The event is free and open to the public:

• Tuesday, May 8, 2012
• 6:00-8:000pm
• UW-Milwaukee Union Theater (2200 E. Kenwood Blvd, 2nd floor)

Following the film, a panel of privacy advocates will discuss its implications, including:

• Emilio De Torre, Youth and Program Director, ACLU of Wisconsin
• Stacy Harbaugh, Communications Director, ACLU of Wisconsin
• Angela Maycock, Assistant Director, Office for Intellectual Freedom, American Library Association
• Michael Zimmer, Assistant Professor and Co-Director, Center for Information Policy Research, School of Information Studies, UW-Milwaukee

Lindell is one of a community of researchers studying ways to share this sort of information without exposing private details. Cryptographers have been working on solutions since the 1980s, and as more data is collected about individuals, Lindell says that it becomes increasingly important to find ways to protect data while also allowing it to be compared. Recently, he presented a cryptographic protocol that uses smart cards to solve the problem.

To use Lindell’s new protocol, the first party (“Alice” in cryptography speak) would create a key with which both parties could encrypt their data. The key would be stored on a special kind of secure smart card. Alice would then hand over the smart card to the second party in the scenario (known as “Bob”), and both parties would use the key to encrypt their respective databases. Next Alice sends her encrypted database to Bob.

The contents of Alice’s encrypted database cannot be read by Bob, but he can see where it matches entries in the encrypted version of his own database. In this way, Bob can see what information both he and Alice share. For extra protection, Bob would only have a limited amount of time to use the secret key on the smart card because it is deleted remotely by Alice, using a special messaging protocol.

The reporter of this article contacted me, asking for my perspective on the “societal implications” of this research. My quote:

Michael Zimmer, an assistant professor at the University of Wisconsin-Milwaukee who studies privacy and surveillance, says that Lindell is working on an important problem: “There can be some great benefits to data mining and the comparison of databases, and if we can arrive at methods to do this in privacy-protecting ways, that’s a good thing.” But he believes that developing secure ways of sharing information might encourage organizations to share even more data, raising new privacy concerns.

This is an active, and important, research area. (When I was at NYU, I participated in the PORTIA Project which did quite a bit of work trying to create similar solutions for privacy-protecting data mining.) But I hadn’t really thought about the concern expressed above until reflecting on it for this story. As I told the reporter, if new information-sharing activies emerge as a result of this kind of research, there will be great pressure on ensuring any new protocol has been sufficiently tested to ensure that re-identification is truly impossible.

And, as we’ve seen, that’s a large and difficult task.

Information is leverage. Information is power. Information is Maltego.

These are the catch-phrases for a South African company that recently released an affordable, user-friendly data mining tool called Maltego, bringing powerful data-mining technology to the masses.

While targeted mostly to forensics and information security professionals, it is not hard to see how such a tool could be easily deployed to mine the vast amounts of personal and identifiable data people are increasingly sharing in the Web 2.0 world. No longer is it necessary to have the computational power or singular repository of data of Google or Amazon. With Maltego, anyone can scan “open data repositories” on the Web and compare the results with their own data.

Some examples of possible uses of Maltego is provided by a recent Forbes article:

Worried about information leaks your company? Input lists of employees from your rival companies, and Maltego can graphically depict how they might be related to your employees. It can also provide likely e-mail address, phone numbers and personal Web sites–and then use this information to add a new layers to the investigation.

…Curious what’s being written about your company on blogs? Try the Technorati.com transform, and parse out all the most common related tags and keywords. Or try the Spock.com transform, which queries a database billed as “the world’s leading people search engine.” Search yourself or your neighbors; Maltego’s approach is agnostic.

Agnostic, indeed. About the only restrictions placed on the use of Maltego is to refrain from performing illegal acts with the software, and to not use it for generating spam. Other than that, we are encouraged to use Maltego to collect and mine “information posted all over the internet” and uncover “hidden” information and relationships, whether “it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits.”

While some recognize the potential privacy and surveillance concerns with the fact anyone can download a free version of such a powerful tool (and the full-featured version is only $430), others make that old argument that there’s no need to worry since “Maltego doesn’t snoop into closed data repositories, but instead mines publicly available data.”

Another potentially privacy-invading tool cast aside becuase it merely is using data that is already public in the first place. Sigh.

According to The Times, the bill “would make it a crime… for certain Web companies to use personal information about consumers for advertising without their consent.” Looking at the actual text of the bill, it unfortunately isn’t quite that sweeping or clear cut. Much of the proposed law is based on providing users the ability to opt-out of targeted advertising. For example:

5. Third party entities that collect or use non-personally identifiable information online for online preference marketing shall post clear and conspicuous notice on its website about its data collection and use practices, and each shall give consumers an opportunity to opt-out of online preference marketing.

Opt-out will always be a weaker form of consumer protection compared to requiring users to specifically opt-in to having their activities tracked. This merely maintains the standard (U.S.) practice of allowing companies to surveill and monetize user activities as the default, making it the exception if a person seeks privacy protection. (For general comparison to E.U. privacy protections, see my essay “Privacy Protection in the Network Society: “Trading Up” or a “Race to the Bottom”?”)

Additional concern with this language is the interpretation of “clear and conspicuous notice.” Would providing this notice in a website’s terms of service suffice? Even if links to the TOS aren’t visible on the typical pages users view? (For example, Google’s TOS is found only if you click on “About Google” from its homepage or a search results page)

The bill is a bit stronger when it comes to the practice of linking generally anonymous information with personalized information, such as a name or e-mail address. For example:

14. (a) Notwithstanding subdivision four of this section, third party entities shall not merge personally identifiable information with information previously collected as non-personally identifiable information, without the consumer’s prior affirmative consent to any such merger.

While requiring affirmative consent is preferred to an opt-out regime, I worry that this consent could be similarly buried in a site’s terms of service, which users tacitly “accept” when the service is used. Google’s TOS states, for example, that users accept their terms “by actually using the Services.” No prior consent is required — if you perform a Google search, you automatically have agreed to the TOS (even if that TOS isn’t even visible from the search results page).

The bill is strongest, however, in relation to a demand I have long made on Web search providers: let me see the data you have collected about my actions. The bill states:

17. Business entities shall provide consumers with reasonable access to personally identifiable information and other information that is associated with personally identifiable information retained by the third party entity for online preference marketing uses

The press seems to have missed the importance of this section. If passed, the law would require Google, Facebook, DoubleClick, etc to provide me access to the personally identifiable information “and other information that is associated” with my user account stored in their databases.

This is a vital right for consumers to be able to protect their data privacy: having access to view your data is the first step towards regaining some control over the collection of the data in the first place.

As both a privacy advocate and someone who respects the research information scientists (such as Jim Jansen or Amanda Spink) are able to perform with these datasets, I share Soghoian’s internal dilemma:

As a privacy advocate and end user, I think the shift against sharing anonymized data is probably a good thing. After all, I don’t want some random student browsing through my search history, anonymized or not. However, if I take the end-user hat off, and put on my PhD student hat, then this is a really bad thing. Researchers depend on accurate data in order to do their work. Without the data, we don’t get new exciting research, and thus no new cool technologies. For the research community, this Netflix incident will be the final nail in the coffin of information sharing from the dot-coms.

Soghoian’s final point, that we’ve witnessed the end of the sharing of large data-sets for academic research, is troubling, if true. We need to find a way to properly anonymize data in order to prevent the squelching of valuable academic research, yet protecting the privacy and integrity of people’s online intellectual activities.

To that end, I recently attended an NSF-sponsored workshop on data confidentiality which focused on this very issue:

This workshop comes at a time when governments and organizations are struggling to expand research access to statistical and multimedia databases, while at the sametime as protecting the confidentiality of the individuals whose data are recorded and combating breaches of cyberinfrastructure security, especially those involving unauthorized record linkage and individual identification and harm. There has been a long tradition of confidentiality associated with statistical databases, but the ever-expanding cyberinfrastructure raises new and far more challenging questions about the protection of privacy associated with electronic databases involving individuals, families and other groups, and organizations.

