Emerging Privacy and Ethical Challenges for Libraries in the 2.0 Era

Tuesday, May 4, 2010
3:00pm – 4:30pm
Golda Meir Library, West Wing, 4th Floor Conference Center
University of Wisconsin-Milwaukee
Free and open to the public

Topics to be discussed include:

• What innovative online tools and services are libraries bringing to users, and what are the potential impacts on patron privacy?
• Are there privacy considerations for providing or controlling access to digital collections?
• How do current laws & policies protect patron privacy, and are any changes coming?
• What are the broader ethical responsibilities for librarians and information professions in the libraries of the future?

Featured panelists:

• Liza Barry-Kessler : privacy lawyer and co-author Privacy in the 21st Century: Issues for Public, School, and Academic Libraries
• Kristin Eschenfelder : associate professor, School of Library and Information Studies, UW-Madison
• Peter Lor : visiting professor, School of Information Studies, UW-Milwaukee, Past Secretary General, International Federation of Library Associations (IFLA)
• Michael Zimmer : assistant professor, School of Information Studies, UW-Milwaukee

The panel discussion is free and open to the public. See you there!

Search engines have become the center of gravity of our contemporary information society, providing a powerful interface for accessing the vast amount of information available on the World Wide Web and beyond. The audacious mission of Google, for example, is “to organize the world’s information and make it universally accessible and useful.” Attaining such a goal necessarily results in significant changes to the ways in which information is created, stored, retrieved, and used. This course will critically examine the nature of search engines and their role in our information society, and reveal the unique challenges they bring to bear on information institutions, information policy, and information ethics.

The full syllabus is available on my teaching page, and I’ve pasted the weekly breakdown of topics and readings below. I will be assigning Alex Halavais’s excellent text Search Engine Society, chapters out of my edited volume Web Search: Multidisciplinary Perspectives, and will rely heavily on work by James Grimmelmann, Siva Vaidhyanathan, and other preeminent search engine scholars. Let me know if you have additional suggestions for readings (the course is intended for advanced undergraduates and MLIS students).

This will be a very fun class to teach!

With the help of the UW-Milwaukee School of Information Studies, I organized a workshop on “Identifying Challenges and Opportunities foran African Information Ethics”, featuring Johannes Britz (School of Information Studies, UW-Milwaukee), Rafael Capurro (International Center for Information Ethics, and School of Information Studies, UW-Milwaukee) and Dennis Ocholla (University of Zululand), along with a very engaged group of conference participants.

The workshop provided us the opportunity to explain our project on engaging information ethics within the African context, outline some of our ongoing efforts, and describe some of the challenges ahead. The audience pushed our thinking and provided new and excellent insights to help us achieve our vision.

The workshop was diligently live-blogged here, I’ve isolated some relevant tweets here, and I’ve pasted my introductory slides below.

I hope to have more news regarding this initiative (future conferences, grants, etc)  in the coming months.

According to Warden, he exploited a flaw in Facebook’s architecture to access public profiles without needing to be signed in to a Facebook account, effectively avoiding being bound by Facebook’s Terms of Service preventing such automated harvesting of data. As a result, he amassed a database of names, fan pages, and lists of friends for 215 million public Facebook accounts.

Warden has already done some impressive analysis of this data at an aggregate level, and I know researchers would love to get their hands on it. And like the “Tastes, Ties, and Time” Facebook project, Warden wants to release the dataset to the academic community.

But also like the “Tastes, Ties, and Time” project, Warden would be wrong to do so.

First, similar to our discussion of the ethics of collecting public Twitter streams, just because these Facebook users made their profiles publicly available does not mean they are fair game for scraping for research purposes. Yes, I have limited profile information viewable to the public, and I’ve authorized Facebook to make that information available for search engines to crawl. But the purpose of this public availability is to help people — humans, not bots — find me. The presumption is that my public profile data will only be found and viewed if someone actually searches for “Michael Zimmer” on Facebook or a search engine. In reality, my profile is only “public” if a human being takes specific and conscious action to find me.

Warden’s actions, however, violate this implicit understanding for making profiles publicly searchable. Rather than trying to find me, Warden is systematically sought everyone, letting a script to the work of seeking and harvesting my data. There is no genuine desire to find me, to friend me, and so on. He’s just collecting data. His reasons might be honest and beneficial, but that’s not what’s at issue here. The point is whether the 215 million Facebook users who now have some of their information in Warden’s database contemplated such harvesting and aggregating when they built their profile and configured their privacy settings. They almost certainly didn’t, which brings into doubt whether this data has been collected with proper consent.

