My seen-it-all cool was shaken yesterday when I examined how a Senate cybersecurity bill would scythe down legal protections for privacy. Anyone participating in government “cybersecurity exchanges” would have nearly total immunity from liability under any law. No Privacy Act, no ECPA, no E-Government Act, no contract law, no privacy torts. The scuttlebutt is that Senator Reid (D-NV) may push this especially hard as payback to the Internet for the SOPA/PIPA debacle.

In the push for cybersecurity legislation, Congress is driven far more by its desire to act (and D.C. lobbyists’ desire to have Congress act) than by any plausible contribution it can make to the difficult problem of securing computers, networks, and data. That’s why this cybersecurity bill, and all others I have seen, have greater costs than benefits.

Read about the devastation for privacy and the rule of law on offer in a current draft in “The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy.”

Earlier today the Commerce Department’s Internet Policy Task Force issued its expected privacy report. Commerce waded into shark-filled privacy waters and produced a report that overall is thoughtful, comprehensive and has lots of meat for strengthening the nation’s privacy framework. Of course, we have our quibbles too. On first read, here’s what I like and what concerns me:

Like:

  • “Dynamic policies”. The report appropriately proposes what it calls “dynamic policies.” We agree that technology and information flows are constantly changing, so a privacy policy regulatory framework should not be static, nor should it be proscriptive.
  • Privacy Policy Office. Because it would be located within Commerce, the office would be a vital advocate for online companies doing business overseas. It could help outreach with European regulators and coordinate certification procedures to enable cross-border data flows.
  • Transparency through purpose specification and use limitation (NOT collection limitation and data minimization). The report proposes consumer assurances principles that would require data collectors to specify all the reasons for collecting personal information and then specify limits on the use of that information. This is a flexible approach compared to proscriptive regulations limiting data collection and requiring data minimization.
  • Encourage Global Interoperability. In our comments, NetChoice advocated strongly for international privacy reciprocation, and where appropriate, harmonization.
  • ECPA Review. We like how the report calls for a review of the Electronic Communications Privacy Act (ECPA). The law is outdated and doesn’t do a good job of clarifying the roles of online companies when responding to law enforcement requests.

Concerns:

CNet’s Declan McCullagh has a great piece about the politics of actually implementing the ECPA reform principles announced today by the Digital Due Process Coalition, which PFF, CEI and Net Coalition all proudly signed on to along with a number of other think tanks, advocacy groups, and leading tech companies. Ryan and I explained earlier today how these proposals would Protect Americans’ Privacy by Restoring Constitutional Limits to Government.

As I note at the end of the article:

“This is an opportunity for President Obama to show that he understands President Reagan’s central lesson: ‘Government is not the solution to our problem—government is the problem,’” says Berin Szoka, an attorney at the Progress and Freedom Foundation. “These proposals offer a sensible, long-overdue way of protecting us from the real Big Brother, our government, without crippling law enforcement or the private companies that keep giving us all wonderful new content and services, mostly for free.”

This is a point Adam Thierer and I have made repeatedly in the debate over how to deal with concerns about online privacy. Check out our/my key pieces on this point:

By Ryan Radia & Berin Szoka

Today a broad array of civil liberties groups, think tanks, and technology companies launched the Digital Due Process coalition. The coalition’s mission is to educate lawmakers and the public about the need to update U.S. privacy laws to better safeguard individual information online and ensure that federal privacy statutes accurately reflect the realities of the digital age.

Over 20 organizations belong to the Digital Due Process coalition, including such odd bedfellows as AT&T, Google, Microsoft, the Center for Democracy & Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, The Progress & Freedom Foundation (where Berin works), the Competitive Enterprise Institute (where Ryan works), the Internet Technology & Innovation Foundation, Citizens Against Government Waste, and Americans for Tax Reform. The full member list is available at the coalition’s website.

Amidst the heated tech policy wars, it’s not every day that such a diverse group of organizations comes together to endorse a unified set of core principles for legislative reform. Over two years in the making, the Digital Due Process coalition, spearheaded by the Center for Democracy & Technology, is a testament to the broad consensus that’s emerged among business leaders, activists, and scholars regarding the inadequacies of the current legal regime intended to protect Americans’ privacy from government snooping and the need for Congress to revisit decades-old privacy statutes. It also represents a revival of a bipartisan consensus on the need for reform reached back in 2000, when the Republican-led House Judiciary Committee voted 20-1 to approve very similar reforms (HR 5018).

Today, in the digital age, robust privacy laws are more important than ever. That’s because U.S. courts have been unwilling to extend the Fourth Amendment’s protection against unreasonable search and seizure to individual information stored with third parties such as cloud computing providers. Thus, while government authorities must get a search warrant based on probable cause before they can lawfully rifle through documents stored in your desk, basement, or safe deposit box, information you store on the cloud enjoys no Constitutional protection. (Some legal scholars argue this interpretation of the Fourth Amendment, referred to as the Third Party Doctrine, is outdated and deficient. See, for example, Jim Harper’s excellent 2008 article in the American University Law Review.)


