How to deal with stalkers taking photos of you

I spoke to Kieno Kammies on 567 CapeTalk radio this morning about a troubling trend. As you can hear from the segment, below, the concern is partly about people being photographed in suspicious ways in public. One example is a person following women around shooting video of them or taking photos without their knowledge. This isn’t so much about a person taking a photograph of a scene that happens to include women walking past but actually targeting those women.

Whether this is a privacy issue depends very much on the subject matter and the context. In this respect it comes down to legitimate expectations of privacy in the case of adults and appropriate consent when it comes to children (at least in terms of the Protection of Personal Information Act). The law that is likely to be more appropriate here is the Protection from Harassment Act which targets forms of harassment which the Act defines as follows:

harassment” means directly or indirectly engaging in conduct that the 5 respondent knows or ought to know-

(a) causes harm or inspires the reasonable belief that harm may be caused to the complainant or a related person by unreasonably-

(i) following, watching, pursuing or accosting of the complainant or a related person, or loitering outside of or near the building or place where the complainant or a related person resides, works, carries on business, studies or happens to be;

(ii) engaging in verbal, electronic or any other communication aimed at the complainant or a re.lated person, by any means, whether or not conversation ensues; or

(iii) sending, delivering or causing the delivery of letters, telegrams, packages, facsimiles, electronic mail or other objects to the complainant or a related person or leaving them where they will be found by, given to. or brought to the attention of, the complainant or a related person; or

(b) amounts to sexual harassment of the complainant or a related person;

<

p>The harm the Act protects against may be “any mental, psychological, physical or economic harm”.

This Act is designed to be user friendly and the Regulations describe which forms to use for which steps and who to approach at each step. The Department of Justice and Constitutional Development has a comprehensive page with links to the Act, the Regulations and the various forms. The process was designed in such a way that you don’t need an attorney to assist you (although you can have one helping you) and you need not know the harasser’s identity either. The Act creates a mechanism whereby the police may be instructed to investigate and identify the suspected harasser.

This legislation can be used for a various activities which fall into the “harassment” definition including stalkers like the ones described in the segment as well as cyber-bullying and more.

Your email providers don’t require a warrant to read your email

Our email providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this is level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

The Verge recently published disturbing news about Microsoft’s respect for its users’ privacy:

It came out yesterday that the company had read through a user’s inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they’d needed one. By all indications, the fallout is just beginning.

Your provider is watching you

As disturbing as this is, there is a bigger picture. As The Verge’s Russell Brandom goes on to point out –

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it’s Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they’re providing important services, paying our server bills, and for the most part, we trust them. But this week’s Microsoft news has chipped away at that trust, and for many, it’s made us realize just how frightening the system is without it.

People following the Oscar Pistorius trial in the last week would have discovered that private chats can become very public if law enforcement authorities believe they are relevant to an investigation.

Although law enforcement authorities are required to follow various procedures to gain access to messaging and social media users’ communications, the companies operating the chat and email services we use daily don’t have this hurdle in their way if they deem it necessary to access their users’ communications.

The right to privacy in the South African Bill of rights includes the right not to have the “privacy [your] communications infringed”. This right is not absolute and can be (and is) limited by various laws including the Regulation of Interception of Communications and Provision of Communication-related Information Act which is how local law enforcement can obtain access to your communications. What this means is that, for law enforcement at least, there are checks and balances in place to protect our communications both thanks to laws as well as service providers’ requirements.

Unfortunately, those same providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this is level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

Microsoft

As The Verge pointed out, if you use Hotmail/Outlook.com, you have granted Microsoft permission to access your data. Microsoft’s Privacy Statement includes these permissions:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.

Because you agree to the Privacy Statement as a condition of your use of Microsoft’s services, you have consented to these uses of your personal information. These consent enable Microsoft to circumvent any questions about privacy infringement because your legitimate expectation of privacy does not extend to these particular activities. This is the key rationale for a privacy policy and it is the same principle applies to the permissions you grant to other providers (I’ve referred to a couple more below).