Second, Warden’s release of this dataset — even with the best of intentions — poses a serious privacy threat to the subjects in the dataset, their friends, and perhaps unknown others. Warden claims to be sensitive to the privacy of the subjects in the database, and in response he has removed the identifying URL’s’s that are unique to each profile, but the dataset retains the subjects’ names (really!), locations, Fan page lists and partial Friends lists (I’m not sure what is meant by a “partial” list of friends).

So, obviously, individuals can be easily identified within the dataset. But that’s not the greatest threat with the release of this data. What is most dangerous is its potential use to help re-identify other datasets, ones that might contain much more sensitive or potentially damaging data. Recall the research that showed how trivial it was to re-identify the presumed “anonymized” Netflix database, or the ease in identifying individuals within social networks. These ease of re-identifying these datasets came from having ready access to other large sets of data where the subjects where already known. By overlaying social graphs and other intricate data-comparison methods, the “anonymous” datasets were quickly re-identified. (See Paul Ohm’s “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” for excellent coverage of these cases and discussion of consequences for law & policy).

Warden’s rich dataset of 210 million Facebook users, complete with their names, locations, and social graphs, is just the ammunition needed to fuel a new wave of re-identification of presumed anonymous datasets. It is impossible to predict who might use Warden’s dataset and to what ends, but this threat is real.

It turns out that Facebook has asked Warden to delay releasing this data to the academic community (I’m curious as to what kind of pressure — if any — they exerted to keep him from releasing this week as originally planned). We will need to keep a close eye to see if the data is actually released, in what form, and if any steps will be taken to control and track its usage.

I argued, however, that we cannot be so quick to presume the expectations of potential research subjects. Yes, setting one’s Twitter stream to public does mean that anyone can search for you, follow you, and view your activity. However, there is a reasonable expectation that one’s tweet stream will be “practically obscure” within the thousands (if not millions) of tweets similarly publicly viewable. Yes, the subject has consented to making her tweets visible to those who take the time and energy to seek her out, those who have a genuine interest to connect and view her activity through this social network.

But she did not automatically consent, I argue, to having her tweet stream systematically followed, harvested, archived, and mined by researchers (no matter the positive intent of such research). That is not what is expected when making a Twitter account public, and it is my opinion that researchers should seek consent prior to capturing and using this data.

A healthy debate on this issue followed, and continued in a separate thread on Facebook, which included the following varied positions & responses (edited and condensed):

1. “…if the account holder tweets to the general public, then it’d seem like there’s no expectation of privacy so no consent would be necessary.”
2. (me) “But isn’t my expectation that even though my tweets are public, they’re often lost in a sea of hundreds of tweets among my followers, and I never anticipated someone would archive, mine, and perform research on them?”
3. “If you’re comfortable with your anonymity being guaranteed only by virtue of your public tweets being hidden in plain sight among millions of others, then you’d have to realize that some determined person could follow just yours, archive them, and analyze them. I like my privacy, but I don’t worry about walking around a city or campus even though …”
4. “…depends on how data are being presented – e.g. in aggregate vs specific “quotes” that could easily be traced.”
5. “Many IRBs would say yes [consent is needed], or at least would require you to get a waiver–publicizing the extremes to which IRBs go…”
6. “…IRB application is required. You could request that Informed consent be waived with the argument that you are only analyzing tweets broadcast publicly, and that you de-identify your data to eliminate potential risk to the individual”
7. “I would say if it is for research and you are dealing only with publicly available documents, then no, you need no consent. you can run that by the irb and get a waiver, but in the end, you are dealing with publicly available documents… not people, subjects. If you are dealing with subjects and not documents, then you will need irb clearance.”
8. “Tweets are publications. I think it’s absurd to even consider IRB review for anything dealing with things people have published”
9. “The questions are: 1) Are you conducting research that is intended to be published; 2) Does your research involved human participants; 3) For these human participants, will you gather data through intervention or interaction with the individual; and/or will you gather identifiable private information about them. (45 CFR 46.102(f))
   If these 3 conditions are met, your research must be reviewed by IRB. They will work with you and determine whether or not informed consent is required. In your case, if you are NOT interacting with the individual publishing the tweets, and the tweets are broadcast and searchable as public records (that is, you don’t need access to their account to view tweets posted to a limited audience), then it won’t fall under the definition of research with human subjects.”
10. “If i download all of Michael’s published papers, blog posts, twitter posts and each one he publishes thereafter… are they the same? or different? I’d argue the same, just for different audiences.”
11. (me) “What if tomorrow, I decide to take my Tweet stream private. And I delete my blog posts. Does my affirmative action to purge my documents from the “live” web mean that you (researcher) need to treat that previously archived material differently?”
12. “If the individual changes their intent regarding release of data, then by IRB standards what might previously have been considered publicly available information, then becomes private information, and your collection would likely require BOTH IRB review AND informed consent, b/c the user now has an expectation that their information is protected.”
13. “Once tweeted, a birdsong is gone forever. No deleting or taking back what’s been broadcast to the world. If someone seeks privacy, they should seek another method of communication. If from the beginning, there was some kind of inherent expectation that tweets were private messages, then the situation might be different. But the whole idea of tweeting is to voluntarily publish or broadcast. It’s different from, say, e-mailing or IMing.”

