Transcript

What Google and the Govt Really Know About You

April 26, 2012

0:00:0

MICAH SIFRY: Hi everybody, this is Micah Sifry from Personal Democracy Media and welcome to another episode of Personal Democracy Plus's ongoing teleconferences with movers, shakers, thinkers, doers and innovators at the point where technology is colliding with politics and government and civic life.

Today I'm very pleased to be speaking with Chris Soghoian, Christopher Soghoian who is a Graduate Fellow at the Center for Applied Cyber Security Research and a PhD candidate in the School of Informatics and Computing at Indiana University, and a -- Wired magazine actually recently referred to Chris as a "Ralph Nader for the internet age," his single-handed journalism and kind of hacking activism if you will in terms of poking at the security holes and privacy issues that exist in the public sector as well in the private sector have made him really a go to expert on all the kinds of problems we now face with protecting privacy online.

He's actually currently a Fellow with the Open Society Foundations and working on a guide that will hopefully help a lot of us whether we're ordinary citizens or activists and journalists navigate this complicated space. It's very confusing for many of us to keep track and luckily we have people like Chris who are working hard to do so.

So with all that said Chris, welcome. I was wondering if you might start us out and kind of give an overview, the lay of the land as you see it. What is the state of online privacy today? What's the good news? What's the bad news?

CHRIS SOGHOIAN: So, the state of online privacy is not so great, I'll be honest with you. Consumers are increasingly relying on services provided to them by companies for free. You know, 10 years ago you would have paid for your word processing software, you would have paid for your backup software. In the early days of Netscape, you even paid for your browser. And now consumers increasingly rely on services provided for them by companies, nonprofits, but the companies provide these services for free, or at least "free" sort of in scare quotes because there's something -- there's an exchange that's happening and consumers may not realize that there's an exchange happening at all, or they may not at least realize the full scope of the exchange.

And the exchange essentially is that consumers are exchanging their personal data for the services they're getting. Facebook doesn't charge users any money, Google doesn't charge users any money, Hotmail, Yahoo, many of these companies are providing things for free. And in some cases the trade is at least relatively easy to figure out, right? So, you're getting this fantastic email service from Google and there are ads embedded in the window in which your email is displayed.

A relatively savvy consumer can -- in fact, any consumer can figure out there are ads, but a relatively savvy consumer can figure out that the ads are based on their email. And in fact, there are studies conducted by academic experts showing that about 50 percent of the users realize that their Gmail ads are based on the contents of their email.

But that's at least the scenario where there are ads in the service. And similarly, Facebook has ads embedded in their service, too. But things get a little more interesting for services like Google Docs where there are no ads. Or in fact, like the software download space like Internet Explorer and Google Chrome there are no ads built into Google Chrome. There is no Google Chrome plus that you can pay for, and so the business model isn't entirely clear to consumers. Why is Google giving this browser away? And why is Microsoft giving this browser away? It's a spectacular product, there's a large team of developers who are constantly adding new features and fixing security flaws, but there's no obvious revenue model for this service. And Chrome has captured somewhere in the ballpark of 20 percent of the browser market. Why is Google offering this product?

And my hypothesis here is that the browsers that consumers use include many knobs and buttons that can be turned to configure them. Your browser can be configured to enable cookies, to allow cookies to track you by default or to block cookies by default, to allow all cookies or to block all cookies, to allow only some cookies or to block some cookies.

And if you look at the various browsers, what you find is that the settings are not the same across the different products. What you find is that Apple's browser by default is configured to block many forms of tracking cookies out of the box, right? So, if a consumer walks into an Apple store and pays $1,000 for a laptop, isn't thinking about privacy, just wants the hot, new MacBook. They get a browser by default that blocks most of third party advertising networks. If a consumer goes into Office Depot and buys a $400 Dell the browser that comes with their computer allows tracking by third party ad networks. Or if the consumer sees an ad on the subway or a Google home page or Google Chrome is somehow pre-installed on their laptop because of a deal between Google and the laptop manufacturer and they're using Chrome, similarly Chrome will allow that user to be tracked by ad networks by default.

And so what we have essentially is the browser which is provided now increasingly by ad companies configured by default to allow those same ad companies and their friends and partners to track consumers everywhere they go.

And essentially you see the deck is sort of stacked against consumers. We know from a solid body of behavioral science research that consumers don't change default settings whether those default settings are the 401K plan that their employer gives them, whether the default setting is their organ donation status or whether the default setting is their Facebook or Google privacy and security controls. The defaults that come with the product largely stay the way they were pre-set for 99 percent of consumers.

And unfortunately the companies that are choosing the defaults are not choosing them in such a way that privacy is the number one priority. In most cases the defaults that are being picked are optimized to increase the revenue of the companies and to allow them to collect data. And this is fine because after all these are corporations who are obligated to return money to their shareholders, but I don't think consumers understand.

