Now, four days later, my wife had a chance to react to the notification she received from Facebook regarding my tagging her, and I thought I’d share a few more reactions to her attempt to opt-out of Places altogether.

First, it is important to note that until my wife took any action, my ability to check her into places in this fashion remained. She’s a busy person, and generally only checks her personal email account a couple of times a week. Today was the first chance she had to log in and view the message Facebook sent regarding my attempt to check her into the liquor store.

Notice how the email prompts you with an enticing green “Allow Check-ins” button, and only a smaller textual link to learn more about what this is all about. Remembering that I’ve been talking about Places around the house the past few days, my wife figured she didn’t want anything to do with it, so she just ignored the email altogether. I suspect many others would do the same, and as a result, there was zero opportunity here to adjust the privacy settings to prevent any future interaction with Places or fully opt-out of the feature.

Next, my wife decided to log into her Facebook account itself. She’s not all that active on Facebook, with her last meaningful update being a note in May about, coincidentally, my appearance on NPR’s Science Friday about Facebook and privacy. Thankfully, and to Facebook’s credit, upon logging in she was immediately met with a prompt to act upon my attempt to check her in to the liquor store.

Here, the two primary options are “Allow Check-Ins” and “Not Now”. There’s again a secondary text link to “Learn more”.  My wife, again, didn’t want anything to do with Places, and said out loud “how do I just turn it off”. Obviously, there’s no simple way of doing that from this prompt, as clicking “Not Now” just makes the prompt disappear, but nothing else happens. There’s no suggestion to go check out your privacy settings. Hopefully users will click “Learn more” to discover what Places is and their privacy options; but in the case of my wife (a very well-educated and web-savvy user), she just clicked “Not Now” and was left with nothing.

Thankfully, I suggested she go to her privacy settings to properly opt-out of the Places feature. But once there, she was met with what appeared to be the same array of privacy options that was launched earlier this year.

Looking more closely one notices, embedded in the light gray list of privacy options, a “Places I check into” category, withe a little question mark. Hover over that icon, and you learn what this item is about.

Following the prompt, my wife clicked on “Customize settings”, which brought her to another familiar page of privacy settings, again with no obvious indication of what new settings were added for the Places feature. After hunting, she finally noticed the “Places I check in to” and “Include me in “People Here Now” after I check in” options, which she modified.

And then she figured she was done.

Until I pointed out there were more privacy settings that required adjustment to fully opt-out of Places. Further down this page is perhaps the most important privacy setting: “Friends can check me in to Places”. She disabled this, wondering why it was practically hidden on the page, requiring one to scroll and really look for it.

Finally, I showed her how she had to go back to the main privacy settings page, then click on “Edit your settings” under Applications and Websites, and then click on “Edit settings” under Info Accessible Through Your Friends. Here, she made sure that “Places I check into” was not selected.

It took all these steps to properly opt out of Places. Not only was it confusing, but there was no guidance on how to navigate the myriad of settings required to opt-out. (I recognize there is a video and some information in the “learn more” links, but she didn’t want to learn more, just to opt-out.) Facebook provides no message when she first went into her privacy settings that there were new options that she should take a look at.

Overall, the process of completely opting-out of Places remains unintuitive and cumbersome. That’s poor privacy design, and Facebook should know better by now.

Note, too, that disabling check-ins by others does not affect previous check-ins. My wife’s name still appears in my original check-in to the local liquor store, as well as on the “friend’s activity” on the liquor store’s page, and, presumably, in Facebook’s database of who has been checked into that location. She must manually “remove tag” from each and every Places check-in that has occurred prior to her disabling the service….and no where was she proactively told she should do that. Over the days between launch and her eventual logging into Facebook to try to disable the service, I could have been checking my wife into dozens of places, each which would need to be located within her feed and removed manually.

Again, I think Facebook has done a better job designing Places compared to many of their recent product launches. But there is much to be desired for how they designed the privacy settings & user interface, and, in the end, it remains that users can be checked into places without their permission.

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Facebook has finally launched its location-based service: Places. Places allows Facebook users to “check in” wherever they are (or pretend to be) using a mobile device, and let’s their friends know where they are at the moment.

Facebook has tried to do a better job addressing privacy with Places compared to previous launches of new “features”. Particularly, Facebook brags that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.”