What we see here are numerous, intelligent researchers not in complete agreement about wither consent is necessary, about whether one’s tweets are “publications” not needing IRB review, or whether Twitter-based research is dealing with “human subjects” that does require strict scrutiny. There’s also some question about how to deal with the fact that users might make information private after an initial release, something our current forms of communication allow more than in the past.

What do you think? If readers have had experience with related research ethics issues, and how their IRB dealt with is, please email me or leave a comment.

Aside: Interestingly, Adam Fish, who I’ve friended on Facebook, saw that discussion and wanted to repost the thread on his blog. Respectful of the delicate nature of re-posting other conversations and moving them from the controlled environs of Facebook to a public blog, he contacted me to ask permission. He didn’t, apparently, contact each of the commenters to ask for their permission. I felt it necessary to get consent from everyone in that thread before authorizing its re-posting. When I asked each of them, all agreed (with some edits), and some took the position that the Facebook conversation was de facto public, even though technically only a certain set of users (friends of the participants) could in reality see the thread.

[image from TPorter2006]

This is my first time at CSCW, and looking at the set of papers for this workshop, it should be an excellent experience. I’ve submitted a brief analysis of the “Tastes, Ties, and Time” Facebook dataset release (my larger paper is going through its final edits for publication). You can download the short analysis here: Subject Privacy and the Release of the “Tastes, Ties, and Time” Dataset.

The organizers also asked me to provide some brief comments on the ethical issues related to archiving and releasing research data. I’ve created a few slides with some provocations that will hopefully spark some discussion on these matters. You can view these slides here:
Zimmer CSCW 2010

Use information to provide our users with valuable products and services.

Develop products that reflect strong privacy standards and practices.

Make the collection of personal information transparent.

Give users meaningful choices to protect their privacy.

Be a responsible steward of the information we hold.

The principles are further explained in a video on the Google Blog (interestingly posted by an engineer, not one of Google’s legal/policy folks).

I like these principles; they are something every organization should commit to and strive for. The problem is, Google hasn’t adhered to them quite as closely as they’d want you to believe. Let’s consider each:

1. Use information to provide our users with valuable products and services. This isn’t so much a privacy principle as it is a disclaimer for what Google purports to do with all the data it collects about its millions of users. Google tracks what we do in order to know whether our search for “Paris Hilton” is about the blond or the hotel. This principle merely presents the value proposition for Google’s potential violation of user privacy.

2. Develop products that reflect strong privacy standards and practices. A very important goal, but the product featured in Google’s video, off-the-record chats in iChat, isn’t providing the kinds of privacy protections that most consumers or advocates clamor for. Certainly, being able to control (to an extent) whether my chats are logged is a way to protect my privacy, but what about IP logging or behavioral targeting? Perhaps Google doesn’t want to bring up its current data retention policies given Microsoft’s recent announcement. And perhaps it doesn’t want to actively promote one of its truly innovative privacy protecting product — the Google Advertising Cookie Opt-Out Plugin — since the more users who install the plugin, the less valuable its advertising platform becomes.

3. Make the collection of personal information transparent. Despite what Google claims about Dashboard, there remains an enormous lack of transparency regarding the collection of user information (Google Analytics comes immediately to mind). If Google was committed to transparency, it wouldn’t have resisted placing a link to its privacy policy on the homepage. If Google was committed to transparency, its behavioral targeting system would be opt-in and would provide a conspicuous link to “Ad Privacy Preferences”.

