Posts Categorized / Mobility

Research Ethics and the Blackberry Project

Posted Posted by michaelzimmer in Internet Research Ethics, Mobility     Comments 2 Comments

Forbes privacy columnist Kashmir Hill recently published a profile of University of Texas-Dallas developmental psychology professor Marion Underwood‘s large-scale research project titled “The Blackberry Project.”

The Blackberry Project (formerly known as the Friendship Project) is an ongoing longitudinal study examining teen behavior and sociability, which first recruited its subjects in 2003 (starting with 281 third and fourth graders from 13 Dallas public schools) and relied on yearly laboratory and home observation and surveys for data collection. Then, in 2009, the subjects (now entering 8th grade) were provided with BlackBerry devices with unlimited text and data plans paid for by the investigators. The devices were configured so that the content of all text messages, e-mail messages, and instant messages was saved to a secure server to be mined by the researchers — over 500,000 messages a month are being archived. Preliminary analyses have been published in Developmental Psychology.

The result? Hill puts it best in her headline and opening thoughts:

A Texas University’s Mind-Boggling Database Of Teens’ Daily Text Messages, Emails, and IMs Over Four Years

For the past four years, the University of Texas-Dallas developmental psychology professor has essentially wire-tapped 175 Texas teens,  capturing every text message, email, photo, and IM sent on Blackberries that she provided to them, creating a rich database that now contains millions of funny, explicit, sexual, and inane messages for academic study. Half a million new messages pour into the database every month. This summer, she’s adding Facebook content to the mix as well. The teens sacrificed their privacy for science… and a free smartphone, data plan and unlimited text messaging.

Dr. Underwood’s study has been approved by UT-Dallas’s Institutional Review Board, and she’s also received a Certificate of Confidentiality from the NIH, which are only granted after considerable scrutiny. Each participant is given a unique identification number so that all information that is collected is, according to the project website, “de-personalized”. The research data is stored securely with the help of Ceryx and Global Relay, data security providers who typically work together to store and archive electronic communication data for financial institutions. The archive is password protected and can only be accessed by a small group of selected researchers.

In short, this large-scale and long-term project has undergone considerable review, and appears to be taking privacy and security quite seriously. That said, there remain certain ethical concerns about the research worth discussing. read more

Facebook Places Privacy Falls Short, Part 2: Opting-Out

Posted Posted by michaelzimmer in Mobility, Privacy, Social Media     Comments 2 Comments

A few days ago I blogged about how I was able to check my wife into a local liquor store using Facebook Places without her permission, despite Facebook’s insistence that “No one can be checked in to a location without their explicit permission”. This check-in has remained visible in my news feed, and depending on  my privacy settings, may be viewable by any logged in Facebook user. Presumably there also is a database at Facebook that contains a record of my checking-in my wife into this location. Again, all without my wife’s explicit consent to participating in this new “feature”. (Please see that post for more details and valuable discussion, plus news coverage, of this discovery.)

Now, four days later, my wife had a chance to react to the notification she received from Facebook regarding my tagging her, and I thought I’d share a few more reactions to her attempt to opt-out of Places altogether.

First, it is important to note that until my wife took any action, my ability to check her into places in this fashion remained. She’s a busy person, and generally only checks her personal email account a couple of times a week. Today was the first chance she had to log in and view the message Facebook sent regarding my attempt to check her into the liquor store.

Notice how the email prompts you with an enticing green “Allow Check-ins” button, and only a smaller textual link to learn more about what this is all about. Remembering that I’ve been talking about Places around the house the past few days, my wife figured she didn’t want anything to do with it, so she just ignored the email altogether. I suspect many others would do the same, and as a result, there was zero opportunity here to adjust the privacy settings to prevent any future interaction with Places or fully opt-out of the feature.

Next, my wife decided to log into her Facebook account itself. She’s not all that active on Facebook, with her last meaningful update being a note in May about, coincidentally, my appearance on NPR’s Science Friday about Facebook and privacy. Thankfully, and to Facebook’s credit, upon logging in she was immediately met with a prompt to act upon my attempt to check her in to the liquor store.

