Data Privacy Day is January 28. And as Steve DelBianco writes at the NetChoice blog, now is an opportune time for it as Congress, the Commerce Department, and the Federal Trade Commission each have proposed new rights and rules for data privacy.

To appreciate Data Privacy Day you must first ignore the Euro-babble description of what is Data Privacy Day (“an international celebration of the dignity of the individual expressed through personal information”) and take it for what it really is: a prodding for Internet users to take a critical look at how they share and communicate information online.

Importantly, this is not a day for governments, but for users. As Steve writes, “the role for government should be in areas where users and business cannot act alone, including law enforcement, international data flows, and pre-empting a patchwork of state laws. Government should use is powers to pursue online fraud and criminal misuse of data, not to create rules that narrowly prescribe what and how data should be used.”

Also, check out the tech-friendly quotes from Obama’s State of the Union in Steve’s post.

Here at TLF, our privacy discussions often center around such concepts as expectations of privacy, notice and choice, opt-in/out, and the like. These are all important and legitimate of course, but the privacy issue that seems to make news more than any other is Google Spy-Fi, and the defiant attitude Google has against governments. And this has me worried.

Not that I think governments necessarily need to regulate privacy, or that Google’s data collection from unsecured hotspots was even illegal. I’m thinking much more practically. People are concerned about privacy, governments are investigating Google to see what data it really collected, and Google seems to be cherry-picking the kinds of information it provides to different authorities. And in this defiant game of chicken, it’s the rest of the industry that’s the bacon – and I’m afraid we’re all slowly being fried.

There’s an old adage among practitioners of non-violent resistance that “an eye for an eye” retaliation leaves everyone blind. With yesterday’s news that authorities raided Google’s Korean office and found massive amounts of personal data, I’m wondering when—not if—bad behavior from the industry leader will result in a black eye for all online companies.

Korea’s National Police Agency claims to have found hundreds of thousands of emails, instant messages and other personal data” on Google’s hard drives. This is the latest finding similar to a string of other countries like Germany, Canada, Germany, France and the UK.

If it were all just foreign, that would be one thing. But there are 40 U.S. state Attorneys General looking into whether Google violated laws when it captured data transmitted from WiFi networks while its vehicles drove through cities and neighborhoods, taking photos for its Google Maps Street View product. The former leader of the AGs, Connecticut’s Richard Blumenthal, is now a Senator in Congress and has already vowed to scrutinize not just Google, but all online industry privacy practices.

This will result in unintended consequences for companies that collect data online. Last year featured numerous Congressional hearings, FTC workshops, and the recently released FTC and Commerce reports on privacy. I can’t even keep track of the number of privacy-related conference calls and events I attended.

But Google has a dismissive attitude toward investigations of its data collection. They seem to be saying “trust us, it’s not that bad”, but then government authorities discover a lot more data than Google confessed to collection. As this is Google—the industry leader in so many areas—this sets a bad precedent for future investigations and for other American companies with data centers overseas. Google should know better.

Even if if it turns out that Google technically did not break any U.S. law, this privacy problem won’t go away. All of the negative publicity is enough to spill over to the good guys. And in today’s privacy climate, a black eye could turn blind if retribution against Google means regulation of the entire online industry.

Recent media attention has resurrected the notion that criminal background checks for online dating sites are helpful and should even be required by law. Sunday’s front page article in the New York Times described how companies selling background checks can “unmask Mr. or Ms. Wrong.” And today’s Good Morning America featured a segment called “Online Dating: Are you Flirting with a Felon?”

I was interviewed by both the Times and Good Morning America to say that these background checks are superficial, create a false sense of security, and that government should never mandate these for online dating sites. First of all, I should say that I’m personally involved in this issue. I met my wife on Match.com. We didn’t screen each other, at least not for a criminal past. I remember doing a simple search on her screen name however, and for a while thinking she could be someone who she wasn’t, though.

But for fun, I did a postmortem background check on myself, just to see what my now wife would have seen. First, I went to Intelius and spent $58 (warning: there’s a constant barrage of confusing upsells) to see criminal, civil judgment, property, name, telephone and social networking data. The result: nothing harmful thankfully! But also nothing particularly helpful, either. And the report included a family member that isn’t, and left out my brother that is. Then I went to MyMatchChecker and ordered the basic level screening (the two most expansive products–“Getting Serious” and “All About Me”–require social security numbers, which I doubt most people will not learn about the other until they actually get married). The site made it easy to not include all relevant info, and I didn’t, so there’s a delay on my check. But let’s assume it’s all good too (ahem).

So would my wife have used the absence of a negative history to assume I was a good person? Well, she shouldn’t have. Although these criminal screenings can help in some situations, they still have some serious shortcomings. They result in false negatives when criminal records don’t appear or may not include felony arrests that were plead down to misdemeanors.