I don't think that consumers realize that these options exist and that they have been set in a way that optimizes against their privacy.

MICAH SIFRY: Right, and I mean there are lots of tributaries that flow from what you've just said, but the first two that occur to me are the point about privacy and the browser you use is very different than privacy and say deciding to connect up on Apple or Facebook or something. Typically when you first make that purchase or open an account, you are asked; most people don't read the Terms of Service, but you are asked do you accept these Terms of Service. So, when you open an account with Apple in the iTunes store and they regularly update that, but at least the theory of informed consent here that people are giving their consent in an active way, whereas if I just fire up a browser the browser never tells me the first time I start using it, oh, by the way, cookies are on, third party services will have access to your browsing behavior. How do you feel about that?

CHRIS SOGHOIAN: And that's because the browser isn't tracking you. If Google built tracking technology into Chrome and Chrome were the only -- Google were the only ad network that could track you through Chrome, then they would have to engage in this sort of façade of informed consent. Where they would have to say, by using Chrome you hereby permit us to track everything you do on the web. That would be troublesome and then they would be accused of having a monopoly over the activities of Chrome users.

Instead what they go for is to just have their browser spew your private data all over the web and then their own sister ad division can just sit there on the receiving end and collect it without having to give you any form of informed consent. There'll be a privacy policy on the individual websites that you visit that say, well we may partner with other companies to track you. But that's an entirely different experience than being told when you install the browser, by the way, we're tracking you.

I should also note that Google now has a majority of the share of the smart phone market, and I think one of the reasons why Google has invested so heavily here is they didn't want Apple to have a lock down and control the mobile browser experience, right? Apple had showed a desire to block tracking technologies by default, Safari on mobile blocks third party cookies, Apple didn't want to allow Flash, so Flash cookies were sort of out of the picture. And had Apple dominated the mobile market, Google really would have been in a tough situation in terms of at least web-based tracking.

And so the alternate platform of Android and more importantly, Google's default browser on Android that allows tracking leaves the door open for companies like Google to continue to track consumers who don't know that it's going on and who stick with the default settings.

MICAH SIFRY: Great. And when you mean -- and you don't just mean companies like Google, you mean companies who have set up their own cookies so that if you come to their site, there may be an ad network that that site has a deal with and they're placing a cookie on your browser so that they know you visited and they have even -- they may have knowledge of what you searched for, what products you were looking at, what pages you were reading.

I mean spell out -- what's the worst case scenario here for an ordinary -- we're not talking about people who are doing edgy things. We're talking about your average Mom and Pop web user. Why should this bother them?

CHRIS SOGHOIAN: I mean so this is a trap that you're dangling in front of me and this is a trap that privacy advocates often get ensnared by which is what's the harm, right? Why should consumers care about this data collection?

And if you allow yourself to get dragged down this hole, then you're having sort of a fact-based discussion well how much tracking is okay and when does it cross that creepy line? And I'm not going to go there. What I'm going to say is that I think that consumers have a basic right to not have this information collected about them particularly because they're not benefiting. And if you look at the numbers that come from this industry -- so Facebook's numbers I think are really revealing because the company has filed so much information in sort of the IPO process, we find out that Facebook makes approximately $5.00 per year, per user, right? There's no way to pay for Facebook Pro; there's no way to pay for a privacy preserving Facebook that is optimized to protect your privacy, that puts the user first and that shields your data. The only service that's offered is the privacy invading, data mining heavy Facebook platform.

And from that platform, Facebook squeezes out $5.00 of value, per user, per year. And so my argument here is that given that the sums of money are trifling to most people who can afford a $400 smart phone and who drink $5.00 lattes on a regular basis, the fact that we are allowing these companies to build these detailed dossiers about our movements online, our interests, our activities -- some databases have extremely sensitive things and others that don't even have -- that just have vague things. But why are we allowing these companies to collect this data when the sums of money are so small? When the per-click revenue is in the pennies, if that.

And I think if people realized how little their data was being sold for they would be even more offended, right? This isn't about improving the experience and showing consumers ads that are annoying, the ads are sort of the bit of the iceberg above the waterline but the part below the waterline that troubles me is the databases that are powering the ad system, the databases that increasingly have vast amounts of data about who we are and what we do online.

And you know I'm not going to tell you about the doomsday scenario of NSA getting the (inaudible) advertising database. I don't think we need to go there. I think it's enough to say that these companies shouldn't be permitted to collect this data without our consent, without our affirmative consent and without us getting something out of it. And I don't think we get enough out of it to justify the ecosystem that has been permitted to grow.

The only reason it's been permitted to grow in the way it has is because our consent is assumed, right? These companies can track us and collect our data and build these profiles because we don't know it's happening and there's nothing we can really do about it. And I think that at a basic level, it's screwed up.

