent? Or for how long he or she read it? What if all this was done without the recipient knowing?
My chills don't come from individuals reading my emails... I don't particularly want John and Jane Doe tracking when I open the musical E-Greeting card they send me for Christmas, but I'm not going to lose any sleep over it. Its corporations and employers that worry me. And its not just a slippery slope for a few reasons:
1. Trick or Treat: I've had a long standing discussion/argument with one of my friends about the right to privacy. His position, based on fairly extensive reading he's done (I'll figure out some of his sources, but its late right now and he's in new york and i don't want to call him) is that there is no right to privacy, or at least, not in the way its usually conceived. Technology, he argues, is advancing at such a rapid pace that surveillance techniques are outstripping any ability to catch up with the threats to privacy. You can try to use counter-surveillance techniques, but you'll lose that battle fairly quickly. The best thing to do is try to receive something in return for the invasion (example: i let gmail scan my email for advertising keywords, in return i get a gig of email to play around with).
In this vein of reasoning, the architecture that will govern the internet is the market- privacy will be balanced by incentives. One may disagree with the position, which creates the tough question of 'ok, what other options are there?' (a question i will address in a later post, but don't hold your breath, the other options might be pretty lame)
2. Boo: Ok, so our assumptions about corporations and privacy rights are probably fairly dismal... and this is the issue that I think should concern us the most. If programs like these continue to gain in popularity and public acceptance (Microsoft Outlook and Gmail as well as a few others have some features that allow tracking, but I don't believe they have anything that allows the sort of stealth tracking that concerns us here), then the legal precedents put into place for corporate email may extend into the private realm.
Why? The reasonable expectation of privacy, which is one of the founding pillars of a lot of legal work done in the realm of internet privacy. In Gerald Biby v. Board of Regents at the University of Nebraska et. al. and United States of America v. Eric Neil Angevine, the courts determined that students and faculty have no reasonable expectation to privacy using university computers. In cases involving Pillsbury, Microsoft, Diebol, and other corporations, the rule is generally that there is no reasonable exception of privacy of email sent across work systems (also you often forfeit your privacy by agreeing to the terms and agreements of corporate email systems). I'm lazy and don't want to link all the cases, but you can get a summary of a relevant cases at the internet library of law and court decisions' page on email privacy.
One interesting exception is Timothy McVeigh (no relation to the Oklahoma City Bomber). He was enlisted in the United States Navy as a distinguished officer for 17 years, and was discharged after someone saw the word "gay" on an AOL profile of McVeigh's. A chronology of the battle can be found here.
Ok, so certainly discrimination is a problem (which is why policies like 'Don't Ask Don't Tell' create considerable room for abuse), but do you really have a reasonable expectation of privacy on your AOL profile? Take for example a prospective employee. Googleing the person's name seems to be the quickest way to partially confirm relevant information (past work experience, academic records, ect.). What if, as I've seen happen, the employer stumbles across the employees personal blog or webpage, which has pictures of him/her doing illicit substances or acting illegally? Is that unreasonable?
3. Skeletons in the Closet: Even the so-called socially progressive companies are shifting the balance of privacy away from the consumer. In a piece by Mark Rasch of SecurityFocus in The Register entitled "Google's Gmail: spook heaven?" he concisely argues that,
Even though the configuration of the Gmail service minimizes the intrusion into privacy, it represents a disturbing conceptual paradigm - the idea that computer analysis of communications is not a search. This is a dangerous legal precedent which both law enforcement and intelligence agencies will undoubtedly seize upon and extend, to the detriment of our privacy.So yea... not good. The Electronic Frontier Foundation and EPIC's words to San Francisco are a pretty good way to start looking at integrating privacy concerns into what may become the dominant architecture of the internet in the near future.
To conclude? Right now, the market is the dominant force shaping the privacy debate, and while the occasional backlash against anti-privacy forces, its a losing battle. Privacy is not an intrinsically valued right on the internet - it is valued so much as there is a 'reasonable expectation' that it be valued - and technology is changing this criteria. So what might be better? Well, as long as we've accepted a market-based approach to privacy, lets make some clear standards of negotiation... let me have very clear opt-in protocols set up.
This is similar to the conclusion Lessig reaches in Code v. 2.0. I want to go further, focusing in on one of the caveats Lessig makes to the brand of privacy regulation he subscribes to- abuse. Privacy protects, but it also allows people and corporations to do a whole lotta unscrupulous things- a few examples of which I will go into further detail in my next post.