Your best-kept secrets are at the fingertips of nearly anyone who wants to find them, says law professor Paul Ohm, a national expert on internet law.
Law professor Paul Ohm. Photo by Glenn Asakawa
Should police be able to track your whereabouts via your cell phone, scour your computer files and read your e-mail without a search warrant?
Should companies be allowed to collect reams of personal data about you and share it, as long as they vow to 鈥減rotect鈥 your identity?
Should a boss be able to fire an employee for a drunken, decade-old Facebook post?
In the rapidly evolving digital age, the answers remain largely unanswered, and consumers have far more to lose than they realize, says CU law professor Paul Ohm, pictured left. As lawmakers work to rewrite archaic privacy laws for the internet era, the 38-year-old computer programmer turned prominent cyber law scholar is poised to be an important part of the conversation.
鈥淲e are living in an amazingly important time,鈥 says Ohm, one of only a few hundred lawyers nationwide to specialize in internet and computer law. 鈥淚n many ways we are setting the ground rules now that will dictate privacy for the next 30 or 40 years.鈥
Ohm earned his bachelor鈥檚 at Yale in computer science in the early 1990s during a time when the internet was evolving from a tool for computer geeks to a novel curiosity for the masses.
鈥淚t was an opportune time to be studying computer science,鈥 he recalls.
But after a few years as a programmer, his love of writing and longing for more human contact drew him to pursue a law degree at UCLA. Ohm sought a career that would 鈥渓et me think about computer science as much as I think about law.鈥 In 2001 he found that niche at the U.S. Department of Justice Computer Crime and Intellectual Property Section where he specialized in surveillance of e-mails and other online activity.
鈥淚 remember the first time I read someone鈥檚 inbox and came upon a receipt for Pottery Barn, which obviously had nothing to do with my case. I thought, 鈥楽omething seems a little bit out of whack that the government can do this.鈥 鈥
At one point he helped locate a serial killer by tracing his MapQuest searches. On another occasion, he helped track the source of a high school bomb threat by convincing the message board provider to reveal identifying information (the Internet Protocol address) about the 鈥渁nonymous鈥 poster.
鈥淚t was gratifying we were helping people in crisis come to rapid resolution, but it made me feel an internal pang of doubt and slight concern,鈥 Ohm says. 鈥淧eople would be really shocked if they knew the ease with which the government can gain access to private information about them.鈥
Fast forward to 2011 and Ohm 鈥 who joined the faculty in 2006 鈥 often finds himself on a very different side of the privacy debate, defending suspects who believe they have had their e-mail or computers searched without due process. He also speaks with lawmakers and journalists about the need for more internet privacy regulations and encourages a new generation of lawyers to think critically about the sticky issues at the intersection of technology and law.
鈥淗e is young, super energetic and his fluency with technology and computer science gives him a unique perspective,鈥 says听Blake Reid听(CompSci鈥04, Law鈥10), 27, who took several classes with Ohm.
鈥淧eople would be really shocked if they knew the ease with which the government can gain access to private information about them.鈥
鈥 Law professor Paul Ohm
In 2010 Ohm published a chilling 70-page paper in the听UCLA Law Review听outlining why so-called 鈥渁nonymization鈥 鈥 deleting sensitive data like social security numbers or names from databases before sharing them 鈥 doesn鈥檛 necessarily offer the anonymity it promises.
The paper has been downloaded more than 7,000 times by everyone from journalists to policymakers.
鈥淭his wasn鈥檛 just a well-read paper 鈥 it was a viral hit,鈥 says Eric Goldman, director of the High Tech Law Institute at Santa Clara University. 鈥淚t shook up the world of data privacy scholars and forced them to confront some difficult issues that everyone had been avoiding.鈥
As Ohm points out, health researchers share patient data with other researchers. Websites share transaction data with advertisers and website administrators sometimes release 鈥渁nonymized data鈥 to the public in the name of open research.
But while blacking out social security numbers might once have been enough to protect anonymity, that is no longer the case. Thanks to lightning-fast computers and an ever-growing web of databases that hold different pieces of the jigsaw puzzle, we can figure out who people are, he says.
鈥淚f I know a 23-year-old living in a ranch house in Boulder has been diagnosed with cancer, I can without a lot of computing time or expertise find a short list of 23-year-olds who live in ranch houses in Boulder,鈥 he says. 鈥淚t鈥檚 a lot easier than we used to think it was.鈥
According to one study, 87 percent of the population can be uniquely identified with just three pieces of information 鈥 zip code, birthday and gender. In 2006, after AOL publicly posted 20 million 鈥渁nonymized鈥 search queries for 650,000 users of its search engine, bloggers quickly linked actual people with the sometimes embarrassing queries. Thelma Arnold, a 62-year-old widow from Lilburn, Ga., had searched for 鈥渘umb fingers,鈥 鈥60 single men鈥 and 鈥渄og that urinates on everything.鈥
In another case, a computer scientist was able to identify the medical records of William Weld, then-governor of Massachusetts, using data publicly released by a health insurance company with the promise that 鈥渆xplicit identifiers鈥 would be omitted. Zip code, birthday and gender were left in.
The loss of anonymity has serious consequences.
鈥淥ur enemies will find it easier to connect us to facts that they can use to blackmail, harass, defame, frame or discriminate against us,鈥 Ohm writes, calling for a 鈥渟ea change in the law鈥 to protect consumers from unscrupulous marketers, identity thieves and malevolent snoopers.
鈥淚 can point to an example almost every day in the newspaper where a giant company says, 鈥楽omething bad has happened to our data, but don鈥檛 worry about it because it has been anonymized.鈥 It isn鈥檛 the silver bullet everyone thought it was.鈥
Internet databases aside, Ohm points out that most of us willingly open a window into our private lives every day with our Tweets, Facebook posts and smart phones.
鈥淔orty years ago we used to have these huge Supreme Court cases over whether police could take a tiny radio-tracking beeper and put it on your car. Interestingly, we have all now willingly bought tracking beepers of our own and we carry them with us all day.鈥
Police often look at cell phone records, which also provide a person鈥檚 location. They can confiscate a person鈥檚 smart phone or computer, which can contain libraries full of information, and scour it endlessly.
鈥淲e have this Fourth Amendment of the Constitution that protects you from unreasonable searches and seizures but what that means on the internet is really murky,鈥 Ohm says. 鈥淚 argue that there should be more limits on this.鈥
Then there are social networking sites like Facebook, which ask for more information ostensibly so they can serve customers better. But they share this information with third parties.
鈥淧eople are agreeing to a lot more risk than they realize,鈥 Ohm says. 鈥淵ou should treat everything you say on Facebook like something you would say publicly and expect it to be saved for all time.鈥
Ohm is certainly not without detractors. In a recent paper, Brooklyn law school professor Jane Yakowitz argued that the risks spelled out in Ohm鈥檚 anonymization paper 鈥渞arely if ever materialize鈥 and that liberal data sharing is 鈥渃rucial to beneficial social research鈥 [such as medical studies].
And Ohm himself concedes that sharing information also can allow companies to offer fun services 鈥 like help you find the movie you鈥檒l like or enable you to hook up with friends at a coffee shop 鈥 and aid in research.
As lawmakers and federal regulators draft internet-specific privacy laws as many intend to do this year, they鈥檒l face difficult decisions between privacy on one hand and innovation and usefulness on the other hand.
鈥淒ata can either be useful or perfectly anonymous but never both,鈥 Ohm says.
What we, as a society, choose to prioritize remains to be seen.
听