Friday, November 30, 2012

What is a Privacy Policy, and Why Do I Need One?

Before the advent of cell phones and the beginning of the Era of Mobile, most people in the United States used landline telephones when making phone calls, with service provided by AT&T, otherwise known as Ma Bell, or its many parts, namely Southwestern Bell, Pacific Bell, or one of the other Baby Bells. Local calls on your landline were free, but for anyone who watches the television show Law & Order, you'd know that the police have access to information about you that even you don't have access to; very often you'd hear the homicide detective Lennie Briscoe mention to his Lieutenant during the beginning of a case how Local Usage Details, or LUDs, for a witness or suspect matched (or did not match) the initial statement made to the police concerning the witness or suspect's whereabouts and calls to the victim in the hours and minutes leading up to and around the time of the crime. During the course of an investigation, the police identify a person of interest, a request for Local Usage Details for a specific individual is communicated to that individual's phone company by an investigating officer, and in response, a phone company employee retrieves said records and hands them over to the police, whereupon a comparison can be made by an investigator as to the veracity of what the witness or suspect may have said. LUDs also give the police a general impression about the person's calling behavior, i.e., who he or she would try to contact.

LUDs are only available to the phone company or the police; if you ever wanted to see your own local usage details, you are simply out of luck. In preparation for this blog post, yesterday, on November 29, in the afternoon, I called my phone company and asked how I might go about obtaining a log of all the local calls I made from my phone. I told the agent that I was interested in switching from flat rate service, where all local calls are free, to measured rate service, where you are allowed 60 local calls per billing period (measured rate service is cheaper). The agent I spoke to said that I would need to keep track of the local calls I make. The agent said, "We don't keep a running record of local calls you make that is accessible in mid-billing period." If you are on the measured-rate plan, at the end of your billing period, the telephone company does provide a simple count of the local calls you made in the previous billing period. However, if you wanted a log of when local calls were made, and to what numbers, the phone company agent told me I would need to get an attorney and have my lawyer subpoena the phone company for the records. LUDs are not available to you or me, unless you are willing to obtain a court order, which involves either hiring an attorney, or spending a lot of time on research and at the courthouse trying to figure out how to do it on your own (if such a thing is even possible).

Something similar to the procedure we see on Law & Order occurred recently in the war between Paula Broadwell and Jill Kelley over CIA Director David Petraeus (all three of whom are married is scandal enough). As UC Hastings professor Dr. Elizabeth Hillman so eloquently put it:

You know girls, they get jealous, and sometimes they threaten each other on email.
As Dr. Hillman explains below:
When the US government decides it wants some information, and there is a law enforcement basis for getting that information, email is a very easy-to-get-into source of private data...the government just has to ask the Internet service provider, like Google, for instance, these were Gmail accounts in this case, that the information came from, they just have to ask, and the ISP generally complies, if they consider it a reasonable request...You only go in front of a judge if you have to get a warrant, and right now we have a dated scheme of privacy protections that are in the Electronic Communications Privacy Act, which is a 1986 law. Right now, the way it's being interpreted by the courts, if an email is older than 6 months, there's no need to get a warrant from a judge. In that case, the FBI agent has the authority to make the decision, subject to the support of supervisors, depending on the extent of the resources that would be devoted to that. Information, if it's older than 6 months, is deemed not protected in the same way that other communications would be.
In this Age of Technology, companies like Google, Facebook, Apple, Amazon and Microsoft have moved up right alongside Ma Bell and its many Baby Bells in terms of the amount of information they have about how you use their equipment to try and communicate with others. These companies, along with Internet Service Providers like AT&T, Comcast, Time Warner Cable Internet, Verizon and many others, make the landscape more complex as to who has personal information about you, whether you have access to that information or not, and which information can be unlocked by a government agency requesting records and all the data associated with you. In many ways, Ma Bell's physical telephone network has evolved and been elevated from land to sky, expanding into "the cloud", as it were, encompassing the Internet and cell phone networks. Your usage of corporate products like free email and mobile devices can reveal so much more about you than a log of when phone calls were made and to what numbers. With these corporations in possession of such intimate information about you, your activities and behavior are very important when you understand under certain circumstances that information may be shared with other people. A privacy policy covers what happens with the information you entrust others with, and to a lesser extent, what will you do with the information people entrust you with.

My privacy policy for all users of my blog is, I will never share unique, identifying information about you with anyone, unless law enforcement presents me with a subpoena. However, since my blog is hosted with Google, if the government wanted information about any of my visitors, I would imagine they'd skip me and go straight to the source, to Google. Which leads me to my final, unsettling point. All our privacy concerns and handwringing over privacy policies may be moot, because everything we do and say may already be in the hands of the government. After 9/11, according to Wikipedia:

A January 16, 2004 statement by [Mark Klein, a retired AT&T communications technician] includes additional technical details regarding the secret 2003 construction of an NSA-operated monitoring facility in Room 641A of 611 Folsom Street in San Francisco, the site of a large SBC phone building, three floors of which are occupied by AT&T.

According to Klein's affidavit, the NSA-equipped room uses equipment built by Narus Corporation to intercept and analyze communications traffic, as well as perform data-mining functions.

According to Frontline:

The Patriot Act took our proposals to update surveillance authorities, and then it doubled or tripled those, and it took our proposals to update privacy protections for e-mail and such and took those out. So many of the same issues we had discussed at great length during the Clinton administration, had proposed in many instances to Congress, but my concern was it was an unbalanced package. It was all surveillance and no updating to protect civil liberties.

And when you say it took your proposal, the guts of the Patriot Act, in terms of electronic surveillance and wiretapping and eavesdropping, what did it do?

The Patriot Act did various things. Some of it was updating from a telephone-era language to Internet language. So before the wiretaps affected devices, but maybe we couldn't do wiretaps with software. Well, that didn't make sense anymore in the Internet age -- hardware, software, they should be the same.
What was your reaction to the warrantless wiretapping program that the president conceded existed?

This was enormous news. When The New York Times told us about the NSA wiretap program, for people like me, it was as though there was this alternate universe. We had thought we had a legal system and we knew what the moves were, and it turns out that the NSA was doing something entirely outside of that.

And yet the president says, "I authorized that." As a lawyer, as somebody who specialized in information technology and the law for a quarter of a century, what's your bottom-line take on this?

I was outraged. I tend to be fairly level in the way I approach things, and I had a sense of outrage that they would just disregard the law. The law said the exclusive authority for wiretaps were these other statutes, and the president looked at exclusive authority and said, "Except when I feel like it." It was as though the lessons of Watergate had been forgotten. It was as though the lessons of centralized executive power and the problems that come with that had been forgotten. And now the president just said, "I think I can do it my way."

So you're saying the president violated the law?

My view is that the president violated the law, yes.