The goal of this workshop is to bring together leading researchers in the area of privacy and confidentiality from diverse intellectual communities to share expertise and map out a broad research agenda to inform funding agencies and organizations responsible for database access and protection. Specific attention will be focused on understanding the tension between privacy/confidentiality and data utility, and understanding the role of auxiliary information (“extra” information known to the adversary) in defeating privacy objectives.

Among those at the workshop working on creating anonymous data-sets where researchers from Web search engine companies themselves, such as Andrew Tompkins and Ravi Kumar from Yahoo! Research, who presented their paper “On Anonymizing Query Logs via Token-based Hashing.” Similar work is being done by members of the PORTIA (Privacy, Obligations and Rights in Technologies of Information Assessment) project, of which I was affiliated.

Despite these efforts, many still maintain that truly anonymized data-sets are an impossibility. Unfortunately, they might be right. The work of Latanya Sweeney, for example, reveals that 87 percent of Americans can be personally identified by presumed-anonymized records listing only their birth date, gender and ZIP code. The researchers from Yahoo! also discussed how they could easily overcome the typical attempts to anonymize search records and server logs.

I am not a computer scientist, so unfortunately there is little concrete I can offer toward a solution to creating truly-anonymous data sets of user activities. And certainly, as a privacy advocate, I will always be quick to point out violations of user privacy even when those releasing the data have the best of intentions (as AOL and Netflix did). But I hope we can work towards a solution that benefits both communities.

UPDATE: Bruce Schneier has a related column in Wired, touching on many of these same issue.

This recent NY Times story, however, casts a cloud over any claim she might be able to make as an advocate for privacy rights. It appears that both Bill and Hillary Clinton have benefited from their close relationship to Vinod Gupta, founder of infoUSA, one of the largest brokers of personal information. You might recall that infoUSA was recently implicated in an investigation that found they had, perhaps knowingly, sold consumer data to telemarketing criminals who used it to steal money from elderly Americans.

I’m sure this story will get a lot of play due to the potential ethical violations of taking gifts during a campaign, but equally important is the nature of who the Clintons appear to be benefiting from – a privacy-violating information broker. This part of the story deserves additional attention.

…a wave of sophisticated computing and mathematical analytics that is moving into the mainstream. Fueling the trend are the digitization of information, ever faster and cheaper computing, and the explosion of online networks and data collection.

Sorry, Gray Lady, this isn’t some new thang. This has been going on or quite a while.

This is probably best argued in James Beniger’s The Control Revolution: Technological and Economic Origins of the Information Society. In this detailed history of the rise of technologies of communication and information processing, Beniger argues that modern information technologies, and with them the “information society,” began to take shape as long ago as the 1830s with the introduction of railroads, and fully materialized after 1880 with the onset of widespread industrialization. Because industrialization involved the large and fast flows of goods, it could not be managed without a high level of information technology (in which Beniger includes things like product standardization, bureaucracy and advertising, as well as the usual mechanical devices); and without proper management, it simply could not work. This need for large-scale management brought about the “Control Revolution”:

The Control Revolution developed in response to problems arising out of advanced industrialization: a mounting crisis of control at the most aggregate level of national and international systems, levels that had had little practical relevance before the mass production, distribution, and consumption of factory goods. (Beniger, 1986, p. 278)

Resolution of the problems created by advanced industrialization demanded new means of information processing and communication to control an economy shifting from local segmented markets to increasingly higher levels of organization – what Beniger labels the growing “systemness of society” (p. 278).

The growing “systemness of society” meant information began to replace industrial capital as the material base for our modern economy, and, well before the 20th century and digital computing, brought about our Information Society. According to Beniger, mass industrial processes and technology began to coalesce in the mid to late 1800s, beginning with landmark inventions such as the telegraph, typewriter, and telephone, extending into the early 1900s with the radio and, eventually, television. More recent developments such as computers, telecommunications, and presumably, the Internet, Beniger would likely argue, are not the radical milestones or emblems of the Information Society that the New York Times might suggest, but merely examples of the smooth continuation of the Control Revolution which began a century earlier. In other words, we have been submerged in this Information Society – replete with advanced information processing and data-mining – for quite a while now.