And while many applaud Facebook for the design of Places (the best design decision, perhaps, was to make check-ins visible to friends only by default, rather than everyone), there are some serious ways in which Facebook has fallen short in fully protecting user’s locational privacy.

The folks at EPIC, EFF, and DotRights have each done a good job outlining the primary concerns, and I don’t want to repeat them all here.

But as I’ve played around with the service, I’ve uncovered a problem with Facebook’s assertion that “no one can be checked in to a location without their explicit permission.”

While Places is largely an opt-in service — one needs to install and use it on a mobile device — anyone can be “checked-in” to any place by a friend. This can happen regardless of whether you use the service yourself. If you get checked into a place by someone, and you haven’t already authorized the service or these kinds of check-ins, you’ll receive an email asking if you want to allow check-ins by friends. Below is an email received by my wife when I tagged her as joining me at a local liquor store.

Given Facebook’s assertion that “No one can be checked in to a location without their explicit permission,” presumably my wife won’t be checked into this location until she clicks “Allow Check-ins” on this alert message.

She didn’t click, and hasn’t made any other changes to any of her Facebook settings. Yet, if any of my friends look at my Facebook feed, they’ll see the status update of my check-in at the liquor store, with my wife’s name there with me:

And her name also appears with my check-in on the location’s page automatically generated by the Places service:

So, where does this leave us?  My wife has not authorized me (or anyone) to check her into places. She doesn’t use the service. In fact, she wasn’t even at the liquor store at all.

Yet, I was able to tag her in my check-in, and all my friends now see her name linked with my check-in as if she was there. Granted, the check-in does not show up in her news feed, but it is there in mine, and I suspect if I had my privacy settings set to “Everyone”, then everyone would see my wife’s name as being checked into the liquor store.

UPDATE: I’ve tested having my settings on Everyone, and then looking at my feed from a dummy account I have (yeah, violating the TOS, I know). Here’s the screenshot confirming my wife’s name is visible alongside mine to the entire universe:

Recall Facebook’s claim that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.” My wife did not explicitly choose to become part of location sharing. She did not give any explicit permission to be associated with this location. Yet, there her name is, and anyone viewing my feed can now associate her with being at this location. It is unknown whether this association between her name/account and this location is logged within Facebooks databanks, and thereby available to be shared with marketers, handed over to law enforcement, etc.

This is a serious problem. Names and linked user accounts should not be associated — in any way — with a particular location unless they explicitly consent to it. Facebook needs to listen to its own rhetoric and make the necessary changes to protect user’s locational privacy. I should not be allowed to tag someone in a check-in unless they’ve taken the positive step of authorizing check-ins from friends. Locational privacy needs to be fully opt-in, not opt-out.

[I haven't yet checked to see if my wife's name will disappear from this existing check-in if she takes the affirmative step to disallow friends from checking her into place. I'll post an update once that happens] See this post where I detail the steps it took for my wife to opt-out, and that her attachment to this particular check-in remained.

UPDATE: TechCrunch just posted a similar discovery, and they don’t seem all that worried about it, noting that “Facebook treats this as if you were tagged in a basic status update.” But there’s a meaningful difference between simply being tagged in a status update, and having your location unknowingly disclosed in a status update. And this is the critical issue that Facebook again has misunderstood: tagging someone’s geographic location is not something to be treated like every other Facebook activity.

UPDATE: There’s been assorted media coverage of my discovery and our subsequent discussion: MSNBC.com, MediaPost, SC Magazine, CBC News.

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Last week, however, this all changed. Google announced two new “features” in Latitude: Location History and Location Alerts.

Location History allows users to opt-in to having Google keep a history of their locational data tracked by Latitude. Only you can see it, and you can remove items from your history, which is great. But for everyone who activates this service, there’s now a log in Mountain View of everywhere your cellphone has been, a log that could be shared with third parties in according with its privacy policy.

More people might activate Location History when they learn about Location Alerts, a service that notifies you if a friend happens to be nearby. The beauty of Location Alerts is that you won’t be altered when people are simply engaging in their routine activities (ie, you won’t be alerted every time your coworker sits down at their cubicle across from you) . Instead, it “learns” what users’ “normal” locations are, and only notifies friends if they are nearby in an unusual place or time. To make this work, you need to have Location History activated, and in the process, Google is able to create a type of “locational profile” for each user. It is unclear whether this profile might be used for other purposes (ie, targeted advertising).

