<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>denialism blog &#187; Chris Hoofnagle</title>
	<atom:link href="http://scienceblogs.com/denialism/author/choofnagle/feed/" rel="self" type="application/rss+xml" />
	<link>http://scienceblogs.com/denialism</link>
	<description>Don&#039;t mistake denialism for debate</description>
	<lastBuildDate>Mon, 17 Jun 2013 02:08:56 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.2-alpha</generator>
		<item>
		<title>The Web of Web Lobbying</title>
		<link>http://scienceblogs.com/denialism/2013/04/06/the-web-of-web-lobbying/</link>
		<comments>http://scienceblogs.com/denialism/2013/04/06/the-web-of-web-lobbying/#comments</comments>
		<pubDate>Sat, 06 Apr 2013 20:17:35 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1764</guid>
		<description><![CDATA[The Wall Street Journal reported on a battle developing between privacy advocates and internet companies concerning AB 1291, a transparency measure that is in part based upon some of my privacy research: The industry backlash is against the &#8220;Right to Know Act,&#8221; a bill introduced in February by Bonnie Lowenthal, a Democratic assemblywoman from Long&#8230;]]></description>
				<content:encoded><![CDATA[<p>The Wall Street Journal <a href="http://online.wsj.com/article/SB10001424127887323916304578402912554668102.html">reported</a> on a battle developing between privacy advocates and internet companies concerning AB 1291, a transparency measure that is in part based upon some of my <a href="http://ssrn.com/abstract=1137990">privacy</a> <a href="http://ssrn.com/abstract=1448365">research</a>:</p>
<blockquote><p>The industry backlash is against the &#8220;Right to Know Act,&#8221; a bill introduced in February by Bonnie Lowenthal, a Democratic assemblywoman from Long Beach. It would make Internet companies, upon request, share with Californians personal information they have collected—including buying habits, physical location and sexual orientation—and what they have passed on to third parties such as marketing companies, app makers and other companies that collect and sell data.</p></blockquote>
<p>Instead of discussing the merits of the bill, here I want to show an aspect of industry association lobbying.  As <a href="http://scienceblogs.com/denialism/2012/08/04/hark-a-new-trade-group-is-born/">noted previously</a>, these groups are useful to companies for several reasons: they can be used to &#8220;launder&#8221; policy, they can air controversial views without attribution to any one company, they can help hide companies&#8217; advocacy when it appears to conflict with previous commitments, and they defray critical reporting.  They also amplify power, because they place legislators in a house of mirrors&#8211;trade groups allow companies to mask the provenance of their advocacy and to multiply it.  This creates a kind of echo chamber for companies.</p>
<p>The Journal&#8217;s Vauhini Vara and Geoffrey Fowler reported: </p>
<blockquote><p>The coalition includes such trade groups as the Internet Alliance, TechNet and TechAmerica, all of which represent major Internet companies</p>
<p>This past week, Will Gonzalez, a Facebook lobbyist based in Sacramento, aired concerns in a meeting about how the bill would hurt Facebook&#8217;s business, according to a legislative aide. Mr. Gonzalez didn&#8217;t respond to requests for comment.</p>
<p>Representatives for Facebook and Google declined to comment on the bill.</p></blockquote>
<p>Vara and Fowler are on the right path&#8211;break through these groups and talk to their principals about their stance on the bill. Facebook and Google won&#8217;t comment to the Journal, I imagine, because AB 1291 is fundamentally a transparency measure.  Opposition to it creates some dissonance with these companies&#8217; rational choice/transparency/openness rhetoric.</p>
<p>But back to my point&#8211;the trade groups help companies hide their advocacy positions, and amplify them.  Check out my poor man&#8217;s version of the web of web advocacy below.</p>
<div id="attachment_1765" class="wp-caption alignnone" style="width: 410px"><a href="http://scienceblogs.com/denialism/files/2013/04/Screen-Shot-2013-04-06-at-12.49.50-PM.png"><img src="http://scienceblogs.com/denialism/files/2013/04/Screen-Shot-2013-04-06-at-12.49.50-PM-300x223.png" alt="This is the letterhead of the opposition letter submitted by tech companies against California&#039;s AB 1291." width="400" class="size-medium wp-image-1765" /></a><p class="wp-caption-text">This is the letterhead of the opposition letter submitted by tech companies against California&#8217;s AB 1291.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2013/04/06/the-web-of-web-lobbying/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lead Industry &amp; the Deck of Cards</title>
		<link>http://scienceblogs.com/denialism/2013/03/07/lead-industry-the-deck-of-cards/</link>
		<comments>http://scienceblogs.com/denialism/2013/03/07/lead-industry-the-deck-of-cards/#comments</comments>
		<pubDate>Thu, 07 Mar 2013 23:08:43 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Denialists' Deck of Cards]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1687</guid>
		<description><![CDATA[Helen Epstein has an interesting review of Lead Wars: The Politics of Science and the Fate of America’s Children by Gerald Markowitz and David Rosner, in the current New York Review of Books. The review is worth reading to better understand the public policy problem of lead in products and the environment. But I cannot&#8230;]]></description>
				<content:encoded><![CDATA[<p>Helen Epstein has an interesting <a href="http://www.nybooks.com/articles/archives/2013/mar/21/lead-poisoning-ignored-scandal/">review</a> of Lead Wars: The Politics of Science and the Fate of America’s Children by Gerald Markowitz and David Rosner, in the current New York Review of Books.   The review is worth reading to better understand the public policy problem of lead in products and the environment.  But I cannot help but point out that the article could be used to provide more footnotes to the <a href="http://scienceblogs.com/denialism/the-denialists-deck-of-cards/">Denialists&#8217; Deck of Cards</a>:</p>