And these sort of criminal screenings are not very inclusive–at all. According to True.com, the only dating site that screens every member, their database for the District of Columbia would catch only those people sent to jail between 1987 and 2002 (in addition to registered sex offenders, which anyone can search for free). But here’s the clincher, many counties don’t even report their criminal records to a publicly accessible central database. The last time I checked, in Illinois only 4 out of 102 counties report to a centralized database accessible to companies that perform background screenings. That’s a huge amount of people excluded from the background pool.

When I went to testify in Illinois a few years ago, one member off a House Judiciary committee, an ex-FBI agent, understood the failures of screenings that are conducted with a name only. He differentiated criminal screenings with the more thorough and reliable background check (based on social security number, date of birth, fingerprints, employment history, etc.) and helped persuade his colleagues that a dating bill that promotes screenings would create more harm than good.

Because these criminal checks are incomplete and often inaccurate, I also worry about the false positives that could exist, mistakenly leading one to believe that the other person is worse than they actually are. If my report came back with some speeding tickets—hypothetically speaking, of course—would she have met me for our first date? Well, I guess it’s too late now!

But there is good new here. There’s zero evidence that meeting people online is any more dangerous than meeting them at bars, or social functions or through friends. Indeed, there is anecdotal evidence to suggest that the Internet makes such exchanges more transparent, rather than less.

Still, you should always be cautious when meeting people offline that you’ve met online. As a newly married Internet policy expert I know its good policy to share my wife’s feelings on this topic. And to protect yourself, she says to keep in mind the 3 Ps:

• Meet in a public space,
• Limit the amount of personal information you give out
• Phone a friend to let them know where you’ll be on your date

-Braden Cox

Earlier today the Commerce Department’s Internet Policy Task Force issued its expected privacy report. Commerce waded into shark-filled privacy waters and produced a report that overall is thoughtful, comprehensive and has lots of meat for strengthening the nation’s privacy framework. Of course, we have our quibbles too. On first read, here’s what I like and what concerns me:

Like:

• “Dynamic policies”. The report appropriately proposes what it calls “dynamic policies.” We agree that technology and information flows are constantly changing, so a privacy policy regulatory framework should not be static, nor should it be proscriptive.
• Privacy Policy Office. Because it would be located within Commerce, the office would be a vital advocate for online companies doing business overseas. It could help outreach with European regulators and coordinate certification procedures to enable cross-border data flows.
• Transparency through purpose specification and use limitation (NOT collection limitation and data minimization). The report proposes consumer assurances principles that would require data collectors to specify all the reasons for collecting personal information and then specify limits on the use of that information. This is a flexible approach compared to proscriptive regulations limiting data collection and requiring data minimization.
• Encourage Global Interoperability. In our comments, NetChoice advocated strongly for international privacy reciprocation, and where appropriate, harmonization.
• ECPA Review. We like how the report calls for a review of the Electronic Communications Privacy Act (ECPA). The law is outdated and doesn’t do a good job of clarifying the roles of online companies when responding to law enforcement requests.

Concerns:

• The Uncertainty of FIPPs. The report advocates the creation of Fair Information Practice Principles (FIPPs) that could be voluntarily adopted by industry. But what would the look like? The report mentions, but doesn’t explicitly endorse, FIPPs from the Department of Homeland Security—which are of course binding on government, and might not all be desirable for the private sector. According to the report, the proposed Privacy Policy Office would coordinate these. The FIPPs have been wrongly characterized as a consumer privacy “bill of rights” by some media outlets (they are industry codes of conduct, not affirmative consumer rights).
• Privacy Policy Office. While we like this, we’re also concerned by it. The process of convening multi-stakeholders means multi-viewpoints and multi-disagreements. We’d prefer the marketplace to be the venue and consumers to be the ultimate arbiter on privacy principles.
• National Requirements for Security Breaches. The report calls for Congressional legislation to create a nationwide data security breach law. But is this really necessary? 46 states already have a relatively consistent and reasonable approach toward how companies should safeguard data and the processes involved when there’s a breach.
• FTC Rulemaking. The report leaves open for further comment whether the FTC needs enhanced (APA) rulemaking authority in the privacy area. NetChoice has opposed giving the FTC blanket, no-hold-barred APA authority, and we’d also oppose this for an issue as broad as privacy.

Likes and concerns aside, 2011 is shaping up to be a busy privacy year! Look forward to working with stakeholders from government, industry and civil society to help refine and implement some of the core recommendations of this document.

At today’s FCC “Generation Mobile” forum — chock-full of online safety experts, company reps, Jane Lynch of the TV show Glee, and even Chairman Genachowski himself — it was the kids that made the show about mobile technology worthwhile. On a panel about generation mobile, here are a few of the statements we heard from high school kids:

1. “Don’t just take the phone away.”
2. “When parents snoop too much, it’s a privacy invasion.”
3. “We’ll listen more if you present us with concrete evidence for behavioral restrictions.”

These are the kinds of arguments tech policy advocates make, only we would have said them in our unique brand of policy speak:

1. Don’t regulate the technology, regulate bad behavior.
2. Privacy is important and governments/companies must respect the privacy interests of their citizens/customers.
3. Policymakers should collect sufficient data and analysis before introducing new legislation

Policy geek speak aside, here are some interesting facts we heard about teen use of mobile technology:

• According to Genachowski, 80% of fatal teen driving accidents are caused by distracted driving
• According to Amanda Lenhart of Pew, 15% of kids have received a sext message; only 4% have sent a sext
• Also from Amanda, 62% of schools allow cell phones in the school, but not in the classroom. 12% permissively allow anywhere.

“The do-not-track system could put an end to the technological ‘arms race’ between tracking companies and people who seek not to be monitored.” – David Vladeck, FTC

David Vladeck is right. The Do Not Track system would put an end to the technological “arms race” – but that’s not a good thing. Instead, its the nuclear option that will halt ongoing industry innovation and consumer welfare.

This has been unofficial privacy week in Washington, DC. Wednesday saw the release of the FTC’s privacy report. Yesterday was the House Commerce Committee hearing; phrased in the form of a question, the tile of the hearing was a bit presumptuous: “Do-Not-Track Legislation: Is Now the Right Time?” And today, NetChoice responds with why the answer to that question should be No.

Do Not Track is a Blunt Response, Not an Informed Choice

The FTC’s report calls for a “uniform and comprehensive” way for consumers to decide whether they want their activities tracked. The Commission points to a Do Not Track system consisting of browser settings that would be respected by web tracking services. A user could select one setting in Firefox, for example, to opt out of all tracking online. The FTC wrongly calls this “universal choice.”

Really, it’s a universal response. It’s a single response to an overly-simplified set of choices we encounter on the web. This single response means that tracking for the purpose of tailored advertising is either “on” or “off.” There is no middle setting. But it is the “middle” where we want consumers to be. The middle setting would represent an educated setting where consumers understand the tradeoffs of interest-based advertising – in return for tracking your preferences and using them to target ads to you, you get free content/services. But an on/off switch is too blunt and not, err, targeted enough. There is no incentive for consumers to learn about the positives, they’ll only fear the worst-case scenarios and will opt-out. In return they’ll also opt-out of the benefits.  [more on the “middle” below].

Do Not Track is nothing like Do Not Call

One of the fallacies about Do Not Track is that it would simply be like Do Not Call. But buyer beware: Do Not Compare the Two – they are nothing alike. As the IAB states in its analysis, there are fundamental technical differences:

Phone calls consist of one-to-one connections and are easily managed because each phone is identified by a consistent phone number. In contrast, the Internet is comprised of millions of interconnected websites, networks and computers—a literal ecosystem, all built upon the flow of different types of data. To create a Do Not Track program would require reengineering the Internet’s architecture.

Moreover, there are immense cost-benefit differences, too. Telemarketing is marketing, nothing transformational about that. Tracking is about marketing too, but it’s also much more: content personalization. As Fred Wilson described in yesterday’s New York Times debate, “[t]racking is the technology behind some of the most powerful personalization technologies on the Web. A Web without tracking technology would be so much worse for users and consumers.”

The “Middle Ground” is the Self Regulatory Approach Already Underway

Underlying this entire debate, and the disconnect between the benefits of tracking along with its costs, is the need for industry transparency and consumer education. Increasing transparency and promoting education would place the online industry squarely in the sweet spot, the “middle ground” where consumers are presented with the appropriate information to make informed decisions.

Thankfully, this process is already underway. It’s the appropriately named Self Regulatory Program for Online Advertising. Central to it is the Advertising Option Icon, which allows consumers to understand why it is they received certain targeted ads and to opt-out of future ads. It’s a just-in-time approach the kind of teachable moments that will truly educate and inform the meaning behind the choice.

The icon has only recently been activated, and the mechanisms to hold companies accountable will go live early in 2011. Let’s wait for this industry-led initiative to take hold before we talk about more extreme Do Not Track measures.

Simple responses don’t work for complex issues. That’s why we see a simple “do not track” response as failing both online consumers and industry.  Instead, let’s encourage the “middle” ground here of tailored responses for diverse forms of information sharing. It’s an arms race we want to encourage, as companies compete based on privacy policies and new technological innovation. Admittedly, throwing hand grenades is harder than dropping bombs, but innovation and consumer welfare will be rewarded in the long run.

Rob Pegoraro’s article in yesterday’s Washington Post is a worthy read, if only because it puts into context what is and isn’t a privacy breach.

Recently, there’s been a lot of noise–started by a Wall St Journal article–about a supposed privacy breach by Facebook surrounding the misuse of user data by applications installed on the user’s page. But as Pegoraro relates, this information was all public anyway, much like a phone book displays your identity. Here’s what he says is the difference between what is and isn’t a breach:

Privacy breach: Exposes private information you tried to keep confidential, in ways that risk the loss of money or security or otherwise fairly earn the adjective ‘Orwellian.’” NOT a privacy breach: Information about you that is already made public to users of a website, including the “basic parameters of people’s accounts:  their name, picture, gender and networks….”

The point is that we shouldn’t conflate the use (or misuse) of public information with the breach of private information. Doing so elevates a lesser offense at the expense of something that is much more serious.

But as much as I like the article, I also have a few quibbles. Pegoraro says that if users are still offended by Facebook, they should blame the site for its default settings and switch to a competitor. And while losing customers is the ultimate penalty for any business, he misses the point in a couple of ways. First, we want to encourage innovation in social media and information sharing, which means companies need the freedom to set and change default settings (I’ve blogged on this before). Second, instead of switching sites users can just adjust their privacy settings! This simple, less drastic measure wasn’t even mentioned.

A federal judge sided with privacy over taxes yesterday, signaling a victory for consumers in North Carolina. Now we’re waiting to see if this also means victory for consumers and online companies that sell into Colorado.

A U.S. District Court in Seattle blocked North Carolina’s Department of Revenue from compelling Amazon to reveal the names and addresses of its customers so that North Carolina could go after them for not paying use taxes on purchases where they did not pay sales tax.

The North Carolina DOR had been auditing Amazon’s 2003-2010 sales into the state and had asked for “all information for all sales to customers with a North Carolina shipping address.” Amazon provided detailed information about the purchases, but the DOR demanded information about the customers making the purchases. Amazon balked and filed suit, and the ACLU even intervened to support Amazon. And they won.

The court was clear that states cannot compel companies to disclose the purchasing behavior of its citizens:

The First Amendment protects a buyer form having the expressive content of her purchase of books, music and audiovisual materials disclosed to the government. The fear of government tracking and censoring one’s reading, listening and viewing choices chills the exercise of First Amendment rights.

What does this have to do with Colorado? Everything and more.

#3 in our latest iAWFUL list of bad laws is Colorado HB 1193, a bill enacted earlier this year that forces out-of-state retailers to send the Colorado Department of Revenue an annual statement of the purchase data for each resident. It’s similar to the North Carolina “request” except that it applies to all companies that sell into the state (not just Amazon). It’s a much larger and broader attempt to get purchase information so that Colorado can send a tax bill to its citizens that don’t pay use tax.

Tax administrators nationwide are looking to duplicate the Colorado approach. But this ruling should send a big chill down the spine of tax administrators who were hoping to copy Colorado’s law requiring all out-of-state sellers to report purchases to the state. And hopefully the ruling gives a shot of energy behind the effort to repeal HB 1193.

Today I testified at a hearing by Massachusetts Attorney General Martha Coakley on commercial sexual exploitation and the Internet. When I first learned about it, I feared the worst: time to demonize the Internet. After all, the hearing announcement openly targeted Craigslist and websites generally. But this was not the case at all—as we heard, NGOs, law enforcement, and industry all have roles to play.

Instead of Internet-bashing, the hearing was a constructive dialogue. We learned why children are forced into prostitution and how classified ads on the Internet can promote this illegal activity. I was there to learn how we can help.

Commercial sexual exploitation is big business. Over 100,000 women are in the illegal sex trade. Often these women are actually teenage girls, vulnerable and with no place to go. Their lives are run by pimps, they cater to “johns,” and their lives are a living hell – except that these women become so desensitized that they eventually have no life at all.

These child prostitutes show up in advertisements for “escort services” or “adult services.” Traditionally, these ads were in the yellow pages. Now they exist on the Internet, and these listings can often be graphic. But it’s hard to tell whether these ads involve women against their will or underage girls. That’s why there are folks who would like to see all these ads disappear. And they’ll blame Internet classifieds—indeed, one witness called sites like Craigslist and Backpage “electronic pimps.”

Unfortunately, there are those that think it is better to force the shut down of the adult services section of these sites. But as we heard from danah boyd of Microsoft and a fellow at the Harvard Berkman Center, merely shutting down the listed supply of adult services is superficial. It’s shutting off the most visible aspect of human anti-trafficking, which is a huge honeypot where pimps advertise and johns congregate. This should be the first place to start an investigation, not end a prosecution.

It’s far better for law enforcement to use these sites to identify what they think are ads of women in forced prostitution, and then infiltrate their criminal networks to reduce both the supply of women and the demand for their services. If we can develop strategies to break the networks, we can get to the root of the problem.

To this end, danah boyd also made great points about not getting distracted by the technology. Bad actors are sexually exploiting young girls by using the Internet to further their criminal enterprise, but it’s not an Internet problem
per se. Focusing on removing websites or portions of sites addresses symptoms of a much deeper criminal syndicate. For the most part, I think this point resonated with the Attorney General’s staff.

What certainly resonated throughout the entire hearing was that sex trafficking is a complex problem that requires a multi-disciplinary approach. We heard this from child welfare and victimization groups, law enforcement, and the online industry.

