May 2011

POLITICO reports that a bill aimed at combating so-called “rogue websites” will soon be introduced in the U.S. Senate by Sen. Patrick Leahy. The legislation, entitled the PROTECT IP Act, will substantially resemble COICA (PDF), a bill that was reported unanimously out of the Senate Judiciary Committee late last year but did not reach a floor vote. As more details about the new bill emerge, we’ll likely have much more to say about it here on TLF.

I discussed my concerns about and suggested changes to the COICA legislation here last November; the PROTECT IP Act reportedly contains several new provisions aimed at mitigating concerns about the statute’s breadth and procedural protections. However, as Mike Masnick points out on Techdirt, the new bill — unlike COICA — contains a private right of action, although that right may not permit rights holders to disable infringing domain names. Also unlike COICA, the PROTECT IP Act would apparently require search engines to cease linking to domain names that a court has deemed to be “dedicated to infringing activities.”

For a more in-depth look at this contentious and complex issue, check out the panel discussion that the Competitive Enterprise Institute and TechFreedom hosted last month. Our April 7 event explored the need for, and concerns about, legislative proposals to combat websites that facilitate and engage in unlawful counterfeiting and copyright infringement. The event was moderated by Juliana Gruenwald of National Journal. The panelists included me, Danny McPherson of VeriSign, Tom Sydnor of the Association for Competitive Technology, Dan Castro of the Information Technology & Innovation Foundation, David Sohn of the Center for Democracy & Technology, and Larry Downes of TechFreedom.

CEI-TechFreedom Event: What Should Lawmakers Do About Rogue Websites? from CEI Video on Vimeo.

This morning, the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law had a hearing entitled: “Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy.” It was a remarkably scattered affair, and I blogged three key—and very distinct—elements of it on the Cato@Liberty blog:

  • The Department of Justice used this “mobile privacy” hearing to call for increased surveillance of Internet and mobile phone users.
  • To escape a prosecutorial dead-end, Senator Blumenthal (D-CT) strongly suggested that he would outlaw the collection of radio signals. Where this government power would lead is quite profound.
  • Ignoring mobile privacy, Senator Schumer (D-NY) touted his hobby-horse, mobile app censorship.

Valid concerns with what mobile operating system providers Google and Apple have done with location information were somewhat lost in this disjointed and confused hearing.

I’m reading David Brin’s 1998 classic [The Transparent Society](http://www.amazon.com/gp/product/0738201448/ref=as_li_ss_tl?ie=UTF8&tag=jerrybritocom&linkCode=as2&camp=217145&creative=399349&creativeASIN=0738201448) and I’d like to share a passage that I found especially interesting in light of the [recent Do-Not-Track bill](http://thehill.com/blogs/hillicon-valley/technology/160035-rockefeller-unveils-do-not-track-bill) introduced by Sen. Rockefeller.

On this blog, Adam Thierer has often written about the [implicit quid pro quo](http://www.google.com/search?q=site:techliberation.com+quid+pro+quo) between tracking and free online services. It seems to me that many folks find this an abstract concept. Here is Brinn writing in the late 90s about the possibility of an explicit quid pro quo:

>An Economy of Micropayments? I cannot predict whether such an experiment would succeed, though using a “carrot”—or what chaos theorists call an “attractor state”—offers better prospects than the [IP owner’s] coalition’s present strategy of saber rattling and making hollow legal threats. In fact, the same approach might be used to deal with other aspects of “information ownership,” even down to the change of address you file with the post office. Perhaps someday advertisers and mail-order corporations will pay fair market value for each small use, either directly to each person listed or through royalty pools that assess users each time they access data on a given person. Or we might apply the concept of “trading-out”: getting free time at some favorite per-use site in exchange for letting the owners act as agents for our database records. It could be beneficial to have database companies competing with each other, bidding for the right to handle our credit dossiers, perhaps by offering us a little cash, or else by letting us trade our data for a little fun. Proponents of such a “micropayment economy” contend that the process will eventually become so automatic and computerized that it effectively fades into the background. People would hardly notice the dribble of royalties slipping into their accounts when others use “their” facts—any more than they would note the outflowing stream of cents they pay while skimming on the Web.

