The big news out of Europe today is that the European Court of Justice (ECJ) has invalidated the 15-year old EU-US safe harbor agreement, which facilitated data transfers between the EU and US. American tech companies have relied on the safe harbor to do business in the European Union, which has more onerous data handling regulations than the US. [PDF summary of decision here.] Below I offer some quick thoughts about the decision and some of its potential unintended consequences.
#1) Another blow to new entry / competition in the EU: While some pundits are claiming this is a huge blow to big US tech firms, in reality, the irony of the ruling is that it will bolster the market power of the biggest US tech firms, because they are the only ones that will be able to afford the formidable compliance costs associated with the resulting regulatory regime. In fact, with each EU privacy decision, Google, Facebook, and other big US tech firms just get more dominant. Small firms just can’t comply with the EU’s expanding regulatory thicket. “It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” said Nicola Fulford, head of data protection at the UK law firm Kemp Little when commenting on the ruling to the BBC. “It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.” And by driving up regulatory compliance costs and causing constant delays in how online business is conducted, the ruling will (again, on top of all the others) greatly limits entry and innovation by new, smaller players in the digital world. In essence, EU data regulations have already wiped out much of the digital competition in Europe and now this ruling finishes off any global new entrants who might have hoped of breaking in and offering competitive alternatives. These are the sorts of stories never told in antitrust circles: costly government rulings often solidify and extend the market dominance of existing companies. Dynamic effects matter. That is certainly going to be the case here. Continue reading →
This week I will again be attending the Family Online Safety Institute’s excellent annual summit. The 2-day affair brings together some of the world’s leading experts on online safety and privacy issues. It’s a great chance to learn about major developments in the field. As I was preparing for the session I am moderating on Thursday, I thought back to the first FOSI annual conference, which took place back in 2007. What is remarkable about that period compared to now is that there was a flurry of legislative and regulatory activity related to online child safety then that we simply do not see today.
In fact, just 3 1/2 years ago, John Morris of the Center for Democracy and Technology and I compile a legislative index [summary here] that cataloged the more than 30 legislative proposals that had been introduced in the the 110th session of Congress. There was also a great deal of interest in these issues within the regulatory community. Finally, countless state and local measures related to online safety and speech issues had been floated. Today, by contrast, it is hard for me to find any legislative measures focused on online safety regulation at the federal level, and I don’t see much activity at the agency level either. I haven’t surveyed state and local activity, but it seems like it has also died down.
Generally speaking, I think this is a good development since I am opposed to most proposals to regulate online speech, expression, or conduct. But let’s ignore the particular wisdom of such measures and ask a simple question:
What explains the decline in Internet safety legislation and online content regulation? I believe there are three possible explanations: Continue reading →
It seems peculiar to me that some of the same individuals and groups who so vociferously opposed a “broadcast flag” technological mandate in past years are now in a mad rush to have federal policymakers mandate a “Do Not Track” regulatory regime for privacy purposes. The broadcast flag debate, you will recall, centered around the wisdom of mandating a technological fix to the copyright arms race before digitized high-definition broadcast signals were effectively “Napster-ized.” At least that was the fear six or seven years ago. TV broadcasters and some content companies wanted the Federal Communications Commission (FCC) to recognize and enforce a string of code that would have been embedded in digital broadcast program signals such that mass redistribution of video programming could have been prevented.
Flash forward to the present debate about mandating a “Do Not Track” scheme to help protect privacy online. As I noted in my filing last week to the Federal Trade Commission, at root, Do Not Track is just another “information control regime.” Much like the broadcast flag proposal, it’s an attempt to use a technological quick-fix to solve a complex problem. When it comes to such information control efforts, however, there aren’t many good examples of simple fixes or silver-bullet solutions that have worked, at least not for very long. The debates over Wikileaks, online porn, Internet hate speech, and Spam all demonstrate how challenging it can be to put information back into the bottle once it is released into the digital wild.
To be clear, I am not opposed to technological solutions like broadcast flag or Do Not Track,
but I am opposed to forcing them upon the Internet and digital markets in a top-down, centrally-planned fashion. While I am skeptical that either scheme would work well in practice (whether voluntary or mandated), my concern in these debates is that forcing such solutions by law will have many unintended consequences, not the least of which will be the gradual growth of invasive cyberspace controls in these or other contexts. After all, if we can have “broadcast flags” and “Do Not Track” schemes, why not “flag” mandates for objectionable speech or “Do Not Porn” browser mandates? Continue reading →
As a cyber-libertarian, I’ve been lucky enough to work with people of all ideological stripes in pursuit of various public policy objectives. I’ve made selective alliances with people on the Right on economic policy issues (like opposing Net Neutrality regulation, Internet taxes, etc) and also worked closely with folks on the Left on speech and culture issues (content controls, anonymity, online safety concerns, etc).
