Another Bill of Rights

I did a collection called the Bill o’ Rights o Rama. 

Here is a new proposed one, a Gamers’ Bill of Rights, based on another gamers’ bill of rights (this one looks beautiful).

Gamers are customers who pay publishers, developers, and retailers in exchange for software.

They have the right to expect that the software they purchase will be functional and remain accessible to them in perpetuity.

They have the right to be treated like customers and not potential criminals.

They have the right to all methods of addressing grievances accessible by other consumers.

They have the right to the game they paid for, with no strings attached beyond the game and nothing missing from the game.

Gamers’ Bill of Rights
I. Gamers shall receive a full and complete game for their purchase, with no major omissions in its features or scope.

II. Gamers shall retain the ability to use any software they purchase in perpetuity unless the license specifically and explicitly determines a finite length of time for use.

III. Any efforts to prevent unauthorized distribution of software shall be noninvasive, nonpersistent, and limited to that specific software.

IV. No company may search the contents of a user’s local storage without specific, limited, explicit, and game-justified purpose.

V. No company shall limit the number of instances a customer may install and use software on any compatible hardware they own.

VI. Online and multiplayer features shall be optional except in genre-specific situations where the game’s fundamental structure requires multiplayer functionality due to the necessary presence of an active opponent of similar abilities and limitations to the player.

VII. All software not requiring a subscription fee shall remain available to gamers who purchase it in perpetuity. If software has an online component and requires a server connection, a company shall provide server software to gamers at no additional cost if it ceases to support those servers.

VIII. All gamers have the right to a full refund if the software they purchased is unsatisfactory due to hardware requirements, connectivity requirements, feature set, or general quality.

IX. No paid downloadable content shall be required to experience a game’s story to completion of the narrative presented by the game itself.

X. No paid downloadable content shall affect multiplayer balance unless equivalent options are available to gamers who purchased only the game.

The Trouble with Trust, & the case for Accountability Frameworks for NSTIC

There are many definitions of trust, and all people have their own internal perspective on what THEY trust.

As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.

I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.

However, the way the word “trust” is used within the NSTIC document, it often includes far too broad a swath of meaning.

When spoken of in everyday conversation, trust is most often social trust.


Personal Data Ecosystem talk at Digital Privacy Forum, Jan 20th, 2011 in NYC

This is my talk presented to the Digital Privacy Forum produced by Media Bistro, January 20th, 2011 about Personal Data Ecosystem and the emerging consortium in the space.

Thanks for inviting me here to speak with you today.

The purpose of my talk is to share a new possibility for the future regarding users’ personal data that most have not yet explored. It sits between the two extremes of a familiar spectrum.

On one end, “Do not track” using technology and a legal mandate to prevent any data collection.


On the other end, “Business as usual” leaving the door open for ever more “innovative” pervasive and intrusive data collection and cross referencing.

There is a third possibility that aligns with peoples’ privacy needs as well as offering enormous business opportunities.

A nascent but growing industry of personal data storage services is emerging.  These strive to allow individuals to collect their own personal data to manage it and then give permissioned access to their digital footprint to the business and services they choose—businesses they trust to provide better customization, more relevant search results, and real value for the user from their data.

With other leading industry thinkers, I have come to believe that there is more money to be made in an ecosystem that allows users to determine which businesses have access to what data, and under what terms and conditions, than there is under the present more diffused, scattershot, and unethical collection systems. Today I will articulate the broad outlines of this emerging “personal data ecosystem” and talk about developments in the industry.

Those of you who know me will find it unusual for me to have such a keen focus on making money on user data and emerging business models.

I am, after all, known as the “Identity Woman – Saving the World with User-Centric Identity”. Since first learning about issues around identity technologies online in 2003, I have been an end user advocate and industry catalyst.


Online Eviction – a new challenge in this recession?

This post was on slashdot today

Protection From Online Eviction?
from the our-data-our-selves dept.

AOL has been shutting down its free Web services, in some cases with little or no notice to users, and they are not the only ones. This blog post on the coming “datapocalypse” makes the case that those who host Web content should be required to provide notice and access to data for a year, and be held strictly accountable the way landlords are before they can evict a tenant. Some commenters on the post argue that you get what you pay for with free Web services, and that users should be backing up their data anyway. What do you think, should there be required notice and access before online hosts take user data offline for good?

Here are some interesting comments from it.

Why now with the Data Sharing Workshop/Summit?

Link to the Data Sharing Workshop and Summit.

There is a lot of energy right now around different ideas on how to share data across social media sites. Based on current discussions on the lists and other places, it is clear that a range of potential standards and approaches are emerging.

The energy feels a lot like it did when Phil, Doc and I called the first Internet Identity Workshop – at that time there was a cluster of people thinking about and working on different technologies around user-centric identity. We had been meeting at other conferences, but we had not spent time together to really hear different proposed approaches. They all had similar ideas. We recognized this and realized that if we brought them together, it would lead to the emergence of shared understanding and interesting alignments.

At IIW 1 the first day involved participants presenting their different approaches to user-centric identity. The second day was open space – an organized way to support critical conversations that emerged from listening to all the presentations the day before. It was on that day that Brad Fitzpatrick & David Recordon’s OpenID (1), Johannes Ernst’s LID, and Drummond Reed’s XRI/i-names all had a serious conversation that led to a commitment to meet up a month later, and that conversation became Yadis – a group that was joined by SXIP a few months later, and then a few months later this was all folded in and became OpenIDv2.