And that’s why we heard AG Coakley call for a task force to study the issue. We support her desire for all the interested groups to come together, and look forward to working with her to help eliminate commercial sexual exploitation.

The WSJ ran a front page, above-the-fold headline screaming that Facebook has had a privacy breach. But as Steve DelBianco discusses over at the NetChoice blog, today’s WSJ “breach” is all smoke and no fire.

The WSJ is saying that some of Facebook’s applications are accidentally sharing the public username on my Facebook page, in violation of the company’s privacy policy.  This story was nothing like a breach where my credit card numbers or sensitive personal information was leaked or hacked. A closer look at the issue indicates that there is far more smoke than fire in the WSJ piece.

Moreover, the WSJ should step-back from using tabloid-style headings to attract eyeballs (and advertising revenue) to their research and writing.  The breathless headline is clearly meant to feed the privacy beast that is increasingly in danger of doing far more harm than good.

While details are still forthcoming, it appears that the issue at hand involves external actions between application developers and advertising companies. Facebook has stepped-up and is holding third parties accountable to existing privacy requirements.

Earlier this month, a coalition of ad and marketing associations made public a new self-regulatory program for behavioral advertising (or as we like to refer to them, “interest-based ads”). Will it be enough to whet the appetite of members of Congress waiting to chomp on the privacy bit when they get back in November?

Hopefully. But it all depends on ad network uptake and user adoption. FTC Chairman Jon Leibowitz’s wait-and-see attitude toward the self-regulatory effort probably sums up the thoughts of many pro-regulatory privacy advocates. According to Politico’s Morning Tech, Leibowitz said:

We commend industry’s effort to get a broad group of industry leaders on board. However, the effectiveness of this effort will depend on how, and the extent to which, the opt-out is actually implemented and enforced – all of which is yet to be seen. We also urge industry to make sure that the opt-out is easy for consumers to find, use, and understand.

Making it easy for consumers is what the advertising option icon (above) is all about. It’s a just-in-time “heads-up” accompanying ads that allows users to obtain more information about why they’re seeing the ad. In the future, it will allow users to opt-out. Ad networks will pay a license fee to have the right to display the icon and must submit to ongoing compliance.

It’s the compliance part that’s interesting. The Better Advertising project is a new company formed specifically for the self-regulatory program. According to Internet Retailer, “the Council of Better Business Bureaus and the Direct Marketing Association, a trade group for direct-to-consumer marketers and retailers, will begin monitoring compliance with the program early next year.”

Let’s hope the coalition moves quickly and successfully, before Congress does….

At the Safe Internet Alliance event earlier this week there was a surprising amount of agreement on one aspect of sharing information on the Internet: eliminating the fear factor.

“Facts, not fear” was a meme throughout the event. Rep. Boucher discussed how comprehensive privacy legislation encourages Internet use because consumers don’t need to fear how their information is protected. And Josh Gottheimer of the FCC cited a study that shows that one of the main reasons why people don’t have broadband is due to, as he called it, the “fear factor.”

For increased use and adoption of the Internet and online services, cutting through the fear is key. That’s why I stressed why one of the main goals of a group that’s discussing privacy-related public policies should be to distinguish between legitimate concerns versus overreactions.

For online safety, there was a period just a year or two ago where we saw a lot of rhetoric, but not a lot of facts, about the real risks and likely threats kids face when online. Today the discussion is less fear-based, and as a result is much more productive for making the Internet safer. The NTIA OSTWG report stressed this fact-based approach.

Today privacy is where the online safety debate was a few years ago. There’s a similar danger of overreaction where rhetoric may crowd-out productive solutions. But there’s also a risk of being too glib on each side: pro-regulatory privacy advocates may not value the need for legitimate revenue models while businesses may sometimes dismiss legitimate privacy concerns.

Ultimately it may come down to a question of who decides. Whether it’s default settings or what is personal information, is it government, companies, or consumers that decide? I’ll tip my hand here: I think the key is for consumers to on the one hand understand the decisions they make, and on the other hand be allowed to make decisions.

Fear not, NetChoice looks forward to working with the Safe Internet Alliance and policymakers on privacy issues.

I’d like to recommend Sonia Arrison’s recent article on the need for updating the Electronic Privacy Communications Act (ECPA). She makes a good case why citizens should feel a bit worried about the ability of government to invade their privacy when they keep data in the cloud. And citizens are customers, so online businesses are worried if people may use less of their services. But here’s another angle for why we need to update ECPA…it’s to promote online safety. From an excellent analysis by Becky Burr, ECPA reform:

Would establish uniform, clear, and easily understood rules about when and what kind of judicial review is needed by law enforcement to access electronic content; and Would, by clarifying the applicable rules, enable business to respond more quickly and with greater confidence to law enforcement requests and to avail themselves of hosted productivity technology.

Right now the law is muddled, and online services have a hard time determining legitimate requests from those that are overreaching. When the law is clarified, businesses and law enforcement can (with appropriate legal process) share information that can help find sexual predators and other online miscreants.