That is essentially what happened, except without all the transactions costs. It seems to me that all Do Not Track will do is introduce the transactions costs that we have so far avoided to the benefit of innovation. Who will this change benefit? The few people who are not willing to make the trade and who today have [options to opt out](http://adblockplus.org/). This leaves the majority of us who are willing to make the bargain in a very un-Coasean world.

On the podcast this week, Julian Sanchez, a research fellow at the Cato Institue who focuses on issues related to technology, privacy, and civil liberties, discusses electronic communications. Sanchez talks about changes in surveillance of electronic communications since 9/11, highlighting the large number of cases in which the FBI has gathered phone, internet, and banking information without judicial oversight. He then discusses the legal framework around electronic communications, which he says was built for a very different set of assumptions than we have today. Sanchez also gives a few recommendations for how to disentangle the convoluted legal standards related to electronic communications.

Related Links

To keep the conversation around this episode in one place, we’d like to ask you to comment at the web page for this episode on Surprisingly Free. Also, why not subscribe to the podcast on iTunes?

A UK government report issued this week warns that climate change, in addition to threatening many different parts of everyday life, also threatens the Information and Communications Technology (ICT) industry. The report, available online, warns that regulatory measures have to be taken to lessen the threat of rising temperatures and stormy weather, which would have adverse effects on the radio waves that constitute communications technology.

Specifically, the report’s authors assume that rising temperatures and rainy storms will interfere with radio waves. This assumes that that the aforementioned rising temperatures and rainy storms are indeed a foregone conclusion. For the sake of argument, let’s assume they are correct.

The study mentions that rising temperatures will cause cell towers to lose efficiency, but nothing in the document backs this up. Making such a claim requires scientific data but nothing was offered. A skeptical person reading this report may think, anecdotally, that cell towers are sited in all sorts of conditions all over the globe, taking into account varying temperatures in which they operate. Cell towers sited in Alaska are probably able to handle the extreme cold, otherwise the cell provider would not waste money placing it there. Likewise, a cell tower sited in Arizona would need to take into account the 100 degree+ temperature. And at last count, wireless service is available in both Alaska and Arizona. Continue reading →

“[There’s No Data Sheriff on the Wild Web](http://www.nytimes.com/2011/05/08/weekinreview/08bilton.html),” is an article by Nick Bilton in the *New York Times* this weekend, pointing out that no federal law punishes the massive breaches of personal information like the recent Epsilon and Sony cases.

>”There needs to be new legislation and new laws need to be adopted” to protect the public, said Senator Richard Blumenthal, Democrat of Connecticut, who has been pressing Sony to answer questions about its data breach and what the company did to avoid it. “Companies need to be held accountable and need to pay significantly when private and confidential information is imperiled.”

>But how? Privacy experts say that Congress should pass legislation regulating companies if they collect certain types of information. If such laws existed today, they say, Sony could be held responsible for failing to properly protect the data by employing up-to-date security on its systems.

>Or at the very least, companies would be forced to update their security systems. In underground online forums last week, hackers said Sony’s servers were severely outdated and infiltrating them was relatively easy.

While there may be no law requiring site operators to keep their networks updated and secure, it’s not as if they currently have no incentive to do so, and it’s not as if they are completely unaccountable. Witness the (at least) two lawsuits already filed against Sony. [One in Canada](http://ingame.msnbc.msn.com/_news/2011/05/03/6577819-sony-declines-to-testify-before-congress-as-1-billion-lawsuit-filed) for $1 billion and [one in the U.S.](http://ingame.msnbc.msn.com/_news/2011/04/27/6544610-sony-sued-could-bleed-billions-following-playstation-network-hack) looking for class action status. Not to mention that the PlayStation network is still down and losing money, as well as Sony’s reputation loss. Are you now more or less likely to buy a PlayStation as your next console?

To the extent we do need legislation, it’s not to tell firms to keep their Apache servers up to date. There are plenty of terrible things that happen to a firm if it doesn’t take the security of its customers’ data seriously. Sony is living proof of that. Adding a criminal fine to the pile likely won’t improve private incentives. What prescriptive legislation might to do, however, is put federal bureaucrats in charge of security standards, which is not a good thing in my book.