0:15:15

MICAH SIFRY: You don't have an argument from me, but that last parenthetical, there's nothing we can do about it, is that really true? I mean, so you use the web, I mean what is your defensive strategy if somebody -- you need to use the web, you're a journalist, you want to be an informed participant in society. So what is your advice beyond say meticulously turning all your privacy settings up to 11?

CHRIS SOGHOIAN: I think that when you compare what happens on computers to any other sort of consumer product, I think it's both alarming and sort of ridiculous, right? You buy a car from a dealer, at least a new car, and you can drive it off the lot safely. It's not going to explode as you drive it down the road, and you know, it's safe to use out of the box. Whereas I buy a new computer and I have to spend hours modifying it and customizing it and it's not the equivalent of painting a new color and adding a racing stripe on the side. I mean, these are what I consider to be basic improvements that I need to apply. I need to enable this encryption because Microsoft doesn't consider it a basic feature, they consider it an enterprise-only feature. And so if you lose the laptop that you bought at Staples, the person who finds it can get all your private data and anything else that happens to be on it. I think that is a problem.

You know, you have to install a browser that better respects your privacy. You may need to install a virtual private networking service, you may need to install additional privacy plugins for your browser that shield you from the ad networks and I think that realistically the amount of time and effort required by consumers to block these tracking methods is simply beyond them.

And you as a consumer spend four, five, 10 hours on a weekend getting your computer to the point where you think you're safe and then the ad networks innovate around your privacy protections and suddenly they have a new way of tracking you. And we have this persistent problem in the industry that we're essentially in an arms race where the ad networks use one technology, let's say tracking cookies. And then once enough consumers start blocking them or once enough privacy tools are built into some of the other browsers or antivirus software suites to stop them, then the ad networks switch to flash cookies. And then consumers figure out about these or the FTC takes action and then they switch to another method, and then they switch to another method and another method and the problem here is that the ad networks see privacy controls and privacy software as an engineering problem that they need to figure out and evade.

They have a lot of money and they have a lot of resources and their business models depend upon the ability to track consumers and on the other side of the battle is the lone consumer who is essentially his or her own Chief Information Officer and Chief Technology Officer and Chief Privacy Officer and Chief Security Officer, and consumers don't have the time and don't have the resources to win this battle. And so we will always be tracked.

Are there things that savvy, really, really savvy consumers or people at extreme risk of surveillance like journalists can do? Sure, but for the average consumer the deck is just so stacked against you that -- you know, what I don't want to do is tell consumers, hey if you just follow three easy steps, you'll be safe online because then they will drop their guard and not realize that this information can still be collected about them.

MICAH SIFRY: I should just mention parenthetically that I maybe should almost say that this is privacy month at Personal Democracy Media because actually two weeks from now our next call is going to be with Joseph Turow who has a new book out called The Daily You which looks further into I guess the industry side of all this tracking and what's grown up in -- it's the best -- I don't know if you've had a chance to read the book yet, Chris, but it's really an eye-opening guide into this kind of murky industry and you know, he raises some very important questions.

Even if you are not a person who worries about your privacy, there are other societal effects at work here. There's a segmentation underway, very subtle sorting of people into categories of either lucrative marketing target or the industry where it is actually waste, people who you don't want to market to and the experience that people get as they surf the web is now being segregated in some very subtle ways. And that is also destroying, he argues, the underpinnings for a great deal of the media ecosystem because the old line between advertising and editorial is completely breaking down. So, there's some other worrisome effects here even if the privacy effects are the ones that most concern you.

Before we get to the halfway point on the call, I would be remiss if I did not ask you about well how is government addressing these questions? And is there anything that the government is doing to make things any better or worse? You have worked inside the Federal Trade Commission earlier in your career on these kinds of issues. What's your perspective on that?

CHRIS SOGHOIAN: The first thing you need to understand is that the government is not one gigantic beast. There are different agencies of the Federal level who have conflicting interests and have different missions, right?

And so the Federal Trade Commission -- I mean, I worked there between 2009 and 2010 and the people who work there genuinely want to move the ball forward, they are tasked with protecting consumers, that's their job, right? So they're going to take the consumers' side on every issue. And the FTC, once they do everything they can, the problem is they don't really have much in the way of power to force companies to do things. What they can do is they can go after companies that have either lied to consumers or have made products that are so unsafe that consumers simply cannot avoid some kind of tangible harm.

And in the area of online tracking, there is no harm or at least not harm that rises to the level where the FTC can really step in. And so what the FTC is left doing for the most part is policing companies who are so dumb that they make inconsistent statements about what they do with users' data. If companies don't say anything or merely tell the truth about their data collection practices, the FTC really has no hook.