Another outcome of the Internet Identity Workshop has not matured yet but it is coming along. The card selector metaphor, interfaces and client code to do it are starting to be tested and deployed. The cooperation between Kim Cameron and his Microsoft team with IBM and the Higgins & Bandit open source projects has been fostered at these events. The OSIS (Open Source Identity System) Project and Concordia projects are both doing interoperability testing workshops at the forthcoming RSA conference. OSIS has over 200 tests in their Interop. The range of actors (standards efforts, open source projects, commercial projects and companies) collaborating is impressive.

Phil, Doc and I didn’t know that these would be “outcomes” of the event and certainly did not have them as a “goal.” What we did know was that by getting people together to share their ideas, technology approaches and standards, some good would happen – that is, collaboration, synergy and actual investment in and diffusion of user-centric technologies. We also chose a format with open space that left an open playing field – we were not deciding who got to talk, about what or when. This explicitly neutral, unpolitical way of organizing also facilitated the collaborative environment.

My goal for the 2nd Data Sharing Summit is to bring together participants from:

1) the large companies with 10s of millions of users like Microsoft, Google, Yahoo!, MySpace, Facebook, AOL, Amazon, eBay etc.

2) Small and Medium sized ‘web 2.0’ sites like LinkedIn, RapLeaf, Eventful, Dopplr, Linquia, Dabble, 30Boxes, Magnolia – the whole range of Web 2.0 startups that are focused on services for people that involve people’s data.

3) The Standards Guys (both ad hoc and formal): those putting forward a range of different approaches being proposed for managing the personal data/social network problem. This includes people from the user-centric identity efforts, semantic web standards and tools,

4) Social/Legal/Policy Implications: those thinking about and addressing the social and legal implications of the emerging technologies.

Bringing this range of people together will be a key ingredient in getting this gathering to be fruitful – I know because of who they are and the passion they have for the topic it will be. I am not going to define ahead of time “what the fruit looks like”.

My hope is that there are some similar approaches that can discover each other “now” rather than a year from now when they are ‘going to market’, and decide to cooperate and merge efforts sooner rather than later (like happened with OpenID).

I asked two colleagues who will be attending what they thought the goals were:
* To establish shared consensus about the meaning of data sharing and portability for Internet users.
* To articulate a roadmap for how this can be achieved (and for determining “when we are there”).
* To understand what parts of this roadmap are technical and which are business/social/political/legal.
* To understand which technologies are available and which are emerging to achieve the roadmap.
* To determine how to move forward on the business/social/political/legal challenges.
* get disparate orgs to work together
* get consensus on standards – and feedback
* identify missing standards
* get testing and compatibility labs set up!
* and from an evangelistic POV – get Opt-In included in all systems

I think all of these will move forward in the format of Open Space and the collective participation and discernment at the beginning, middle and end of the conference.
You can add goals here.

When I think about this gathering the big questions include:
* how do people link their information together across platforms with different services?
* how are permissions managed?
* what are the policies that apply?
* what standards exist?
* what code / frameworks are available to do this?
* what does it mean when my blog is the center of my network?
* is there a standard way to update presence?
* how do the identity tools (openID, oAuth, card selectors, data linking) apply?
* how do semantic web frameworks apply?

I hope to create a high-level professional community that is very engaged with these issues because they want to empower their users to have a copy of their data, to be aware of how it is used and to be able to use their data in interesting ways.

I also hope that a community will emerge that will work together, compete over different options and in the end solve the challenging set of problems that need to be addressed to get data sharing to work.

Government data linked together…

From Slashdot:

a story from The Guardian about FBI interest in connectivity between its own database resources and those abroad. It’s spearheading a program labeled ‘Server in the Sky’, meant to coordinate the police forces of the United States, the United Kingdom, Canada, Australia, and New Zealand to better fight international crime/terrorist groups. The group is calling itself the International Information Consortium.

“Britain’s National Policing Improvement Agency has been the lead body for the FBI project because it is responsible for IDENT1, the UK database holding 7m sets of fingerprints and other biometric details used by police forces to search for matches from scenes of crimes. Many of the prints are either from a person with no criminal record, or have yet to be matched to a named individual. IDENT1 was built by the computer technology arm of the US defence company Northrop Grumman. In future it is expected to hold palm prints, facial images and video sequences.”

US government Official says ‘no more anonymity’

From Slashdot:

Privacy no longer can mean anonymity, says Donald Kerr, a deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information. “Protecting anonymity isn’t a fight that can be won. Anyone that’s typed in their name on Google understands that,” said Kerr. Kurt Opsahl of the EFF said Kerr ignores the distinction between sacrificing protection from an intrusive government and voluntarily disclosing information in exchange for a service. “There is something fundamentally different from the government having information about you than private parties. We shouldn’t have to give people the choice between taking advantage of modern communication tools and sacrificing their privacy.” Kerr’s comments come as Congress is taking a second look at the Foreign Surveillance Intelligence Act, requiring a court order for surveillance on U.S. soil. The White House argued that the law was obstructing intelligence gathering.

bill to tie financial Aid to ‘anti-piracy measures’

mm…big brother continues to creep into college.

