Teaching about Privacy and Surveillance: Real Life is not an Episode of ‘24’

Privacy is an increasingly important social implication of technology, and we spend quite a bit of time about it in our required undergraduate ethics and social implications of technology class, CS 4001. Since we’re talking about privacy, it makes sense to talk about surveillance. Since 2004, I’ve taught a class about The USA PATRIOT Act, and more recently I’ve added a class on information revealed by Edward Snowden. I spend more time preparing for those classes than for any other two or three put together—it’s confusing and complicated. There are provisions of the Patriot Act that are absolutely essential—like broadening the jurisdiction of warrants to tap phones to the entire country (rather than making you get a warrant in each state). And others that are egregious violations of our liberty—like the section 215 provision that lets the government get the records of any organization without a warrant or probable cause and bars the organization from acknowledging the search. The FBI can simply demand the membership list of a mosque—and they have done so. For the last two years, I’ve assigned my students to watch the PBS Frontline documentary United States of Secrets, about US warrantless surveillance (“The Program”) and information leaked by Edward Snowden. In our class discussion, we don’t focus on Snowden, but on other people—like NSA analyst Thomas Drake—and the tough decisions they had to make. After class on Tuesday where I carefully spell out what’s allowed under the Patriot Act and the Foreign Intelligence Surveillance Act (FISA), I feel like a bit of fool on Thursday when we discuss The Program and the fact that all those rules aren’t really followed anyway.

I do my best not to express any opinions to my class—I present the facts, and ask them what they think. And as much as possible, I emphasize tradeoffs and try to show the issues as complicated. And then I walk back from class and scratch my head—what do I actually think?

After class last week, two things became clearer in my mind. The first is about checks and balances. My children are learning about checks and balances in elementary school social studies class. Checks and balances are fundamental to how our government works. And it suddenly became evident to me that most cases of the system going too far are situations where checks and balances are not occurring. You don’t need a court order to get records with a National Security Letter (NSL). Why not? A secret court like the FISA court could do the job. And if it’s urgent, the review could take place within a reasonable time after the fact (as FISA mandates for surveillance.) It’s too much to ask any one branch of government to police themselves. The FBI needs to pursue things as aggressively as they dare, and the judiciary needs to say, “You may go this far and no farther.” Parts of the Patriot Act removed checks and balances, and procedures without checks and balances are where we get into trouble. Everything you need to know we all learned in elementary school—but somehow, we’ve forgotten it.

The second thought is about means and ends. It is possible for me to describe a fictional situation in which reasonable people would agree that that the ends justify evil means—like recording everyone all the time, or torturing someone for information. If you don’t agree with that statement, make the situation more extreme until you do. But in real life, the evidence for the need is almost never that compelling. If you demand an iron-clad case, you’ll (almost) never say the ends justify evil means in real situations. Real life is not an episode of ’24’.

Hulk Hogan and Social Media as the New Big Brother

Have you ever said anything you regret? Anything that is a little bit offensive? Anything that might get you fired? Ever get angry and vent inappropriately? Have you done that any time in the last eight years?

Last week, wrestler Hulk Hogan was released from his contract by the World Wresting Federation (WWE) because he had been recorded in a racist rant eight years earlier. Am I the only person disturbed by this? I don’t condone racism. And I’m not ready to invite Hogan over for tea. But was it a pattern of behavior over time, or just one rant? He apologized for the rant. Are we allowed to be wrong and grow and change any more? No matter what he said, should a person’s life be changed by one rant?

WWE is a publicly traded company, and they are within their rights to fire anyone for not meeting the terms of their contract. I don’t know what Hogan’s contract says, but I’m sure they have a lot of leeway. Hogan has moved over the years from being a feature attraction, to nice to have around, to now a liability—so they let him go. But this is representative of a broader trend: we are moving dangerously close to a world foretold by old science fiction novels. Where one angry moment, captured on video, changes your life. In Orwell’s 1984, it was the government that was responsible for surveillance. In 2015, it’s the public and the media—spread via social media. Social media is the new Big Brother.