And so for example, you look at the FTC's investigation and then rapid closure of their investigation of Google's collection of Wi-Fi data with their Street View vehicles and Google didn't tell anyone that they weren't collecting the data. So there's no deception angle for the FTC. And Google didn't use the data or put it online for anyone else to download, so there's no risk of identity theft or other harms due to the passwords and user names and other things that might be contained in the Wi-Fi data.

So, that sort of explains the limiting power of the FTC. I mean they can certainly go out and give speeches and say what they would really like the industry to do X, Y and Z, but industry has very little in the way of obligation to what the FTC says.

At the same time you have the Commerce Department and now the White House in talking the talk about privacy, but you have to remember that the Commerce Department isn't there to protect consumers. The Commerce Department is there to protect businesses and the economy. And the Commerce Department realizes that privacy is a threat to business, that strong privacy controls that would allow consumers to opt out of data collection practices would limit the sector of the economy, this sector of the economy that depends on easy, free access to consumers' private data.

And so what's happening now essentially is the Commerce Department now in cahoots with The White House are sort of embracing relatively weak, middle of the road privacy protections in an effort to suck the oxygen out of the room and out of the effort to pass comprehensive privacy reform. So, you have Commerce sort of blessing a do-not-track mechanism as long as it doesn't really go too far and companies can still collect data and just not use it to display the advertising in some cases.

And the details here are complex and as with all things DC, there are a lot of backroom deals. But the important thing that you need to understand here is that the people who are calling the shots and playing the largest role in the debate around online privacy in DC, many of them are not representing consumers' interests, they're representing business interests and those interests do not align with consumers.

And so what's the government doing? Well in many cases, the government is actively colluding with business. Not because the government wants to track you, but because this is a really large part of our economy now and you know, given the recession we're in no one at the White House wants to be sabotaging Silicon Valley.

MICAH SIFRY: And the law as it currently stands hasn't really been updated in a while, right? We're talking about some fairly old standards of privacy protection. I mean I was just looking, the Electronic Communications Privacy Act at least on the issue of old data suggests that the government doesn't even need a warrant for accessing information that's more than 180 days old.

CHRIS SOGHOIAN: So, the Electronic Communications Privacy Act is a very old law, dates from 1986. It was written before most email services were around, certainly before people had 5 gigabyte email inboxes. It was written before cell phones, before Foursquare, before social networking sites. I mean, it really doesn't mesh with how we use technology today.

I suppose the bigger issue there is ECPA's largely focused on government access of data and so companies are largely free to share any communications non-content information. So that's -- companies cannot share what you say, but they can share to whom you say stuff to, who your friends are, your location information, other things like that. Those kinds of sharing are really unregulated under existing Federal law, and certainly companies are taking advantage of this. I mean entire business models have come into play because the law really didn't stop them.

We certainly need an update to our privacy laws, but there are a lot of lobbyists in DC and Google is probably one of the biggest spenders right now in DC. I think they're even outspending tobacco and oil. Certainly they're outspending Verizon right now. And Google just isn't going to want to let anything like that pass because it really will chill their ability to make billions of dollars.

MICAH SIFRY: From their ad network that's --

CHRIS SOGHOIAN: Ad networks that pays all their bills, yeah.

MICAH SIFRY: Is there another way though that this marketplace can be constructed? I mean I've encountered people who are talking about in a variety of different ways the notion of users controlling their own data and deciding in a more proactive way what they're willing to in effect sell to marketers or allow marketers to access. I mean people aren't all inherently so averse to having appropriate ads aimed at them, but when you phrase it as would you prefer to be in the driver's seat, most people would say, yes. Why isn't there a market for that kind of user-centric data control? Or is it too soon for it?

CHRIS SOGHOIAN: I think that's the wrong discussion. I think that's the wrong discussion to be having, I think the better discussion is to be saying why can't consumers not pay for the services that they use? When cable TV first came out, it was TV without the ads, right? That's why people signed up. You got more channels with no ads.

You know, there's no way to pay for a Facebook experience without the ads and data collection. And I think look, you may legitimately criticize the way that Facebook treats its users like cattle with regard to their personal data, but I think it's beyond dispute that Facebook has built a compelling, useful platform that now plays a central role in many people's lives in the way that they stay in touch with their friends and families and friends from middle school and high school, right? And I think it's a really cool platform. I personally don't use it because I don't trust the company, but I recognize that it plays this great role in facilitating communication with people that you otherwise wouldn't get to talk to very often. And I think it's a really big shame that Facebook only offers this service to you in one way and that way is our ads or go use something else.

And I think the better solution here would be for companies to offer ads for a paid version. I mean, I really think that we would see far better results if companies had a customer relationship with their users rather than seeing them as a source of data to generate ads.

MICAH SIFRY: Well the user is in effect the product, not the customer.

