By Fran Maier
We all know that 2010 was a big year for privacy. The federal government took an especially strong interest in privacy and journalists dug deeper than ever before into online data practices. More than a few companies found themselves uncomfortably in the spotlight. I know that here at TRUSTe we were deeply involved in the privacy happenings at Facebook, assiduously reading the WSJ Privacy Series, and closely following the DC legislative and regulatory wranglings.
Last year we handpicked privacy stories for TRUSTe’s year-in-review post, but given the sheer number of stories in 2010 we thought, why not turn that task over to the social media community? More specifically, what did Twitter users think were major privacy stories in 2010? Using Google Realtime Search we looked at the frequency of the term “privacy” in Tweets over the last year. The results are shown below, and where we found frequency spikes in the graph we dug deeper to identify the privacy story driving the discussion. You can download the graph as a PDF here: 2010 Twitter Privacy Index.
We recognize this isn’t a definitive list of major privacy stories in 2010, but it is one interesting and meaningful way of evaluating the privacy landscape in the past year through consumers’ eyes.
Google launched Buzz in February, offering Gmail users the ability to share content like photos, links and status messages with their friends. It failed to catch on, however, and Mashable recently named Buzz “Tech’s Biggest Flop of 2010”. It didn’t help that Buzz got off on the wrong privacy foot and caught major heat from the press and the public. The problem? Its default setting was public disclosure of users’ most frequently emailed contacts. Oops. Google had to learn the infamous opt-out/opt-in lesson: if you’re going to change consumer data use/disclosure policies for data that has already been collected, it should be an opt-in decision for consumers. Google apparently took this lesson to heart: they made sharing opt-in for Buzz and now the first benefit touted by the service on its homepage is “Share publicly or privately”.
Google’s Italian Video Scandal
Later that same month Italy shocked the world by convicting three Google executives of national privacy violations for allowing an individual to upload a video of students taunting an autistic teenager to Google Video (now YouTube). The punishment? Suspended six-month jail sentences. Google called the ruling “outrageous”, but regardless of its merits the decision certainly highlighted the difference in privacy perspectives between Americans and Europeans. Case in point: I spent some time in Germany last year and was surprised to learn that privacy officers are a fairly common position in German businesses with almost guaranteed employment. Here in the United States, that role usually only exists at major national companies although that’s starting to change.
The Lower Merion School District of Pennsylvania found itself in hot water last year when it came to light that student-issued MacBooks had surreptitiously captured screenshots and webcam shots in student homes. The software that allowed this remote capture was installed as an anti-theft measure, the school district argued, but it soon became clear that school officials used the data more broadly to monitor student behavior. A court ordered a cease to the data collection and this fall the school district settled separate lawsuits to the tune of $600,000. An expensive lesson on the (obvious) imprudence of school-sanctioned spyware, but really this case should call attention to the need for strong privacy protections for new technologies. Five years ago most laptops didn’t have built-in webcams and this kind of spying simply wouldn’t have been possible. Today, geo-location functionality is the norm on all smartphones. It makes you wonder if you have any rogue apps on your phone accessing this data without your permission.
A Congressional Privacy Field Day (Year)
Last Spring saw a flurry of activity on the Hill. Hearings were held, letters of inquiry were sent, and draft language for various privacy bills was circulated. Among the most prominent was a draft bill circulated by outgoing Representative Rick Boucher (D-VA), which called for companies to provide notice to individuals and obtain their consent prior to the collection and disclosure of personal information. We covered that bill earlier on this blog. Representative Bobby Rush (D-IL) also introduced a bill that would, among other provisions, establish a “safe harbor” that would exempt companies from an “opt-in” consent requirement, provided those companies participate in a universal opt-out program operated by self-regulatory bodies and monitored by the FTC. We could spend an entire blog post discussing all the congressional activity on privacy in 2010, but the big question in 2011 and the 112th Congress is: will any of these privacy bills become privacy laws?
Facebook’s Spring Privacy Overhaul
In April Facebook released Instant Personalization, an Internet-wide “Like” button and the concept of the Social Graph. Facebook also made users’ “Likes” public information by default. These changes evoked a fierce and largely negative privacy reaction from many of its users, as well as intense scrutiny from the media and regulators who argued that the site’s privacy settings were too obtuse or inadequate to allow consumers to make meaningful choices about the privacy of their information. A month later Facebook responded with a revamped privacy control panel, reduced the amount of basic info that must be visible to everyone and gave users greater control over 3rd party applications and websites. They also provided users with the ability to opt out entirely from Instant Personalization. They cited TRUSTe among others as encouraging the changes.
Google Street View
Street View, Google’s street photo mapping component of Google Maps, has caught a lot of heat from international regulators in the past year. When European regulators discussed reducing the data retention limit from 1 year to 6 months for images collected via Street View, Google responded by noting that it might abandon European Street View altogether. It was two years ago that Google began blurring faces and license plates captured by Street View, but much of the regulatory scrutiny in 2010 came from Google’s inadvertent collection of consumer data on open Wi-Fi networks by its cars that took photos for Street View. The 600 GB of data was collected over multiple years in numerous countries around the world and included sensitive information such as user names and passwords and excerpts from email communications. Investigations and litigation related to the breach are still ongoing, but just recently Google announced it had deleted all UK data involved.
In October, a freelance web application and software developer released a Firefox browser extension called “Firesheep”, which allowed Firefox users to engage in HTTP session hijacking on unsecured networks. The exploit itself was not new, but by making the exploit easy and accessible to millions of Internet users Firesheep made national headlines. Thousands of people downloaded the tool and headed down to their local Starbucks, surprised at how easily they could access the Facebook or Gmail account of the stranger sitting across from them. Firesheep raised public awareness about the dangers of unsecured browsing sessions and put significant pressure on major websites to default to HTTPS encryption.
TSA Scanners And Patdowns
As a result of increased implementations of full-body scanners at airports, new invasive TSA pat-down procedures, and leaks of stored body images collected by the scanners, the public’s privacy dissatisfaction with TSA airport security procedures grew considerably this fall. Privacy advocates were unhappy to learn that thousands of images collected from the full-body scans had been stored, despite government claims to the contrary. The TSA has looked into more advanced scanning techniques that would provide citizens with greater privacy protections, but thus far they have not materialized. The scrutiny and discussion generated this Fall by the TSA is a reminder to all of us of just how deeply personal and important privacy can be.
This is an interesting snapshot of privacy issues in 2010 – on the whole it shows that the privacy issues are wide-ranging – no longer focused on just the online experience. It’s also clear that the public’s (or press’) sensitivity to privacy issues is extremely high, especially in regard to social networking. Finally, the most important lesson, evident in so many of these top stories, is the importance of meeting, not ignoring, consumer expectations.