A Privacy Analysis of the Six Proposals for San Francisco Municipal Broadband
Six companies have proposed plans to bring municipal broadband to San Francisco.� They range from approaches where users will pay monthly fees, to advertising-supported services and free services.
Whatever the City's approach, we think it is important that the accepted proposal respect Californians' fundamental right to privacy.� San Franciscans have the right to a network that respects privacy and autonomy, one that allows users to explore what the Internet has to offer, including information about medical conditions and the use of online banking, without fear of government or commercial surveillance and intrusion. In the summary below, we compare the six proposals against a model standard of privacy rights.� This comparison only judges the proposals on privacy rights; other important interests, such as bridging the digital divide, reliability in service, and quality of service, are not considered.
Again, we applaud City officials for their efforts to bring municipal broadband to San Francisco.� This effort is an important experiment in public policy, one that we fully support.� Our efforts are intended not to slow down or frustrate this important process, but rather to ensure that the network respects privacy rights.
Background
On October 19, 2005, the ACLU of Northern California, Electronic Frontier Foundation (EFF), and the Electronic Privacy Information Center (EPIC) submitted comments to TechConnect concerning the privacy implications of municipal broadband access.� In that letter, the groups raised a series of privacy issues that sought to focus attention on whether uses of the municipal broadband network will have secure and private access to the Internet (see Appendix A).� In issuing the Request for Proposals, the City did seek privacy information from proposers, but did not set minimum standards for protecting privacy.
In a follow up letter dated February 21, 2006, the groups stressed that the city should consider minimum standards for the privacy issues raised by the RFP.� The groups argued that privacy notices are not enough and that minimum standards are necessary for each of the privacy questions posed to proposers in order to guarantee respect for users' rights.� Model minimum standards were proposed (see Appendix B).
Below, EPIC and EFF compare the privacy implications of the six proposals made to provide San Francisco with broadband service against the model minimum standards.� These standards promote privacy by limiting collection, use, and retention of personal information.� The fundamental approach endorsed is that where information needs to be collected, it should only be used for operational purposes and deleted after it is no longer needed.� Practically speaking, the minimum standards specified are best served by a system that:
- Allows access without "signing in."� Signing in can require personal information that enables tracking.� Even if signing in is done pseudonymously, it may enables session to session tracking and eventual identification of users.
- Provides a level of access that is free.� Fees, unless there are reasonable avenues for cash payment, can allow the network operator to identify users through credit card or check account information.
- If advertising is present, it is not targeted based on users' identity, location, or web surfing behavior.
In light of these considerations and the Gold Standard set forth by ACLU, EFF, and EPIC, one proposal is clearly more protective of privacy than the others.� The SF Metro Connect proposal is for a free service that does not require a sign in.� Unlike other proposals, it doesn't attempt to commercialize users' data by monitoring them.� Overall, the SF Metro Connect proposal is the most privacy-protective approach, and it satisfies nearly all the factors contained in the Gold Standard.
Short Summaries of Proposers' Bids
Communications Bridge Global (CBG)
Communications Bridge Global is not included in this analysis or in the privacy comparison chart, because the company failed to meaningfully respond to the city's request to provide information on privacy.
Earthlink/Google
Earthlink and Google have jointly proposed a plan where Earthlink would provide a premium, paid service delivering 1 Mbps connection speed, and Google would provide an advertising-supported 300 Kbps connection.� Both services require the user to sign on, thus creating the opportunity for persistent tracking across sessions.� The Google advertising supported service would target advertisements to individuals based on their Internet usage and other information.
MetroFi
MetroFi proposes an advertising-supported service with a 1 Mbps connection, or the same connection without advertisements for $20 a month.
As with many companies operating under self-regulatory privacy norms, MetroFi's privacy statement is contradictory.� It claims only to gather anonymous information for the free service, but later on the same page, the company states that its free service collects email addresses and demographic information through surfing behavior and questionnaires.� Email addresses are identifiable, personal information.� Furthermore, aggregate surfing behavior and questionnaire information can be used to identify individuals.�
NextWLAN
NextWLAN proposes to use transmitters to provide connectivity through consumer-grade DSL access.� In the company's "Micronode network," users would be connected to DSL lines through subscribers' access points and repeaters.� Basic services (384 Kbps symmetric connection) are advertising supported.� Upon signing in, users would be located to their very street address, and advertising would be targeted to them.� For-fee premium services could accommodate 1.5 or 3 Mbps connections.