UPDATE: While the NYTimes seems to be celebrating the rise of data-mining in this article, they simultaneously publish an article warning that companies are selling vast these databases of personal information to thieves, despite evidence their services are used for fraud:

Vast databases of names and personal information, sold to thieves by large publicly traded companies, have put almost anyone within reach of fraudulent telemarketers. And major banks have made it possible for criminals to dip into victims’ accounts without their authorization, according to court records.

The banks and companies that sell such services often confront evidence that they are used for fraud, according to thousands of banking documents, court filings and e-mail messages reviewed by The New York Times.

Although some companies, including Wachovia, have made refunds to victims who have complained, neither that bank nor infoUSA stopped working with criminals even after executives were warned that they were aiding continuing crimes, according to government investigators. Instead, those companies collected millions of dollars in fees from scam artists.

This is criminal.

…advocates of geotagging, like Stewart Butterfield, co-founder of the photo-sharing Web site Flickr, contend that linking pictures to maps can lend a new dimension to photography. For one thing, it can help people make some sense of the mounds of photos accumulating on their hard drives.

”The value may not be immediately apparent. But 10 years from now, nobody who’s geotagging their photos is going to regret it,” Mr. Butterfield said. ”Most people have just one or two or three iconic photos of their grandparents. Now people are going to have tens of thousands of photos, and when that happens, every little bit of context helps.”

Abstent from the discussion, however, are concerns over privacy, data-mining and the levels of surveillance enabled by these tools. My next project…

Jetera would start with an airline’s information on individual passengers on board a given flight, drawing the name, address, credit card number and loyalty club status from reservations data. Through a process, for which it seeks a patent, the company would match the passenger’s identification data with the mountains of information about him or her available at one of the mammoth credit bureaus, which maintain separately managed marketing as well as credit information. Jetera would tap into the marketing side, showing consumer demographics, purchases, interests, attitudes and the like.Jetera’s data manipulation would shape the entertainment made available to each passenger during a flight. The passenger who subscribes to a do-it-yourself magazine might be offered a video on woodworking. Catalog purchase records would boost some offerings and downplay others. Sports fans, known through their subscriptions, credit card ticket-buying or booster club memberships, would get “The Natural” instead of “Pretty Woman.”

Privacy is (sort of) dealt with at the end of the article:

Jetera sees two legal issues regarding privacy and resolves both in its favor. Nothing Jetera intends to do would violate federal law or airline privacy policies as expressed on their websites. In terms of customer perceptions, Jetera doesn’t intend to abuse anyone’s privacy and will have an “opt-out” opportunity at the point where passengers make inflight entertainment choices.If an airline wants an opt-out feature at some other point in the process, Jetera will work to provide one, McChesney says. Privacy and customer service will be an issue for each airline, and Jetera will adapt specifically to each.

Unbelievable.

I certainly don’t have the training to analyze this decision from a legal perspective, but one commenter illuminates concerns with such a ruling:

This ruling is very troubling for the following reasons:

* The 4th amendment only applies to the government. According to this ruling, if a commercial entity collects information about you without a warrant the government may then search that information without any judicial review. Completely circumventing the 4th amendment. It is like saying to the police, “Well, you can’t look at the phone records of someone without a warrant—unless you pay someone to impersonate said person and get them for you and then query their database.”

I can just imagine the advertisements now: “4th Amendment getting in the way? We’ll get around it for you! http://privacy-schmivacy.us”

* Surrendering information to any given entity should not be the same thing as surrendering personal information to the government. Just because I’m willing to fill out some company’s form doesn’t mean that I would do so if I expected the government to gain free access to that info without just cause and judicial oversight.

* Information contained in commercial databases is often inaccurate. If law enforcement starts using credit histories, employer databases, and other data stores to query information no one will be held accountable if that information is not correct. At least with a government-run database the citizen can petition to have information about them disclosed and/or corrected.

* An innocent person that is wrongfully accused of a crime may never know the true source of incorrect data in any given non-government database. In a government-run database, all data comes from cited public sources (such as court documents, police reports, DOT records, etc).