“The MPAA is applauding top Democratic politicians for introducing an anti-piracy bill that threatens the nation’s colleges with the loss of a $100B a year in federal financial aid should they fail to have a technology plan to combat illegal file sharing. The proposal, which is embedded in a 747-page bill, has alarmed university officials. ‘Such an extraordinarily inappropriate and punitive outcome would result in all students on that campus losing their federal financial aid — including Pell grants and student loans that are essential to their ability to attend college, advance their education, and acquire the skills necessary to compete in the 21st-century economy,’ said university officials in a letter to Congress. ‘Lower-income students, those most in need of federal financial aid, would be harmed most under the entertainment industry’s proposal.'”

The Ups and Downs of electronic surveillance litigation

Creepy, creepy, from Slashdot:

The US government is seeking unprecedented access to private communications between citizens. ‘On October 8, 2007, the United States Court of Appeals for the Sixth Circuit in Cincinnati granted the government’s request for a full-panel hearing in United States v. Warshak case centering on the right of privacy for stored electronic communications. … the position that the United States government is taking if accepted, may mean that the government can read anybody’s email at any time without a warrant.

On the ‘up side’ from the Washington Post:

The AT&T whistle blower Mark Klein is

in Washington this week to share his story in the hope that it will persuade lawmakers not to grant legal immunity to telecommunications firms that helped the government in its anti-terrorism efforts.

“If they’ve done something massively illegal and unconstitutional — well, they should suffer the consequences,” Klein said. “It’s not my place to feel bad for them. They made their bed, they have to lie in it. The ones who did [anything wrong], you can be sure, are high up in the company. Not the average Joes, who I enjoyed working with.”

His story as articulated by the Post is as follows:

The job entailed building a “secret room” in an AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office and assigned to the Internet room. He asked a technician there about the secret room on the 6th floor, and the technician told him it was connected to the Internet room a floor above. The technician, who was about to retire, handed him some wiring diagrams.

“That was my ‘aha!’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”

The diagram showed splitters, glass prisms that split signals from each network into two identical copies. One fed into the secret room, the other proceeded to its destination, he said.

“This splitter was sweeping up everything, vacuum-cleaner-style,” he said. “The NSA is getting everything. These are major pipes that carry not just AT&T’s customers but everybody’s.”

One of Klein’s documents listed links to 16 entities, including Global Crossing, a large provider of voice and data services in the United States and abroad; UUNet, a large Internet provider in Northern Virginia now owned by Verizon; Level 3 Communications, which provides local, long-distance and data transmission in the United States and overseas; and more familiar names such as Sprint and Qwest. It also included data exchanges MAE-West and PAIX, or Palo Alto Internet Exchange, facilities where telecom carriers hand off Internet traffic to each other.

“I flipped out,” he said. “They’re copying the whole Internet. There’s no selection going on here. Maybe they select out later, but at the point of handoff to the government, they get everything.”

Qwest has not been sued because of media reports last year that said the company declined to participate in an NSA program to build a database of domestic phone-call records out of concern about its legality. What the documents show, Klein contends, is that the NSA apparently was collecting several carriers’ communications, probably without their consent.

Another document showed that the NSA installed in the room a semantic traffic analyzer made by Narus, which Klein said indicated that the NSA was doing content analysis.

2257 Laws, Sex Workers and Privacy

Sex on the Internet, The Realities of Porn, Sexual Privacy, and How Search Affects Them All. Google Tech Talk by Violet Blue, October 12, 2007

This is an hour long presentation by Violet Blue. It is quite interesting covering a range of issues about sex and privacy online. The most interesting one directly related to identity was 2257 laws. Go to 32:30 in the video to see her discussion of this topic.

It mandates that producers of pornography document the ages of those who perform in their films, and this documentation is regularly a photo of the performer with their ‘government issued ID and Social Security Card’, thus revealing basically all the information you need to steal their identities.

The 2257 legal requirements have the potential to become a business opportunity for some enterprising identity company to meet these requirements in a privacy protecting manner.

Majority on partially divided three-judge Sixth Circuit panel strikes down as facially unconstitutional the recordkeeping requirements federal criminal law places on producers of images of “actual sexually explicit conduct” to verify the ages of those depicted in the images: Describing the federal statute at issue, the majority opinion explains, “The plain text, the purpose, and the legislative history of the statute make clear that Congress was concerned with all child pornography and considered recordkeeping important in battling all of it, without respect to the creator’s motivation.” The majority proceeds to hold the statute facially overbroad and then strikes down the law as unconstitutional.

What does ‘federally approved secure licenses’ mean?

My husband Brian, who forwards me articles from the mainstream press about identity, sent me this article: Feds Strike ID Deal Over NY Licenses

Saturday’s agreement with the Homeland Security Department will create a three-tier license system in New York. It is the largest state to sign on so far to the government’s post-Sept. 11 effort to make identification cards more secure.

Why can’t they hear us? Identification cards don’t make us more secure. They infringe on our rights.
Article continued…

Under the compromise, New York will produce an “enhanced driver’s license” that will be as secure as a passport. It is intended for people who soon will need to meet such ID requirements, even for a short drive to Canada.

A second version of the license will meet new federal standards of the Real ID Act. That law is designed to make it much harder for illegal immigrants or would-be terrorists to obtain licenses.

A third type of license will be available to undocumented immigrants. Spitzer has said this ID will make the state more secure by bringing those people “out of the shadows” and into American society, and will lower auto insurance rates.