CHRIS SOGHOIAN: Yeah, look consumers pay for their telephone services, they pay for their internet services, they pay for TV, we pay for stamps, we pay for Fedex, we pay for all of these other communication tools but the companies that provide many of our modern electronic communication services won't take our money.

MICAH SIFRY: But in effect you are saying that there could be a market for our money if a company came along and said here's your --

0:30:09

CHRIS SOGHOIAN: It's not if a company came along, right because if I started the privacy preserving social networking service that was truly amazing, protected everyone's privacy and could be had for just $1.00 a month, it wouldn't do any good if all my friends are on Facebook. You have these network effects that mean that all your friends have to leave Facebook at once and that's simply not going to happen.

I think you'll be far more -- I mean, it's going to be really difficult to compete with a service that uses these network effects and social pressure. It's far better if Facebook just started offering a different kind of account. The problem is is there's no way to offer a privacy preserving Facebook and market it as that without signaling to your customers that the regular Facebook doesn't protect your privacy.

They can certainly say this one doesn't have any ads, but I don't think that the ads are the problem. The ads are just the symptom -- the way you see the data mining is happening below the waterline. But the bigger problem is the data mining and the data collection and for Facebook to offer a paid service without the data collection, they have to -- and to make it compelling to consumers, they have to then reveal how bad the default service is, and that's just something I don't think they're going to want to do.

MICAH SIFRY: Well yeah, it would be embarrassing for them. People I think saw a glimpse of it when timeline came out and you saw just how far back information was held. But it's more along the lines of even when you delete a photo, Facebook doesn't delete the photo from its servers. And I think there is some low level awareness on the part of people that Facebook may have embarrassing photos of them that they've tried to get rid of that they can't.

I'm going to pause for a second in case -- we're at the halfway point -- if somebody listening wants to poke their nose in and make a comment or ask a question, just hit *6 on your phone and I will see you in the Q&A queue. We'll just pause momentarily to see if anybody jumps in. If not, I'm always happy to keep going.

So, Chris one question for you about other angles to -- other pathways perhaps raise awareness around this issue. One that I've been asking people about lately is the political arena and it comes up in two ways; the first one is that more and more campaigns are obviously collecting huge amounts of data about their supporters and about the voter pool at large. And this is I suspect going to be the year where micro-targeting voters on the basis of both information that they willingly give over to campaigns as well as the information that the campaigns can get from tracking them or buying available consumer databases, that may turn out to be a very important factor in the election.

And so perhaps one wedge, one way of raising awareness, I'm curious what you think, is to actually be asking the politicians what are you doing with the data you're collecting on me for your campaign? How do I know it will stay secure? Why aren't you telling me all the things that you are doing with it? It seems like you're invading my privacy. Do you think there's anything to try to make an issue that way?

CHRIS SOGHOIAN: Look, I think it's definitely a problem. But I think it's a problem for a different reason. And you know, one thing to remember here of course is that politicians always exempt themselves from the laws they pass. So, CAN-SPAM, the email spam law exempts political emails. The Do Not Call Registry exempts political telephone calls. And of course any kind of do not track legislation, if it ever passed would most likely exempt tracking for political purposes.

These are the people who pass the rules, they are not going to pass rules that limit their own use of data, right? It's foolish to assume they will.

The big concern here isn't that they're going to give themselves an exemption because that sort of goes without saying. It's that as these politicians come to depend on this data in the same way that law enforcement increasingly is sort of addicted to things like location data, right because it's so easy and it's so useful to them.

As politicians realize that this stuff is either going to make or break elections, it's going to strengthen their ties to industry, to the data miners and the data brokers and it's going to make them even less willing to regulate the other uses of these data sets because the data miners are going to be able to say, well look, the only way that we can stay in business is if we sell this data to multiple sources, and we cannot pay our bills only collecting this data for political purposes. We need to be able to mine it so that JC Penney can show ads, too. You guys are just another of our client segments.

If you regulate those other segments out of business, we're going to go bankrupt and then you're going to lose this source of data, too. By the same token I think as Facebook becomes a central role in the way that politicians get elected and even raise funds, then I think that gives Facebook a strong amount of power and leverage over politicians who might otherwise want to regulate that company and its problematic practices.

I mean, I just think it gives this industry some kind of coercive power over the politicians that are in effect our proxies and are supposed to be protecting us from their predatory practices.

MICAH SIFRY: We tried to raise the issue as we've watched not just campaigns but the official arms of government treat Facebook as the de facto public square for things like Town Hall meetings. So, the White House now, whenever they do a live event, they are doing it in tandem with Facebook and I suppose they would argue, well, that's where all the people are. How could we not go to where all the people are online and you really have to find cases -- there are communities by the way that still have a high allergic reaction to sites like Facebook, not necessarily solely on the privacy issue.

