After the first-day debate over the Do Not Track header at the Computers, Freedom, and Privacy 2011 conference (see “CFP 2011: “Do Not Track” Debate,” 14 June 2011), I managed to sit in on two other talks. The first, about teen attitudes toward privacy, was refreshing in that it’s clear that teenagers aren’t clueless; they have significant — if different — beliefs about maintaining a public/private split in their lives. The second, about data retention policies, is one of those CFP conference topics that can make the most rational of us start lining our hats with tinfoil.
Teens and Privacy -- First, Danah Boyd of Microsoft Research presented her ethnographic research on teen use of Facebook. Despite adult (and mostly parental) fears that “kids today” are letting it all hang out online, with no thought to personal privacy, her research shows that teenagers are acutely aware of the distinction between public, semipublic, and private spaces. Facebook is one of the few places where teens are allowed to enter into a semipublic space, and they do so with a great deal of thought and effort about cultural norms that apply in each of these spaces.
For example, Facebook posts and comments are used to create a semipublic arena for a group of peers who are mostly known to each other in real life. The norms and social rules for online spaces are largely negotiated between peers through extensive offline discussions; the transgressors aren’t usually their peer group, but parents and teachers using Facebook as a means of remote surveillance. One student Boyd interviewed said that she begged her mother to stop commenting on her Facebook posts; the appearance of an adult had the effect of chasing away comments from her friends. But since she was close to her mother, she invited her to send private messages when her mother wanted to comment on her activities.
Boyd’s research also dispels other common myths, such as the “pandemic” of teen sexting. Many of her interviewees report that the first time they’re exposed to sexting is when they borrow a parent’s cell phone, and come across texts and images sent by the adults that they’d really rather not see.
If you’re interested in significantly more detail about how teenagers think about online privacy, read Boyd’s draft paper “Social Privacy in Networked Publics: Teens’ Attitudes, Practices, and Strategies” (PDF).
Data Retention Policies -- Were you disturbed by the kerfuffle about your iPhone seemingly storing your recent location information (see “Apple Addresses Location Controversy Questions,” 27 April 2011)? If so, you probably don’t want to see this mashup of data collected by Deutsche Telekom about German Green Party board member Malte Spitz, who sued the firm for the data they had stored about him, then turned the information over to Zeit Online for publication.
It turns out that all cell phone companies need to have location information about your cell phone in order to route information back to you, and most store these records for a lengthy period of time. In the European Union, this is required by law; a 2006 EU directive requires telecommunications companies and email providers to keep various records for 6 to 24 months, depending upon the data in question. In the United States, there are no federal laws in place requiring data retention, so it’s largely up to the policies of individual companies — but a bill currently in the House of Representatives would require Internet data to be stored for 18 months, as a means of combatting child pornography, or so the sponsors claim.
Notably, the U.S. regulations above refer only to laws that are publicly known. It’s still rather unclear the extent of the information being captured under the PATRIOT Act, and whether such activities fall under any kind of oversight. So take your pick: either your monolithic telecommunications conglomerate has large amounts of data on you, or your monolithic government does. Most likely, both.
And if you’re wondering why this might be an issue, research by the MIT Media Lab shows that with access to recent data, your future activities over the next 12 hours — such as who you’ll meet, where you’ll be, and what you’ll be doing — can be predicted with 80- to 95-percent accuracy. Which raises the rather creepy idea that AT&T or the NSA might know what you’ll be doing before you do.
The EU legislation is up for review in 2012, and several bodies in the European Parliament are on record as stating that data retention policies, at best, cannot be proven to have a protective function. In the United States, the picture is much murkier, as no one has any information on which companies and government institutions have this data, or how long it is being retained — especially in regards to national security collection. But insofar as this debate is being held in public, Lee Tien from the Electronic Frontier Foundation says that the discussion is entirely “data-free,” with no research or claims being made as to the efficacy of any such measures for national security or anti-crime purposes.