Incomplete Identity: Auren on Identity at Stanford Law

I was invited by Auren Hoffman (Rapleaf Reputation 3861) to see him talk at Stanford Law school this afternoon. So I trekked all the way down there. I had high hopes given the description…

Portable Identities and Social Web Bill of Rights

The future world of portable identities, reputations, and social graphs has many pluses and concerns. These portable systems could make the benefits of personalization, once only relegated to science fiction, a reality. The Social Web Bill of Rights makes the claim that users have the right to portability. But there are privacy implications to take into account as well. We will discuss an opt-out vs. an opt-in approach on data collection, privacy, and portability.

but I was disappointed. I first met with Auren in a Starbucks before Rapleaf was launching many years ago (in internet time). I had not seen him since despite inviting him to every Internet Identity Workshop since then.

When opening the talk, the Stanford student gave this description of Auren’s goal with Rapleaf: “Enabling people to look up the online reputation of others. Making it profitable to be ethical.”

He opened by articulating the basic components of the ‘Social Media Users Bill of Rights’.

You Own:

  • Your information (basic info about you – address, height, etc. – and preferences)
  • Your Social Graph
  • Your Activity Stream

The key things for this to work are control over who accesses it and the freedom to grant persistent access.

He also had a slide that mentioned that it be verifiable (???). I was confused by this and was not sure where it was drawn from, and it was not further articulated. As a side note, one of the things that Bob Blakley (currently of the Burton Group, previously blogging here) says about privacy is that it is “the ability to lie about yourself and get away with it”.

Ok back to Auren’s talk.

Portable (identity, reputation and social graph).
Why is this important – because of the Tyranny of wasted time ‘refilling all those forms out’.
Portability of identity (in the way he used it) was articulated as – it is just information about you that basically is self asserted.

Social Graph portability was just briefly referenced as ‘the people you are linked to’. There was no discussion of one of the main concerns – a ‘social link’ is between two people, and moving that information from one context to another should have the consent of the party that a link is asserted about. Update: Having completed the post and understanding their data-aggregation model that fits into their business model, they explicitly mush people’s social graphs together from different sites to create an aggregate social graph that as far as I can tell is not visible to the user. Distinguishing and keeping separate context is not what they do.

He asked rhetorically “What is your identity” and then mushed claims and preferences together as if they were all the same kind of identity information (where you live, what you buy, what movies you like, your sexual preference).

He talked about why several efforts in the past have failed. He said that Passport failed because it was an ‘opt-in’ system that very few sites would integrate.

I thought this was an interesting assertion. I guess it was opt-in on the part of the relying parties – but the reason they didn’t opt in was because there was only one Identity Provider and they didn’t want to be locked into only getting identities from them. Individuals had no choice but to get their identities from Microsoft to use the system. This whole reasoning was not articulated for the students though.

The failure of Passport he said proved the difficulty with the opt-in way.

The ‘reformed Microsoft’ vision of an identity meta system and particularly the Laws of Identity that inform the whole current conversation of portable identity were never mentioned.

Reputation he said was (sort of) context dependent. My internal reaction was “SORT OF? it is completely context dependent”.

He talked about credit scores (opt out) as a white list and captchas that prove you are not a robot. I didn’t quite get what captchas had to do with portable identity – it seemed to be a leap that was made in his logic that was not articulated – if you have white lists (like credit scores) that prove you are a ‘real person’ then you don’t need captchas. At least that is what it seemed to me he was saying.

He said that Whuffie was a social currency from doing nice things articulated in Down and Out in the Magic Kingdom.

This part was nice: the chart articulated the benefits and challenges of opt-in and opt-out systems.

| | Opt-In | Opt-Out |
|---|---|---|
| Benefits | User Decides | Critical Mass; High Adoption Rate |
| Challenges | Few Users; No one wants to integrate | People’s Privacy |

He continued talking about the privacy implications of portability. He articulated that companies should show people all the data they collect about them. He raised the issue of cookies and how they ‘freaked people out’ when first introduced but now are normal. He also said that technographics and behavioral ad networks should share data.

He said that more data collection is inevitable – but at least we can have control over this data. We are not going to stop them taking data about us. We should require them to tell us what data they collect about us.

He said that privacy is a grey area but did not reference any of Solove’s work on the subject of identity and privacy, information systems and law.

He did not suggest any tools for doing this or how we would audit and check on their collection accuracy or honesty. Omitting these made it all seem as if the goals of the user bill of rights were just dreams, really far off. There was the Data Sharing Summit that spoke a lot about this – there is the Higgins framework (although in its infancy, it has working demonstration code) that has some core tools to do this for people and the sites that have information.

At this point we had questions and I challenged Auren on his assertion about the drawbacks of opt-in. I said that OpenID was challenging the argument that it could not be widely adopted. He said yes, AND it was only available on a very small number of sites.

Questions about the ‘right to delete’ were raised by Lawrence Lessig. Apparently in Germany there are laws about publishing information about past criminal offenses of long ago. How these translate online is a good question.

Both during his talk and in the question and answer period he talked a lot about the potential for optical recognition to track us around in physical space. It was conflated with tracking us around the internet. These are two very different systemic processes that have some similarities but a lot of differences. They were conflated in his articulation of the subject.

Improving EULAs was touched upon, but the Identity Rights Agreements work was not mentioned – so I put it forward and invited those attending to come to the Internet Identity Workshop.

I will say it was nice to see Lauren Gelman. Last time I saw her was at Web 2.0 Expo speaking following my talk on Identity and Web 2.0 and she was very pregnant. Now she has a 4 month old.

At this point I didn’t really know what RapLeaf did – I was about to find out. I thought it was just a tool that people used to do reputation outside of e-Bay for buying and selling…not so. It got way creepier since I last had it articulated at Starbucks.