<blockquote><p>&#8230; The lead companies also paid scientists who produced flawed studies casting doubt on the link between lead exposure and child health problems. When University of Pittsburgh professor Herbert Needleman first showed that even children with relatively modest lead levels tended to have lower intelligence and more behavioral problems than their lead-free peers, some of these industry-backed researchers claimed that his methods were sloppy and accused him of scientific misconduct (he has since been exonerated).</p>
<p>The companies also hired a public relations firm to influence stories in The Wall Street Journal and other conservative news outlets, which characterized Needleman as part of a leftist plot to increase government spending on housing and other social programs&#8230;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2013/03/07/lead-industry-the-deck-of-cards/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Good, Not So Good, and Long View on Bmail</title>
		<link>http://scienceblogs.com/denialism/2013/03/06/the-good-not-so-good-and-long-view-on-bmail/</link>
		<comments>http://scienceblogs.com/denialism/2013/03/06/the-good-not-so-good-and-long-view-on-bmail/#comments</comments>
		<pubDate>Wed, 06 Mar 2013 22:59:48 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1684</guid>
		<description><![CDATA[Denialism blog readers, especially those at academic institutions that have/are considering outsourcing email, may be interested in my essay on UC Berkeley&#8217;s migration to Gmail.  This is cross-posted from the Berkeley Blog. Many campuses have decided to outsource email and other services to “cloud” providers.  Berkeley has joined in by migrating students and faculty to&#8230;]]></description>
				<content:encoded><![CDATA[<p>Denialism blog readers, especially those at academic institutions that have/are considering outsourcing email, may be interested in my essay on UC Berkeley&#8217;s migration to Gmail.  This is cross-posted from the <a href="http://blogs.berkeley.edu/2013/03/06/the-good-not-so-good-and-long-view-on-google-mail/http://">Berkeley Blog</a>.</p>
<p>Many campuses have decided to outsource email and other services to “cloud” providers.  Berkeley has joined in by migrating students and faculty to bMail, operated by Google.  In doing so, it has raised some anxiety about privacy and autonomy in communications.  In this post, I outline some advantages of our outsourcing to Google, some disadvantages, and how we might improve upon our IT outsourcing strategy, especially for sensitive or especially valuable materials.</p>
<p><i>Why outsourcing matters</i></p>
<p>Many of us welcome possible alternatives to CalMail, which experienced an embarrassing, protracted outage in fall 2011.  Many of us welcomed the idea of migrating to Gmail, because we use it personally, have found it user-friendly and reliable, and because it is provided by a hip company that all of our students want to work for.</p>
<p>But did we really look before we leaped?  Did we really consider the special context of higher education, one that requires us to protect both students and faculty from outside meddling and university-specific security risks?  Before deciding to outsource, we have to be sure that there are service providers that understand our obligations, norms, and the academic context.</p>
<p>In part because of the university’s particular role, our email is important and can be unusually sensitive to a variety of threats.  Researchers at Berkeley are conducting clinical trials with confidential data and patient information.  We are developing new drugs and technologies that are extremely valuable.  Some of us perform research that is classified, export-controlled, or otherwise could, if misused, cause great harm.  Some of us consult to Fortune 500 companies, serve as lawyers with duties of confidentiality, or serve as advisors to the government.  Some of us are the targets of extremist activists who try to embarrass us or harm us physically.  Some of us are critical of companies and repressive governments.  These entities are motivated to find out the identities of our correspondents and our strategic thinking, through either legal or technical means.  And not least, our email routinely contains communications with students about their progress, foibles, and other sensitive information, including information protected by specific privacy laws, such as the Federal Educational Rights and Privacy Act (FERPA). We have both legal and ethical duties to protect this information.</p>
<p>Our CalMail operators know these things, and as I understand it, they have been very careful in protecting the privacy of campus communications. Outsourcing providers such as Google, however, may be far less likely to be familiar with our specific duties, norms, and protocols, or to have in place procedures to implement them. Outsource providers may be motivated to provide services that they can develop and serve “at scale” and that do not require special protocols. As described below, this seems to have been the case with Google’s contracts with academic institutions.</p>
<p>Finally, communications platforms are powerful.  They are the focus of government surveillance and control because those who control communications can influence how people think and how they organize.  Universities have historically experienced periodic pressures to limit research, publication, teaching, and speech. Without communications confidentiality, integrity, and availability, the quality of our freedom and the role we play in society suffers.  And thus the decision to entrust the valuable thoughts of our community to outsiders requires some careful consideration.</p>
<p><i>The Good</i></p>
<p>There are some clear benefits to outsourcing to Google.  They include:</p>
<ul>
<li>An efficient, user-friendly communications system with a lot of storage.  The integration of Google Apps, such as Calendar, is particularly appealing, given the experience we have had with CalAgenda.  Google Drive is a pleasure compared to the awkward AFS.</li>