Based on two (1, 2) previous cyber security bills, a draft bill that has been circulating around town backed by Senate Majority Leader Harry Reid would give the White House sweeping new powers over companies that operate “covered critical infrastructure” or (CCI). And more than that, the bill would eliminate a vital aspect of the governmental process: a right to a day in court.

People often think of critical infrastructure as power plants, dams, and public safety communication networks. On the Internet, modems, routers and other specific network equipment could be designated as CCI. But this bill is written broadly, so that the Administration could even designate online services—such as e-mail and cloud computing services—that use the Internet but are not themselves network infrastructure.

All businesses want to keep Americans safe and protect infrastructure that supports the American economy. But what happens if a company (or an industry) wants to challenge their CCI designation? Typically, what makes America work is that we can question authority and even challenge our government in court when we think it’s wrong. But this legislation explicitly denies businesses their right to challenge a CCI designation in court.

(4) Final appeal.—A final decision in any appeal under this subsection shall be a final agency action that shall not be subject to judicial review except as part of an enforcement action under section 306(b)(7). [emphasis added]

This part of the bill has to be amended to allow judicial appeals to make it fair for the businesses that will pay for it.

And when courts do review a designation, they should scrutinize whether the Secretary rightly applied–not just “considered”–the specific risk factors in the legislation. The current draft has a low bar for the government, requiring the Secretary to merely consider certain risk factors–and lets the Secretary add other factors, too.

In the event of a major cyber incident, companies should be leading the way in developing a fix, not standing by and waiting for the government to issue orders.

The companies that operate critical Internet infrastructure are not part of the cyber security problem, they are the key to the solution. Rather than punishing these pillars of the security community, lawmakers should be looking for innovative ways to support their efforts.

The high-tech industry has been a strong supporter of government’s renewed focus on cyber security. But we want to avoid the situation where government gains the power to issue expansive, unchecked edicts without the right to a day in court.

Up on the NetChoice blog, Steve DelBianco writes about how online child safety was a hot topic at the Internet Governance Forum (IGF) last week in Lithuania. There was one workshop on location-based services that allow users to publish their mobile phone location info to their parents or social network pages (e.g. Foursquare, Loopt, and Facebook Places).

The entire workshop reminded Steve of the movie Minority Report, where a ‘precrime’ police unit relies on the visions of psychics to predict future crimes, then arrests the potential perpetrators before they do anything wrong:

In the world of Internet governance, the future is now, as regulators want online services to predict and prevent safety threats before they actually occur. According to some privacy advocates and lawmakers, the precrime problem here is that location data might be seen by someone with bad intentions.  In the name of protecting children, panelists here favor a policy framework that would require innovators to clear new location-based services with regulators before making them available to users.

Think of the irony with this regulatory approach. Lawmakers are not likely to predict all the ways that bad people can abuse a good service, and regulatory approvals are notoriously slow and inflexible.  On the other hand, Internet innovation is marked by rapid development of new services and quick reactions to fine-tune new features or fix unexpected problems.

Thankfully, there was a young person in the audience that actually knows how kids use the Internet and what will help them the most:

More sage advice came from young people – the anticipated victims of precrimes that might use location-based info. Joonas Makinen of the Youth Coalition on Internet Governance told the IGF, “It is better to focus on fighting ignorance and building digital literacy than applying safety strategies based on restriction.”

Indeed.

After a quiet August recess in Washington, DC, it’s time to refocus our efforts on public policies that impact online commerce. And today we consider not the good, and not merely the bad, but the awful – iAWFUL.

NetChoice unveiled an updated version of out Internet Advocates’ Watchlist for Ugly Laws (iAWFUL) where we track the ten instances of state and federal legislation that pose the greatest threat to the Internet and e-commerce. Our efforts so far this year have helped to remove two of the worst offenders from the February 2010 iAWFUL list, including a federal bill giving the Federal Trade Commission more powers to make new rules for online activity without Congressional guidance, and a Maine law restricting online marketing to teenagers.

In our second update for 2010, NetChoice identifies new legislation that has the potential to stall Internet commerce. Our top two are Congressional bills:

Number 1:  Federal online privacy efforts such as Rep. Rush’s “Best Practices Act” (HR 5777) and the staff discussion draft from Boucher / Stearns. Number 2:  The expansion of Internet taxation HR 5660, the “Streamlined Sales Tax Bill”

This iAWFUL list targets federal privacy proposals that would curtail the continued development of ad-supported content and services that consumers have come to expect from the Internet. No one’s saying that privacy isn’t important or that we shouldn’t be concerned with our personal information. However, one federal privacy proposal would regulate small websites that don’t collect personally identifiable information but add just 100 users a week, even when users provide only a nickname and password.