Joseph Smarr drove me to the Stanford train station and he explained the RapLeaf business. Basically they go around the internet and collect information about people that is keyed to their e-mail address. They aggregate this information and then they know about you. They then sell this information to sites who want to know about their user base.

His system is Opt-Out. I am in it twice (Rapleaf score 5 and 4 respectively). This is how they claim to help you keep your privacy.

You know as a user I am forced to give ‘real’ e-mail addresses to get accounts on services. Two of the services listed in my profile I don’t use at all (Tribe and Hi5). I don’t even remember signing into Hi5. I know my social graph in Tribe, Flickr, LinkedIn and Facebook are different and not directly transferable between them. I don’t want to be connected to ‘everyone’ in all contexts.

Surfing around to learn more about them and the reaction in the blogosphere I found some interesting things.

Download squad:

When you hover over a Rapleaf attribute with the mouse pointer, Rapleaf will now show you where it got the information that makes up an element in your Rapleaf rating–whether it was gleaned from a social networking site such as MySpace or provided by a peer who claims to know you. Yeah, all these factors contribute to Rapleaf’s estimation of your reputation, and now you can tell where the info actually came from. Useful… especially if Rapleaf got some detail wrong about you!

There is quite a bit on this blog, but just one highlight – The Bankwatch:

This smacks of blackmail to me. A while back I received an email from Rapleaf noting that someone had searched for my address. In that case I knew it was me searching myself, but why am I left feeling that they are snooping on me, despite the fact I think [?] they are trying to protect me.

ZDNet:, a people search engine that lets you retrieve the name, age and social-network affiliations of anyone, as long as you have his or her e-mail address; and, a similar site to discover, en masse, which social networks to which the people in your contact list belong. To use Upscoop (proudly stating they have searched 400,000,000 profiles), you must first give the site the username and password of your e-mail account at Gmail, Hotmail, Yahoo or AOL.

By collecting these e-mail addresses, Rapleaf has already amassed a database of 50 million profiles, which might include a person’s age, birth date, physical address, alma mater, friends, favorite books and music, political affiliations, as well as how long that person has been online, which social networks he frequents, and what applications he’s downloaded.

All of this information could come in handy for Rapleaf’s third business, TrustFuse, which sells data (but not e-mail addresses) to marketers so they can better target customers, according to TrustFuse’s Web site. As of Friday afternoon, the sites of Rapleaf and Upscoop had no visible link to TrustFuse, but TrustFuse’s privacy policy mentions that the two companies are wholly owned subsidiaries of TrustFuse.

I suppose we should be happy to note that Rapleaf is not keeping track of our sexual orientation or the porn sites we visit.

They are using their information to help the political process, though. (Good thing I am Canadian and don’t participate in all that – not giving my e-mail address to political candidates.)

Their website articulates how you can ping their database of people to learn more about ‘your customers.’

Rapleaf’s TrustFuse product is an automated way of querying the Rapleaf system. Using Rapleaf or UpScoop is free and easy to use for consumers. If you are a business, you can use Rapleaf’s TrustFuse system to learn about and serve millions of customers.

Work with Rapleaf by either:
1. Use our APIs to query your data real-time.
2. Upload the data in batch

Rapleaf’s TrustFuse product searches for information on your customers so you can provide them an enhanced user experience. You can use the API for up to 4,000 queries/day at no charge. After that, we charge a nominal amount per look-up.

So it seems like campaigns are using TrustFuse from Rapleaf to figure out more about the voters who have signed up to get more information or participate in campaigns. I wonder exactly what they are finding out via the APIs.


His service is even creepier than I imagined. It explains why he thinks that Opt-Out is the way to deal with these issues. Auren did say that if he couldn’t make it he would send someone to IIW in December. Hopefully we can have some fruitful face-to-face conversation.

Because she Owns Her Image

This is quite an interesting case and highlights a flaw that can occur when people use Creative Commons work.

A Texas family has sued Creative Commons after their teenaged daughter’s photo was used in an ad campaign for Virgin Mobile Australia. The photo had been taken by the girl’s youth counselor, who put it on Flickr, and chose a CC Attribution license, which allows for commercial use. Virgin did, in fact, attribute the photo to the photographer, fulfilling the terms of the license, but the family is still suing Virgin Mobile Australia and Creative Commons.

The photographer can license the work under CC (for commercial or non-commercial purposes) but that does not mean that the person in the photo has licensed their image to be used.

They should not be suing CC but instead Virgin Mobile because they failed to get permission from her to use her image.

I actually had this happen to me. An image was taken of me at HollyHock, and the next year, when I went to the site to check out their programs, I found out I was their new poster girl. I would have given them permission to use my image had they asked, but they didn’t.

Big Brother coming to NYC

NYC Real world Tracking one step closer:

New York City is seeking funding for a multi-million dollar surveillance system modeled on the one used in London. Police in the city already make use of the network of cameras in airports, banks, department stores and corporate offices — an arrangement used in cities across the country. This new project would augment that network with a city-wide grid. ‘The system has four components: license plate readers, surveillance cameras, a coordination center, and roadblocks that can swing into action when needed. The primary purpose of the system is deterrence, and then an investigative tool.’ But is it necessary? Steven Swain from the London Metropolitan Police states ‘I don’t know of a single incident where CCTV has actually been used to spot, apprehend or detain offenders in the act.’ Asked about their role in possibly stopping acts of terror, he said pointedly: “The presence of CCTV is irrelevant for those who want to sacrifice their lives to carry out a terrorist act.”