<li>Our communications may in some senses be more securely stored in the hands of Google.  Google has some of the best information security experts in the world.  They are experienced in addressing sophisticated, state-actor-level attacks against their network.  To its credit, Google has been <a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html">more transparent about these attacks</a> than other companies.</li>
<li>Although it is not implemented at Berkeley, Google offers <a href="http://support.google.com/accounts/bin/answer.py?hl=en&amp;answer=180744">two-factor authentication</a>.  This is an important security benefit not offered by CalMail that could reduce the risk that our accounts are taken over by others.  Those of us using sensitive data, or who are at risk of retaliation by governments, hackers, activists, etc., should use two-factor authentication.</li>
<li>As a provider of services to the general public, Google is subject to a key federal communications privacy law.  This law imposes basic obligations on Google when data are sought by the government or private parties.  It is not clear that this law binds the operations of colleges and universities generally.  However, this factor is not very important with respect to Berkeley’s adoption of bMail, as we have adopted a strong <a href="http://www.ucop.edu/ucophome/policies/ec/html/pp081805ecp.html">electronic communications policy</a> protecting emails systemwide.</li>
<li>Google <a href="http://www.wired.com/threatlevel/2013/01/google-says-get-a-warrant/">recently announced</a> that it will require government agents to obtain a probable cause warrant for user content.  This is important, because other providers release “stale” (that is, over 180 days old) data to government investigators with a mere subpoena.  A subpoena is very easy to obtain, whereas a probable cause warrant standard requires the involvement of a judge, an important check against overzealous law enforcement.  Google’s position protects us from the problem that our email archives can be obtained by many government officials who need only fill out and stamp a one-page form.</li>
</ul>
<p><i>The Not So Good</i></p>
<p>Still, there are many reasons why outsourcing, and outsourcing to Google specifically, creates new risks.  While our IT professionals did <a href="http://web.archive.org/web/20120107201456/http://technology.berkeley.edu/productivity-suite/google/matrix.html">an in-depth analysis of Google and Microsoft</a>, it seems that the decision to outsource was taken before the reality of the alternatives available to us was evaluated.</p>
<ul>
<li>We must consider issues around contract negotiations and whether services provided fulfill the requirements I set forth above. In initial negotiations, Google treated Berkeley IT professionals like ordinary consumers—it presented take-it-or-leave-it contracts.  Google was resistant to, though it eventually accepted, assuming obligations under FERPA, a critical concession for colleges and universities.  Google also used a gag clause in its negotiations with schools.  This made it difficult for our IT professionals to learn from other campuses about the nuances of outsourcing to Google.  As a result, much of what we know about how other campuses protected the privacy of their students and faculty is rumor that cannot be invoked, as it implicitly violates the gag clause.</li>
<li>On the most basic level, we should pause to consider that both companies the campus considered for outsourcing are the subject of 20-year consent decrees for engaging in deceptive practices surrounding privacy and/or security.  Google in particular, with its maximum transparency ideology, does not seem to have a corporate culture that appreciates the <a href="http://www.ftc.gov/opa/2011/03/google.shtm">special context of professional secrecy</a>.  The company is not only a fountainhead of privacy gaffes but also benefits from shaping users’ activities towards greater disclosure.</li>
<li>As discussed above, UC and Berkeley routinely handle very sensitive information, and many of us on campus have special obligations or particularized vulnerabilities.  Companies with valuable secrets do not place crown jewels in clouds.  When they do outsource, they typically buy “single-tenant” clouds, computers where a single client’s data resides on the machine.  Google’s service is a “multi-tenant” cloud, and thus Berkeley data will only be separated from others on a logical level.  Despite the contract negotiation, Google’s is a consumer-level service and our contract has features of that type of service.  There is a rumor that one state school addressed this issue by negotiating to be placed in Google’s government-grade cloud service, but because of the secrecy surrounding Google’s negotiations, I cannot verify this.</li>
<li>Third parties are a threat to communications privacy, but so are first parties—communications providers themselves.  While we may perceive cloud services as being akin to a locker that the user secures, in reality these are services where the provider can open the door to the locker.  In some cases, there is a technical justification for this, in other cases, companies have some business justification, such as targeting advertising or engaging in analysis of user data.</li>
<li>It is rumored that some campuses understood this risk, and negotiated a “no data mining clause.”  This would guarantee that Google would not use techniques to infer knowledge about users’ relationships with others or the content of messages.  Despite our special responsibilities to students to protect their information and our research and other requirements, we lack this guarantee.</li>
<li>Despite the good news about Google’s warrant requirement, we still need to consider intelligence agency monitoring of our data.  Any time data leaves the country, our government (and probably others) captures it at the landing stations and at repeater stations deep under the ocean.  And the bad news is our contract does not keep Berkeley data in the U.S.  Even while stored in the country, there are risks.  For instance, the government could issue a national security letter to Google, demanding access to hundreds or even thousands of accounts while prohibiting notice to university counsel.  Prior to outsourcing, those demands would have to be delivered to university officials because our IT professionals had the data.  Again, to its credit, Google is one of the most forthcoming companies on the national security letter issue, and its <a href="http://googlepublicpolicy.blogspot.com/2013/03/transparency-report-shedding-more-light.html">reporting on the topic</a> indicates that some accounts have been subject to such requests.</li>
<li>Google represented that its service meets a SAS 70 standard in response to security concerns, but it is not clear to me that this certification is even relevant.    SAS 70 speaks to the internal controls of an organization, and specifically to data integrity in the financial services context.  The University’s concerns are broader–confidentiality and availability are key elements–and apply to both external and internal controls and the University’s rights to monitor and verify.  There are notable examples of SAS 70 compliant cloud services with extreme security lapses, such as Epsilon (confidentiality) and AWS (availability).  SAS 70 allows the company, which is the client of the auditor, and the auditor itself, to agree upon what controls are to be assured.</li>
<li>Google will have few if any incentives to develop privacy-enhancing technologies for our communications platform, such as a workable encryption infrastructure.  As it stands, the contract creates no incentives or requirements for development of such technologies, and in fact, such development runs counter to Google’s interests.</li>
<li>In the end, CalMail was being very effectively maintained by only a few employees. It is not clear to me that an outsourced solution—which, in order for the security and other issues to be managed properly, requires Berkeley personnel to interface with the system and with Google—is necessarily less costly. This is especially concerning in light of the fact that we appear to have lost the connection to IT personnel who understand the sensitivity of the data we handle, and moved to a much more consumer-oriented product.</li>
</ul>
<p><i>The long view</i></p>
<p>Looking ahead, we should carefully consider how we could assume the best posture for outsourcing. Instead of experimenting with Google, we would be better served by an evaluation of the campus needs that includes regulatory and ethical obligations and that captures the norms and values of our mission.  Provider selection should be broader than choosing between Google and Microsoft.</p>
<p>As a first step, we should charge our IT leadership with forming formal alliances with other institutions to jointly share information and negotiate with providers.  Google’s gag provision harmed our ability to both recognize risks and to address them.</p>
<p>We need to be less infatuated with “the cloud,” which to some extent is a marketing fad.  Many of the putative benefits of the cloud are disclaimed in these services’ terms of service.  For instance, a 2009 <a href="http://ssrn.com/abstract=1662374">survey of 31 contracts</a> found that, “…In effect, a number of providers of consumer-oriented Cloud services appear to disclaim the specific fitness of their services for the purpose(s) for which many customers will have specifically signed up to use them.”  The same researchers found that providers’ business models were related to the generosity of terms.  This militates towards providers that charge some fee for service as opposed to “free” ones that monetize user data.</p>
<p>We should charge our IT professionals with the duty of documenting problems with outsourced services.  To more objectively understand the cloud phenomenon, we should track the real costs associated with outsourcing, including outages, the costs of managing the relationship with Google, and the technical problems that users experience.  Outsourcing is not costless.  We could learn that employees have simply been transferred from the operation of CalMail to the management of bMail.  We should not assume that systems mean fewer people—they may appropriately require meaningful staffing to fulfill our needs. As the expiration date of the <a href="http://www.ucop.edu/purchserv/psa_db/pubregisterindex.php?mode=1&amp;id=276">system wide Google contract</a> approaches in June 2015, these metrics will help us make an economical decision.</p>
<p>Finally, there are technical approaches that, if effective, could blunt, but not completely eliminate, the privacy problems created by cloud services.  Encryption tools, such as <a href="http://www.ciphercloud.com/">CipherCloud</a>, exist to mask data from Google itself.  This can help hide the content of messages, reduce data mining risks from Google, and cause the government to have to come to Berkeley officials to gain access to content.  The emergence of these services indicates that there is a shared concern about storing even everyday emails in cloud services.  These services cost real money, but if we continue to think we can save money by handing over our communications systems to data mining companies, we are likely to end up paying in other ways.</p>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2013/03/06/the-good-not-so-good-and-long-view-on-bmail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Katie Couric Picking Up Where Oprah Left Off</title>
		<link>http://scienceblogs.com/denialism/2012/09/12/katie-couric-picking-up-where-oprah-left-off/</link>
		<comments>http://scienceblogs.com/denialism/2012/09/12/katie-couric-picking-up-where-oprah-left-off/#comments</comments>
		<pubDate>Wed, 12 Sep 2012 13:11:53 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1392</guid>
		<description><![CDATA[Gawker reports that on the first day of Katie Couric&#8217;s new show, Sheryl Crow discusses her theory that cell phone use caused her to have a brain tumor. Update: The Chronicle reports that the show is just a celebrity infomercial, with softball questions, and no critical discussion: You would be forgiven for mistakenly thinking you&#8217;d&#8230;]]></description>
				<content:encoded><![CDATA[<p>Gawker <a href="http://gawker.com/5942391/sheryl-crow-has-a-theory-that-cell-phone-use-caused-her-brain-tumor">reports</a> that on the first day of Katie Couric&#8217;s new show, Sheryl Crow discusses her theory that cell phone use caused her to have a brain tumor.</p>