Google, of course, realizes the privacy implications of all this, and again takes some steps to help mitigate these concerns. there are FAQs for each product detailing how they work and the privacy concerns; the services are op-in; users are reminded periodically when they have Location History activated (Google should do this for all products, btw).

But all this makes me wonder: did Google plan to provide these services from the start, just with a delay? Did Google learn the lessons of Facebook, who repeatedly bites off more than it can chew as it relates to users’ privacy, and decided to launch Latitude without these features, thereby winning the praises of privacy advocates (guilty), and then strategically add them 9 months later, claiming it is simply in response to user demand?

If my fears are true, it’s not quite what I had in mind when calling on Google to engage in value-conscious design in order to protect user privacy.

Over the next decade, systems which create and store digital records of people’s movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future.

Here are some examples you might already have used or read about:

• Monthly transit swipe-cards
• Electronic tolling devices (FastTrak, EZpass, congestion pricing)
• Cellphones
• Services telling you when your friends are nearby
• Searches on your PDA for services and businesses near your current location
• Free Wi-Fi with ads for businesses near the network access point you’re using
• Electronic swipe cards for doors
• Parking meters you can call to add money to, and which send you a text message when your time is running out

These systems are marvellously innovative, and they promise benefits ranging from increased convenience to transformative new kinds of social interaction.

Unfortunately, these systems pose a dramatic threat to locational privacy.

And today, the New York Times has an op-ed by Adam Cohen lamenting the threats to locational privacy in our contemporary technological ecosystem:

A little-appreciated downside of the technology revolution is that, mainly without thinking about it, we have given up “locational privacy.” Even in low-tech days, our movements were not entirely private. The desk attendant at my gym might have recalled seeing me, or my colleagues might have remembered when I arrived. Now the information is collected automatically and often stored indefinitely.

It’s good to see this attention to locational privacy, but it’s equally important to recognize that these threats aren’t new: I’ve been blogging and advocating for attention to privacy in public, privacy on the roads, and locational privacy for a number of years now (and I’m certainly not the only one). I’ve also published about particular threats to privacy on the roads (here and here), and tried (with limited success) to engage with designers of new vehicle-technologies to design privacy into the new protocols.

I’m thrilled to see the EFF draw renewed attention to locational privacy. I just hope they’re not too late to start advocating for change…

• The New York Times has a story on advertisers increasingly collecting behavioral and locational data from consumers’ cellphone activities: “Advertisers Get a Trove of Clues in Smartphones”.
• The Berkman Center for Internet & Society recently hosted a talk by Albert Gidari, a partner at Perkins Coie, on the legal dimensions of cellphone tracking: “They Know Where You Are: Location Privacy in a Mobile World” (webcast) (David Weinberger’s liveblog)

Unsurprisingly, concerns have arisen regarding the privacy implications of Latitude, and I, of course, have taken issue in the past with Google’s approach to (not) protecting locational privacy (as well as cellphone tracking in general).

But this time, I think Google got it right, and designed Latitude with user privacy in mind.

Here’s a quick rundown (based on my analysis of the help pages and this video) of what Google’s done to help give users control of their information flows in Latitude:

• Only friends you have explicitly invited or accepted can see your location
• You can hide your location to everyone so no friends can see where you are (and neither will Google)
• You can hide your location to select friends
• You can share only city-level data with select friends
• You can manually select a location on the map that will be shared with friends (which means you can send the wrong location to obfuscate your location)
• And, perhaps most importantly, Google is not logging your pings to servers; they only keep you latest location on file

Now, Privacy International has made some waves with their strongly-worded condemnation of Latitude. PI’s main concern is that someone could have Latitude surreptitiously activated on their phone, allowing employers, spouses, parents, stalkers, etc to track their location. While possible, this seems an unlikely scenario (and, besides, businesses have much better ways of tracking employees, as do parents their kids). That said, I do agree with PI that it would be wise for Google to create some kind of persistent warning/reminder to users that they are sharing their location with the data-servers in Mountain View (this alrleady exists on some phones, and only after a period of inactivity).

In sum, compared to Street View and the reluctance to provide a direct link to its privacy policy, I think Google (mostly) got it right this time.

:: As an aside, Google seems to customize the maps that appear on the Latitude homepage based on the geographic location of your IP address. When I pulled up the page from my office, it showed a map of Milwaukee. When I used a proxy, it showed Cambridge. When I used an unresolvable IP, it just showed Manhattan (unless, of course, Google knows I spent my last 7 years in NYC, and that’s why it’s showing that by default! ).