From the Article:

The implementation of the plan, called the Lower Manhattan Security Initiative, will require about $90 million, New York City Police Commissioner Ray Kelly said. It will cost about $8 million a year to maintain.

The city so far has raised about $25 million. Part of it has come from the Homeland Security Department and the rest from city coffers.

Donna Lieberman, the executive director of the New York Civil Liberties Union, said she was alarmed by the prospect of government and law enforcement officials having records of a person’s daily activities.

“It wasn’t that long ago that J. Edgar Hoover was up to his dirty tricks using government spying to interfere with lawful dissent, undermine critics and pursue an unlawful agenda,” she said.

However, police officials repeatedly note there is no expectation of privacy in a public area and it is not a constitutional right.

Yeah! for the Fourth Amendment

I have been worried about this for a while (see this post from Dec 2006, and way back in August 2005 when I was first alerted to this issue). Just when things were looking really grim on the online privacy front, this ruling came in… from Wired Blogs:

The ruling by the Sixth U.S. Circuit Court of Appeals in Ohio upheld a lower court ruling that placed a temporary injunction on e-mail searches in a fraud investigation against Steven Warshak, who runs a supplements company best known for a male enhancement product called Enzyte. Warshak hawks Enzyte using “Smiling Bob” ads that have gained some notoriety.

The case boiled down to a Fourth Amendment argument, in which Warshak contended that the government overstepped its constitutional reach when it demanded e-mail records from his internet service providers. Under the 1986 federal Stored Communications Act (SCA), the government has regularly obtained e-mail from third parties without getting warrants and without letting targets of an investigation know (ergo, no opportunity to contest).

It is sort of odd that it is about penis spam but hey – freedom is freedom is freedom.

To reach its decision, the court relied on two amici curiae that presented compelling arguments for shoring up current privacy law with respect to e-mail. The article is worth reading in full.

Credit Checks by the Government ‘legal’

More privacy invasion by the Executive Branch:

Vice President Dick Cheney said Sunday the Pentagon and CIA are not violating people’s rights by examining the banking and credit records of hundreds of Americans and others suspected of terrorism or espionage in the United States.

Rep. Silvestre Reyes, D-Texas, the new chairman of the House Intelligence Committee, said his panel will be the judge of that.

National security letters permit the executive branch to seek records about people in terrorism and spy investigations without a judge’s approval or grand jury subpoena.

Just what I was afraid of.

From Slashdot: Federal prosecutors say they don’t need a search warrant to read your e-mail messages if those messages happen to be stored in someone else’s computer.
“We’re looking at a future in which almost all of our private papers are in the hands of third parties and not protected by the Fourth Amendment,” said Kevin Bankston, an attorney with the San Francisco-based Electronic Frontier Foundation.
I hope the EFF, ACLU, EPIC and everyone else who possibly can will pile on to this one.

From the Star Tribune:

The government needs a search warrant if it wants to read the U.S. mail that arrives at your home. But federal prosecutors say they don’t need a search warrant to read your e-mail messages if those messages happen to be stored in someone else’s computer.

That would include all of the Big Four e-mail providers — Yahoo, AOL, Hotmail and Google — that together hold e-mail accounts for 135 million Americans.

Twenty years ago, when only a relative handful of scientists and scholars had e-mail, Congress passed a law giving state and federal officials broad access to messages stored on the computers of e-mail providers.

Now that law, the Stored Communications Act of 1986, is being challenged in federal court in Ohio by Steven Warshak, a seller of “natural male enhancement” products who was indicted for mail fraud and money laundering after federal investigators sifted through thousands of his e-mails.

I would like the i-broker agreements to have language that basically says they will treat personal data held as if it were in someone’s house and therefore protected under the 4th Amendment.

CALEA in the news

So my legal namesake CALEA has been a source of interesting eyebrow raising for those who know its name when they are introduced to me.

Today it is in the news again.

Paul Kouroupas, vice president of regulatory affairs for Global Crossing, strongly criticized the Federal Communications Commission’s broadening of a 1994 law–originally intended to cover telephone providers–as disproportionately costly, complex, and riddled with privacy concerns. His company is one of the world’s largest Internet backbone providers.

“Our customers are large Fortune 500 companies–not too many of those companies are conducting drug deals or terrorist activities out of Merrill Lynch’s offices or using their phones in that way,” Kouroupas said at an event here sponsored by the DC Bar Association. “By and large we don’t get wiretap requests, yet we’re faced with the costs to come into compliance,” which he estimated at $1 million.

At issue is an order issued last fall by the Federal Communications Commission that set a deadline of May 14, 2007, by which most broadband and Internet phone providers are required to reengineer their networks for easier snooping by law enforcement. The move expanded the Communications Assistance for Law Enforcement Act, or CALEA, which Congress wrote to impose obligations on telephone companies, but not Internet providers.

Concerning acts of legislation

I just read a link to this on Slashdot. I am quite concerned about what it says.

In a stealth maneuver, President Bush has signed into law a provision which, according to Senator Patrick Leahy (D-Vermont), will actually encourage the President to declare federal martial law (1). It does so by revising the Insurrection Act, a set of laws that limits the President’s ability to deploy troops within the United States. The Insurrection Act (10 U.S.C. 331-335) has historically, along with the Posse Comitatus Act (18 U.S.C. 1385), helped to enforce strict prohibitions on military involvement in domestic law enforcement. With one cloaked swipe of his pen, Bush is seeking to undo those prohibitions.

