I recently attended the San Francisco regional nonprofit technology conference sponsored by N-TEN. Electronic Frontier Foundation attorney Kevin Bankston delivered the plenary address to the 200 nonprofits in attendance, and hit a lot of hot buttons.
In addition to the requisite primer on online privacy issues, Kevin scared the crap out of everyone by talking about all of the nefarious ways in which advocacy groups can be hurt by the same tools that they are using to drive outreach. Privacy especially matters to outreach groups with missions focused on the environment, Muslim/Arab populations, or international efforts. Government agencies have authority to search these records not only to pursue criminal activity or civil litigation, but also when gathering political intelligence.
Here are some of the essential learnings I walked away with...much of it is truly scary, conspiracy-theorist-worthy fact:
Basics of communications privacy law:
For content:
- The government needs warrants to conduct wire taps or plant bugs, but it only needs a court order to track dial information via "pen-trap" (e.g., what phone numbers did you dial).
- Stored communications aren't protected from review by your ISP. ISPs have full access to your private emails. The email scanning that Gmail does is both allowed by law, and Google could scan it without telling you. That content can't be shared with third parties unless you consent...although many folks have agreed to sharing their content in their license agreements. Most users have consented to content sharing without knowing it. More importantly, only one party to a communication needs to have consented. (e.g., if you did not consent to sharing information but the person you sent an e-mail to has, then your communication is unprotected.)
- Warrants on your e-mail can be served without any notice to you - only to your provider. You would never know that your content has been reviewed by a government agency.
- After your e-mail is 180 days old, the government can get it via just a subpoena. And in some jurisdictions, the government can even access your e-mail at any time after you have opened it.
For non-content records
(This includes your personal information, IM names, e-mail destination addresses, e-mail file sizes, etc.)
- Non-content information can be shared with/sold to anyone unless you have a contract that forbids it.
- Government can access non-content information with just a subpoena. Again, this access can be granted without any notice to the individual. Note that this is how the RIAA finds out who is file-sharing.
- National Security Letters - letters to the ISP that forbid giving notice to users about the government's access requests - break both First and Fourth Amendment rights.
- IP address/file size/time can tell you what someone was reading online. So, there's a big controversy about whether or not URLs count as content or non-content records.
What your records reveal
What web sites you read, who reads your web site, who you trade e-mails or instant messages with, and what mailing lists you are on are all revealed just through non-content records. ISPs and other online vendors save these records for a number of reasons:
- Storage is cheap
- Information helps to deliver service
- Vendors worry about satisfying government regulations
- Sysadmins are packrats!
Upcoming scary stuff
Mega-portals (Google, Yahoo!, MSN, etc.) are a one-stop-shop for both the government and scam artists alike. Unified logins will make it easy to bring all of your personal information together, and your online behavior can be correlated to specific activities based on cookies, account history, IP address, etc. Providers often hide risks to your data behind terms of service phrases such as:
- "Will only share info as reasonably necessary"
- "Will only share info with our partners"
- "Will only share info as permitted by law"
A recent CALEA regulation by the FCC mandates that ISPs and VoIP providers make their systems easily tappable. Both the EU and the DOJ are trying to push through requirements for mandatory data retention. (This would have an impact similar to the US Postal Service making photocopies of all of your snail mail.) Government requirements aside, many vendors do this anyway because it might give them a competitive advantage, or be useful in selling new services someday.
What you can do:
Look for phrases like these in your terms of service - they will provide much better protection:
- "Will only disclose if required by law"
- "Notice to you, if permitted by law"
Other things you can do:
- Use strong passwords (worth trying to remember)
- Avoid toolbars (though you may miss their convenience and cool factor)
- Encrypt your email (usually impractical, since it requires your recipients to use encryption)
- Download and delete e-mail within 120 days of receiving it (if you live in the 9th circuit)
- Download and delete e-mail immediately upon receiving it (if you live outside of the 9th circuit)
- Use different providers for different online services (a bit more cumbersome than consolidating accounts, but safer)
- Do everything client-side where possible - email, storage, web hosting, browser histories
Since the Internet is one big record-keeping machine, more and more records are created when operations move to the server side. Even personal files, when stored online, have less protection from government search and seizure.
Later conference sessions included many marketing and advocacy tools vendors, so many folks left the conference very confused on just what they were supposed to be doing for outreach. Online tools are an effective, inexpensive way to self-organize, but the risk vs. reward balance must be struck consciously. For example, users of Flock and del.icio.us have made a decision (conscious or not) to make all of their references public information. Users of GetActive have information online that points to not only who their volunteers, activists, and donors are, but where they are. I'm not sure that the good folks at N-TEN anticipated the conflict...though it created some great dialogues in the sessions.
Ultimately, it seems that the increased organizational capacity and good outcomes of hosted services will outweigh the risks of their use...but wouldn't it be great if our national policies didn't create these risks in the first place?
Tags: christine herron spacejockeys best practices technology society eff privacy n-ten