Aug 12, 04:28 pm: [NTEN Bay Area] Keynote

(all the dangers and annoyances of live blogging: misquotes, misspellings and general mistakes.)

Live blogging: NTEN Bay Area

Keynote speaker: Kevin Bankston, Electronic Frontier Foundation

Notes:

Quote: “I realize not all of you are worried about the government. But I think you should be.”

Laws and acts (particularly the USA PATRIOT Act) have changed what it means to have information online, specifically the government’s ability to access that information.

Need to be concerned if:

  • you are politically or socially progressive;
  • you work on the environment;
  • you serve Muslim and/or Arab populations;
  • you work or fund overseas; or,
  • you are concerned about criminal activity.

Key acts:

  • Wiretap Act of 1968
  • Pen-Trap Statute in the 70s allowed law enforcement to capture telephone numbers.
  • Electronic Communications Privacy Act of 1986 (updated wiretap act and included storage of online information)

So what does the relative lack of protection by 3rd party storage mean? This particularly impacts email which is most commonly stored by a 3rd party (gmail, hotmail, or just your ISP)

from .ppt: ”...your email provider can do Gmail-like ad-scanning without your consent.”

Sharing content with non-government 3rd parties? Providers can’t share with others unless you okay BUT you might have. Read the contract.

Unresolved: whether or not provider can respond to civil subpoenas (see: EFF’s Apple v Does)

Sharing content with government?

  • requires a warrant
  • protection drops after 180 days
  • what does that mean for email providers that encourage you (like gmail) to keep your email?

How about non-content communications records?

  • no limit on sharing except what’s in the contract
  • no notice to you that your records have been accessed (in fact, sometimes kept secret)
  • National Security Letters—completely secret, no oversight, FBI certifies to itself that the files are relevant (see: Doe v. Gonzales (scroll down on the page))

What are non-content records?

  • pretty much everything about that isn’t actually a text of your email, a log of your IM chat or a recording of a VOIP conversations
  • for example, name, address, correspondence, IP, size, timestamp, IP of visitor to your web site

Still, though, some question about what is content and what is non-content? Not a good answer. Are URLs content or non-content?

And search logs? What about those? Again, murky water but what could these reveal about you? Are these content or non-content?

Why keeping all these records?

  • default configuration of servers
  • need the info for troublekeeping and/or security
  • information may one day be useful and so keep everything
  • to able to develop materials that enhance your experience (ads, cookies, etc)
  • they are an ASP and storing the information is part of what they are providing you
  • storage is cheap; let’s keep it and mine

Is there going be mandatory data capture and retention? Maybe. Again, not clear. Trending this way in the EU.

The mega-protals—Google, Yahoo!, MSN—they keep information because it will help them to market better and offer services. It’s one-stop shopping for user but also for government, civil litigants, identity thieves and scam artists.

Quote: “Imagine that one company has a print-out of your brain.”

All the information tied together by a unified log-in.

Privacy policy? Pretty meaningless UNLESS it’s a part of your contract. If no signed contract, look at the terms of service.

So what do you look for?

Should say:

  • only disclose if required by law
  • only share if necessary for proper functioning and/or maintenance
  • only share if necessary in a life/limb emergency
  • will provide a notice to you if required by law
  • will actively protect your information

Watch out for:

  • only disclose if reasonably necessary
  • with partners and/or subsidies (anyone really)
  • as permitted by law (permitted is differernt than required)

Store everything you can store on-site, on-site. Use client-side applications as much as possible. Don’t use search-and-save or history functionality on site.

Avoid single log-in, mega-portal services. Distribute the providers you use so that you will distribute the risk.

TOR—helps to anonymize your internet travels.

If you collect infromation, take seriously what your terms of use/contract is and make sure that you have data capture and retention policies.

And, in general, encrypt email, use strong password.

(what does all this mean to all of the API and search enhancement stuff I’m posting about lately)

q. What about remembering all those passwords? A password safe?
a. Maybe, if it’s a good program so check reviews. Write ‘em down and keep them in your wallet.

q. Encrypt email? Good but hard. User barriers.
a. Yeah. saying that is tilting at emails. Email more like a postcard than a sealed letter. Network effect problem—not yet the critical mass of users to make this useful.

tagged: , , , eff

Marnie Webb  |