<p>Update: The Chronicle <a href="http://www.sfgate.com/tv/article/Katie-review-Soft-questions-hard-sell-3856874.php">reports</a> that the show is just a celebrity infomercial, with softball questions, and no critical discussion:</p>
<blockquote><p>You would be forgiven for mistakenly thinking you&#8217;d tuned in to an infomercial for Weight Watchers in the first half hour of Katie Couric&#8217;s new syndicated talk show, &#8220;Katie,&#8221; which premiered Monday afternoon&#8230;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2012/09/12/katie-couric-picking-up-where-oprah-left-off/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>$15 To Turn off &#8220;Special Offers&#8221; Bravo Amazon.com!</title>
		<link>http://scienceblogs.com/denialism/2012/09/10/15-to-turn-off-special-offers-bravo-amazon-com/</link>
		<comments>http://scienceblogs.com/denialism/2012/09/10/15-to-turn-off-special-offers-bravo-amazon-com/#comments</comments>
		<pubDate>Mon, 10 Sep 2012 05:10:38 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1394</guid>
		<description><![CDATA[With the announcement of the Kindle Fire HD, some users were upset to learn that Amazon was going to stuff &#8220;special offers&#8221; on the device. But the company quickly retreated, and now is offering the option to turn off the ads for a mere $15. This is a good development for consumers. We should have&#8230;]]></description>
				<content:encoded><![CDATA[<p>With the announcement of the Kindle Fire HD, some users were upset to learn that Amazon was going to stuff &#8220;special offers&#8221; on the device.  But the company quickly retreated, and now is <a href="http://www.engadget.com/2012/09/08/amazon-has-change-of-heart-will-allow-opt-out-of-kindle-fire-hd-ads/">offering the option to turn off the ads for a mere $15</a>.  </p>
<p>This is a good development for consumers.  We should have the choice to move away from ad-supported business models.  As I explain with my co-author <a href="http://urbdp.be.washington.edu/people/faculty/departmental/profiles/whittington.html">Jan Whittington</a>, there is a cost to free business models.  &#8220;Free,&#8221; ad-supported services are <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2059154">packed with hidden costs</a> to privacy and other consumer interests.</p>
<p>While the ads are gone, there is still no word on whether Amazon will reduce tracking of Kindle users.  Without backing off on tracking, this is not a pure privacy play.</p>
<p>And an interesting data point&#8211;how is it that Amazon is willing to give up these special offers for only $15, given that &#8220;<a href="http://www.amazon.com/gp/help/customer/forums/kindleqna/ref=cm_cd_tft_tp?ie=UTF8&#038;cdForum=Fx1GLDPZMNR1X53&#038;cdThread=Tx1WEM06OFQ59MC">customers love our special offers</a>&#8221;? </p>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2012/09/10/15-to-turn-off-special-offers-bravo-amazon-com/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>How Did You Get My Facebook?</title>
		<link>http://scienceblogs.com/denialism/2012/09/01/how-did-you-get-my-facebook/</link>
		<comments>http://scienceblogs.com/denialism/2012/09/01/how-did-you-get-my-facebook/#comments</comments>
		<pubDate>Sat, 01 Sep 2012 05:26:35 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1380</guid>
		<description><![CDATA[Facebook watchers are reporting that the service is about to launch a new feature for merchants that will allow merchants to target ads to users based upon users&#8217; email and phone numbers. That&#8217;s a little confusing. Let me explain with a hypo&#8211; As I understand it, it might work like this: ABC Corp. has an&#8230;]]></description>
				<content:encoded><![CDATA[<p>Facebook watchers are <a href="http://www.insidefacebook.com/2012/08/30/facebook-may-soon-allow-ad-targeting-by-email-user-id-and-phone-number/">reporting</a> that the service is about to launch a new feature for merchants that will allow merchants to target ads to users based upon users&#8217; email and phone numbers.  That&#8217;s a little confusing.  Let me explain with a hypo&#8211;</p>
<p>As I understand it, it might work like this: ABC Corp. has an extensive database of consumer email addresses, but is concerned that no one is reading the company&#8217;s spam.  So ABC uploads its consumer email database to Facebook, which identifies Facebook members who are customers of ABC.  ABC Corp can then send its marketing through Facebook so that it lands in the Facebook Feeds of its existing customers.  </p>
<p>The service has some privacy safeguards, because some <a href="http://techcrunch.com/2012/08/30/facebook-ads-email-phone-numbers/">hashing</a> will be in place to stop Facebook from just copying the customer databases held by merchants (too bad they don&#8217;t do this for address book scanning!), and because the targeting will be based upon phone numbers and email addresses <i>already in possession</i> of the merchant.  Thus, the idea is that this is marketing only to people with a business relationship with the advertiser.</p>
<p>This is a great model for businesses trying to communicate with their existing customers.  It lets them reach customers through a new channel (Facebook) that is very popular.  It avoids the hassle of telemarketing and possibly the regulatory regime associated with email marketing.</p>
<p><b>The Enhancement Problem</b></p>
<p>But here&#8217;s the catch&#8211;two core privacy assumptions are flawed.  Merchants have difficulty getting phone numbers and email addresses from customers.  Sometimes, instead of asking customers for personal information, they find ways to trick consumers into providing it, or they simply buy email addresses, phone numbers, or home addresses for a customer based upon whatever data they already possess.  This practice is known as <a href="http://www.towerdata.com/services/email/append/email_append.html">data</a> <a href="http://www.melissadata.com/dm/data-services/phone-append.htm">enhancement</a>; it happens when a company links more information about consumers to an existing database. </p>