The missing incentive here might be the incentive to disclose that a breach has occurred. Rep. Mary Bono Mack [has suggested that she might introduce legislation](http://thehill.com/blogs/hillicon-valley/technology/159581-gop-rep-sony-playing-the-victim-in-hacker-attack) to require such disclosures. Such legislation may well be responding to a real and harmful information asymmetry. If a firm could preserve such an asymmetry, then the usual incentives wouldn’t work.

Rather than trying to legislatively predict and preempt security breaches, when it comes to the security of personal information it might be better to seek a policy of transparency and resiliency. As I explain in my [latest TIME Techland piece](http://techland.time.com/2011/05/08/why-your-personal-information-wants-to-be-free/), we may now be in a world were it’s next to impossible to ensure that at lease some of our private personal information that is digitized and connected to the net won’t be compromised. To attempt to put that genie back in the bottle might be not only futile, but counterproductive. Instead, we may be better served by being informed when our data is compromised, seeking civil redress, and learning to cope with the new reality. As I write in the piece:

>On net, the fact that we now live in a hyper-connected world where information can’t be controlled is a good thing. The cultural, social, economic and political benefits of such a transparent system will likely outweigh the price we pay in privacy and security. And that’s especially the case if learn to live with that reality.

>Human beings are incredibly resilient, and faced with a new environment, we adapt. When major changes take place—-from natural disasters to the Industrial Revolution—-we learn to live in the new context, but only if we acknowledge the new reality. We need to get used to this new world in which information can’t be controlled.

>Maybe a new social norm will develop that accepts that everyone will have embarrassing facts about them online, and that it’s OK because we’re human. Maybe if we assumed that data breaches are inevitable, we wouldn’t give up on securing networks, but we might do more to cope. For example, the technology exists to make all credit card numbers single-use to a particular vendor, so they’re of little value to hackers.

>Welcome to the new world. Information wants to be free. The Net interprets information control as damage and routes around it. Get used to it.

Late last week, the Project on Government Oversight‘s Danielle Brian took a little umbrage at a Huffington Post piece by former U.S. Deputy Chief Technology Officer Beth Noveck, who had been implementing the Obama Administration’s Open Government Initiative until she recently returned to New York Law School.

Brian’s piece suggests a slight schism in the transparency community, between what I believe are the “insider” and “outsider” camps. Brian leaves to the end a crucial point: “[C]an’t the two camps in the open government world peacefully co-exist? There’s just too much work to be done for us to get bogged down in denigrating each others’ agendas.” They most certainly can.

Noveck was a bit dismissive of the open government movement as perceived by much of the transparency community. “Many people, even in the White House,” she wrote, “still assume that open government means transparency about government.” Actually, Noveck continued, open government is “open innovation or the idea that working in a transparent, participatory, and collaborative fashion helps improve performance, inform decisionmaking, encourage entrepreneurship, and solve problems more effectively. By working together as team [sic] with government in productive fashion, the public can then help to foster accountability.”

Visualize the difference between these two approaches: open government as a tool for public oversight and open government as a tool for public participation. When open government is about public oversight, the wording connotes the public looking down from above on the work its servants are doing. When open government is about collaboration, the public is at best an equal partner, allowed to participate in the work of governing. Noveck’s unfortunate language choice treats accountability as a kind of dessert to which the public will be entitled when it has donated sufficient energies to making the government work better.

The administration’s December 2009 open government memorandum predicted this divide. In calling for each agency to publish three “high-value data sets,” it said:

High-value information is information that can be used to increase agency accountability and responsiveness; improve public knowledge of the agency and its operations; further the core mission of the agency; create economic opportunity; or respond to need and demand as identified through public consultation.

As I noted at the time, it’s a very broad definition.

Without more restraint than that, public choice economics predicts that the agencies will choose the data feeds with the greatest likelihood of increasing their discretionary budgets or the least likelihood of shrinking them. That’s data that “further[s] the core mission of the agency” and not data that “increase[s] agency accountability and responsiveness.” It’s the Ag Department’s calorie counts, not the Ag Department’s check register.

Noveck wants us to put the calorie counts to use. Brian wants to see the check register.