Public Law 109-364, or the “John Warner Defense Authorization Act of 2007” (H.R.5122) (2), which was signed by the commander in chief on October 17th, 2006, in a private Oval Office ceremony, allows the President to declare a “public emergency” and station troops anywhere in America and take control of state-based National Guard units without the consent of the governor or local authorities, in order to “suppress public disorder.”

President Bush seized this unprecedented power on the very same day that he signed the equally odious Military Commissions Act of 2006. In a sense, the two laws complement one another. One allows for torture and detention abroad, while the other seeks to enforce acquiescence at home, preparing to order the military onto the streets of America. Remember, the term for putting an area under military law enforcement control is precise; the term is “martial law.”

Section 1076 of the massive Authorization Act, which grants the Pentagon another $500-plus-billion for its ill-advised adventures, is entitled, “Use of the Armed Forces in Major Public Emergencies.” Section 333, “Major public emergencies; interference with State and Federal law” states that “the President may employ the armed forces, including the National Guard in Federal service, to restore public order and enforce the laws of the United States when, as a result of a natural disaster, epidemic, or other serious public health emergency, terrorist attack or incident, or other condition in any State or possession of the United States, the President determines that domestic violence has occurred to such an extent that the constituted authorities of the State or possession are incapable of (“refuse” or “fail” in) maintaining public order, “in order to suppress, in any State, any insurrection, domestic violence, unlawful combination, or conspiracy.”

For the current President, “enforcement of the laws to restore public order” means to commandeer guardsmen from any state, over the objections of local governmental, military and local police entities; ship them off to another state; conscript them in a law enforcement mode; and set them loose against “disorderly” citizenry – protesters, possibly, or those who object to forced vaccinations and quarantines in the event of a bio-terror event.

The law also facilitates militarized police round-ups and detention of protesters, so called “illegal aliens,” “potential terrorists” and other “undesirables” for detention in facilities already contracted for and under construction by Halliburton. That’s right. Under the cover of a trumped-up “immigration emergency” and the frenzied militarization of the southern border, detention camps are being constructed right under our noses, camps designed for anyone who resists the foreign and domestic agenda of the Bush administration.

Net Neutrality to-Regulate or Not-to-Regulate

This NYTimes piece highlights an interesting perspective about why regulating the Internet may not be a good idea to protect Net Neutrality.

It’s tempting to believe that government regulation of the Internet would be more consumer-friendly; history and economics suggest otherwise. The reason is simple: a regulated industry has a far larger stake in regulatory decisions than any other group in society. As a result, regulated companies spend lavishly on lobbyists and lawyers and, over time, turn the regulatory process to their advantage.

Economists have dubbed this process “regulatory capture,” and they can point to plenty of examples. The airline industry was a cozy cartel before being deregulated in the 1970’s. Today, government regulation of cable television is the primary obstacle to competition.

Of course, incumbent broadband providers do have some limited monopoly powers, and there is cause for concern that they might abuse them. Last fall, the chief executive of AT&T, Ed Whitacre, argued that Internet giants like Google and Microsoft should begin paying for access to his “pipes”— never mind that consumers already pay AT&T for the bandwidth they use to gain access to these services. If broadband providers like AT&T were to begin blocking or degrading the content and services of companies that didn’t pay up, both consumers and the Internet would suffer.

Freedom to Network denied by House Bill – Action needed now.

This is really FREAKY – DOPA, the “Deleting Online Predators Act,” passed the House!!!! I blogged about this before: Congress Targets Social Network sites – to be blocked from Schools and Libraries. I then had a blog exchange with a parent about where the line was to protect children, but I never thought it would actually become law. This whole thing highlights again the need to organize ‘technical’ people… Silona Bonewald is beginning the League of Technical Voters.

Fitzpatrick, the sponsor, highlights these elements of the bill in his press release:

  • H.R. 5319 requires schools that receive Federal Universal Service Funding to prevent the access of children to a chat room or social networking website. Schools may disable protection measures in order to allow use by students with adult supervision for educational purposes, or by adults;
  • H.R. 5319 requires libraries that receive Federal Universal Service Funding to prevent the access of children without parental authorization to a chat room or social networking website;
  • H.R. 5319 requires the Federal Trade Commission (FTC) to create a website and issue consumer alerts to inform parents, teachers and school officials about the potential dangers on the Internet, specifically online sexual predators and their ability to contact children through social networking sites and chat rooms.

danah boyd wrote this post.

When i expressed my concern over DOPA, everyone told me i was being paranoid, that it would never pass, that it was too absurd. DOPA passed. By a 410-15 vote. Dear god.

and this one…
Anti Social Networking legislation

Earlier, i spoke about how the MySpace panic was likely to cause legislation proposals. Today, Congressperson Fitzpatrick proposed legislation to amend the Communications Act of 1934 “to require recipients of universal service support for schools and libraries to protect minors from commercial social networking websites and chat rooms.” This legislation broadly defines social network sites as anything that includes a Profile plus an ability to communicate with strangers. It covers social networking sites, chatrooms, bulletin boards. Obviously, the target is MySpace but most of our industry would be affected. Blogger, Flickr, Odeo, LiveJournal, Xanga, Neopets, MySpace, Facebook, AIM, Yahoo! Groups, MSN Spaces, YouTube, eBaumsworld, Slashdot. It would affect Wikipedia if there wasn’t a special clause for non-commercial sites. Because many news sites (NYTimes, CNN, the Post) allow people to login and create profiles and comment, it might affect them too.