Google

Google operates an enormously popular email service, Gmail, which is also probably one of the most secure from the perspective of external surveillance and attacks. While Google holds itself out as its users’ protector from external threats, it also has the option of accessing your data because you have agreed to this when you agreed to its Privacy Policy which includes these provisions:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

These three sections are drawn from different parts of Google’s Privacy Policy and, between them, they give Google permission to share fairly comprehensive information it has about you with law enforcement authorities as well as to use that information itself to, among other things, “protect” its services, itself and its users. This is a fairly broad term and this is likely intentional. When you write these sorts of policy documents, you don’t want to be too prescriptive if you anticipate requiring fairly broad consents for a wide range of foreseeable risks and to cater for unforeseen risks.

Yahoo

Yahoo’s webmail service is still very popular. While Yahoo’s privacy policy tends to be pretty good about handling users’ personal information, it also retains fairly broad permissions in its Privacy Policy (I added some emphasis):

Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

  • We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo’s terms of use, or as otherwise required by law.

Apple

Although not as popular as the other providers, Apple’s tight service and software integration makes its iCloud email service a convenient option, especially because its possible to create an email account on iCloud without requiring another email account first (which is increasingly rare). When you use Apple’s products and services, your consents include the following:

How we use your personal information

  • We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.

  • We may also use personal information for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications.

Where this leaves you

<

p>Public events like the Oscar Pistorius trial and, before it, the ongoing revelations about state surveillance programs over the last year or so, have reminded us that our private communications are not quite as private as we may have hoped. Our privacy is protected more by obscurity and because our communications, for the most part, are not the sorts of things others would be terribly concerned about.

Our trust and the possibility of severe reputational harm keep the likes of Google, Yahoo, Microsoft, Facebook and others generally honest although, as we have seen with Microsoft, they may be prepared to break that trust if the reason is compelling enough to them. They will invariably point to the permissions we give them in our contracts with them and they’ll be quite right. We have agreed to this and we’ll continue being in agreement with them having this level of access to our data because the alternatives are not nearly as convenient.

Facebook.com email shuts down with a surprise

Facebook has decided to shut down its Facebook.com email service where you could receive emails into your Facebook inbox. Apparently not many users were actually using it.

You have the option of disabling the service in the meantime and, if you don’t, emails sent to your Facebook.com email address will be forwarded to your primary email address. As The Verge pointed out, there is, however, a problem with this:

Today’s update brings another odd and unfortunate side effect for Facebook: you can now reach someone’s primary email inbox by emailing their @facebook.com email address. These email addresses are by default only accessible to friends, but you can easily figure out somebody’s @facebook.com email address by finding their profile page’s URL and pasting it before the @ symbol. Fortunately, Facebook lets you turn off forwarding altogether, effectively destroying its email service once and for all.

Free is the death of the open Web and privacy is the sacrificial offering

The problem with free services is that they have to make money in some way or another and the way that they generally do this is through advertising which leverages our personal information in order to give some kind of value to their advertisers. We agree to this when we sign up for these services. The extent of our agreement is documented in privacy policies which few people read and truly consider.

What this means is that we are essentially trading information about ourselves for access to these services which, admittedly, we do see value in otherwise we wouldn’t use them quite so much.

Parchman Penal Farm. View of Afican American female prison inmates standing beside slaughtered hogs.

This article was originally published on MarkLives in my TechLaw columnon 28 November 2013.

Our insistence on having access to free services such as Facebook or Twitter both heralds the death of the open Web and, at the same time, has given rise to most of the online privacy-related controversies in recent years.

The problem with free services is that they have to make money in some way or another and the way that they generally do this is through advertising which leverages our personal information in order to give some kind of value to their advertisers. We agree to this when we sign up for these services. The extent of our agreement is documented in privacy policies which few people read and truly consider.

What this means is that we are essentially trading information about ourselves for access to these services which, admittedly, we do see value in otherwise we wouldn’t use them quite so much.