But one way to perhaps push back would be to say so, to the politician, you are deliberately excluding people from joining you in a Town Hall conversation unless they join Facebook? You're forcing them to join a site that they don't want to join, why are you doing that?

But that requires getting people to see the sort of sleight of hand that's underway here because these aren't real Town Halls, they're not real public squares, these are private platforms trying to play that role.

What about Europe? Do you see any hope from the noises we keep hearing from the other side of the Atlantic? The European Commission? And the various countries, Germany in particular, where you have a very, very strong cultural aversion to this kind of sharing. I mean, do you think there's a chance that a tougher regulatory approach might kind of get to the web via Europe?

CHRIS SOGHOIAN: Yeah, actually -- I'm biased because I spent my childhood in Europe and I have several European passports as well. Look, I think particularly around the issue of do not track, Europe is going to play a key role in not only protecting the privacy of Europeans but in protecting the privacy of Americans.

So, do-not-track is a technology that is now built into every web browser. Even though the FCC doesn't really have any power in this space, it was able to sort of bully the web browsers into adding a button into their products. I mean Mozilla and Microsoft didn't really take any bullying, Google probably required the most prodding. But the web browsers now include this signal that consumers can enable with a single button.

But now the haggling that's taking place in Washington and other cities is what happens when an advertising company receives this signal? What does it mean? Can they still collect data? Can they collect data but just not use it for ads? These are the discussions that are happening and this is where sort of you have the Commerce Department and others trying to water down the language.

The Europeans didn't have the leverage or the power to get the browser vendors to build this thing into their products. Once it's there, the Europeans can give it teeth. And so while do-not-track may end up meaning something very weak in the United States, in Europe it may mean something far stronger.

The Europeans are very keen on this idea of a right to forget, or a right to be forgotten, which is sort of a vague concept but at least concept of it might be sort of a prospective in the future, once I click this button don't log what I'm doing. And this convenient button is now in the browsers of millions of Europeans and just waiting to be empowered.

And of course if the Europeans give it teeth, then it's going to be very difficult for companies, large, multinational companies to say, well in Europe, consumers are going to get real privacy. But in the States, we're still going to give them this lukewarm privacy that we agreed to with the White House and the Commerce Department.

And so I think that what might end up happening is that American consumers may get to free ride on European privacy regulations in the same way that we've been able to free ride on some certain environmental rules that the Europeans have passed because companies don't want to make a different product for every market.

MICAH SIFRY: Right. We have a question, I see -- hang on one second here. Go ahead.

PARTICIPANT 1: Hi, this is Lorelei Kelly, I'm in Washington. I'm with the New America Foundation with the open technology folks. And I've been looking at Congress and the role of technology and just to the point that was just made about the Town Square and these corporations just sort of occupying that space. What's interesting to me is it doesn't seem to -- there doesn't seem to be an institutional alternative to that like citizens coming up with creative alternatives back home in the District.

And interestingly, I just got an article from Politico where they just did a big poll with Hill staff and Hill staff are not using social media sites like Facebook and Twitter. They're using YouTube a little bit, but they're not using it like lobbyists or people outside of Congress. It makes sense that Congress is also stuck on the Blackberry, I'm calling you on a Blackberry.

But what's interesting to me is the potential build sort of human technology that parallels these advances in interaction with peer technology or that the face-to-face stuff, I worked through with Congress for years and what the noise is doing up there, because it's such a private setting is that people are really going back to basics and they just want to talk to other people because they absolutely -- they can't filter the noise. Institutional filters are obsolete, inadequate and way under capacity for the most important kinds of information.

But I think an even more interesting place to innovate right now is back in states and districts with new methods of convening in person. And I'm wondering if you've seen any advances in that when you were working with the Federal Government. Members back in the districts like 10 to 13 weeks more now than two years ago when they changed and there's all these new transparency rules being passed to open up this treasure trove of civic potential.

And it seems to me that there's this gold mine or mining camp at least waiting to happen on the civic public obligation side. I don't have much faith anymore that either party is going to stand up for the public interests very well.

MICAH SIFRY: Chris, do you think -- I'm sorry Lorelei, I'm just trying to sum up -- Chris, do you see that? Is there a way for this sort of civic hacking community to help us around this problem? Or is that also in your view the wrong way to look at it?

CHRIS SOGHOIAN: I think the politicians are going to go where the users are because after all the purpose of this is to get votes. And you know there may be a privacy preserving social network out there that is made by academics or open source developers, but the --

MICAH SIFRY: Well let me just give you an example of what I mean.

CHRIS SOGHOIAN: -- exactly where Farmville is.

MICAH SIFRY: Yeah, but for argument's sake, I mean it's too late for the US Postal Service, but when the German Postal Service saw the web coming, one of the things they did was decide to become an email provider and so they have at least a foothold in the digital age that some of our previous communication platforms here didn't do.