While engaging with with people on both sides of the political fence, I’m often struck by some of their internal inconsistencies. Conservatives, for example, talk about a big game about personal responsibility on some issues, but quickly abandon that notion when they claim media content or online speech should be regulated by the State (typically “for the children.”) In this essay, I’d like to discuss interesting inconsistencies on the political Left, especially among advocates of strong privacy regulation (most of whom tend to be Left-leaning in their worldview). In particular, here are the two things I find most interesting about modern privacy advocates:
(1)
Most privacy advocates are vociferous First Amendment supporters, yet they abandon their free speech values and corresponding constitutional tests when it comes to privacy regulation. When it comes to proposals to regulate media content or online speech, most folks on the Left have a very principled, clear-cut position: people (or parents) should take responsibility for unwanted information flows in their lives (or the lives of their children). In particular, they rightly argue that the many user empowerment tools on the market (filters, monitoring software, other parental control technologies) constitute a so-called “less-restrictive means” of controlling content when compared to government regulation.
Advocacy groups that I have a great deal of respect for and work with quite closely on these issues–such as EFF, CDT and ACLU—all take this position. Generally speaking, they argue that, when it comes to speech regulation, “household standards” (user-level controls) should trump “community standards” (government regulation). And in Court—where I frequently file joint amicus briefs with them—they repeatedly employ the “less-restrictive means” test to counter government efforts to regulate information flows.
But when it comes to privacy, they throw all this out the window! Continue reading →
Common Sense Media (CSM) is a media “watchdog” group that provides a terrifically useful service to the public through independent reviews of popular media content (movies, music, TV, games, and more). As a parent, I find their service indispensable and, as a policy analyst, I have praised their rating system and their media literacy / digital citizenship programs again and again, including numerous endorsements in my special report on Parental Controls & Online Child Protection and other testimony and filings before Congress and federal regulatory agencies.
Thus, being such a big fan of CSM, I was quite dismayed to see the comments they just submitted to the Federal Trade Commission (FTC) as part of the agency’s review of the Children’s Online Privacy Protection Act (COPPA). They advocate not just expanded educational efforts, which are great, but also expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.” For all the background on the law and the FTC’s resulting COPPA rule, see this beefy paper Berin Szoka and I authored last year and this testimony and follow-up submission Berin did for the Senate Commerce Committee. And then read the joint submission made by PFF, CDT, and EFF in the same FTC proceeding that CSM just filed in.
Sadly, it’s clear to me that Common Sense Media didn’t take anything we warned about in those papers or filings seriously—or perhaps that they just didn’t bother to read them very carefully, if at all. Their filing is a classic example of good intentions gone wrong. I understand that they want to take additional steps to protect children online, but they completely ignore the practical realities of COPPA expansion and its associated trade-offs:
Continue reading →
Today’s Online Safety Technical Working Group (OSTWG) meeting included some heated debate about whether online intermediaries should be doing more to assist law enforcement to help track down child predators and those producing and distributing child pornography. (It’s not clear whether or when NTIA will actually put the archived video or a transcript online at this point).
Most interesting was the third panel of the day (agenda), which devolved into a shouting match as Dr. Frank Kardasz (resume) of the Arizona Internet Crimes Against Children (ICAC) Task Force basically accused Internet intermediaries of being willing accomplices in crimes of sexual abuse against children—and suggested that they could be charged as co-defendants in child porn prosecutions. A few industry folks in the room expressed their outrage at such slander. A retired law enforcement officer perhaps put it best when he said that he had never dealt with an ISP that didn’t sincerely want to help law enforcement stop this monstrous crime.
Apart from those pyrotechnics, and a superb morning presentation by the Pew Internet Project’s Amanda Lenhart about “Social Media & Young Adults,” the most interesting part of the day concerned data retention mandates. Even as a debate rages in Washington about how much collection and use of online data should be permitted, Dr. Kardasz suggested online service providers should be required to hold user data for 5 years. A number of attendees noted the staggering costs of such a mandate given the sheer volume of information shared every day by use, especially for startups for whom building monitoring and compliance infrastructure can be a significant barrier to entry. Of course, practical objections are always answered with practical counter-solutions—in this case, several attendees asked why we couldn’t just provide tax incentives or stimulus money to defray such costs. One attendee joked that we’d have to devote the entire state of Montana just to house all the necessary server farms.
But the strongest objection came from John Morris of the Center for Democracy & Technology, who rightly noted that no amount of government subsidies for data retention could prevent leakage of sensitive private data. For this reason and because of the basic civil liberties at stake whenever the government has access to large pools of data about its citizens, Morris argued that we need to strike a balance between how we protect children & the values of free society. Dave McClure of the US Internet Industry Association (USIIA) seconded this point powerfully: If such vast data is retained, it will be abused.