Here, the two primary options are “Allow Check-Ins” and “Not Now”. There’s again a secondary text link to “Learn more”.  My wife, again, didn’t want anything to do with Places, and said out loud “how do I just turn it off”. Obviously, there’s no simple way of doing that from this prompt, as clicking “Not Now” just makes the prompt disappear, but nothing else happens. There’s no suggestion to go check out your privacy settings. Hopefully users will click “Learn more” to discover what Places is and their privacy options; but in the case of my wife (a very well-educated and web-savvy user), she just clicked “Not Now” and was left with nothing.

Thankfully, I suggested she go to her privacy settings to properly opt-out of the Places feature. But once there, she was met with what appeared to be the same array of privacy options that was launched earlier this year.

Looking more closely one notices, embedded in the light gray list of privacy options, a “Places I check into” category, withe a little question mark. Hover over that icon, and you learn what this item is about.

Following the prompt, my wife clicked on “Customize settings”, which brought her to another familiar page of privacy settings, again with no obvious indication of what new settings were added for the Places feature. After hunting, she finally noticed the “Places I check in to” and “Include me in “People Here Now” after I check in” options, which she modified.

And then she figured she was done.

Until I pointed out there were more privacy settings that required adjustment to fully opt-out of Places. Further down this page is perhaps the most important privacy setting: “Friends can check me in to Places”. She disabled this, wondering why it was practically hidden on the page, requiring one to scroll and really look for it.

Finally, I showed her how she had to go back to the main privacy settings page, then click on “Edit your settings” under Applications and Websites, and then click on “Edit settings” under Info Accessible Through Your Friends. Here, she made sure that “Places I check into” was not selected.

It took all these steps to properly opt out of Places. Not only was it confusing, but there was no guidance on how to navigate the myriad of settings required to opt-out. (I recognize there is a video and some information in the “learn more” links, but she didn’t want to learn more, just to opt-out.) Facebook provides no message when she first went into her privacy settings that there were new options that she should take a look at.

Overall, the process of completely opting-out of Places remains unintuitive and cumbersome. That’s poor privacy design, and Facebook should know better by now.

Note, too, that disabling check-ins by others does not affect previous check-ins. My wife’s name still appears in my original check-in to the local liquor store, as well as on the “friend’s activity” on the liquor store’s page, and, presumably, in Facebook’s database of who has been checked into that location. She must manually “remove tag” from each and every Places check-in that has occurred prior to her disabling the service….and no where was she proactively told she should do that. Over the days between launch and her eventual logging into Facebook to try to disable the service, I could have been checking my wife into dozens of places, each which would need to be located within her feed and removed manually.

Again, I think Facebook has done a better job designing Places compared to many of their recent product launches. But there is much to be desired for how they designed the privacy settings & user interface, and, in the end, it remains that users can be checked into places without their permission.

Facebook Places Privacy Falls Short: Non-Authorized Check-Ins by Friends are Visible

Posted Posted by michaelzimmer in Mobility, Privacy, Social Media     Comments 12 Comments

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Facebook has finally launched its location-based service: Places. Places allows Facebook users to “check in” wherever they are (or pretend to be) using a mobile device, and let’s their friends know where they are at the moment.

Facebook has tried to do a better job addressing privacy with Places compared to previous launches of new “features”. Particularly, Facebook brags that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.”

And while many applaud Facebook for the design of Places (the best design decision, perhaps, was to make check-ins visible to friends only by default, rather than everyone), there are some serious ways in which Facebook has fallen short in fully protecting user’s locational privacy.

The folks at EPIC, EFF, and DotRights have each done a good job outlining the primary concerns, and I don’t want to repeat them all here.

But as I’ve played around with the service, I’ve uncovered a problem with Facebook’s assertion that “no one can be checked in to a location without their explicit permission.”