OK, at least Hogan knew he was being recorded. That’s not true for the employees of Planned Parenthood who were surreptitiously recorded, and the results edited and shown out of context for political purposes. It’s not true of the employees of Acorn who similarly targeted in 2010. And it’s not true of LA Clippers owner Donald Sterling, who was recorded making racist remarks by his girlfriend in his own home. As a result of those remarks, Sterling was forced to sell the team. His case is arguably the most disturbing, because he was in his own home at the time the remarks were made. Lately it seems like we all might be recorded at any time. You have the right to remain silent. Anything you say may be used against you in the court of public opinion. 

Hulk Hogan might be a bit racist. A preponderance of reports confirms that Donald Sterling is definitely a racist—that tape was just the tip of the iceberg. But no matter how despicable Sterling is, I believe in his right to privacy in his own home. The source of these privacy violations is not the government, but the easy ability to record video and share it over social media. But the solution to our eroding privacy is not clear.

More on anonymizing tweets and Internet research ethics

Twitter research ethics are complicated, and deserve a more nuanced treatment than my short post from yesterday. I’ll take a stab here at saying a bit more:

Question 1: Is analyzing Twitter “human subjects research”?

I want to start by looking at US law. (Note that this is only applicable in the US and only applies to federally funded research, though some companies chose to voluntarily follow these rules and most universities apply the rules to all research whether it is federally funded or not.)  The policy states that several categories of work are exempt from the rules, including:

(4) Research involving the collection or study of existing data, documents, records,  pathological specimens, or diagnostic specimens, if these sources are publicly  available or if the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.

It’s pretty clear that Twitter data (on open accounts) is existing data that is already publicly available. So legally speaking, I believe researchers are well within their rights to simply use it at will. It’s public, so you can use it. But should you?

Ethical is a higher standard than legal. As Jim Hudson and I found in our study of people chatting on Internet Relay Chat (IRC), people often misunderstand the public nature of online communications. This leads to my second question:

Question 2: If people have expectations of privacy that differ from expert opinion on what is “reasonable,” does that need to be taken into account?

I don’t think there’s a simple answer to that question. It probably has to be addressed on a case-by-case basis.  And if people’s expectations are persistent and continue to differ from the written rules, maybe the rules need to evolve.

If you do consider research on Twitter to be human subjects research, then you need to apply for IRB clearance, and you probably have good grounds to request a waiver of consent.  A waiver of consent is possible in these circumstances:

(d) An IRB may approve a consent procedure which does not include, or which alters,

some or all of the elements of informed consent set forth in this section, or waive the requirements to obtain informed consent provided the IRB finds and documents that:

1) The research involves no more than minimal risk to the subjects;

(2) The waiver or alteration will not adversely affect the rights and welfare of the subjects;

(3) The research could not practicably be carried out without the waiver or alteration; and

(4) Whenever appropriate, the subjects will be provided with additional pertinent information after participation.

In such a case, an IRB might request that the tweets be anonymized, and this would contribute to making the case that the work presents minimal risk. This sounds like a great approach for research on sensitive topics, like epidemiology for example.

Because part of my research is about people’s creative accomplishments online, I am more likely to encounter situations where anonymizing people is unethical because it denies them credit for their work.  We only name people in accounts at their written request, by marking that on a consent form.  And our projects generally use mixed methods—with a combination of analyzing people’s online postings and interviewing them.  I believe this mixed methods approach often gives better research results, and necessarily makes the work human subjects research rather than merely analysis of public information.

I personally prefer to view Twitter research as human subjects’ research and apply for a waiver of consent. Thinking through a formal IRB application and soliciting help from IRB members can help you to think through the details of how to treat your subjects in accordance with principles of beneficence, justice, and respect for persons.  Ethical is after all a higher standard than merely legal.

That said, the public nature of Twitter data is hard to deny.  Maybe the rule about pre-existing, public information needs to be rethought. Something more nuanced would serve us better.

Do we need to anonymize tweets in published accounts?