But I think it's clear what you're saying is that we're now trapped to a large degree, we're locked in because that's where everybody else is. You can't exactly get people to leave Facebook en masse over this issue just because a better service is being offered.

And at this point, most people -- I hate to say this, but I think most people would say, what, the government is providing a social network? Well, that's going to really work.

So, it seems like that doesn't have much likelihood of success either. How do you answer the folks, the Jeff Jarvis is the one who comes to mind, good friend of PDF, who argue really against the loss, the fear here of losing privacy and instead argue the virtues of public-ness that in his case certainly he's benefitted from sharing all kinds of information about himself and being buoyed if you will by the larger social network, the weak ties that you can create by being public online.

What's your answer to that? But that's voluntary, right? That's him choosing to do it as opposed to people having it done to them without their consent?

CHRIS SOGHOIAN: With all due respect to the fact that he's a friend of your organization, I think he doesn't really know what he's talking about when it comes to privacy and he seems to have built a substantial business around flying around the world telling people about how great it is that you can share information.

I think you basically answered the question yourself, which is there's a huge difference between consumers knowingly sharing information by Tweeting it or checking into Foursquare or posting an update on Facebook about their life or something that's bothering them or asking for help from others and the passive covert collection of information. And I don't think that Jeff can build -- Jeff or any of the sort of similar folks -- can build a useful case to justify the passive and covert data collection practices.

I mean, if the best they have is well you get advertisements that aren't as annoying, I --

MICAH SIFRY: Yeah, but I think you would argue that you actually not only get advertisements that aren't annoying, but I think he would probably argue that this also enables all those free web publishers to survive. That it's actually the commercial underpinning for online publishing.

CHRIS SOGHOIAN: But publishers aren't surviving.

MICAH SIFRY: Well, you don't have an argument from me. I'm just -- you know, that some are making money from online advertising, but it seems like they're competing over a much smaller pool of money than anybody wants to admit.

CHRIS SOGHOIAN: I mean, I think the problem here is that Jeff can barely make his argument himself, and so when we try and speak for him we do an even worse job than he would do.

But I think that -- again, the benefits don't outweigh the costs. If the publishers are making just pennies each and in exchange for people knowing this information about us, I don't think the trade is fair. And I don't think that consumers realize how little -- one thing I don't think consumers realize the (inaudible) to begin with, but I think many people would be truly offended at how little their data is being sold for.

MICAH SIFRY: Yeah, and yet it surprises me, and I suspect it must surprise you, too, that this isn't a bigger political issue that periodically we do see politicians trying to make noise about some aspect of the scary internet you know, cyber-bullying being an example, child pornography being an example, prostitution on sites like Craigslist being an example.

But why do you think they're not talking about this? I mean, I certainly in my own private life as a parent have been kind of amazed going into a school setting for example, and parents who are just adjusting to the fact that their kids are using these tools have tremendous fears that they don't really know who to go to for advice on. But a lot of parental reaction is around protecting the privacy of their kids and not understanding really what's going on.

So, why do you think this isn't a bigger issue in some genuine way?

CHRIS SOGHOIAN: Well the first thing is that I think that most politicians don't understand how the data collection works. Or even understand that it's happening to begin with. The fears that people articulate relate to stalkers finding out information about them or people being fired or things that they or their family or friends have actually experienced, right? These kinds of tangible harms that at least someone you know has happened to. Whereas the underlying ecosystem and the technology that's powering it are below the radar for most people.

And the technology that is enabling this is so complex that in a sort of post-Ted Stevens world, no member of Congress wants to be ridiculed for botching a question about these complex issues. I mean I saw during 2009 / 2010 there were hearings in the House Judiciary Committee focused on Electronic Communications Privacy Act reform, focused on things like government tracking of your location data and government access to data in the cloud. And very, very few members showed up to ask questions.

Now all their staffers were there and I understand their members, many of them were in the back room watching on TV. But you know, they were really, really hesitant to show up and ask questions about a topic as complex as cloud computing because if they just screwed up one word, they would be on The Daily Show that evening.

Now of course there are a few members who clearly don't care about saying stupid things, right? We saw that during the SOPA debates. But the vast majority of members have sort of an intuitive fear that if they veer too far to the world of technology, they're going to screw something up and they're going to be ridiculed by 20-year-olds.

And I think that is one of the main reasons why we don't have that. The other of course, huge problem, is that members of Congress don't have technologists working for them. And the Congressional committees that are in charge of the internet, the Energy and Commerce and Judiciary Committees, neither of them have technological advisors.