Google released Street View to much criticism, given the prevalence of visible and identifiable faces and license plates captured by their fleet of camera-toting cars trolling our streets. To remove yourself from the service, Google first required submission of your legal name, e-mail address, a copy of your driver’s license or other government ID, and proof of your association with that address (letterhead, utility bill, etc). This, of course, created even more privacy concerns, and Google eventually backed down on this set of requirements, instead asking for only your name and the image location.

Later, Google loosened the requirements further, allowing anyone to request the blurring of a face or license place, even if the identifiable image isn’t you/yours. And now it seems certain version of Street View will automatically have all faces and license plates automatically blurred.

These are all positive moves by Google, but they are all reactionary. They reveal Google’s adeptness of responding to criticism over user privacy, and little initiative in proactively protecting that privacy with these kinds of products.

This isn’t much of a surprise given Google’s apparent position that since people are in public, they have no right to privacy. Consider the comments by Philipp Schindler, head of Google Northern Europe, that appeared in the German Spiegel Online (as translated by Philipp Lenssen):

The Street View feature includes only those photos taken from public grounds. The imagery is not different from anything each of us can photograph themselves – the kinds of things you’d see when you walk the streets.

Such a sentiment has no understanding of the “contextual integrity” of one’s privacy in public. Yes, someone might happen to be standing on the same street corner at the exact date and time that I am walking by and take my picture. But that is one person who was lucky enough to have good timing, and one photo in that person’s camera. Most people expect a handful of strangers to be able to view, and perhaps take note, of one’s public actions. But it is a difference in kind when those actions are digitally recorded, indexed, and viewable by millions through the world’s leading provider of information.

Further, consider the justification provided by Peter Fleischer, Google’s Senior Privacy Counsel, from this article:

The United States has “a long tradition of saying that it is legal and appropriate to take pictures from public spaces and publish them,” Mr. Fleischer said.

I am uncertain as to his claim that the U.S. (courts, presumably) have a “long tradition” supporting the “appropriateness” of publishing images from public places. Any discussion of appropriateness would certainly be contextually bound, and shouldn’t be considered a blank check to publish any and all public images online. Even so, the fact that U.S. courts say its OK doesn’t mean Google should do it. (“Don’t be…”)

Google really missed the boat on this one. Remember, Microsoft had already released a similar product with the same privacy concerns (although few noted it at the time), and to really take a leadership role in protecting user privacy, Google could have done the following:

1. Make use of their own facial recognition technology to automatically scan the Street View image database to identify and blur all faces, thereby protecting privacy and differentiating themselves from Microsoft’s offering. This should be done in all Street View products, not just the Canadian version.
2. Make reporting inappropriate images easier by placing a specific  “report this image” link on each image screen, not just a generic “help” link.
3. Think harder about privacy in public, and recognize that just because a random person can take another random person’s picture in public doesn’t mean there’s no difference in having a similar image available on Google.

Of course, its not too late to make these changes…

In a positive move, Google has changed their policy to make it easier to have sensitive information removed. Now anyone can notify Google and have an image of a license plate or a recognizable face blurred, even if it isn’t yours/you. The problem, as Nicole Ozer at the ACLU of Northern California recognizes, is that Google hasn’t changed the interface for initiating the process to make it more intuitive for people:

…there is no direct link from a Street View image to request take-down of a photo for privacy or security concerns. Individuals must know to click on the “Street View Help” link at the top of any image and then scroll down to the bottom of that box and click on “Report Inappropriate Image.” See here.

If Google is really serious about ensuring that people can protect their privacy and security by requesting take-down of images, they should add a direct link entitled “Request Take Down” or “Flag for Removal” to the top of each Google Street View image.

Like I’ve said before, privacy-enhancing changes won’t enhance anyone’s privacy if they don’t know about it or can’t figure out how to take advantage of it. Google: if user privacy is a priority, foreground it on your product interfaces.

UPDATE: I woke up this morning and remembered that Google already has employed simple facial recognition algorithms in their Image search.  If Google wanted to be serious — and proactive — about user privacy they could simply  scrub the entire Street View image database and automatically blur every face they come across. The tools are there — all it needs is the will.

Nathan Weinberg dug up a copy of the ballot initiative, which includes requirements for privacy protections (emphasis added):

Declaration of policy supporting a wireless broadband network that provides free high-speed internet access for all San Franciscans and protects user privacy.

