I’ll be heading to Oxford University this week to participate in an Oxford Internet Institute (OII) forum on the subject of “Child Protection, Free Speech and the Internet: Mapping the Territory and Limitations of Common Ground.” It’s being led by several experts from the OII as well as my good friends John Morris and Leslie Harris of the Center for Democracy & Technology (CDT). The aims of this forum are:
- To facilitate a dialogue between NGOs campaigning to protect, respectively, child protection and children’s rights online, and freedom of speech and other civil liberties online.
- To promote a better understanding of each other’s positions, to share perspectives and information with a view to identifying areas of common ground and areas of disagreement.
- To identify any shared policy goals, and possible tools to support the achievement of those goals.
- To publicize the findings of the forum in international policy debates about Internet governance and regulation.
Conference participants were asked to submit a 2-3 pg summary of their views on a couple of questions that will be discussed at this event. I have listed those questions, and my answers, down below the fold. It’s my best attempt to date to succinctly outline my views about how to balance content concerns and free speech issues going forward.
We often talk about the problem of having all 50 states impose different regulatory requirements on the Internet, with the most restrictive standard effectively applying to all Internet actors. Fortunately, in the U.S. such efforts can be stamped down either by invoking the “Dormant Commerce Clause” (DCC) in court or by passing “preemptive federal regulation.” (Unfortunately, most who complain about patchwork approaches, both in industry and the advocacy community, usually forget about the DCC and move right to federal legislation.)
But what about the 195 independent countries in the world (to say nothing of their regional/local subdivisions)? What if they each tried regulating Internet activity? Our friends at the Center for Democracy & Technology report on a scary precedent set by a Belgian court in March when it ruled that Belgian law applied to Yahoo! merely because Belgian citizens could access Yahoo! Mail. Thus, the court ruled that Yahoo! violated Belgian law when the company refused to hand over user data in response to an email from a Belgian prosecutor. CDT rightly applauds Yahoo! for insisting that the Belgians “follow established diplomatic and legal processes in order to gain access to user information.” But as the post notes, the really scary prospect is that of one country asserting authority over every site or service on the Internet that can be accessed in their country.
If this precedent stands, it’s likely to cause, at the very least, many companies to limit access to their sites or services by persons from countries with burdensome regulatory approaches. Even if those foreign laws are well-intentioned and laudable—such as efforts to punish fraud (as in the Belgian case) or to crack down on, say, child porn or protect user privacy—the result could be to balkanize Internet services. This would be especially unfortunate, given the incredible importance of services that might previously have seemed “un-serious” like Twitter or Facebook as “technologies of freedom.” CDT notes the danger to Internet freedom:
To understand how problematic this ruling is, we need only imagine how the governments of China, Iran, Vietnam or other repressive regime of your choice may decide that the precedent set here is one well worth following. Such actions undermine Belgium’s moral authority since, after all, it would only be hypocritical for Western democracies to criticize such radically overbroad assertions of jurisdiction by other nations.
Recall a couple of years ago when I lauded Google – and also picked on them – for making customer data “more anonymous”?
“‘Anonymous’ is correctly regarded as an absolute condition,” I wrote. “Like pregnancy, anonymity is either there or it’s not. Modifying the word with a relative adjective like ‘more’ is a curious use of language.”
The challenge of these concepts – “anonymized” or “de-identified” data – is still around, and it’s still a difficult one.
Here’s a sophisticated take on the question:
Information is increasingly difficult to classify as “identified” or “de-identified,” particularly as it is copied, exchanged, or recombined with other information. With rapidly evolving technologies and databases, it is more appropriate to describe a spectrum of “identifiability,” rather than a binary classification of information as identifiable or not. The question could then become not whether deidentified information might be made re-identifiable, but rather which entities would be able to re-identify the information, how much effort they would have to expend, and what limits are placed on their doing so.
And here’s an advocacy group apparently lacking that sophistication. They treat information as flatly “de-identified” in a legal filing about a New Hampshire law that bans the sale of prescription drug data for marketing purposes:
[T]he Prescription Information Law does not implicate patient privacy. While it purports to protect privacy interests, the statute regulates patient de-identified information.
Here’s the thing: Both quotes were issued by the Center for Democracy and Technology.
Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”
As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.
Yet advocates of expanding COPPA—or “COPPA 2.0”—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.
We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:
- Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
- Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
- Hamper routine and socially beneficial communication between adolescents and adults;
- Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);
Chris Soghoian has responded to my recent post lauding his Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). We’re agreed in the main on user empowerment. The interesting stuff is on the margin: He disagrees with me that blocking third party cookies as I do (and he does too) is a satisfactory approach to suppressing tracking by advertisers.
There are a couple of points worth making about the discussion.
The first has to do with our slightly differing objectives. Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing – and there are many.
Again, TLF readers, I ask you to try setting your browser to query you before setting cookies. It’s a real insight into the dozens of entities getting a look at you as you surf, including a bunch of social networks and news sites.
If “advertisers” are what you seek to harness, that seems like a group that can be captured through some kind of centralized control mechanism. (I don’t think it actually is.) But if your goal is privacy as against all comers, you don’t attempt to centrally plan or decide who is good and who is bad. Responsibility rests with the end user.
Let the goal be “advertisers,” though. And I ask: Those social networks and news aggregators – are they “advertisers”? If you’re going to require a subset of Web communicators to obey opt-out cookies, you have to be able to define that subset – a problem Chris doesn’t seem to have thought about yet.
Lots of different publishers, sites, and networks have data that is entirely fungible with the tracking data advertisers collect. What do you get if you push down on the “officially advertisers” part of the balloon? Workarounds.
But I’ve backed into the second point – the means to these ends. Chris soft-pedals how he would get at tracking, but as far as I can tell it’s a law that says “advertisers” have to obey opt-out cookies.
I’ve already laid out my own reactions to Google’s roll-out of an “interest based advertising” (IBA) program here. In a nutshell, I applauded Google setting a new “gold standard” in user empowerment by providing:
- Notice in their IBA-targeted ads of who’s paying for the ad and the fact that Google is serving it; and
- A link to a powerful “Ad Preference Manager” that allows users to:
  - See and modify the “digital dossier” (to use the fearmonger’s term) of interests associated with the cookie on their computer; and
  - Opt-out of tracking for IBA purposes.
But as I predicted, despite these pro-privacy features (and despite the fact that other major companies such as Yahoo! and Microsoft already have IBA programs), a number of privacy advocacy organizations are attacking Google for daring to enter the IBA (or “online behavioral advertising”) business at all. I’ll have much more to say about the criticism of Google’s new Ad Preference Manager soon, especially coming from Marc Rotenberg of EPIC (a “disaster”) and Jeff Chester of CDD—precisely the sort of “paroxysms of privacy hysteria” I predicted.
But first, the criticism from Ari Schwartz of the Center for Democracy & Technology requires a response today. At its best, CDT plays a vital role in calling corporations to continually raise the bar on privacy. My own think tank, the Progress & Freedom Foundation, works closely with CDT on many issues, such as advocating user empowerment through technological means as a constitutionally “less restrictive” way of protecting children than government censorship.
Here’s what Ari had to say: