The Offensive Internet: Speech, Privacy, and Reputation is an essential addition to academic, legal, and professional literatures on the prospective harms raised by Web 2.0 and social networking sites more specifically. Levmore and Nussbaum (eds.) have drawn together high profile legal scholars, philosophers, and lawyers to trace the dimensions of how the Internet can cause harm, with a focus on the United States’ legal code to understand what enables harm and how to mitigate harm in the future. The editors have divided the book into four sections – ‘The Internet and Its Problems’, ‘Reputation’, ‘Speech’, and ‘Privacy’ – and included a total of thirteen contributions. On the whole, the collection is strong (even if I happen to disagree with many of the policy and legal changes that many authors call for).
In this review I want to cover the particularly notable elements of the book and then move to a meta-critique of the book. Specifically, I critique how some authors perceive the Internet as an ‘extra’ that lacks significant difference from earlier modes of disseminating information, as well as the position that the Internet is a somehow a less real/authentic environment for people to work, play, and communicate within. If you read no further, leave with this: this is an excellent, well crafted, edited volume and I highly recommend it.
I don’t like violence, vandalism, or other actions that generally cause destruction. Certainly there are cases where violent social dissent is a sad but important final step to fulfil a much needed social change (e.g. overthrowing a ruinous dictator, tipping the scale to defend or secure essential civil rights) but riotous behaviour following a hockey game lacks any legitimating force. Unfortunately, in the aftermath of game seven between the Vancouver Canucks and Boston Bruins a riot erupted in downtown Vancouver that caused significant harm to individuals and damage to the urban environment.
The riot itself is a sad event. What is similarly depressing is the subsequent mob mentally that has been cheered on by the social media community. Shortly after the riot, prominent local bloggers including Rebecca Bollwitt linked to social media websites and encouraged readers/visitors to upload their recordings and identify those caught on camera. In effect, Canadians were, and still are, being encouraged by their peers and social media ‘experts’ to use social media to locally instantiate a human flesh search engine (I will note that Bollwitt herself has since struck through her earliest endorsement of mob-championing). Its manifestation is seemingly being perceived by many (most?) social media users as a victory of the citizenry and inhabitants of Vancouver over individuals alleged to have committed crimes.
Perhaps unsurprisingly, I have significant issues with this particular search engine. In this post, I’m going to first provide a brief recap of the recent events in Vancouver and then I’ll quickly explain the human flesh search engine (HFSE), both how it works and the harms it can cause. I’m going to conclude by doing two things: first, I’m going to suggest that Vancouver is presently driving a local HFSE and note the prospective harms that may befall those unfortunate enough to get caught within its maw. Second, I’m going to suggest why citizens are ill-suited to carry out investigations that depend on social media-based images and reports.
Candace Mooers asked me a good question today about deep packet inspection (DPI) in Canada. I’m paraphrasing, but it was along the lines of “how might DPI integrate into the discussion of lawful access and catching child pornographers?” I honestly hadn’t thought about this, but I’ll recount here what my response was (that was put together on the fly) in the interests of (hopefully) generating some discussion on the matter.
I’ll preface this by noting what I’ve found exceptional in the new legislation that was recently presented by the Canadian conservative government (full details on bill C-47 available here, and C-46 here) is that police can require ISPs to hold onto particular information, whereas they now typically required a judicial warrant to compel ISPs to hold onto particular data. Further, some information such as subscriber details can immediately be turned over to police, though there is a process of notification that must immediately followed by the officers making the request. With this (incredibly brief!) bits of the bills in mind, it’s important for this post to note that some DPI appliances are marketed as being able to detect content that is under copyright as it is transferred. Allot, Narus, ipoque, and more claim that this capacity is built into many of the devices that they manufacture; a hash code, which can be metaphorically thought of like a digital fingerprint, can be generated for known files under copyright and when that fingerprint is detected rules applied to the packet transfer in question. The challenge (as always!) is finding the processor power to actually scan packets as they scream across the ‘net and properly identify their originating application, application-type, or (in the case of files under copyright) the actual file(s) in question.
We’re paying for a high-tech Broadway show that’s themed around ‘security’, but we’re actually watching the equivalent of a catastrophic performance in a low budget community theatre. The price of admission? Only millions dollars and your privacy.
As of June 1, 2009, Canadians and Americans alike require an Enhanced Drivers License (EDL), a NEXUS card, a FAST card, a passport, or a Secure Certificate of Indian Status to cross a Canadian-American land border. In Canada, only Ontario, Quebec, B.C. and Manitoba have moved ahead to develop provincial EDLs; the Saskatchewan, New Brunswick and Prince Edward Island governments have all decided not to provide these high tech, low privacy, cards to the constitutencies (Source). To apply for an EDL in a participating province, all you need to do is undergo an intensive and extensive 30 minute face-to-face interview at your provincial equivalent of the Department of Motor Vehicles. Your reward for being verbally probed? A license that includes a Radio Frequency Identification (RFID) tag and a biometric photograph. The RFID tag includes a unique number, like your Social Insurance Number (SIN), that is transmitted to anyone with an RFID reader. These readers can be purchased off the shelf by regular consumers, and number your EDL emits is not encrypted and does not require an authentication code to be displayed on a reader. Effectively, RFID tag numbers are easier to capture than your webmail password.
I learned today that I was successful in winning a Social Sciences and Human Research Council (SSHRC) award. (Edit September 2009: I’ve been upgraded to a Joseph Armand Bombardier Canada Graduate Scholarship). Given how difficult I found it to find successful research statements (save for through personal contacts) I wanted to post my own statement for others to look at (as well as download if they so choose). Since writing the below statement, some of my thoughts on DPI have become more nuanced, and I’ll be interested in reflecting on how ethics might relate to surveillance/privacy practices. Comments and ideas are, of course, welcomed.
Interrogating Internet Service Provider Surveillance:
Deep Packet Inspection and the Confluence of International Privacy Regimes
Context and Research Question
Internet Service Providers (ISPs) are ideally situated to survey data traffic because all traffic to and from the Internet must pass through their networks. Using sophisticated data traffic monitoring technologies, these companies investigate and capture the content of unencrypted digital communications (e.g. MSN messages and e-mail). Despite their role as the digital era’s gatekeepers, very little work has been done in the social sciences to examine the relationship between the surveillance technologies that ISPs use to survey data flows and the regional privacy regulations that adjudicate permissible degrees of ISP surveillance. With my seven years of employment in the field of Information Technology (the last several in network operations), and my strong background in conceptions of privacy and their empirical realization from my master’s degree in philosophy and current doctoral work in political science, I am unusually well-suited suited to investigate this relationship. I will bring this background to bear when answering the following interlinked questions in my dissertation: What are the modes and conditions of ISP surveillance in the privacy regimes of Canada, the US, and European Union (EU)? Do common policy structures across these privacy regimes engender common realizations of ISP surveillance techniques and practices, or do regional privacy regulations pertaining to DPI technologies preclude any such harmonization?
This is a full draft of the paper on Twitter and privacy that I’ve been developing over the past few weeks, entitled ‘Who Gives a ‘Tweet’ About Privacy?’ It uses academic privacy literature to examine Twitter and the notion of reasonable expectations of privacy in public, and is written to help nuance privacy discussions surrounding the discourse occuring on Twitter (and, implicitly, similar social networking and blogging sites). The paper focuses on concepts of privacy and, as such, avoids deep empirical analyses of how the term ‘privacy’ is used by particular members of the social networking environment. Further, the paper avoids delving into the web of legal cases that could be drawn on to inform this discussion. Instead, it is theoretically oriented around the following questions:
- Do Twitter’s users have reasonable expectations to privacy when tweeting, even though these tweets are the rough equivalent of making statements in public?
- If Twitter’s user base should hold expectations to privacy, what might condition these expectations?
The paper ultimately suggests that Daniel Solove’s taxonomy of privacy, most recently articulated in Understanding Privacy, offers the best framework to respond to these question. Users of Twitter do have reasonable expectations to privacy, but such expectations are conditioned by juridical understandings of what is and is not reasonable. In light of this, I conclude by noting that Solove’s use of law to recognize norms is contestable. Thus, while privacy theorists may adopt his method (a focus on privacy problems to categorize types of privacy infractions), they might profitably condition how and why privacy norms are established – court rulings and dissenting opinions may not be the best foundation upon which to rest our privacy claims – by turning to non-legal understandings of norm development, degeneration, and mutation.
Paper can be downloaded here.