4. Give users meaningful choices to protect their privacy. Google touts the ability to report problems in Street View and the removal of one’s search history as examples of this principle. Of course, the Street View example has a horrid history, and removing your search history only removes it from that product’s interface, not from Google’s main server logs. That’s a limited choice, not a fully meaningful one.

5. Be a responsible steward of the information we hold. I have faith that Google is indeed being responsible with our information, and that it is keeping it secure. But while security is often necessary to ensure privacy, it certainly isn’t a sufficient condition, and the gaps in the preceding principles overshadow Google’s good stewardship.

In summary, I do give Google much credit for the steps they’ve taken in recent years to improve its privacy practices and communication. But too often its rhetoric is too self-congratulatory, and fails to recognize serious gaps in its approach to user privacy.

These principles are vital, and I hope Google continues to strive to meet them. There is much work still to be done.

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information.  In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.

To celebrate, I’ve taken some steps to make MichaelZimmer.org even more privacy-friendly:

• I have replaced the commonly used ShareThis widget with Sociable. Both allow readers to easily post and share stories from my blog to various social networking sites, but Sociable does it without the use of web cookies or web bugs. Sociable simply automatically creates the necessary links, that’s it. No one is tracking what you decide to share, or where you do it.
• I have ended my use of StatCounter for basic tracking and measurement of who visits this site, how they got here, and what they do while here. StatCounter’s privacy policy is pretty simple, but the service is dependent on a persistent cookie. While nearly everyone on the planet uses some kind of web analytic tool to track users, until I can find one that doesn’t rely on cookies or web bugs, I can live without it.
• I’ve updated the site’s Privacy Policy to reflect these changes (the old policy is here).

You can validate these changes by installing the Ghostery Firefox extension, which alerts you about the web bugs, ad networks and widgets on every page you visit. Nothing should appear when you visit MichaelZimmer.org, but you’ll be amazed to learn how other sites & advertisers are tracking users.

Enjoy Data Privacy Day, and let me know what you’re doing to get involved.

Internet Research 11.0 – Sustainability, Participation, Action
October 21-23, 2010
University of Gothenburg/Chalmers University of Technology
Gothenburg, Sweden

The full call for papers is here.

I am proposing a panel for IR.11 titled “On the Philosophy of Facebook“. Facebook’s Mark Zuckerberg has built his social networking empire on the belief that “information wants to be shared“, a particular philosophy of information that directly impacts the values built into the design of Facebook, ranging from its user interface, privacy policies, terms of service, and method of governance. This panel will explore the philosophy of Facebook and its broader implications for norms of privacy, identity, governance, sociability, and online life generally.

Ideal papers will provide philosophical, conceptual, and/or critical insights into Facebook and social networking generally.

If interested in joining this panel, please email me a 250-500 word abstract, and a brief biography, by February 13.

Recall that in early 2007, Google announced it would “anonymize” its user search logs after 18-24 months. Later that year, Google reluctantly decided to add an expiration date to its web cookie, while Ask.com (unsuccessfully) tried to gain market share by giving users almost complete control over whether any data is collected. Then, in 2008, under pressure from EU regulators, Google announced it would anonymize its search logs after 9 months. Later, Microsoft endorsed the EU’s  Article 29 Working Party’s position that search companies should anonymize data retention logs after 6 months, but only if the other major search engines follow suit. None did, but Yahoo did agree to anonymize its logs after 90 days.

Microsoft has now decided to take the lead in search privacy and agree to the European Union’s demand that data retention be cut to six months. Previously, Microsoft de-identified its search logs immediately, but didn’t purge the IP address until 18 months. Now, de-identification still takes place immediately, and the IP addresses are completely removed in 6 months. Here’s the chart included with Microsoft’s announcement:

Microsoft’s bold move puts significant pressure on Google. Currently Google merely “anonymizes” IP addresses on its server logs after nine months, arguing it must retain user logs to improve their services, fight spam and abuse, and comply with legal obligations. I, of course, have been critical of this reasoning on various occasions, and now Microsoft appears to be confirming that long-term data retention isn’t necessary to run a successful search engine.

Google, the ball is in your court.

(Hat tip to Jules Polonetsky at the Future of Privacy Forum)