What happens in the meantime is that these free services find themselves having to extract more and more value from us using our personal information by tailoring their infrastructure to take more advantage of our preferences, relationships and data. What this means for consumers is that the respective for consumer privacy often takes a back seat to extracting more value from prices for advertisers.

Public pressure on these free services, typically reputational harm, is what keeps them relatively honest and often attracts regulatory oversight in the interests of preserving consumers’ rights and protecting their privacy.

Despite this, most of the privacy controversies on the social Web emerge from at the intersection of a need to establish a sustainable and profitable revenue model while, at the same time, maintaining some degree of respect for consumers privacy rights in order to secure users’ trust in these services. Google has been particularly vocal about the importance it places on users’ trust as an incentive to “do no evil”.

An emerging trend is that social services become more closed and limit interoperability with other services. The idea being to ensure that users spend more and more of their time in investing more and more of themselves in these services to maximise value. A consequence of this is markedly less emphasis on open standards supporting an open, interoperable Web and that, on the whole, is enormously detrimental to this idea of an open Web where people can engage with each other across multiple platforms and services.

One area where we are seeing this happening again is in the instant messaging or chat space which has seen a resurgence of interest, likely because this is where younger users seem to be heading as the platform for their preferred social experience. Facebook and Google have developed mobile messaging services (Messenger and Hangouts, respectively) partly to compete with enormously popular mobile-based messaging services like WhatsApp and, more recently, WeChat. Unfortunately these services are largely not compatible or interoperable with each other.

What is happening with these chat/messaging services echoes of what happened originally with email services in the Internet’s distant past. Back then if you were using one email provider you typically couldn’t send an email to a user using another email provider because each email service ran on proprietary and incompatible platforms. This eventually changed with the adoption of open standards facilitating the distribution of email across different service providers and enormously enhanced the value of the email as a primary communication method which we all rely on today.

Despite open messaging protocols like XMPP (formerly Jabber) which enable providers to create interoperable messaging products, the current generation of messaging services are following defunct proprietary models that once crippled email. Even Google, which baked XMPP into its Google Talk service has abandoned XMPP in favour of its proprietary Hangouts service which has replaced Google Talk as Google’s primary chat service. Facebook’s Messenger, at one point, supported XMPP (and may still) but Facebook’s emphasis (like Google, Apple, WhatsApp, WeChat and others) is to entice users to switch to its platform as their primary chat service. Chat is a pretty sticky service and if a brand can entice users to switch, their overall service use would likely increase considerably, enhancing their value to advertisers and paying an even higher price for these “free” services.

<

p>In the meantime, hopes for an open Web based on interoperable standards and protocols are fading. Our hopes now lie with companies like Mozilla and, ironically, to an extent with Google which is still an advocate for an open Web and their desire to move beyond closed platforms and continue building an interoperable Web capable of generating meaningful revenue to support free services.

Cancer stories and contextual privacy

If you are unfamiliar with Twitter direct messages, they are inherently private and only people who follow you may send you direct messages. Aside from not informing Adams that she was writing a story about her, Keller apparently did not obtain Adams’ permission to repeat the direct message conversation and that violated Adams’ privacy, regardless of how public she is about other aspects of her experiences. 


Privacy on the social Web is tricky. A year after Randi Zuckerberg’s reminder that privacy is nuanced and contextual, Emma Keller, writing for the Guardian, crossed a few lines in her article about Lisa Adams’ experiences with breast cancer which was titled “Forget funeral selfies. What are the ethics of tweeting a terminal illness?” and was withdrawn by the Guardian after a controversy exploded on Twitter. The article is still available in the Internet Archive’s Wayback Machine if you would like to read it.