<p>A recent case explored this practice at Williams-Sonoma: &#8220;After acquiring this information [zip code from Jessica Pineda at the register], the Store used customized computer software to perform reverse searches from databases that contain millions of names, e-mail addresses, residential telephone numbers and residential addresses, and are indexed in a manner that resembles a reverse telephone book. The Store&#8217;s software then matched Pineda&#8217;s now-known name, zip code or other personal information with her previously unknown address, thereby giving the Store access to her name and address.&#8221;  That&#8217;s how you end up with dead trees in your mailbox.</p>
<p>The whole point of data enhancement is to get information about the consumer that she is otherwise unwilling to provide.  It&#8217;s really sneaky and it contravenes transparency and fairness principles. Enhancement obviates many attempts to protect privacy through selective revelation.</p>
<p><b>How Did They Get My Facebook?</b></p>
<p>There&#8217;s a second problem here.  Many people do not want to be contacted by the companies that they frequent.  In a <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2103405">recent survey</a>, I found with colleagues that 74 percent of Americans thought that a merchant should not be able to call them, even if they gave their phone number to the merchant!  Consumers want specific permission controls over direct marketing.  </p>
<p>Finding a new channel to contact people may be great for advertisers, but for users, contact through some new, unexpected channel can be a bit unwelcome.</p>
<p><b>A Fix?</b></p>
<p>Perhaps Facebook could correct this problem by requiring merchants using this new service to guarantee that they collected email addresses and phone numbers directly from the consumer, with their consent that the information be used for marketing.  Otherwise, this new service will create incentives for companies to engage in more enhancement, and it will further junk up Facebook.</p>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2012/09/01/how-did-you-get-my-facebook/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Is Lynda Resnick&#8217;s Admiration Good or Bad for Fareed Zakaria?</title>
		<link>http://scienceblogs.com/denialism/2012/08/20/is-lynda-resnicks-admiration-good-or-bad-for-fareed-zakaria/</link>
		<comments>http://scienceblogs.com/denialism/2012/08/20/is-lynda-resnicks-admiration-good-or-bad-for-fareed-zakaria/#comments</comments>
		<pubDate>Mon, 20 Aug 2012 16:21:58 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1361</guid>
		<description><![CDATA[Earnest reporting or catty criticism? Fareed Zakaria, according to the Times, is on the short list of Lynda Resnick&#8217;s dinner parties, along with &#8220;Queen Noor of Jordan, George Soros, the financier, and Senator Dianne Feinstein, Democrat of California.&#8221; Is the Times&#8217; Christine Haughney critiquing Zakaria or not? Resnick is well known for being a marketing&#8230;]]></description>
				<content:encoded><![CDATA[<p>Earnest reporting or catty criticism?  Fareed Zakaria, according to the <a href="https://www.nytimes.com/2012/08/20/business/media/scandal-threatens-fareed-zakarias-image-as-media-star.html?_r=1&#038;ref=todayspaper">Times</a>, is on the short list of Lynda Resnick&#8217;s dinner parties, along with &#8220;Queen Noor of Jordan, George Soros, the financier, and Senator Dianne Feinstein, Democrat of California.&#8221;</p>
<p>Is the Times&#8217; Christine Haughney critiquing Zakaria or not?  Resnick is well known for being a <a href="http://www.newyorker.com/reporting/2008/03/31/080331fa_fact_fortini">marketing personality</a>, one that makes <a href="http://www.courthousenews.com/2012/05/23/46760.htm">broad</a>, <a href="http://www.ftc.gov/os/adjpro/d9344/index.shtm">unsubstantiated</a> <a href="http://www.businessweek.com/articles/2012-05-24/pom-sticks-it-to-ftc-by-quoting-judge-out-of-context-in-new-ads">health claims</a> about &#8220;POM,&#8221; her silly juice that you should not waste your money on.  Nor should you ever buy anything from her former business, the Franklin Mint, or Fiji, her overpriced water (see a theme here?).</p>
<p>Is a Resnick endorsement a thumbs up or down?</p>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2012/08/20/is-lynda-resnicks-admiration-good-or-bad-for-fareed-zakaria/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>App.net and the Free Problem</title>
		<link>http://scienceblogs.com/denialism/2012/08/17/app-net-and-the-free-problem/</link>
		<comments>http://scienceblogs.com/denialism/2012/08/17/app-net-and-the-free-problem/#comments</comments>
		<pubDate>Fri, 17 Aug 2012 04:03:18 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1353</guid>
		<description><![CDATA[Have you heard of App.net? If not, check it out. The basic premise is to create a social media platform that is aligned with users&#8217; interest. And so, gasp, it costs money! The CEO, Dalton Caldwell, has a neat video explaining the inception of the project and the philosophy of the venture. Critics have said&#8230;]]></description>
				<content:encoded><![CDATA[<p>Have you heard of <a href="http://www.join.app.net">App.net</a>? If not, check it out.  The basic premise is to create a social media platform that is aligned with users&#8217; interest.  And so, gasp, it costs money!  The CEO, Dalton Caldwell, has a neat video explaining the inception of the project and the philosophy of the venture.  Critics have said Caldwell&#8217;s proposal is misunderstood, and that users are projecting their own ideals onto the platform.  They have said that there are too many men on App.net.  They have said that it&#8217;s just another gated community, and segmenting away users is a bad thing.</p>
<p>I <a href="https://alpha.app.net/hoofnagle">joined</a> and still think it is a good idea to join, based upon arguments started in a <a href="http://scienceblogs.com/denialism/2009/11/28/free-the-dismal-deal/">series of</a> <a href="http://scienceblogs.com/denialism/2009/07/21/free-rip/">posts</a> concerning Chris Anderson&#8217;s book, &#8220;Free.&#8221;</p>