So, you'll have a banking committee that has an economist, or you'll have other committees that have experts from their respective subject areas, the intelligence committees all have former spies working for them, but you don't have a single technologist advising. You have lawyers who maybe understand a little bit more technology than the average lawyer, but the Congress simply doesn't have any experts at their beck and call and I think the blame for that is largely in Newt Gingrich's hands because there used to be an office that had experts for Congress and Gingrich shut it down as a cost-saving measure during his sort of Republican revolution.

MICAH SIFRY: Right, the Congressional Technology Office. Are there any members who you except from that group that you were execrating or any individual members who you think do understand these issues or are trying to understand these issues?

CHRIS SOGHOIAN: I think (Markey and Barton) Republican and Democrat clearly are interested in privacy and are bold and speak loudly about the privacy issues of the day. But even then, I don't think they understand the core technical issues because they shouldn't have to, it's not their jobs. They largely respond to the privacy scandal of the day in the Wall Street Journal.

I've spoken with other members of Congress and their staff and there are people who are interested in privacy but it's very rare that I find someone who actually understands the underlying ecosystem. The closest we have probably at a staff level is Al Franken. His Privacy subcommittee actually has a couple lawyers who spent a long time studying this stuff and seem to have a pretty good understanding now. In terms of members of the Congress, I understand that there's a member from Colorado named Jared Polis who is a former -- he's a web entrepreneur. So I suspect he would -- he was a prominent and loud anti-SOPA voice early this year and I suspect that he probably had a better understanding of technology than your average member of Congress.

MICAH SIFRY: Right, and it isn't entirely clear to us whether all the people who rallied to stop the SOPA and PIPA bills would respond in the same way to try to improve online privacy because as you point out, a lot of those very same people are blithely using these services with little care.

CHRIS SOGHOIAN: Well SOPA was a unique circumstance because the interests of the internet companies and the interest of the users were aligned. Look at this week, we have members of Congress and the House considering CISPA, this atrocious cyber security legislation that Google and Facebook are backing. And so you're not going to see Google adding a link on their home page saying, call your member of Congress because they want the law to pass. It's really just the civil liberties groups and some consumers and forums like Reddit that are being active on this, but when the companies want something to pass, you will not see a level of SOPA type protests. That only happens when the companies feel that that bill will threaten their own interests.

MICAH SIFRY: No, you need an alignment between business and the public interest groups to do what we saw happen there.

I would just -- personally I think the public interest side of this conversation may be getting bigger and stronger, we don't know, but I prefer to see the glass as half full rather than half empty. I think it's a promising sign that people may be waking up but it takes a lot of hard work and there aren't that many people working on these issues.

We've just got a few minutes left so I wanted to just ask you if you would describe the project that you're working on for Open Society. What will this -- you've described it to me before in conversation as a kind of guide to consumers so that they can see easily what the various privacy implications are of the services that they're using.

What should we look forward to from you, Chris in the coming year?

CHRIS SOGHOIAN: Sure, so Privacyreports.org is going to launch in the mid to late summer. The most basic idea here is that there are differences between the services that we use. When you're picking a search engine or you're picking a social networking service or a telephone company or an email provider or online backup provider, you know, there are differences other than just sort of the salient ones, the who-has-the-biggest inbox or how much free space do I get with Dropbox versus Google Drive?

There are big differences in privacy in the data retention practices, who's encrypting your data, and who's sharing your data without a warrant with the government. And it's basically impossible to find out the differences by navigating the websites of the companies. Although these differences exist, the companies, those with good practices and bad, go out of their way to hide these things, they simply don't seem to want to compete on privacy and security and would rather compete on who has the iPhone or who's giving you two versus five gigabytes of free storage space?

And my goal is to sort of kickstart a market for privacy and I think for consumers to be able to vote with their wallets, so at least vote with their data. And to pick the companies that are good or bad, these differences need to be made salient. Consumers need to be able to see easily which telephone company doesn't keep any records of your calls, or which online backup service encrypts all your data? And until that information is made public and accessible in an easy form, we're simply not going to see any competition on privacy.

My goal is to make that happen. And you'll see letter grades for services, you know, A through D basically or an F or whatever is deserving.

MICAH SIFRY: So, that's PrivacyReport.org? And that's something --

CHRIS SOGHOIAN: Reports with an "s."

MICAH SIFRY: Privacyreports.org coming sometime late this summer from Chris Soghoian, that is very exciting and promising news, Chris.

Really, thank you so much for taking the time to talk with us today. And of course we will be following your work. We're looking forward to you speaking at Personal Democracy Forum this June 11th and 12th. We'll be getting into these and related issues.

Folks, you've been listening to Personal Democracy Plus, our on-going series of teleconferences with people who are working at the cutting edge of technology and politics.

Chris, again thank you and to everybody else, we'll see you online!

CHRIS SOGHOIAN: Thanks!

[END OF AUDIO]