While Places is largely an opt-in service — one needs to install and use it on a mobile device — anyone can be “checked-in” to any place by a friend. This can happen regardless of whether you use the service yourself. If you get checked into a place by someone, and you haven’t already authorized the service or these kinds of check-ins, you’ll receive an email asking if you want to allow check-ins by friends. Below is an email received by my wife when I tagged her as joining me at a local liquor store.

Given Facebook’s assertion that “No one can be checked in to a location without their explicit permission,” presumably my wife won’t be checked into this location until she clicks “Allow Check-ins” on this alert message.

She didn’t click, and hasn’t made any other changes to any of her Facebook settings. Yet, if any of my friends look at my Facebook feed, they’ll see the status update of my check-in at the liquor store, with my wife’s name there with me:

And her name also appears with my check-in on the location’s page automatically generated by the Places service:

So, where does this leave us?  My wife has not authorized me (or anyone) to check her into places. She doesn’t use the service. In fact, she wasn’t even at the liquor store at all.

Yet, I was able to tag her in my check-in, and all my friends now see her name linked with my check-in as if she was there. Granted, the check-in does not show up in her news feed, but it is there in mine, and I suspect if I had my privacy settings set to “Everyone”, then everyone would see my wife’s name as being checked into the liquor store.

UPDATE: I’ve tested having my settings on Everyone, and then looking at my feed from a dummy account I have (yeah, violating the TOS, I know). Here’s the screenshot confirming my wife’s name is visible alongside mine to the entire universe:

Recall Facebook’s claim that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.” My wife did not explicitly choose to become part of location sharing. She did not give any explicit permission to be associated with this location. Yet, there her name is, and anyone viewing my feed can now associate her with being at this location. It is unknown whether this association between her name/account and this location is logged within Facebooks databanks, and thereby available to be shared with marketers, handed over to law enforcement, etc.

This is a serious problem. Names and linked user accounts should not be associated — in any way — with a particular location unless they explicitly consent to it. Facebook needs to listen to its own rhetoric and make the necessary changes to protect user’s locational privacy. I should not be allowed to tag someone in a check-in unless they’ve taken the positive step of authorizing check-ins from friends. Locational privacy needs to be fully opt-in, not opt-out.

[I haven't yet checked to see if my wife's name will disappear from this existing check-in if she takes the affirmative step to disallow friends from checking her into place. I'll post an update once that happens] See this post where I detail the steps it took for my wife to opt-out, and that her attachment to this particular check-in remained.

UPDATE: TechCrunch just posted a similar discovery, and they don’t seem all that worried about it, noting that “Facebook treats this as if you were tagged in a basic status update.” But there’s a meaningful difference between simply being tagged in a status update, and having your location unknowingly disclosed in a status update. And this is the critical issue that Facebook again has misunderstood: tagging someone’s geographic location is not something to be treated like every other Facebook activity.

UPDATE: There’s been assorted media coverage of my discovery and our subsequent discussion:, MediaPost, SC Magazine, CBC News.

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Google Adds Location History to Latitude: Feature Request, or Strategic Rollout?

Posted Posted by michaelzimmer in Mobility, Privacy, Search Engines, Values In Design     Comments No Comments

When Google launched Google Latitude 9 months ago, they took steps to ensure users’ locational privacy was protected. Among the most important privacy-protecting features was the fact that Google didn’t keep a log of user locations on its servers; only the most recent locational ping was stored. Not even law enforcement could gain access to a user’s location history. This design decision, apparently made in consultation with the Electronic Frontier Foundation, was a very positive step for Google, who I have taken issue in the past with regard to its approach to (not) protecting locational privacy.

Last week, however, this all changed. Google announced two new “features” in Latitude: Location History and Location Alerts.

Location History allows users to opt-in to having Google keep a history of their locational data tracked by Latitude. Only you can see it, and you can remove items from your history, which is great. But for everyone who activates this service, there’s now a log in Mountain View of everywhere your cellphone has been, a log that could be shared with third parties in according with its privacy policy.