Of all the proposals, NextWLAN is probably the most frank in how it plans to force-feed users advertising.� It also seems to contradict its privacy guarantees.� For instance, in the privacy section, the company claims that "NO User profiling mechanisms shall be incorporated into the" network.� However, elsewhere the company specifies that users will be immutably directed to location-aware portals:
On the revenue side, the WGR Gateway also uniquely incorporates the defining, enabling element of a Free-to-the-User, No-Cost-to-the-City municipal WiFi network: an e-commerce monetized, fully captive location aware Internet portal. Upon logging in to SFWiFi a User will be immediately and immutably redirected to a portal-proxy server hosted webpage cognizant of the User�s to-the-street-address location and supporting state of the art e-advertising functions (automatically generated maps pointing to local merchants and other businesses of interest to the User can yield the Network Operator up to $0.25 per mouse click in local search advertising revenue) and other key User Services.
San Francisco has broad, laudable goals in providing municipal broadband to its citizens and visitors.� It should not make them "fully captive" to a system that knows their location and can "immutably redirect[]" them to advertisers.�
NextWLAN claims that is collects name, address, and phone number and that this information is never disclosed.� But the company does not specify how it addresses legal demands for subscriber information, which obviously has to be disclosed to law enforcement and others in certain circumstances.
It is important to note that NextWLAN's proposal is simply the most frank about using location and other data to target advertising.� Other proposals that promote advertising-supported services are not substantively different, but these other companies may have better public relations messaging to mask how privacy invasive these practices are.
Razortooth (Redtap)
Razortooth (Redtap) has proposed a cooperatively-owned network combined with the creation of community access centers and initiatives to promote digital literacy.� The company proposes a free basic service that would cover government property, and a $5 a month co-op membership fee for other areas.� As with the other proposals dependent on payment, the membership fee creates an opportunity to identify and then track users across sessions.� However, the low price of the co-op service, combined with the community access centers does make it possible for Razortooth to sell access packages for cash to those who wish to use the service without identifying themselves.� Razortooth promises "No ad-ware or spy-ware will be used.� Users will be free to access the Internet unhampered by ad-driven business models or pop-up-ads."
The company claims that it "will not share ANY private user information or anonymous demographic information with ANY outside vendor not affiliated with RedTAP."� This is an important promise; it could be strengthened by removing the qualifier "private" before "user information" and by adding a policy that requires routine deletion of user data after it is no longer operationally necessary to maintain.� It is also important to ensure that the co-op members who run the proposed system do not snoop on other users by means of their ability to service the access points.� Razortooth is included in the privacy comparison chart below because the company provided us with their privacy policy after we requested it.
SF Metro Connect (Seakay/Cisco Systems/IBM)
This proposal seeks to combine Seakay's experience, Cisco's hardware, and IBM's software to create a non-profit operated 1Mbps network called SF Metro Connect.� It would operate on a public-radio-like model, where equipment was donated, underwriting solicited from corporations, and donations sought from community members and foundations.� SF Metro Connect would provide a free 1Mbps symmetric connection, and charge for those needing more bandwidth.� The company claims that: "Our self sustaining economic model presents a viable financial alternative to what in our opinion is a model of collecting information and charging users for premium service."� From the proposal, it appears that the only information SF Metro Connect would collect is the MAC addresses of users.
Overall, from the information available, SF Metro Connect's proposal appears to be the most privacy friendly.� In a FAQ posted on the Seakay site, the company claims, "SF Metro Connect will not collect, disseminate, sell or use any personally identifiable data about any individual network users for any purpose, unless required by law. We support a user�s right to privacy."�
However, it should be noted that there is significant controversy surrounding the corporate citizenship of Seakay's partners, Cisco Systems and IBM.� Cisco is alleged to have provided the Chinese government with technology enabling state censorship.� IBM has helped the US government develop intrusive data mining systems and has been a strong opponent of information privacy laws.
Respectfully submitted,
Chris Hoofnagle
Senior Counsel and Director, West Coast Office
Electronic Privacy Information Center (EPIC)
[email protected]
415-981-6400Kurt Opsahl
Staff Attorney
Electronic Frontier Foundation (EFF)
[email protected]
415-436-9333
Green=Privacy Friendly Yellow=Need more information; has privacy-friendly aspects Red=Privacy Invasive
San Francisco Request for Proposals
Coalition Gold Standard[2]
Earthlink (premium) /
Google (free)MetroFI
NextWLAN
Razortooth (Redtap)
SF Metro Connect
(SeaKay, Cisco, IBM)
What personal information is collected about users?
None, if possible.
Anonymous and pseudonymous access should be available.
Google: email address
Earthlink: name, address, telephone number, billing information, computer info.
Earthlink also enhances data by buying information from third parties.
Email address for free service, billing information for premium service.
Name, address, and phone.
Registration requests name, email address, birth date, gender, zip code, primary language, secondary language, occupation, industry, and personal interests.
"�will not collect user information."