There is no fundamental tension between these two agendas. Both are doable at the same time. The difference between them is that one is the openness agenda of the insider: using transparency, participation, and collaboration to improve on the functioning of government as it now exists.

The openness agenda of the outsider seeks information about the management, deliberation, and results of the government and its agencies. It is a reform (or “good government”) agenda that may well realign the balance of power between the government and the public. That may sound scary—it’s certainly complicates some things for insiders—but the “outsider” agenda is shared by groups across the ideological and political spectra. Its content sums to better public oversight and better functioning democracy, things insiders are not positioned to oppose.

I think these things will also reduce the public’s demand for government, or at least reduce the cost of delivering what it currently demands. But others who share the same commitment to transparency see it as likely to validate federal programs, root out corruption, and so on (a point I made in opening Cato’s December 2008 policy forum, “Just Give Us the Data!”) There are no losers in this bet. Better functioning programs and reduced corruption are better for fans of limited government than poorly functioning programs and corruption.

Forward on all fronts! The existence of two camps is interesting, but not confounding to the open government movement.

Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas) have released a discussion draft of their forthcoming “Do Not Track Kids Act of 2011.”  I’ve only had a chance to give it a quick read, but the bill, which is intended to help safeguard kids’ privacy online, has two major regulatory provisions of interest:

(1) New regulations aimed at limiting data collection about children and teens, including (a) expansion of the Children’s Online Privacy Protection Act (COPPA) of 1998, which would build upon COPPA’s “verifiable parental consent” model; and (b) a new “Digital Marketing Bill of Rights for Teens;” and (c) limits on collection of geolocation information about both children and teens.

(2) An Internet “Eraser Button” for Kids to help kids wipe out embarrassing facts they have place online but later come to regret.  Specifically, the bill would require online operators “to the extent technologically feasible, to implement mechanisms that permit users of the website, service, or application of the operator to erase or otherwise eliminate content that is publicly available through the website, service, or application and contains or displays personal information of children or minors.” This is loosely modeled on a similar idea currently being considered in the European Union, a so-called “right to be forgotten” online.

Both of these proposals were originally floated by the child safety group Common Sense Media (CSM) in a report released last December.  It’s understandable why some policymakers and child safety advocates like CSM would favor such steps. They fear that there is simply too much information about kids online today or that kids are voluntarily placing far too much personal information online that could come back to haunt them in the future. These are valid concerns, but there are both practical and principled reasons to be worried about the regulatory approach embodied in the Markey-Barton “Do Not Track Kids Act”: Continue reading →

For Forbes.com this morning, I take a close look at last month’s controversial FCC order requiring facilities-based wireless carriers to negotiate data roaming agreements with other carriers.

There are business, technical, and legal reasons why the order stands on unsteady ground, which the article looks at in detail.

The order, by encouraging artificial competition in nationwide mobile broadband, could also undermine arguments against AT&T’s merger with T-Mobile USA.

How so?  If every regional, local, or rural carrier can offer their customers access to the nationwide coverage of Verizon, AT&T, or Sprint, on terms overseen for “commercial reasonableness” by the FCC, what’s the risk of consumer harm from combining AT&T and T-Mobile’s infrastructure?  Indeed, doing so would create stronger nationwide 3G and 4G networks for other carriers to use.  In that sense, it’s actually pro-competitive, and a pragmatic solution to spectrum exhaustion. Continue reading →

I spaced out and completely forget to post a link here to my latest Forbes column which came out over the weekend.  It’s a look at back at last week’s hullabaloo over “Apple, The iPhone, and a Locational Privacy Techno-Panic.” In it, I argue:

Some of the concerns raised about the retention of locational data are valid. But panic, prohibition and a “privacy precautionary principle” that would preemptively block technological innovation until government regulators give their blessings are not valid answers to these concerns. The struggle to conceptualize and protect privacy rights should be an evolutionary and experimental process, not one micro-managed at every turn by regulation.

I conclude the piece by noting that:

Public pressure and market norms also encourage companies to correct bone-headed mistakes like the locational info retained by Apple.  But we shouldn’t expect less data collection or less “tracking” any time soon.  Information powers the digital economy, and we must learn to assimilate new technology into our lives.

Read the rest here. And if you missed essay Larry Downes posted here on the same subject last week, make sure to check it out.