Deeplinks Blogs related to Search Engines
EFF Releases Updated White Paper on Best Practices for Online Service Providers
Deeplink by Kurt Opsahl
Today EFF released a revised white paper on Best Practices for Online Service Providers, an update of the 2004 OSP Best Practices white paper. In the white paper, EFF offers some suggestions, both legal and technical, for the best privacy practices for collecting, storing and disclosing data that balance the needs of OSPs and their users' privacy and civil liberties.
OSPs are vital links between their users and the Internet, offering bandwidth, email, web, and other Internet services. In the process of offering services, OSPs collect and store detailed information about their users and their users' online activities.
User information can be of great interest to the government and civil litigants, leading to numerous requests from law enforcement and lawyers to hand over private user information and logs. Yet, compliance with these demands takes away from an OSP's goal of providing users with reliable, secure network services.
In the OSP Best Practices white paper, we offer information for OSPs in order to help them make sound, ethical decisions about how to safeguard private data and preserve freedom of expression online.
Summary of Recommendations
- Develop procedures for dealing with legal information requests and providing notice to users.
- Work with both attorneys and engineers to develop a privacy policy that fits your OSP’s practices.
- Collect the minimum amount of information necessary to provide OSP services.
- Store information for the minimum time necessary for operations.
- Effectively obfuscate, aggregate and delete unneeded user information.
- Maintain written policies addressing data collection and retention.
- Enable SSL as much as possible throughout your site to secure users’ information and communications.
- Understand threats to the security of sensitive information and communications on your systems, and mitigate them appropriately.
- Follow best-practice principles for the use of cookies on your site.
- Insist that the OSPs and other service providers you work with observe these best practices, too.
OSPs can face many other legal issues beyond user privacy, from DMCA takedown requests to defamation claims to issues with adult materials. While these are outside the scope of the OSP Best Practices paper, EFF recommends that OSPs review the EFF Bootcamp materials, which provide the basics on a number of key legal issues for Web 2.0 companies. We also recommend reading EFF’s Legal Guide for Bloggers, which provides a basic roadmap to the legal issues one may confront as an online publisher.
PrivacyFinder.org: Search, but with Privacy
Deeplink by Peter Eckersley
The level of privacy offered by search engines is generally woeful. Last year, the three big players (Google, Yahoo! and MSN) made some improvements by limiting the duration for full retention of logs about who has searched and what they've searched for. That means that after a year or two, it would be harder — though probably not impossible — for the major search engines and their advertising partners to reconstruct a complete history of your searches.
Ask.com went further with their AskEraser feature, which allows users to have their logs deleted and to opt-out of being tracked (Ask.com could have done better by finding a way for opt-out to be available without a cookie).
Despite these improvements, the average Internet user still has very little privacy for their search history. We have documented the measures you can take to protect yourself, but they aren't all that simple.
So it's exciting to report that one small search engine is experimenting with ways to be an aid, rather than a threat, to privacy. PrivacyFinder is a research project at the CMU Usable Privacy and Security Laboratory (full disclosure: Lorrie Cranor, who heads the lab, is also on the EFF Board). It offers an interface to Yahoo! and Google, but with two notable improvements: an excellent logging/data retention policy, and a feature that shows the user information about sites' privacy policies along with the search results. That way, if two sites offer the same service but one of them is better from a privacy point of view, the user will see that quickly. The PrivacyFinder researchers tell us they've observed that people will, for instance, pay more for an item from an online store if they can see that it has an excellent privacy policy.
PrivacyFinder seems to be making productive use of P3P, an old privacy standard that has, in many other respects, fallen short of expectations. If you run a search on the site, you can quickly see when one result matches your standards and others don't.
PrivacyFinder's logging policy is amongst the best in the industry (Ixquick is also first-rate). PrivacyFinder only keeps search records for a week, unless the user explicitly opts in to being tracked. Because the CMU Laboratory wants to do research on the use of search engines, it's offering prizes for people who are willing to be tracked for research purposes. That's the way we like to see it done.
Meanwhile, several other developments are in the works. New York State legislators have been talking about taking parts of the search privacy problem into their own hands. There are rumors of new startups planning to enter the "privacy search" market. And EFF is working on a scorecard for systematically evaluating the effectiveness of various privacy measures at search engines. Stay tuned to Deeplinks for future developments!