A couple weeks ago the Google Books Settlement fairness hearing took place in New York City, where Judge Denny Chin heard dozens of oral arguments discussing the settlement’s implications for competition, copyright law, and privacy. The settlement raises a number of very challenging legal questions, and Judge Chin’s decision, expected to come down later this spring, is sure to be a page-turner no matter how he rules.

My work on the Google Books Settlement has focused on reader privacy concerns, which have been a major point of contention between Google and civil liberties groups like EFF, ACLU, and CDT. While I agree with these groups that existing legal protections for sensitive user information stored by cloud computing providers are inadequate, I do not believe that reader privacy should factor into the court’s decision on whether to approve or reject the settlement.

I elaborated on reader privacy in an amicus curiae brief I submitted to the court last September. I argued that because Google Books will likely earn a sizable portion of its revenues from advertising, placing strict limits on data collection (as EFF and others have advocated) would undercut Google’s incentive to scan books, ultimately hurting the very authors whom the settlement is supposed to benefit. While the settlement is not free from privacy risks, such concerns aren’t unique to Google Books nor are they any more serious than the risks surrounding popular Web services like Google search and Gmail. Comparing Google Book Search to brick-and-mortar libraries is inapt, and like all cloud computing providers, Google has a strong incentive to safeguard user data and use it only in ways that benefit users and advertisers.


Today’s Online Safety Technical Working Group (OSTWG) meeting included some heated debate about whether online intermediaries should be doing more to assist law enforcement to help track down child predators and those producing and distributing child pornography. (It’s not clear whether or when NTIA will actually put the archived video or a transcript online at this point.)

Most interesting was the third panel of the day (agenda), which devolved into a shouting match as Dr. Frank Kardasz (resume) of the Arizona Internet Crimes Against Children (ICAC) Task Force basically accused Internet intermediaries of being willing accomplices in crimes of sexual abuse against children—and suggested that they could be charged as co-defendants in child porn prosecutions. A few industry folks in the room expressed their outrage at such slander. A retired law enforcement officer perhaps put it best when he said that he had never dealt with an ISP that didn’t sincerely want to help law enforcement stop this monstrous crime.

Apart from those pyrotechnics, and a superb morning presentation by the Pew Internet Project’s Amanda Lenhart about “Social Media & Young Adults,” the most interesting part of the day concerned data retention mandates. Even as a debate rages in Washington about how much collection and use of online data should be permitted, Dr. Kardasz suggested online service providers should be required to hold user data for 5 years. A number of attendees noted the staggering costs of such a mandate given the sheer volume of information shared every day by users, especially for startups for whom building monitoring and compliance infrastructure can be a significant barrier to entry. Of course, practical objections are always answered with practical counter-solutions—in this case, several attendees asked why we couldn’t just provide tax incentives or stimulus money to defray such costs. One attendee joked that we’d have to devote the entire state of Montana just to house all the necessary server farms.

But the strongest objection came from John Morris of the Center for Democracy & Technology, who rightly noted that no amount of government subsidies for data retention could prevent leakage of sensitive private data. For this reason and because of the basic civil liberties at stake whenever the government has access to large pools of data about its citizens, Morris argued that we need to strike a balance between how we protect children & the values of free society. Dave McClure of the US Internet Industry Association (USIIA) seconded this point powerfully: If such vast data is retained, it will be abused.

Then the riposte from advocates of data retention mandates: Aren’t online intermediaries already retaining huge amounts of consumer information? If they can do that, why can’t they retain the data we need to track down child predators and child porn distributors?

Unlike with wiretaps, law enforcement agents are not required by federal statutes to obtain search warrants before employing pen registers or trap and trace devices. These devices record non-content information regarding telephone calls and Internet communications. (Of course, “non-content information” has quite a bit of content – who is talking to whom, how often, and for how long.)

The Electronic Privacy Information Center points out in a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-VT) that the Department of Justice has consistently failed to report on the use of pen registers and trap and trace devices as required by law:

The Electronic Communications Privacy Act requires the Attorney General to “annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.” However, between 1999 and 2003, the Department of Justice failed to comply with this requirement. Instead, 1999-2003 data was provided to Congress in a single “document dump,” which submitted five years of reports in November 2004. In addition, when the 1999-2003 reports were finally provided to Congress, the documents failed to include all of the information that the Pen Register Act requires to be shared with lawmakers. The documents do not detail the offenses for which the pen register and trap and trace orders were obtained, as required by 18 U.S.C. § 3126(2). Furthermore, the documents do not identify the district or branch office of the agencies that submitted the pen register requests, information required by 18 U.S.C. § 3126(8).

EPIC has found no evidence that the Department of Justice provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. “This failure would demonstrate ongoing, repeated breaches of the DOJ’s statutory obligations to inform the public and the Congress about the use of electronic surveillance authority,” they say.

It’s a good bet, when government powers are used without oversight, that they will be abused. Kudos to EPIC for pressing this issue. Senator Leahy’s Judiciary Committee should ensure that DoJ completes reporting on past years and that it reports regularly, in full, from here forward.