Because it affects both libraries and schools, it will dramatically increase the digital divide. Poor youth only gain access to these sites through libraries and schools(1). With this ban, poor youth will have no access to the cultural artifacts of their day. Furthermore, because libraries won’t be able to maintain separate 18+ and minor computers, this legislation will affect everyone who uses libraries, including adults (2).

This legislation is horrifying and culturally damaging. Please, all of you invested in social technologies, do something to make this stop.

These were one woman’s thoughts while at BlogHer:

And so while I was pleasantly surprised to see how many people showed up for the edublogging session, and how they really wanted to talk about all kinds of Web 2.0 and learning topics (and how challenging so many of them felt sifting through the Web to find helpful sites on pedagogy and technology integration, on places for teachers to gather) I was dismayed by the lack of substantive talk about what’s going on with the Internet and kids. And in fact there were very very very few teens in attendance. And teens of color?

Maybe I just felt uneasy in a crowd of women who were basically having a ball blogging and meeting other women who blog and whose lives have changed through finding this means of expression. Maybe I’m too wrapped up in the future, on trying to reform education. Maybe I should have sat down with a couple of Yahootinis and stopped thinking about DOPA. But I can’t…it’s too big…

(Found Congressman Inslee’s remarks from 7/26/06 via

Mr. INSLEE. Mr. Speaker, I hate to spoil this garden party, but this is not, in truth, suburban legislation, it is substandard legislation. And the reason for that is that it is, in effect, a good press release, but it is not effective legislation addressing a huge problem threatening our children.

The reason I say that is, after sitting through many hearings in the Commerce Committee about this enormous problem, I reached one conclusion. After listening to those thousands of children who are being abused on these horrendous occasions across this country, I concluded that this legislation would not save one single child one single time.

What we learned is that the problem is not in our schools. These kids are not hanging in the library with these sexual predators. They are hanging around in their dens, in their basements, in their living rooms, and in their upstairs bedrooms. That is where we have to get to the problem.

If you look at the problem here on this chart, only 10 percent of the abused kids are online and hardly any of them from schools. A tiny, tiny, infinitesimal portion. This will not solve the problem.

Now, there are things we can do, but, unfortunately, this legislation doesn’t do a single one of them. I used to prosecute cases, so I know a little bit about law enforcement. I raised three kids, so I know a little bit about the terror of worrying about your children. But what this legislation does not do is the three things we need to do.

Number one, we have to give resources to law enforcement to prosecute these horrendous monsters. We had detective after detective come to our hearings and say, give us some money; we can prosecute these people. This doesn’t give them a penny.

Number two, we need to protect the data. What the detectives told us is that this data, once it disappears, they can’t find the culprits. Now we could require the data to be maintained for a year or two, like we are trying to do. This bill doesn’t do that.

Third, what this bill could do is provide some real meaningful tools for our schools to educate our children on how to avoid these monsters on the Internet. This doesn’t do that.

The three effective things that we could do to really save our kids is not done in this legislation.

Now, why is this such a pathetic wave at trying to do something? Why has Congress failed so miserably here? There is a reason for that. The reason is we want press releases, without having to do the hard work to do legislation. That is why we didn’t go through the Commerce Committee to have a markup on this bill so they could rush this thing to the floor and have their suburban agenda.

Well, speaking as a parent who represents 650,000 people, and probably 200,000 parents in suburbia, I think suburban parents, urban parents, rural parents, big-city parents and little-city parents deserve real legislation to stomp out the monstrosity that is going on on the Internet and not these little press releases. We can’t go home and just say that we are heroes without having really done something.

When I go home, I am going to tell my constituents that, yes, maybe there are some headlines, but there wasn’t real relief. And I look forward to the day when this Congress gets down to the nitty-gritty and really does something about this terrible problem.

Announcing The Virtual Rights Symposium on Digital Identity & Human Rights

This is the first of what we hope to be an annual event about Digital
Identity and Human Rights covering social issues, policy and
legislation in this arena.

The goal is to foster international cooperation on virtual rights
through high quality dialogue and deliberation between legislators,
researchers, service providers, and citizens.

The symposium will begin in September with interaction online both
synchronous and asynchronous. It will peak with a meeting in Costa Rica November 17-18th and continue online afterwards.

Virtual Rights Association is organizing the event in cooperation with Costa Rica University and the Berkman Center. The chair is Jaco Aizerman; please contact him at =jaco or

Please go to the website at Virtual Rights to see the current version of the agenda.

Catalyst: Government Adoption of Federated Identity

This is drawn from David Temoshok’s talk. He is the Director of Identity Policy and Management, GSA Office of Government Policy.

Homeland Security Directive 12
“Policy for Common Identification Standard For Federal Employees and Contractors” – August 2004

HSPD 12 Requirements

1. Secure and reliable forms of personal identification that are:

  • Based on sound criteria to verify an individual employee’s identity
  • Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  • Rapidly verified electronically
  • Issued only by providers whose reliability has been established by an official accreditation process

2. Applicable to all government organizations and contractors except National Security Systems
3. Used for access to federally-controlled facilities and logical access to federally-controlled information systems
4. Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure
5. Implemented in a manner that protects citizens’ privacy

Expanding Electronic Government

Needing Common Authentication Services for

  • 280 million Citizens
  • Millions of Businesses
  • Thousands of Government Entities
  • 10+ Million Federal Civilian and Military Personnel

You can learn more on the GSA website –