<p>There are two reasons to avoid free products and start paying for things.  First, free is a force for mediocrity, both online and off.  It displaces better products, because no one can compete with free things, and because free things are usually just good enough to do the job we need them to do.</p>
<p>Second, as Jan Whittington and I explain in our work on <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2059154">social network services that are advertised as free</a>, &#8220;free&#8221; services have costs. A sample of food at a mall&#8217;s food court is free to the recipient.  You get it and walk away.  Online services are different, because you do not walk away whole.  The service keeps personal information about you and you forever have to monitor how it deals with that data.  In our first paper, we describe the depredations of C. Everett Koop&#8217;s drkoop.com, a free social network for medical issues. Drkoop.com went bankrupt, and its member database was sold to a Florida-based &#8220;nutritional supplement&#8221; company.  The best part of the story was the reaction of the buyer.  He said, &#8220;Three years ago, Drkoop.com would not have given us the time of day&#8230;Now we own them.&#8221;  Shifting policies represent a monitoring cost, a real investment of your time and a risk to your privacy.</p>
<p>At the end of the day, services like Facebook and Twitter must adhere to what advertisers want, and so paeans to &#8220;making the world more open&#8221; and real identity requirements are masks for serving advertisers&#8217; wishes.  If we want to escape that trap, we&#8217;re going to have to actually start paying for things with money.</p>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2012/08/17/app-net-and-the-free-problem/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The Privacy Competition Myth</title>
		<link>http://scienceblogs.com/denialism/2012/08/16/the-privacy-competition-myth/</link>
		<comments>http://scienceblogs.com/denialism/2012/08/16/the-privacy-competition-myth/#comments</comments>
		<pubDate>Thu, 16 Aug 2012 13:44:40 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Cato]]></category>
		<category><![CDATA[Cranks]]></category>
		<category><![CDATA[Denialism]]></category>
		<category><![CDATA[Fake Experts]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1346</guid>
		<description><![CDATA[In his non-book-review of Garret Keizer&#8217;s new book, Privacy, a &#8220;Reason&#8221; Magazine correspondent includes this ill-informed quip on privacy: With regard to modern commerce, Mr. Keizer grumps: &#8220;We would do well to ask if the capitalist economy and its obsessions with smart marketing and technological innovation cannot become as intrusive as any authoritarian state.&#8221; Actually, no.&#8230;]]></description>
				<content:encoded><![CDATA[<p>In his <a href="http://online.wsj.com/article/SB10000872396390443991704577580123504389562.html">non-book-review</a> of Garret Keizer&#8217;s new book, <i><a href="http://garretkeizer.com/">Privacy</a></i>, a &#8220;Reason&#8221; Magazine correspondent includes this ill-informed quip on privacy:</p>
<blockquote><p>With regard to modern commerce, Mr. Keizer grumps: &#8220;We would do well to ask if the capitalist economy and its obsessions with smart marketing and technological innovation cannot become as intrusive as any authoritarian state.&#8221; Actually, no. If consumers become sufficiently annoyed with mercantile snooping and excessive marketing, they can take their business to competitors who are more respectful of privacy. Not so with the citizens of an intrusive state.</p></blockquote>
<p>There is almost no market for privacy among merchants.  Companies learned long ago that raising privacy as an issue backfires&#8211;it causes consumers to worry about it rather than feel safe about an alternative product.  Whether online or offline, going to a competitor doesn&#8217;t increase your privacy, in real or perceived terms.  It&#8217;s simply too easy to hide invasive practices from consumers.</p>
<p>Our work at Berkeley shows the folly of simply going to a different site in order to have more privacy.  Here&#8217;s just one example: in our <a href="http://www.law.berkeley.edu/privacycensus.htm">Web Privacy Census</a>, we did a large-scale survey of popular websites in order to assess mercantile snooping and excessive tracking.  Of the most popular 1,000 websites, Google trackers are present on 712 of them.  Good luck finding a competitor who is more respectful of your privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2012/08/16/the-privacy-competition-myth/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Hark! A New Trade Group is Born</title>
		<link>http://scienceblogs.com/denialism/2012/08/04/hark-a-new-trade-group-is-born/</link>
		<comments>http://scienceblogs.com/denialism/2012/08/04/hark-a-new-trade-group-is-born/#comments</comments>
		<pubDate>Sat, 04 Aug 2012 09:21:35 +0000</pubDate>
		<dc:creator>Chris Hoofnagle</dc:creator>
				<category><![CDATA[Politics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://scienceblogs.com/denialism/?p=1343</guid>
		<description><![CDATA[BNA reports on the formation of the Internet Association, a new trade group that will represent Google, Facebook, eBay, and Amazon. The group introduces itself as, &#8220;the unified voice of the Internet economy, representing the interests of America&#8217;s leading Internet companies and their global community of users. The Internet Association is dedicated to advancing public&#8230;]]></description>
				<content:encoded><![CDATA[<p>BNA <a href="http://news.bna.com/pvln/PVLNWB/split_display.adp?fedfid=27520086&#038;vname=pvlrnotallissues&#038;jd=a0d3w1a0m3&#038;split=0">reports</a> on the formation of the <a href="http://www.internetassociation.org">Internet Association</a>, a new trade group that will represent Google, Facebook, eBay, and Amazon.  The group introduces itself as, &#8220;the unified voice of the Internet economy, representing the interests of America&#8217;s leading Internet companies and their global community of users. The Internet Association is dedicated to advancing public policy solutions to strengthen and protect an open, innovative and free Internet.&#8221;</p>
