Silicon Valley Wi-Fi Finalists Said Amenable on Privacy

At a town hall meeting here on privacy and security in the Wi-Fi plan, a police detective and IT industry veteran -- giving what was cast as the official law-enforcement position -- said the provider should keep data on users 90 days, to be available to govt. investigators only by warrant. Civil libertarians ripped the finalists, saying their proposals fail on basic privacy protections and their proposed constellation of data collection, maintenance and sharing prerogatives are for commercial benefit, not crime-fighting, as claimed.

The would-be providers are “not wedded” to the criticized formal proposals “thrown together” quickly, Fearey said. CEO Russell Hancock of Joint Venture: Silicon Valley, a Wi-Fi project sponsors, told us the finalists weren’t invited on the panel due to their biases. Privacy questions will be raised with them by the Wireless Silicon Valley Task Force, he said. Negotiation of privacy and security contract provision is “one of the foremost priorities” of organizers, Hancock told the meeting. The finalists are MetroFI, Silicon Valley Metro Connect and VeriLAN. What’s envisioned is tiers of free and ad-supported service, Hancock said.

A review committee was to meet late Wed. to pick a vendor to recommend today (Thurs.) to the task force, Fearey said. Sept. 5 the task force will announce a decision and turn it over to the boards of the sponsoring Joint Venture: Silicon Valley Network and Smart Valley organizations and the San Mateo Telecom Alliance, officials said.

The goal is to get the network’s first phase working in Jan. 2007, said Hancock. The Valley “has been a laggard” in municipal Wi-Fi but can “leap to the front” with this project, he said. The network will cover 36 cities -- north to the San Francisco city limits and south to Santa Cruz -- Santa Clara and San Mateo Counties, the San Mateo Sheriff’s Office and 850 owners of homes on land leased by Stanford U. The first city to approve the agreement to be negotiated with the contractor will be first to get Wi-Fi service, Fearey said.

Privacy and security have been afterthoughts in many muni Wi-Fi systems, including San Francisco’s, said Nicole Ozer, technology & civil liberties policy dir. for the ACLU of Northern Cal. Al Hammond, Broadband Institute of Cal. dir. and Santa Clara U. law prof., said 17 Cal. cities have Wi-Fi systems and 30 are considering them.

Law enforcement backs mandatory registration, even for free use of the Silicon Valley network, said Sherman Hall, an Atherton, Cal., detective. Otherwise, there’s no deterrent against crime using the network, investigations will be frustrated and there'll be no controls on minors, said Hall, a member of the FBI-led Rapid Enforcement Allied Computer Team Task Force of 16 agencies at all govt. levels. The network should use WEP or WPA security and “encrypt all wireless network segments” to “mitigate the risk of criminal abuse,” he said.

Police want “a narrow scope of information collected, and we're not interested in content” of users’ communications or browsing, Hall said. He said the provider should capture and save: (1) Identifying data including a user’s name, address and phone number. (2) ID confirmation, such as a credit card number. (3) Location information, such as access point used. (4) Data on leased Internet Protocol addresses including when used. With warrant requirements, “we advocate keeping what we have today and no loss of freedom,” Hall said. The service provider should tell users when giving data on them to police, except when a court orders nondisclosure, he said.

But requiring credit card information for identification would exclude many poor people who need Wi-Fi access, said Secure Content’s John Tuomy, an Internet consultant to school districts. End-user license agreements are inadequate to inform users of their rights and risks, said Dir. Jane Light of the San Jose Public Library.

All 3 proposals fall far short on 4 data-protection conditions the ACLU, Electronic Frontier Foundation and Electronic Privacy Information Center want, Ozer said: “All 3 of the finalists get a failing grade.” They would all “track who you are, where you are and what you are looking at,” and the data are “going to potentially be disclosed to a wealth of other companies as well as the government,” as the provider wishes, she said.

The groups want to bar the provider from: (1) Tracking users from session to session. (2) Commercializing personal data without a knowing opt-in. (3) Turning over user data without a warrant or court order or without advance notice to users. (4) Keeping personal data longer than needed to run the network, probably about 2 weeks. The only bidder whose provision approaches these conditions was MetroFI’s promise not to share personally identifiable data -- but without clarifying how it proposes to do targeted advertising it envisions, Ozer said.

Crime-fighting needs can met without going nearly as far the finalists propose in jeopardizing privacy, Lauren Gelman, assoc. dir. of Stanford Law School’s Center for Internet & Society, said: “The vendors are using the crime argument to their advantage, in ways that will benefit them financially.” Spamming can be prevented by limiting the number of e-mails sent in an anonymous session, she said; prepaid cards would allow ads targeted to users without knowing who they are. All anonymous illegal activity could be prevented by only letting users who don’t identify themselves browse websites, Gelman said. She worries more about privacy intrusions by service providers -- for commercial reasons and in response to routine, unopposed civil subpoenas -- than by police subject to a warrant requirement that’s “the gold standard” of protection, Gelman said.