Then the riposte from advocates of data retention mandates: Aren’t online intermediaries
already retaining huge amounts of consumer information? If they can do that, why can’t they retain the data we need to track down child predators and child porn distributors? Continue reading →
I’ll be heading to Oxford University this week to participate in an Oxford Internet Institute (OII) forum on the subject of “Child Protection, Free Speech and the Internet: Mapping the Territory and Limitations of Common Ground.” It’s being led by several experts from the OII as well as my good friends John Morris and Leslie Harris of the Center for Democracy & Technology (CDT). The aims of this forum are:
- To facilitate a dialogue between NGOs campaigning to protect respectively, child protection and children’s rights online, and freedom of speech and other civil liberties online.
- To promote a better understanding of each others’ positions, to share perspectives and information with a view to identifying areas of common ground and areas of disagreement.
- To identify any shared policy goals, and possible tools to support the achievement of those goals.
- To publicize the findings of the forum in international policy debates about Internet governance and regulation.
Conference participants were asked to submit a 2-3 pg summary of their views on a couple of questions that will be discussed at this event. I have listed those questions, and my answers, down below the fold. It’s my best attempt to date to succinctly outline my views about how to balance content concerns and free speech issues going forward. Continue reading →
On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:
- Parry Aftab, Executive Director, WiredSafety.org
- Todd Haiken, Senior Manager of Policy, Common Sense Media
- Jim Halpert, Partner, DLA Piper
- Berin Szoka, Senior Fellow, The Progress & Freedom Foundation
We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:
Download mp3
Here is the full event description: Continue reading →
What Unites Advocates of Speech Controls & Privacy Regulation? [pdf]
by Adam Thierer & Berin Szoka
The Progress & Freedom Foundation,
Progress on Point No. 16.19
Anyone who has spent time following debates about speech and privacy regulation comes to recognize the striking parallels between these two policy arenas. In this paper we will highlight the common rhetoric, proposals, and tactics that unite these regulatory movements. Moreover, we will argue that, at root, what often animates calls for regulation of both speech and privacy are two remarkably elitist beliefs:
- People are too ignorant (or simply too busy) to be trusted to make wise decisions for themselves (or their children); and/or,
- All or most people share essentially the same values or concerns and, therefore, “community standards” should trump household (or individual) standards.
While our use of the term “elitism” may unduly offend some understandably sensitive to populist demagoguery, our aim here is not to launch a broadside against elitism as
Time magazine culture critic William H. Henry once defined it: “The willingness to assert unyieldingly that one idea, contribution or attainment is better than another.”[1] Rather, our aim here is to critique that elitism which rises to the level of political condescension and legal sanction. We attack not so much the beliefs of some leaders, activists, or intellectuals that they have a better idea of what it in the public’s best interest than the public itself does, but rather the imposition of those beliefs through coercive, top-down mandates.
That sort of elitism—elitism enforced by law—is often the objective of speech and privacy regulatory advocates. Our goal is to identify the common themes that unite these regulatory movements, explain why such political elitism is unwarranted, and make it clear how it threatens individual liberty as well as the future of free and open Internet. As an alternative to this elitist vision, we advocate an empowerment agenda: fostering an environment in which users have the tools and information they need to make decisions for themselves and their families. Continue reading →
We often talk about the problem of having all 50 states impose different regulatory requirements on the Internet, with the most restrictive standard effectively applying to all Internet actors.Fortunately, in the U.S. such efforts can be stamped down either by invoking the “Dormant Commerce Clause” (DCC) in court or by passing “preemptive federal regulation.” (Unfortunately, most who complain about patchwork approaches, both in industry and the advocacy community, usually forget about the DCC and move right to federal legislation.)
But what about the 195 independent countries in the world (to say nothing of their regional/local subdivisions)? What if they each tried regulating Internet activity? Our friends at the Center for Democracy at Technology report on a scary precedent set by a Belgian court in March when it ruled that Belgian law applied to Yahoo! merely because Belgian citizens could access Yahoo! Mail. Thus, the court ruled that Yahoo! violated Belgian law when the company refused to hand over user data in response to an email from a Belgian prosecutor. CDT rightly applauds Yahoo! for insisting that the Belgians “follow established diplomatic and legal processes in order to gain access to user information.” But as the post notes, the really scary prospect is that of one country asserting authority over every site or service on the Internet that can be accessed in their country.
If this precedent stands, it’s likely to cause, at the very least, many companies to limit access to their sites or services by persons from countries with burdensome regulatory approaches. Even if those foreign laws are well-intentioned and laudable—such as efforts to punish fraud (as in the Belgian case) or to crack down on, say, child porn or protect user privacy)—the result could be to balkanize Internet services. This would be especially unfortunate, given the incredible importance of services that might previously have seemed “un-serious” like Twitter or Facebook as “technologies of freedom.” CDT notes the danger to Internet freedom:
To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.