More people might activate Location History when they learn about Location Alerts, a service that notifies you if a friend happens to be nearby. The beauty of Location Alerts is that you won’t be altered when people are simply engaging in their routine activities (ie, you won’t be alerted every time your coworker sits down at their cubicle across from you) . Instead, it “learns” what users’ “normal” locations are, and only notifies friends if they are nearby in an unusual place or time. To make this work, you need to have Location History activated, and in the process, Google is able to create a type of “locational profile” for each user. It is unclear whether this profile might be used for other purposes (ie, targeted advertising).

Google, of course, realizes the privacy implications of all this, and again takes some steps to help mitigate these concerns. there are FAQs for each product detailing how they work and the privacy concerns; the services are op-in; users are reminded periodically when they have Location History activated (Google should do this for all products, btw).

But all this makes me wonder: did Google plan to provide these services from the start, just with a delay? Did Google learn the lessons of Facebook, who repeatedly bites off more than it can chew as it relates to users’ privacy, and decided to launch Latitude without these features, thereby winning the praises of privacy advocates (guilty), and then strategically add them 9 months later, claiming it is simply in response to user demand?

If my fears are true, it’s not quite what I had in mind when calling on Google to engage in value-conscious design in order to protect user privacy.

New Attention to Locational Privacy Threats

Posted Posted by michaelzimmer in Mobility, Privacy     Comments 1 Comment

Recently, the EFF released a report named “On Locational Privacy, and How to Avoid Losing it Forever“, introducing some of the basic threats to locational privacy:

Over the next decade, systems which create and store digital records of people’s movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future.

Here are some examples you might already have used or read about:

  • Monthly transit swipe-cards
  • Electronic tolling devices (FastTrak, EZpass, congestion pricing)
  • Cellphones
  • Services telling you when your friends are nearby
  • Searches on your PDA for services and businesses near your current location
  • Free Wi-Fi with ads for businesses near the network access point you’re using
  • Electronic swipe cards for doors
  • Parking meters you can call to add money to, and which send you a text message when your time is running out

These systems are marvellously innovative, and they promise benefits ranging from increased convenience to transformative new kinds of social interaction.

Unfortunately, these systems pose a dramatic threat to locational privacy.

And today, the New York Times has an op-ed by Adam Cohen lamenting the threats to locational privacy in our contemporary technological ecosystem:

A little-appreciated downside of the technology revolution is that, mainly without thinking about it, we have given up “locational privacy.” Even in low-tech days, our movements were not entirely private. The desk attendant at my gym might have recalled seeing me, or my colleagues might have remembered when I arrived. Now the information is collected automatically and often stored indefinitely.

It’s good to see this attention to locational privacy, but it’s equally important to recognize that these threats aren’t new: I’ve been blogging and advocating for attention to privacy in public, privacy on the roads, and locational privacy for a number of years now (and I’m certainly not the only one). I’ve also published about particular threats to privacy on the roads (here and here), and tried (with limited success) to engage with designers of new vehicle-technologies to design privacy into the new protocols.

I’m thrilled to see the EFF draw renewed attention to locational privacy. I just hope they’re not too late to start advocating for change…

Quick links: Cellphone privacy

Posted Posted by michaelzimmer in Mobility, Personal Tech, Privacy     Comments No Comments

A couple of stories popped up on my radar this morning related to cellphone privacy:

With Latitude, Google Actually Got it (Mostly) Right

Posted Posted by michaelzimmer in Mobility, Privacy, Search Engines     Comments 2 Comments

This week, Google launched Google Latitude, a new Google Maps feature that lets users share location data with friends, using either a mobile phone or through an interface on iGoogle. (see how it works here)

Unsurprisingly, concerns have arisen regarding the privacy implications of Latitude, and I, of course, have taken issue in the past with Google’s approach to (not) protecting locational privacy (as well as cellphone tracking in general).

But this time, I think Google got it right, and designed Latitude with user privacy in mind.