In this article about tweets being made available to researchers, the authors quote two epidemiologists saying ethical use of Twitter should anonymize tweets:

Caitlin Rivers and Bryan Lewis, computational epidemiologists at Virginia Tech, published guidelines for the ethical use of Twitter data in February. Among other things, they suggest that scientists never reveal screen names and make research objectives publicly available. For example, although it is considered ethical to collect information from public spaces—and Twitter is a public space—it would be unethical to share identifying details about a single user without his or her consent. Rivers and Lewis argue that it is crucial for scientists to consider and protect users’ 

I disagree. Of course it may be more often true for epidemiology, but it really depends on what kind of study you’re doing. As Kurt Luther, Casey Fiesler, and I have written, sometimes anonymizing users may be morally wrong because you are denying them credit for their work. (“That tweet was really funny–I want my name on it!”) Twitter is public, published material. The contents of private Twitter feeds are for followers only, but the contents of public feeds arguably are as public as a newspaper article.  If you want to take extra precautions to anonymize people, that’s fine.  But to say it’s always necessary is ridiculous. It depends on the type of study you’re doing.

Jim Hudson and I empirically studied how people often misunderstand how public their communications are. The complicated question that follows is: if user expectations are out of line with what experts would call “reasonable,” how should the scholarly community proceed? Dealing with things on a case-by-case basis is the best we can do for now.

Why teach about the USA Patriot Act if the government doesn’t even follow it?

Most fall semesters I teach CS 4001 “Computers, Society, and Professionalism.” I love the class–we cover ethics, argumentation, professionalism, and the social implications of technology. As part of the class, I always teach a lecture about the USA Patriot Act. It’s a labor of love–it takes me three or four times as long to prepare for that class than any other class in the semester, because it’s so complicated and there’s always new news to sort through. Were the “gag order” provisions found unconstitutional or not? What’s the difference between the Protect America Act (which expired) and its new incarnation in the the FISA Amendments Act?  The details go on and on.  I teach class in a studiously neutral way–There are tradeoffs between security and privacy, and where to draw the line is complicated.

PBS Frontline has come out with a new three-hour documentary “United States of Secrets” which takes on a lot of these issues. I highly recommend watching it.  What the US government has been actually recording goes well beyond what is authorized by the Patriot Act. But what I found most depressing about it was not that we are being spied on, but that some government officials apparently have been ignoring the rule of law. For example, the NSA constructed a tenuous theory to give them permission to record basically everything, and the US Attorney General signed off on it. OK, I don’t like the theory, but at least there was an attempt at legality.  But later when the Attorney General changed his mind and decided the program was illegal, the NSA just asked the White House Council to sign off on it instead. Really?  Mom said no so you ran and asked Dad?  (More like Mom said no so you ran and asked your uncle.)  And then there are the videos of the President and other officials flat-out lying to the public and to congress.  They didn’t say “I can’t discuss that”–they lied and said the surveillance wasn’t happening.

It was heartening to see the whistleblowers profiled in the film. There are plenty of good people who tried to speak up–going through every possible internal proper channel before finally going to the press. Our class covers ethical procedures for when and how to become a whistleblower, and the whistleblowers profiled followed those procedures impeccably. And these aren’t civil libertarian liberals–they are pro-defense conservatives who are appalled by what is going on. But in another depressing turn, the government then goes after the whistleblowers, turning their lives upside-down.

What’s the point of teaching students about a law if what the law says doesn’t change how the government actually operates?

Checks and Balances on Surveillance of US Citizens: The Role of Watchdog Organizations

The surveillance of US citizens by the US National Security Agency (NSA)’s PRISM program revealed in the media this week was reviewed and approved by a court (the FISA Court).  I’d like to know more about what kind of review that court actually conducts–do they automatically approve requests, or are requests given detailed scrutiny?  I’m skeptical that going on a fishing expedition through everyone’s data is wise–it seems like the antithesis of what was intended in our constitutional protections. But on the other hand, I’m somewhat comforted by the knowledge that at least some kind of court review took place.  The main safeguard of our liberty is the system of checks and balances between branches of government.  Today the ACLU published a nice blog post explaining why check and balances are the key issue in this controversy.

Are checks and balances functioning as intended?  And what about provisions of the USA Patriot Act like National Security Letters (NSLs) that circumvent checks and balances entirely?