FAQ states: "� will not collect, disseminate, sell or use any personally identifiable data about any individual network users for any purpose, unless required by law."
How is this information used?
Only for purposes necessary to operation of the network.
Google: to authenticate and login users.
Earthlink:� for provision of service and marketing.
Free service will use info for targeting advertisements.
Service targets marketing based on user's street address.
For "record keeping, marketing to you the customer, and for billing purposes."�
Operation of network.
How long is this information stored?
A data retention schedule should specify that data are kept only for so long as needed to operate the network.
Google: account usage information deleted regularly; never stored more than 180 days.
Earthlink: as long as needed for business purposes.
Information retained as long as subscription is active.
Not specified.
Not specified.
N/A, because user information is not collected.
With whom is this information shared?
Only when necessary for operation of the network.
Google: with third parties (with opt out rights).
Earthlink: With affiliates.
No one.
Only to business partners to deliver specific services.
Only with third parties providing services requested by the customer.
N/A, because user information is not collected.
Is this information commercialized in any way?
Providers should not commercialize personal information without voluntary, opt-in consent.
Google: Yes, used for personalized content and advertising.
Earthlink: to market services, and to third parties (with opt out).
Free services use user information for advertising.
Used to target advertising.
Used for Razortooth marketing.
N/A, because user information is not collected.
Is this information correlated to a specific user, device or location?
Providers should correlate information to specific users, devices, or locations only to the extent necessary to operate the network.
Google: Yes, but it is regularly deleted.
Earthlink: Yes.
No.
Yes.� Users are captive to location-based advertising portal.
"Once you register with RedTAP and sign in� will have presence information for you at all times you are logged into our services."
N/A, because user information is not collected.
Are mechanisms available to allow users to opt in or opt out of any service that collects, stores,
or profiles information on the searches performed, websites visited, e-mails sent, or any other
use of the Network?
Opt in should be the standard for services that exceed the basic function of providing individuals with Internet access.
Google: Opt-in for sensitive information; opt-out for other info. Does not explain how the service profiles and targets users based on surfing.
Earthlink: Opt-out.
Users can avoid information collection for advertsing purposes only by paying for premium service.
No.
Not clear, but "The customer has the right to opt in/out of mailing lists and marketing related communication."
N/A, because user information is not collected.
Are mechanisms available to allow users to opt in or opt out of any service that tracks
information about the user�s physical location?
Providers should take all reasonable steps to enable location-based services without creating a tracking or logging mechanism that will create records of individuals' location.
Google: non-responsive
Earthlink: Opt-out, once node-level tracking is available.
No persistent location tracking, but targeting of ads based on location in the free service.
No, location tracking is basis of service.
Not specified.
N/A, because user information not collected.
Are users enumerated or assigned any unique number that can be used to track them from session to session?
Providers should take all reasonable steps to design the system to revent enumeration from session to session.
Providers should obtain a user's voluntary affirmative consent before enumerating users across sessions.
Google: Cookies are used, but it appears as though users can disable them.
Earthlink: Cookies are used, as is Doubleclick.
Yes.
Yes.
"Once you register with RedTAP and sign in to our services, we�will have presence information for you at all times you are logged into our services."
No.�
Are policies in place to respond to legal demands for users� personal information in accordance
with applicable laws?
Providers should follow Cable Policy Act standards by giving the user notice of the legal demand before complying.
Google: Yes, but policy does not specify whether notice to the user is given.
Earthlink: may disclose at company's sole discretion, policy does not specify whether notice to the user is given.
No legal access policy specified.
No legal access policy specified.
Yes, but policy does not specify whether notice will be given.� Also, company reserves ability to disclose "in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of RedTAP's terms of use, or as otherwise required by law."
N/A, because user information is not collected.
Are users allowed access to all information collected about them?
Users should be able to access personal information collected and maintained by the provider and its affiliates or partners.
Google: Yes.
Earthlink: may access registration information.
Proposal says no, but MetroFi's privacy policy states that the company offers access and correction rights.
No user access policy specified.
Can access account information, unclear whether other data can be accessed.
N/A, because user information is not collected.
Are users provided with a mechanism to review this information and to correct inaccuracies or delete information?
Providers should extend reasonable means for users to correct or delete personal information collected by the provider and its affiliates or partners.
Google: Yes.
Earthlink: offers access and modification to information, but no apparent deletion.
Proposal says no, but MetroFi's privacy policy states that the company offers access and correction rights.
Correction and deletion rights unspecified.
Can edit and delete profile.
N/A, because user information is not collected.
[2] The full text of the Coalition Gold Standard is available as Appendix B.
Last Updated:
April 5, 2006
Page URL: http://www.epic.org/privacy/choicepoint/casenjud4.26.05.html