And where these proposals attempt to mitigate new regulatory burdens, they don’t go nearly far enough. The proposals would grant the Federal Trade Commission broad powers to dictate the details of self-regulatory programs, effectively transforming the FTC into a “port authority” of the Internet. Moreover, the safe harbor “choice program” found in Representative Bobby Rush’s (D-IL) legislation is no real solution for online businesses, who would be forced to conform to avoid costly lawsuits enabled by the bill’s private right of action – with statutory damages of $1,000 per violation.

An updated federal push to expand Internet taxation via the Streamlined Sales Tax (SST) jumped into the number two slot of the 2010 iAWFUL list. In their hunt for additional tax revenues, a handful of states have again asked Congress to force out-of-state businesses to be their tax collectors. H.R. 5660, sponsored by Representative Delahunt (D-MA), would take money from consumers and move it to two dozen state capitols while imposing costly new burdens on small businesses in all fifty states. This new collection burden would be a jobs-killer that cannot be justified by the grossly overestimated revenues trumpeted by advocates.

Although sales tax systems are as complex as ever, SST supporters have abandoned their original promise to exempt small businesses and compensate sellers for the burdens of collecting taxes. The proposed legislation once again shows that serious simplification of sales tax systems has become just a slogan — not a standard.

Individual legislative proposals from a broad swath of states including California, Colorado, Illinois, Maryland, New Mexico, Virginia and Oregon round out the iAWFUL list through additional tax grabs that seek to use the Internet as a novel revenue source at the cost of consumer privacy and convenience.

The entire updated 2010 iAWFUL includes:

1. Federal Online Privacy Legislation – New to iAWFUL

2. Federal Legislation to Expand Internet Taxation

3. Consumer Purchase Tax Reporting Initiative (CO)

4. Hotel Taxes on Online Travel Companies (NY, FL)

5. Advertising Nexus Taxes (CO, IL, NM, MD, VA, VT)

6. New Taxes on Digital Downloads (OK, SC)

7. Nevada Encryption Mandate (NV)

8. California Data Breach Notification (CA)

9. Regulation of Free Trial Offers and Renewal Agreements (OR)

10. Component Nexus Laws (CA, CO, OK)

It’s not often that you see advice on Internet privacy sandwiched between articles on “4 Times it Pays to Splurge” and  how to “Be a Full-time Mom with a Part-time Passion.” But online privacy is such a hot topic that even Redbook, the women’s magazine, has a story in its August issue.  The article is an informed, well-balanced look at providing practical tips (well it should be, I was interviewed for it!) on being secure and private when on various Internet sites:

If you’re a LIVE-LIFE-OUT-LOUD GIRL (i.e., you offer a play-by-play of your life to your 1,000 Facebook friends, blog readers, and Twitter followers), these are the guidelines you — and everyone — should follow:

• On your social networking profiles, take the time to check out the privacy settings and decide whom you want to have access to what information. The risks here aren’t great, but do you really want your cousins to read about your sex life, or your frenemy to see photos of the party you didn’t invite her to?
• If you’re on a public wireless network, like at Starbucks, don’t do your online banking or log on to other sites that contain sensitive information about you. Other users accessing the network might be able to access it.
• Teach your kids about the risks of sharing personal information on the Web. If it feels appropriate for your child, bring up the countless cases of tweens’ and teens’ personal photos and videos that have ended up in the wrong inboxes because of how easy it is to forward email. Have a conversation about what sites they’re visiting online, and make sure they’re staying safe by signing up for a free limiting service such as AOL Parental Controls, which allows you to log in and monitor their activity. Check with your wireless carrier for similar services on your kids’ phones, too.

There’s more tips if interested, or read about unboring veggies sides for grilled food.

In reaction to recent government pressures for RIM to reveal customer encryption keys, Steve DelBianco writes over at the NetChoice blog:  enough with the bullies from UAE and Saudi Arabia kicking sand on the skinny Canadian guy.

It’s not likely that the UAE and Saudi governments will pick a fight with every company in a global industry.  Nor is it likely they would ban all electronic messaging, knowing their monarchs would be forced to back down after a few days of embarrassing international criticism.

It’s time for these governments to stop bullying a company that’s investing heavily to bring connectivity, content, and commerce to their own citizens.  It will only lead to a larger fight where everyone loses.

Kicking sand, indeed.

Two privacy bills are already up for consideration. And at yesterday’s Senate Commerce hearing on Consumer Online Privacy, we heard Senator Kerry announce that he will be working on new legislation to regulate online privacy.  While we wait to see what Kerry will offer, NetChoice has concerns over the bills we do know about:  Rep. Rush’s “Best Practices Act” and the Boucher/Stearns Discussion Draft. Our side-by-side comparison identifies four concerns:

• Both proposals would regulate small websites that don’t even collect PII. Boucher-Stearns would regulate a tiny online startup that is adding just 100 users a week, even where its users provide only a made-up user name and password. As defined, “covered information” would overly restrict the flow of useful information and harm the development of ad-supported content and services.
• Safe harbor? Hardly! A company could be torpedoed with lawsuits from enterprising trial lawyers just for sending marketing emails that were later found to be outside of the safe harbor, up to $1,000 per violation and uncapped punitive damages.
• Marketing and advertising have legitimate operational purposes. Additional consent should not be required when a business uses covered information to do follow-up marketing to customers with whom it has already established a business relationship. Congress has recognized this consumer expectation in past legislation, which is why it built important exceptions in the CAN-SPAM Act for “relationship messages” to contact customers in an existing business relationship.
• The FTC should enforce laws against unfair or deceptive practices, not micromanage self-regulatory efforts. As the overseer of the safe harbor program, the FTC will have broad powers to dictate the details of self-regulatory programs, effectively transforming the FTC into the port authority of the Internet.