In her post titled “Social Media Is a Conversation, Not a Press Release” on Medium, Zeynep Tufekci explored a few themes that emerged from the controversy, including the ethical implications of Keller’s approach and the value of a public conversation about cancer. Although the subject resonates with me, generally, (my father passed away on 2003 after a short struggle with pancreatic cancer), this aspect stood out for me:

Emma Keller admitted that she had conversed with the subject via email and DM on Twitter without telling her that she was doing a story about her, and quoted Lisa Adams’ private direct messages without as much of a notification, let alone a permission.

In her article, Keller referenced a direct message conversation she had with Adams:

In some ways she has invited us all in. She could argue that she is presenting a specific picture – the one she wants us to remember. “I do feel there will be lasting memories about me. That matters,” she wrote to me in a direct message on Twitter.

If you are unfamiliar with Twitter direct messages, they are inherently private and only people who follow you may send you direct messages. Aside from not informing Adams that she was writing a story about her, Keller apparently did not obtain Adams’ permission to repeat the direct message conversation and that violated Adams’ privacy, regardless of how public she is about other aspects of her experiences. She related another incident which highlights the nuances:

She describes a fantastic set up at Sloan-Kettering, where she can order what she wants to eat at any time of day or night and get as much pain medication as she needs from a dedicated and compassionate “team”, but there is no mention of the cost. She was enraged a few days ago when a couple of people turned up to visit her unannounced. She’s living out loud online, but she wants her privacy in real life.

Privacy isn’t an all or nothing thing. As I pointed out in my post about Randi Zuckerberg’s contextual privacy experience last year –

The seminal case on the right to privacy in South Africa is the Constitutional Court case of Bernstein and Others v Bester NO and Others. The Constitutional Court said that the right to privacy is informed largely by a legitimate expectation of privacy which, in turn, means that a person must establish that:

“he or she has a subjective expectation of privacy and that the society has recognized that expectation as objectively reasonable.”

The subjective component means that a person can’t have an expectation of privacy where that person has consented to have his or her privacy invaded. The objective component introduces a requirement for reasonableness when assessing an apparent privacy violation. There is a notion of a “continuum of privacy interests” which is a helpful application of this idea of a legitimate expectation of privacy. The Court in the Bernstein case said the following:

“The truism that no right is to be considered absolute, implies that from the outset of interpretation each right is always already limited by every other right accruing to another citizen. In the context of privacy this would mean that it is only the inner sanctum of a person, such as his/her family life, sexual preference and home environment, which is shielded from erosion by conflicting rights of the community. This implies that community rights and the rights of fellow members place a corresponding obligation on a citizen, thereby shaping the abstract notion of individualism towards identifying a concrete member of civil society. Privacy is acknowledged in the truly personal realm, but as a person moves into communal relations and activities such as business and social interaction, the scope of personal space shrinks accordingly.”

This is an explanation for why people in the public eye have a different legitimate expectation of privacy than people who are deeply private and secretive. A person’s legitimate expectation of privacy is determined by their level of publicity and the consents they have given to invasions of their privacy.

<

p>Keller made a common mistake of assuming that because Adams is public about some aspects of her cancer experiences that she has waived her expectation that the rest of her life enjoy some measure of privacy. This is not the case. Privacy is a complex and nuanced set of expectations and rights and is complicated by the very public fora we use to share aspects of our lives. Nevertheless, it is a model which confounds many people, including journalists who should take greater care with information they are privy to.

Are banks assessing your creditworthiness based on your social media profiles?

GigaOm has an interesting article titled “New breed of lenders use Facebook and Twitter data to judge borrowers” which looks at a growing trend in financial services industries. Banks and other lenders are starting to look at customers’ social media profiles when assessing their needs and the risks they may pose as debtors. An emerging South African consumer protection framework could support extension of this behaviour to South Africa, if it hasn’t already been adopted.

GigaOm has an interesting article titled “New breed of lenders use Facebook and Twitter data to judge borrowers” which looks at a growing trend in financial services industries. Banks and other lenders are starting to look at customers’ social media profiles when assessing their needs and the risks they may pose as debtors. An emerging South African consumer protection framework could support extension of this behaviour to South Africa, if it hasn’t already been adopted.

