A few days ago, National Public Radio (NPR) tried to offer some lighter fare to break up the death march of gloomier stories about economic calamity. You can listen to the story online. The story’s reporter, Chana Joffe-Walt, followed a mail carrier named Andrea on her route around the streets of Seattle. The premise of the story is that Andrea can measure economic suffering along her mail route–and therefore in that mythical place, “Main Street”–by keeping tabs on the type of mail she delivered. I have two technology policy thoughts about this story, but because I have a lot to say, I will break this into two posts. In this post, I will share some general thoughts about privacy, and in the next post, I will tie this story to NebuAd and Phorm.
I was troubled by Andrea’s and Joffe-Walt’s cavalier approaches to privacy. In the course of the five-minute story, Andrea reveals a lot of private, personal information about the people on her route. Only once does Joffe-Walt even hint at the creepiness of peering into people’s private lives in this way, and even then she embraces a form of Scott McNealy’s “you have no privacy, get over it” declaration. In the first line of the story, Joffe-Walt says, “Okay before we can do this, I need to clear up one question: Yes, your mailman reads your postcards; she notices what magazines you get, which catalogs; she knows everything about you.” The last line of the story is simply, “The government is just starting on its $700 billion plan. As it moves forward, Wall Street economists will be watching Wall Street; Fed economists will be watching Wall Street; Andrea will be watching the mail.”
There are many privacy lessons I can draw from this: First, did the Postal Service approve Andrea’s participation in the interview? If it did, did it weigh the privacy impact? If not, why not?
More broadly speaking, I bet all of the people who produced or authorized this story, from Andrea and Joffe-Walt to the Postal Service and NPR, if they thought about privacy at all, engaged in a cost-benefit balancing, and they evidently made the same types of mistakes on both sides of that balancing that people often make when they think about privacy.
First, what are the costs to privacy from this story? At first blush, they seem to be slight to non-existent because the reporter anonymized the data. Although most of the activity in the story appears to center on one city block in Seattle, we aren’t told which city block. This is a lot like AOL arguing that it had anonymized its search queries by replacing IP addresses with unique identifiers or like Phorm arguing that it protects privacy by forgetting that you visited Orbitz.com and remembering instead only that you visited a travel-related website.
The NPR story exposes the flaw in this type of argument. Although a casual listener won’t be able to place the street toured by Andrea, it probably wouldn’t be very hard to pierce this cloak of privacy. In the story, we are told that the street is “three-quarters of a mile [north] of” Main Street. The particular block is “a wide residential block where section 8 housing butts against glassy, snazzy new chic condos that cost half-a-million dollars.” Across the block are a couple of businesses, including a cafe “across the way.” Does this describe more than a few possible locations in Seattle? [Insert joke about the number of cafes in Seattle here.]
It’s probably even easier for someone who lives in Seattle to pinpoint the location, particularly if it is near where they live or work. Thanks to NPR, these people now know that in the Section 8 building “a single mom with an affinity for black leather is getting an overdraft notice” and a “minister . . . [is] getting more late payment bills.” The owner of the cafe has been outed as somebody who pays his bills only by applying for new credit cards. If you lived or worked on this particular block, wouldn’t you have at least a hunch about the identities of the people tied to these potentially embarrassing facts?
Laboring under the mistaken belief that anonymization negated any costs to privacy, the creators of the story probably thought the costs were outweighed by the potential benefits. But these benefits seem to pale in comparison to the privacy risks, accurately understood. What does the listener gain by listening to this story? A small bit of anecdotal knowledge about the economic crisis? A reason to fear his mailman? The small thrill of voyeurism? A chance to think about the economic crisis while not seized by fear and dread? I’m not saying that these benefits are valueless, but I don’t think they were justified when held against the costs.
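The argument above is the standard re-identification attack on “anonymized” data: each detail the story releases (reference street, distance from it, Section 8 housing, new condos, a cafe) is a quasi-identifier, and the question is how many candidate blocks are still consistent with all of them at once. The script below is an added illustration, not part of the original post or of anything NPR published; the table of blocks is constructed, not real Seattle geography, and the attribute names are my own. It computes the anonymity set for a given disclosure and the k-anonymity of the table under a chosen set of quasi-identifiers, and it generalizes the post’s point the way a later comment does: the same description anchored to a longer street leaves more candidates.

```python
from collections import Counter

# Constructed sample, NOT real Seattle data. Each record is a candidate city
# block described by the quasi-identifiers the story disclosed. A longer
# reference street (Jackson, Yesler) has more blocks at the stated offset.
BLOCKS = [
    {"block": "A", "street": "Main",    "miles_north": 0.75, "section8": True,  "condos": True,  "cafe": True},
    {"block": "B", "street": "Main",    "miles_north": 0.75, "section8": False, "condos": True,  "cafe": True},
    {"block": "C", "street": "Main",    "miles_north": 0.50, "section8": True,  "condos": False, "cafe": True},
    {"block": "D", "street": "Main",    "miles_north": 1.00, "section8": False, "condos": False, "cafe": True},
    {"block": "E", "street": "Jackson", "miles_north": 0.75, "section8": True,  "condos": True,  "cafe": True},
    {"block": "F", "street": "Jackson", "miles_north": 0.75, "section8": True,  "condos": True,  "cafe": True},
    {"block": "G", "street": "Jackson", "miles_north": 0.75, "section8": True,  "condos": True,  "cafe": False},
    {"block": "H", "street": "Jackson", "miles_north": 0.50, "section8": False, "condos": True,  "cafe": True},
    {"block": "I", "street": "Yesler",  "miles_north": 0.75, "section8": True,  "condos": True,  "cafe": True},
    {"block": "J", "street": "Yesler",  "miles_north": 0.75, "section8": True,  "condos": True,  "cafe": True},
    {"block": "K", "street": "Yesler",  "miles_north": 0.25, "section8": True,  "condos": False, "cafe": True},
    {"block": "L", "street": "Yesler",  "miles_north": 1.00, "section8": False, "condos": False, "cafe": False},
]

# What the story actually gave away, expressed as attribute constraints.
STORY_DISCLOSURE = {"street": "Main", "miles_north": 0.75,
                    "section8": True, "condos": True, "cafe": True}


def candidates(records, released, mile_tolerance=0.25):
    """Records consistent with every released attribute (the anonymity set).

    "Three-quarters of a mile" is a listener's estimate, so the distance is
    matched within a tolerance; everything else must match exactly.
    """
    out = []
    for rec in records:
        for key, value in released.items():
            if key == "miles_north":
                if abs(rec[key] - value) > mile_tolerance:
                    break
            elif rec[key] != value:
                break
        else:
            out.append(rec)
    return out


def anonymity_set_size(records, released):
    """How many blocks an attacker still has to choose between."""
    return len(candidates(records, released))


def k_anonymity(records, quasi_ids):
    """Size of the smallest equivalence class over the quasi-identifiers.

    If this is 1, at least one block is uniquely described by those fields,
    so releasing them re-identifies it regardless of what else is withheld.
    """
    classes = Counter(tuple(rec[q] for q in quasi_ids) for rec in records)
    return min(classes.values())


def main():
    print("story disclosure ->", anonymity_set_size(BLOCKS, STORY_DISCLOSURE), "candidate block(s)")
    for street in ("Jackson", "Yesler"):
        alt = dict(STORY_DISCLOSURE, street=street)
        print(f"same description off {street} ->", anonymity_set_size(BLOCKS, alt), "candidate block(s)")
    print("only 'near a cafe' ->", anonymity_set_size(BLOCKS, {"cafe": True}), "candidate block(s)")
    print("k over (street,) =", k_anonymity(BLOCKS, ("street",)))
    print("k over all four fields =", k_anonymity(BLOCKS, ("street", "section8", "condos", "cafe")))


if __name__ == "__main__":
    main()
```

The useful habit here is to run `k_anonymity` over the fields you intend to release before releasing them: a value of 1 means the “anonymized” record is already unique, and coarsening the fields (a longer reference street, a vaguer distance, “a mixed-income block” instead of two named housing types) is what raises it.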
Everything personally-identifying (in the strict sense of that phrase) that leaves my house is shredded. And a generic white plastic bag protects most of the contents of my trash from being seen by my garbageman. So, I suspect my garbageman knows (and *could know*) considerably less about me than my mailman does (but maybe not). Can we solve some of this by, for example, having the postal service deliver mail in opaque pre-sorted containers (or at least offer the *option* of having that)?
Why is this surprising?
There’s a technical term for this in security-land. It’s called traffic analysis.
Certainly USPS is in a fantastic position to engage in it. But how can you stop it with the current mail delivery protocol, any more than you could stop a network administrator from sniffing network traffic?
I’m not too worried about the Andreas or Cliff Clavins or the Newmans of the world being marginally curious or observant about mail traffic patterns, as long as they are not in a position to make or act on inferences about the traffic.
I’d be much more worried if the USPS were given permission (or a mandate) to perform traffic analysis wholesale (or even targeted).
It would not greatly surprise me to hear there’s a warrantless mail traffic analysis program run by DHS or some such.
Oops. I thought I corrected the errors, sorry all.
So who will be the first to pull this street up on Google’s Street View? I
So many stories about the erosion of privacy, and no mention of the dossier Google has on all of us who use the Internet.
It’s downright odd.
I highly doubt that the Postal Service approved this story, since they have nothing to gain and everything to lose–in particular, their reputation, such as it is, for preserving customers’ privacy–from it.
My guess is that the NPR reporter’s token gestures towards privacy preservation were meant as reassurance to the letter carrier, so that she would talk to them, not as a serious attempt to preserve anyone’s privacy. Reporters themselves have absolutely zero interest in preserving the privacy of the people about whom they’re reporting. They’re in the business of disseminating information to people who are interested in it, after all, and any kind of privacy preservation simply gets in their way. I expect that if the letter carrier had been comfortable revealing the full identities of her customers, along with lurid details of their lives, and if the reporter had had reason to believe that her audience would be interested in them–say, if some were friends or relatives of celebrities, or were otherwise objects of public curiosity without being public figures themselves–then even the perfunctory anonymization described here would have been dispensed with.
Yes, the NPR folk were a little incautious about information that may make it possible to identify the specific neighborhood. (Not living in Seattle, I cannot judge if this makes specific identification possible – possibly not.) Then again, their incaution makes little or no difference, and makes a (perhaps unintended) point. Much of the information you might hope was private is not, and more can be deduced indirectly.
Better not to believe in an illusion of privacy, when reality differs.
Yes, on balance the impact of the NPR story is almost certainly worth the cost. We have far less privacy than most folk think. That point needs to be made, and repeated. If you value privacy, it is best to know how little you have.
Don’t shoot the messenger. 🙂
Curiously enough — or maybe this is just a perfect example of Murphy’s Law — there’s really only about fifteen blocks or so of Main Street in Seattle, total, maybe half of which might contain a neighborhood with this description; so it shouldn’t be difficult to determine the locations of the various landmarks and postal patrons noted in the segment. (One could probably come up with an exhaustive but still very short list of possibilities in only half an hour.) Using a different street, like Jackson or Yesler, would have been a much more effective “anonymization.”
Whether or not this proves that street names are an insufficient level of anonymity in a scenario like this, it certainly does demonstrate that for purposes of specificity, all street names are NOT created equal; and, as usual, the devil is in the details.