Here’s a quick rundown (based on my analysis of the help pages and this video) of what Google’s done to help give users control of their information flows in Latitude:

  • Only friends you have explicitly invited or accepted can see your location
  • You can hide your location to everyone so no friends can see where you are (and neither will Google)
  • You can hide your location to select friends
  • You can share only city-level data with select friends
  • You can manually select a location on the map that will be shared with friends (which means you can send the wrong location to obfuscate your location)
  • And, perhaps most importantly, Google is not logging your pings to servers; they only keep you latest location on file

Now, Privacy International has made some waves with their strongly-worded condemnation of Latitude. PI’s main concern is that someone could have Latitude surreptitiously activated on their phone, allowing employers, spouses, parents, stalkers, etc to track their location. While possible, this seems an unlikely scenario (and, besides, businesses have much better ways of tracking employees, as do parents their kids). That said, I do agree with PI that it would be wise for Google to create some kind of persistent warning/reminder to users that they are sharing their location with the data-servers in Mountain View (this alrleady exists on some phones, and only after a period of inactivity).

In sum, compared to Street View and the reluctance to provide a direct link to its privacy policy, I think Google (mostly) got it right this time.

:: As an aside, Google seems to customize the maps that appear on the Latitude homepage based on the geographic location of your IP address. When I pulled up the page from my office, it showed a map of Milwaukee. When I used a proxy, it showed Cambridge. When I used an unresolvable IP, it just showed Manhattan (unless, of course, Google knows I spent my last 7 years in NYC, and that’s why it’s showing that by default! :) ).

"Is My Cellphone Spying on Me?" Eagle Eye DVD Commentary

Posted Posted by michaelzimmer in Mobility, Personal Tech, Privacy, Professional     Comments No Comments

Following up, the DVD for the hit action/thriller movie “Eagle Eye” has been released. The second disc of the 2-disc special edition includes the commentary “Is My Cellphone Spying on Me?”, featuring reflections on technology and surveillance by the actors and producers of the film, Marc Rotenberg of the Electronic Privacy Information Clearinghouse, and myself.

As I noted in the UW-M news story about the commentary:

My hope is that movies like this can raise awareness of the privacy and surveillance implications of new technology, and prompt a dialogue. We need to find ways to benefit from these emerging technologies without threatening the liberties we enjoy.

And, yes, I talk to fast when I get excited about a topic.

"Should we be scared?": Privacy & technology (WUWM "Lake Effect")

Posted Posted by michaelzimmer in Internet, Mobility, Personal Tech, Privacy, Professional     Comments No Comments

I recently taped an interview with Milwaukee’s public radio affiliate, WUWM, and it aired today. The topic was privacy and technology, focusing mostly on how to balance the speed and ubiquity of new technology, the conveniences they provide, and the strains they place on personal and informational privacy. You can listen to it here.

Interestingly, I was asked a question I don’t often get: “Should we be scared?”

My reply was basically that fear is not the proper response, but we do need to be concerned and we need to take action, by raising awareness, pushing for more transparency, giving users more control over the flow of their data, providing opportunities to resist, and working to foster the privacy-conscious design of new technologies.

What do others think? Should we be scared?

Commentary for the "Eagle Eye" DVD

Posted Posted by michaelzimmer in Internet, Mobility, Personal Tech, Privacy, Professional     Comments 2 Comments

UW-Milwaukee has issued a nice press release regarding my contribution to the DVD bonus material for the action/thriller movie “Eagle Eye,” which features sophisticated surveillance technologies as one of its plot devices.

The closing paragraph pretty much sums up where we are on the project:

At this point, with “Eagle Eye” flying high at the box office, Zimmer isn’t sure when the DVD will come out or how much of his interview will be on the final version. Still, he says, it was a fun experience and an opportunity to educate the public about some of the issues the movie focuses on. ”My hope is that movies like this can raise awareness of the privacy and surveillance implications of new technology, and prompt a dialogue. We need to find ways to benefit from these emerging technologies without threatening the liberties we enjoy.”

I’m hoping to get a stand-alone copy of the interview to distribute for educational purposes. I’ll keep everyone posted….