It is the policy of the People of the City and County of San Francisco that:

(1) The City should provide a wireless broadband Internet access network (‘Wi-Fi Network”) serving all parts of San Francisco equally;

(2) The Wi-Fi Network should provide free Internet access for all of the City’s residents, businesses, institutions, and visitors;

(3) The Wi-Fi Network’s free service should operate at a high speed that fully supports typical home, educational and civic uses of the Internet;

(4) The City should initially provide the Wi-Fi Network through a public-private partnership that utilizes expertise of the high technology sector and minimizes financial risk to the City;

(5) The City should ensure that any private entities with which it contracts to provide Wi-Fi service adhere to privacy policies that offer strong safeguards against the unauthorized sharing of personal information with third parties and against the unnecessary retention of information about WiFi users’ locations; and

(6) The City should approve all agreements necessary for providing a City-wide Wi-Fl Network and should implement such agreements as quickly as possible consistent with applicable law.

(7) Private entities negotiating with the City and County should consider in good faith adopting the strongest privacy safeguards against the unauthorized sharing of personal information with third parties and against the unnecessary retention of information about Wi-Fl users’ locations, adopting clear service standards for Wi-Fi users prior to finalization of a contract with the City and County, and adopting a reasonable term of contract that avoids a franchise relationship between private entity and the City and County and is beneficial to both parties.

If course, I would prefer language stronger than suggesting that the ISP “should consider in good faith” adopting string privacy safeguards. And who gets to decide what is “unnecessary retention of information”? Nevertheless, it’s good to see it out there for the voters to consider.

:::

I don’t want to be picky, but given all the (necessary) attention given to the privacy aspects of Street View, I still wonder where everyone was when Microsoft launched basically the same service last year. As I pointed out then, the same privacy and surveillance concerns emerge. Is Microsoft truly that irrelevant now that we’re no longer concerned about their ability to surveil and collect personal information?

:::

Business Week has a short profile of the company who has an exclusive agreement with Google to provide the imaging. The story includes some details of the 11-lens camera, called a Dodeca 2360, used to provide the Street View images. They note: “What makes it unique is its dodecahedron (12-sided) shape, which captures images consistently in every direction. Anyone can buy one for around $100,000, but only a handful have been sold—mostly to government agencies.” So, Google and government agencies are the only one’s who have access to this imaging technology…lovely…

:::

It has been reported that in order to have your image removed from Street View, you must provide Google your legal name, e-mail address, URL of the Street View image, a copy of your driver’s license or other government ID, and proof of your association with that address (letterhead, utility bill, etc). Of course, many consider providing this level of detailed information to Google just as harmful as the Street View image itself, especially since there doesn’t seem to be a privacy policy in place regarding their handling of this extraneous personal data.

Google eventually backed down on this set of requirements, instead asking for only your name and the image location. While some herald this as Google taking action about privacy concerns, it seems more like a poorly-thought-out knee-jerk reaction to an original poorly-thought-out policy. Given this thin requirement, little prevents me from requesting to have images removed of anyone I feel like (competitors, friends, etc). If Google really wanted to take action to help protect people’s privacy in public, they would add a link to “remove your image” on the Street View main interface, rather than hiding it 2 clicks away on a help page.

:::

Philipp Lenssen provides a translation of an interview with Head of Google Northern Europe Philipp Schindler that appeared in the German Spiegel Online, where Schnidler responds to some of the privacy concerns:

The Street View feature includes only those photos taken from public grounds. The imagery is not different from anything each of us can photograph themselves – the kinds of things you’d see when you walk the streets. Added to that, we spoke to a variety of US organizations to get a feeling if there’s potential concerns, and if so, which these are. In the cases where we found out it’s necessary to introduce special privacy protections, we reacted prior to launch. For instance, you won’t find images of accommodations for the homeless, or abortion clinics.

Those familiar with my research can predict my objections with the implicit claim that images taken in public places are unproblematic. But what bugs me about Schindler’s comment is the odd assumption that removing images of homeless shelters somehow protects the privacy of those individuals, along with his claim that abortion clinics have been scrubbed as well. I found this image of a Planned Parenthood clinic in lower Manhattan the first day this was launched!

:::

Finally, odd scenarios continue to be found within Street View, including this sequence of a violent street fight captured for posterity as the van passed by.