Your best-kept secrets are at the fingertips of nearly anyone who wants to find them, says law professor Paul Ohm, a national expert on internet law.
Law professor Paul Ohm. Photo by Glenn Asakawa
Should police be able to track your whereabouts via your cell phone, scour your computer files and read your e-mail without a search warrant?
Should companies be allowed to collect reams of personal data about you and share it, as long as they vow to “protect” your identity?
Should a boss be able to fire an employee for a drunken, decade-old Facebook post?
In the rapidly evolving digital age, the answers remain largely unanswered, and consumers have far more to lose than they realize, says CU law professor Paul Ohm, pictured left. As lawmakers work to rewrite archaic privacy laws for the internet era, the 38-year-old computer programmer turned prominent cyber law scholar is poised to be an important part of the conversation.
“We are living in an amazingly important time,” says Ohm, one of only a few hundred lawyers nationwide to specialize in internet and computer law. “In many ways we are setting the ground rules now that will dictate privacy for the next 30 or 40 years.”
Ohm earned his bachelor’s at Yale in computer science in the early 1990s during a time when the internet was evolving from a tool for computer geeks to a novel curiosity for the masses.
“It was an opportune time to be studying computer science,” he recalls.
But after a few years as a programmer, his love of writing and longing for more human contact drew him to pursue a law degree at UCLA. Ohm sought a career that would “let me think about computer science as much as I think about law.” In 2001 he found that niche at the U.S. Department of Justice Computer Crime and Intellectual Property Section where he specialized in surveillance of e-mails and other online activity.
“I remember the first time I read someone’s inbox and came upon a receipt for Pottery Barn, which obviously had nothing to do with my case. I thought, ‘Something seems a little bit out of whack that the government can do this.’ ”
At one point he helped locate a serial killer by tracing his MapQuest searches. On another occasion, he helped track the source of a high school bomb threat by convincing the message board provider to reveal identifying information (the Internet Protocol address) about the “anonymous” poster.
“It was gratifying we were helping people in crisis come to rapid resolution, but it made me feel an internal pang of doubt and slight concern,” Ohm says. “People would be really shocked if they knew the ease with which the government can gain access to private information about them.”
Fast forward to 2011 and Ohm — who joined the faculty in 2006 — often finds himself on a very different side of the privacy debate, defending suspects who believe they have had their e-mail or computers searched without due process. He also speaks with lawmakers and journalists about the need for more internet privacy regulations and encourages a new generation of lawyers to think critically about the sticky issues at the intersection of technology and law.
“He is young, super energetic and his fluency with technology and computer science gives him a unique perspective,” says Blake Reid (CompSci’04, Law’10), 27, who took several classes with Ohm.
“People would be really shocked if they knew the ease with which the government can gain access to private information about them.”
— Law professor Paul Ohm
In 2010 Ohm published a chilling 70-page paper in the UCLA Law Review outlining why so-called “anonymization” — deleting sensitive data like social security numbers or names from databases before sharing them — doesn’t necessarily offer the anonymity it promises.
The paper has been downloaded more than 7,000 times by everyone from journalists to policymakers.
“This wasn’t just a well-read paper — it was a viral hit,” says Eric Goldman, director of the High Tech Law Institute at Santa Clara University. “It shook up the world of data privacy scholars and forced them to confront some difficult issues that everyone had been avoiding.”
As Ohm points out, health researchers share patient data with other researchers. Websites share transaction data with advertisers and website administrators sometimes release “anonymized data” to the public in the name of open research.
But while blacking out social security numbers might once have been enough to protect anonymity, that is no longer the case. Thanks to lightning-fast computers and an ever-growing web of databases that hold different pieces of the jigsaw puzzle, we can figure out who people are, he says.
“If I know a 23-year-old living in a ranch house in Boulder has been diagnosed with cancer, I can without a lot of computing time or expertise find a short list of 23-year-olds who live in ranch houses in Boulder,” he says. “It’s a lot easier than we used to think it was.”
According to one study, 87 percent of the population can be uniquely identified with just three pieces of information — zip code, birthday and gender. In 2006, after AOL publicly posted 20 million “anonymized” search queries for 650,000 users of its search engine, bloggers quickly linked actual people with the sometimes embarrassing queries. Thelma Arnold, a 62-year-old widow from Lilburn, Ga., had searched for “numb fingers,” “60 single men” and “dog that urinates on everything.”
In another case, a computer scientist was able to identify the medical records of William Weld, then-governor of Massachusetts, using data publicly released by a health insurance company with the promise that “explicit identifiers” would be omitted. Zip code, birthday and gender were left in.
The loss of anonymity has serious consequences.
“Our enemies will find it easier to connect us to facts that they can use to blackmail, harass, defame, frame or discriminate against us,” Ohm writes, calling for a “sea change in the law” to protect consumers from unscrupulous marketers, identity thieves and malevolent snoopers.
“I can point to an example almost every day in the newspaper where a giant company says, ‘Something bad has happened to our data, but don’t worry about it because it has been anonymized.’ It isn’t the silver bullet everyone thought it was.”
Internet databases aside, Ohm points out that most of us willingly open a window into our private lives every day with our Tweets, Facebook posts and smart phones.
“Forty years ago we used to have these huge Supreme Court cases over whether police could take a tiny radio-tracking beeper and put it on your car. Interestingly, we have all now willingly bought tracking beepers of our own and we carry them with us all day.”
Police often look at cell phone records, which also provide a person’s location. They can confiscate a person’s smart phone or computer, which can contain libraries full of information, and scour it endlessly.
“We have this Fourth Amendment of the Constitution that protects you from unreasonable searches and seizures but what that means on the internet is really murky,” Ohm says. “I argue that there should be more limits on this.”
Then there are social networking sites like Facebook, which ask for more information ostensibly so they can serve customers better. But they share this information with third parties.
“People are agreeing to a lot more risk than they realize,” Ohm says. “You should treat everything you say on Facebook like something you would say publicly and expect it to be saved for all time.”
Ohm is certainly not without detractors. In a recent paper, Brooklyn law school professor Jane Yakowitz argued that the risks spelled out in Ohm’s anonymization paper “rarely if ever materialize” and that liberal data sharing is “crucial to beneficial social research” [such as medical studies].
And Ohm himself concedes that sharing information also can allow companies to offer fun services — like help you find the movie you’ll like or enable you to hook up with friends at a coffee shop — and aid in research.
As lawmakers and federal regulators draft internet-specific privacy laws as many intend to do this year, they’ll face difficult decisions between privacy on one hand and innovation and usefulness on the other hand.
“Data can either be useful or perfectly anonymous but never both,” Ohm says.
What we, as a society, choose to prioritize remains to be seen.