<p>I do not know what the Internet Association will do nor do I discuss its merits here (as it has no track record yet).  I wish to use this as an opportunity to discuss some of the issues in trade group lobbying.  Consumer groups have problems too, but unlike companies, consumers have no direct representation in most regulatory matters, and consumer groups are completely outgunned in money, influence, and manpower in DC.</p>
<p>The creation of a new lobbying group for tech interests is a notable thing.  These organizations are always created for some strategic reason.  It could be that the many existing trade organizations are too closely aligned with other tech companies with dissimilar interests.  Here, the Internet Association makes a big deal about being the first group to explicitly represent the interests of the Internet, whatever that means.  Or perhaps it was created because other organizations have become too discredited to be believed anymore.  When firms&#8217; sock puppets are discredited, they can simply be abandoned, and rise again (sometimes with the exact same employees) in new form.  This is a lot like <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1647129">Unbranding</a>.</p>
<p>There are already tons of tech lobby groups.  Companies find them useful because they can launder policy through them.  The groups can say controversial things, or engage in sock puppetry with reasonable deniability.  So when you read a news article about some controversy, and see a trade organization quoted instead of a company directly involved in the tussle, chances are that the company decided to participate in the fray through its proxy and avoid the risk of direct exposure to critical reporting.  Reporters do not kick the tires too hard on these groups to see who is actually behind them.</p>
<p><b>The Lobbying Clone Wars</b></p>
<p>Generally speaking, we too easily recognize these groups as legitimate.  Federal agencies, for instance, recognize them and take them as seriously as ordinary principals in debates.  This is problematic, because firms use these groups to amplify their interests.  So, for instance, at Congressional hearings or FTC events, sometimes you&#8217;ll see company representatives appearing on a panel along with witnesses from trade organizations that the company underwrites.  Similarly, in the current debate at the Department of Commerce over privacy, the agency is going to try to develop a &#8220;consensus.&#8221;  Those wanting to influence that consensus will be far more effective if they multiply their presence in the room with additional lobbyists who appear to be independent but really are fully backed by specific companies.</p>
<p><b>“The Internet must have a voice in Washington.”</b></p>
<p>Turning back to the Internet Association, a few things to note for future reference.  First, their PR firm is <a href="http://hdmk.org">HDMK</a>.  That&#8217;s important to know because closely related groups often share the same PR firm.  If you see two groups with the same PR firm, chances are they have coordinated their messages, or they are really just the same interest broadcasting through two different speakers. </p>
<p>Second, the Internet Association is interesting because it explicitly claims to represent users.  It will represent, &#8220;the interests of America&#8217;s leading Internet companies and their global community of users.&#8221;</p>
<p>This could be a great source of legitimacy problems for this group, because user interests so often diverge from the interests of Google, Facebook, Amazon, eBay, and the like.  These companies tend to think that user interests align with their own because consumers would simply choose other services if they were in misalignment.  It&#8217;s a form of circular reasoning that many businesses suffer from.</p>
<p>Of course, consumers use what is available to them, and the market often obscures or blocks options that users are likely to take.  For instance, in Douglas Edwards&#8217; recent book [FN1] about working at Google, he discussed the company&#8217;s first-party cookie policy:</p>
<blockquote><p>What if we [Google] let users opt out of accepting our cookies altogether?  I liked that idea, but Marissa [Mayer] raised an interesting point.  We would clearly want to set the default as “accept Google’s cookies.”  If we fully explained what that meant to most users, however, they would probably prefer not to accept our cookie.  So our default setting would go against users’ wishes.  Some people might call that evil, and evil made Marissa uncomfortable.  She was disturbed that our current cookie-setting practices made the argument a reasonable one.  She agreed that at the very least we should have a page telling users how they could delete their cookies, whether set by Google or by some other website.</p></blockquote>
<p>Even when companies know that consumers want more privacy, firms can have incentives to code in privacy-invasive options by default.  Firms may also have incentives to hide the tussle among these options.  Google could have implemented compromise approaches that preserved some privacy, by using session cookies or by choosing cookies that expired after some short amount of time, but it did not.</p>
<p>A similar theme appears in Katherine Losse&#8217;s <a href="http://www.theboykings.com/">tale of employment</a> at Facebook.  According to Losse, when Facebook made major changes to users&#8217; privacy settings, there was no internal debate at the company about how users would feel about the changes.  Losse was charged with writing blog posts on behalf of Zuckerberg explaining the need of users to become more open.</p>
<p>It will be interesting to see how the Internet Association will represent user interests and the interests of companies such as Google and Facebook, when we know that these companies themselves make strategic decisions to shape, deny, or flat out commandeer users&#8217; choices.</p>
<p>FN1: Douglas Edwards, I’m Feeling Lucky: The Confessions of Google Employee Number 59, at 341 (HMH 2011).</p>
]]></content:encoded>
			<wfw:commentRss>http://scienceblogs.com/denialism/2012/08/04/hark-a-new-trade-group-is-born/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