A bit of historical context will help. In the wake of the Watergate scandal, we were left with a quandary: when is it OK to spy on people?  Clearly it’s not OK to spy on other political parties in the US, but what if we suspect someone is actually spying on us for a foreign power?  What if we want to spy on foreign powers? The Foreign Intelligence Surveillance Act (FISA) set up rules, and created the FISA court to make decisions about where to draw the line.  FISA sets up checks and balances between branches of government–the judiciary (The FISA Court) oversees what the federal government and law enforcement are doing and helps them figure out what is allowable. The people going after the bad guys are expected to pursue their targets with maximum enthusiasm using every tool at their disposal, and the judiciary sets limits and helps them draw the line in an appropriate place. As far as I can tell, FISA did a nice job of balancing privacy and security.

In the wake of the September 11, 2001 terrorist attacks, the USA Patriot Act eroded that balance.  It is an enormous document that legislators literally could not have read before approving.  The time between introduction of the bill and congressional approval was too short for anyone to have even read it through once. Two areas are particularly concerning to me: National Security Letters and Section 215.

When the government issues a National Security Letter (NSL), it can obtain access to all of a person’s records of any kind, even if that person is not suspected of a crime.  The information merely needs to be declared relevant to an ongoing investigation of terrorism or espionage.  Anyone receiving a request for documents under this provision is barred from telling anyone–a “gag order.”  There is no court review.  In March 2013, in a case brought by the Electronic Frontier Foundation, NSLs were declared unconstitutional and the government was barred from enforcing gag orders on them.  This is just latest in a long series of legal battles, and an appeal of this decision is expected.

Section 215 of the Patriot Act modifies FISA to allow the FBI to request “books, records, papers, documents, and other items.”  Like NSLs, the materials merely need to be deemed relevant to an investigation–the targets need not be suspected of any crime.  Fortunately, section 215 requests do undergo judicial review. However, such requests are made ex parte–the person themselves is never notified of the request and has no opportunity to oppose it.  In 2003, the ACLU brought suit against the government on behalf of a Mosque in Michigan that believes its membership records had been obtained by these means.  Slate believes that section 215 has been used to authorize PRISM.

I give a lecture each year in my class CS4001 Computer, Society, and Professionalism on FISA and The USA Patriot Act.  And it’s a labor of love–I spend more time updating my notes for that class each year than for any other half a dozen classes combined.  This stuff is insanely complicated and confusing.  (And if there are experts who see any errors in what I’ve written, corrections are greatly appreciated!)  There are provisions of these acts that are important to our safety and security.  For example, wiretaps used to be restricted to a particular (land) phone line in a particular jurisdiction.  In the age of cheap disposable cell phones, The Patriot Act allows law enforcement to get a warrant to tap the phone of a particular individual, whatever phone they are using and wherever they are located.  That’s just common sense.  The USA Patriot Act is a complicated combination of essential tools to help law enforcement in their important job, and egregious erosions of our liberty.  In a 90-minute lecture I feel like I barely scratch the surface of the topic. Although I have been able to glean a bit by reading original legislation and court documents online, much of what I have able to figure out is thanks to documents posted by the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU).  They are both bringing lawsuits on the public’s behalf, and educating citizens about the issues.

If you care about these issues, please support EFF and the ACLU.  The defense of our liberty is supposed to be done by checks and balances between branches of government.  But since those checks are sometimes lacking, our nonprofit watchdog organizations have a key role to play.

Why LinkedIn is Creepy: Asymmetry of Visibility

A friend recently shared this story: he was having trouble finding contact information for an old friend, and it occurred to him that his ex-girlfriend would be in touch. So he looked at his ex’s LinkedIn page to search through her list of contacts.  It turns out, though, that his ex has a premium LinkedIn account, which gives you a list of everyone who has looked at your profile.  She contacted him, “I see you were looking me up….”  This was NOT what he wanted. I suppose if Shakespeare were writing today, this is would be prime material for a modern Comedy of Errors.

What is uncomfortable about this situation is the asymmetry of visibility and awareness. She has a premium account, and can see more. He does not, and was erstwhile unaware that anyone had the ability to track profile views. It’s like a hidden surveillance camera. Principles of social translucence suggest that mutual visibility facilitates successful cooperative behavior. One-way mirrors are creepy.