At first glance this may seem somewhat outrageous (and it reminds me of the prospect of insurers using similar data to assess and modify premiums for insurance cover) but this sort of behaviour could well be supported by new consumer protection frameworks being adopted in South Africa.

The Treating Customers Fairly framework is in the process of being adopted by South African financial institutions:

is an outcomes based regulatory and supervisory approach designed to ensure that specific, clearly articulated fairness outcomes for financial services consumers are delivered by regulated financial firms.

Participating firms are required to show they deliver six outcomes which include these two:

  • Products & services marketed and sold in the retail market are designed to meet the needs of identified customer groups and are targeted accordingly; and
  • Where advice is given, it is suitable and takes account of customer circumstances

These two criteria could well lend support for a similar practice of analysing customers’ social media profiles and streams when assessing customers’ needs and risks under the guise of improved compliance with Treating Customers Fairly.

Is privacy a recent fiction or a neglected human right?

Google’s Chief Internet Evangelist, Vint Cerf, recently spoke at the FTC’s Internet of Things Workshop where he suggested that privacy is a recent construct our society created when technology made it possible. Is privacy an anomaly, as he suggests, or is it an important right which technology has enabled and which we are neglecting to the point where we are negating it so we can share more stuff with each other?

Google’s Chief Internet Evangelist, Vint Cerf, recently spoke at the FTC’s Internet of Things Workshop where he suggested that privacy is a recent construct our society created when technology made it possible. According to The Verge’s coverage of his speech, privacy wasn’t a given just a few decades ago –

Elaborating, he explained that privacy wasn’t even guaranteed a few decades ago: he used to live in a small town without home phones where the postmaster saw who everyone was getting mail from. “In a town of 3,000 people there is no privacy. Everybody knows what everybody is doing.”

Rather than privacy being a fundamental right which is being threatened by technology (as we’ve seen through the recent government surveillance revelations courtesy of Edward Snowden), he argued that technology has both enabled what we take for granted as privacy today and, at the same time, is enabling us to erode it. I don’t believe he was arguing that privacy as a preference for being secretive is a recent invention. I suspect people have always tended to have a sense of their private spaces and have protected that in varying degrees, to the extent they have been able to. What is fairly recent is this idea of a right to privacy which is protected by legal authority.

Our right to privacy in South Africa has evolved through our common law and was entrenched as a fundamental right in our Constitution. The right to privacy is described in section 14 of the Constitution:

Everyone has the right to privacy, which includes the right not to have-

(a) their person or home searched;

(b) their property searched;

(c) their possessions seized; or

(d) the privacy of their communications infringed.

It is not an absolute right but it is an important one. It is also a right which we have to be mindful of and actively protect. What has been happening, instead, is that we have become accustomed to abdicating our right to privacy in exchange for access to online services and the ability to share more stuff with each other. This isn’t an egg we can unscramble. As Cerf pointed out (courtesy of The Verge) –

”Our social behavior is also quite damaging with regard to privacy,” Cerf says. He gives an example how a person could be exposed doing something that they wanted to keep secret by being tagged in the background of a stranger’s photo — a photo they never expected to be caught in. “The technology that we use today has far outraced our social intuition, our headlights. … [There’s a] need to develop social conventions that are more respectful of people’s privacy.”

This touches on my 2012 post titled Changing privacy norms where I wrote about our changing understanding of what privacy is and how our online activities are shrinking our expectations of privacy. Most people still think privacy is about secrecy but it is really more about how much control you have over your personal information which you have disclosed and continue to share? The more we share with each other online, the less control we have and virtually every controversy over an apparent privacy violation by a social media service is actually a further consensual encroachment into what remains of our private spaces that we have enabled.

Privacy may have been a very different sensibility before 20th century technologies enabled more effective protections and modern laws created more clearly defined privacy rights but we are complicit in continued privacy erosion through our digital tools. The big question is how aware we are of this, its implications for our future society and whether we are comfortable with the very public future that lies ahead?