Latest Test for DMCA Safe Harbors: Warner Sues SeeqPod
Deeplink by Fred von Lohmann
Warner Music Group has sued SeeqPod (complaint, 500k PDF), a "Web 2.0" music search engine (combined with embeddable playlists, etc, etc) that has been gaining in popularity in recent months.
This is the latest in a string of lawsuits against Web 2.0 companies. Together, the suits represent an attack by the entertainment industry on the DMCA safe harbors that protect hosting services and search engines. Other similar cases have been filed against YouTube, MP3Tunes.com, Veoh, PornoTube, and Divx/Stage 6.
The SeeqPod case is different, however, because it is among the first that directly tests how copyright law applies to search engines. Despite the success of search engines like Yahoo and Google, there has been remarkably little case law developed on the copyright front. Part of the reason is because Congress stepped in with the DMCA safe harbors in 1998, creating some degree of certainty where the background legal concepts (e.g., contributory infringement) did not. In addition, by endorsing a notice-and-takedown regime, the DMCA safe harbors created a solution for many copyright owners that is cheaper than litigation.
But now, as search engines become more specialized and capable, certain copyright owners have become increasingly dissatisfied with the notice-and-takedown bargain struck in the DMCA. That's what these lawsuits are really about -- the defendants are complying with the letter of the law, but copyright owners are now trying to change the rules in court.
Of course, the SeeqPod case may settle (as a similar case brought by Warner against iMeem did). But the copyright issues will not be going away anytime soon (in particular, keep your eye on the remand in the Perfect 10 v. Google case, where the DMCA safe harbor issues may take center stage).
UPDATE: LA Times reporter Jon Healey has an interesting post about the case over at his Bit Player blog, suggesting that SeeqPod is unfairly trying to evade royalty obligations that its competitors must pay. We spar more over this in the comments over there.
Subpoenas and Your Privacy
Deeplink by Fred von Lohmann
My latest piece for Law.com, entitled "Could Future Subpoenas Tie You to 'Britney Spears Nude'?" (their title, not mine), discusses all the information about you being stored by Google, Yahoo, AOL and other Internet intermediaries. Google, for example, has confirmed that if given an IP address, it can produce a list of every Google search query ever sent from it.
All that information is becoming an irresistible target for lawyers wielding subpoenas. The spat between Google and the Department of Justice that came to light a couple weeks ago is just the tip of a much bigger subpoena iceberg. As the New York Times reports today, AOL is receiving more than 1,000 subpoenas each month seeking information about AOL users. Although today the vast majority of those subpoenas are from law enforcement agencies, an increasing number are from civil litigants trying to dig up information about their adversaries.
Complete text of "Could Future Subpoenas Tie You to 'Britney Spears Nude'?" after the jump.
DOJ Gone Google-Fishin'
Deeplink by Kurt Opsahl
The DOJ's demand for one week's worth of search histories has raised the concern that the government will go fishing into the data set, looking for searches and for keywords that worry the government. Even if IP numbers or other identifying data is not provided, what is to prevent the government from returning to Google with a second subpoena?
Over the weekend, Newsweek reported that:
Though the government intends to use these data specifically for its COPA-related test, it's possible that the information could lead to further investigations and, perhaps, subpoenas to find out who was doing the searching. What if certain search terms indicated that people were contemplating terrorist actions or other criminal activities? Says the DOJ's [spokesperson Charles] Miller, "I'm assuming that if something raised alarms, we would hand it over to the proper [authorities]." (emphasis added)
If Mr. Miller is accurate, this shows that the DOJ's civil division is not afraid to venture beyond the confines of the underlying COPA case (and the protective order), and data mine the deeply personal data provided by Google (and the other search engines) to find suspicious searchers to subject to scrutiny by the criminal division.
Not only is this dangerous plan constitutionally suspect, it raises the possibility that innocent people will be suspected based on false assumptions about their searches (think about whether all the Amazon or TiVo recommendations based on your habits really captured what you were looking for). It's time for the DOJ to give up this dangerous experiment in abusive and overreaching discovery, and assure the public that the government will not use your search histories as an investigative tool.