We’re also worried about the Rush bill mandate requiring access to information. It broadly applies to covered or sensitive information about individuals “that may be used for purposes that could result in an adverse decision about an individual….”

More analysis to come.

Internet governance is often thought of as ICANN and domain names, but the Internet Governance Forum, a body of the UN, takes a broad approach. Tomorrow I’ll be speaking on a panel about online safety at IGF-USA,  a national body that reports to the full IGF.  We’ll discuss the recent NTIA OSTWG “Youth Safety on a Living Internet” report, among other online safety issues such as sexting, cyberbullying, and proposed state legislation.

UPDATE:  Here’s a summary and video excerpt of my presentation.

Here’s the panel:

Moderator: Danny Weitzner, Associate Administrator, Office of Policy Analysis and Development U.S. Department of Commerce

Panelists :

• Michael W. McKeehan, Executive Director, Internet and Technology Policy, Verizon
• Braden Cox, Policy Counsel, NetChoice Coalition
• Anne Collier, via remote participation [Invited]
• Jennifer Hanley, Family Online Safety Institute (FOSI)
• Stacie Rumenap, Stop Child Predators

Respondents:

• Morgan C. Little, Elon University Graduate, Political Science, American University
• Jane Coffin, NTIA: comments on some of the global activities
• Bessie Pang, Executive Director, POLCYB

Check it out and come for the other panels on cybersecurity, cloud computing and global governance for governments. Registration is free.

In light of the Delahunt “Main Street Fairness Act” (HR 5660) introduced earlier this month, over at the NetChoice blog Steve DelBianco describes why it is important to consider that “where you sit determines where you stand”  when it comes to Internet taxes:

Big-box stores like Walmart and Target support a federal mandate that forces everyone to collect sales tax, even for states where they have zero presence.  So why would these giant chains  — who already have to collect taxes on their web sales — stand for this? Because from where Walmart sits, any simplification – even a little – helps reduce their costs.  And because these big boys want to impose new tax collection costs on their small online competitors.

He’s also reacting to a post at BNET last week, where Chris Dannen described how big retailers are supporting the so-called “streamlined sales tax”:

“Brick-and-mortar retailers — many of whom have operations online — are some of the most vocal proponents of the new online tax laws. The members of the pro-tax lobby, which includes Best Buy, WalMart ,Target and others, already collect sales tax online, regardless of the buyer’s state, and see Web-only retailers as having an unfair advantage, from How to Tax E-Commerce without Killing Entrepreneurship (and eBay)”

Now is a critical time for online commerce as policymakers assess their approaches to privacy. And as NetChoice says in our comments filed today, now is the perfect time for the Department of Commerce to be more involved in privacy issues.

What? We’re calling for more government involvement in a politically charged issue? Yes, and here’s why it’s an appropriate response to the Commerce Dept’s Notice of Inquiry.

Data flows today are much more complex than they were even a decade ago.  Simple one-way transfers between one country and another have been replaced by multinational corporations that transfer data across multiple jurisdictions on a daily basis.

Because of this, privacy-related laws and regulation can have a broad impact on the growth of online commerce, not just here in the U.S. but across the globe. And as a voice for commerce, the Department of Commerce should promote pro-commerce policies over there (EU, Asia, elsewhere) and over here (in the U.S.).

Here’s what we say in our comments:

• The Commerce Department should act as an international ambassador for innovative American online companies.  The Department can play an important role as a government-to-government advocate for flexible international rules to promote continued innovation and economic growth.  And as a government agency speaking to other government agencies, the Commerce Department can bring credibility and leverage that cannot be matched by corporate interests alone.

• Domestically, the Commerce Department should work with the FTC to step-up state and federal enforcement against unfair or deceptive information practices. Aggressive enforcement will help foster a better climate for innovation than would expanded regulation. New regulations are followed only by legitimate businesses who were already complying with the old regulations. Bad actors, on the other hand, ignore both old and new regulations with impunity (e.g., Spammers are still spamming even after the FTC issued new regulations pursuant to the CAN-SPAM Act).

But whether it is overseas or here in the U.S., we advocate that the Commerce Department promote a privacy framework that is flexible enough to permit innovation, and that opposes static laws that undermine consumer interests in improved online services.

There’s a bill moving in California (SB 1361) that restricts how social networking sites display the personal information of 13 to 17 yr olds. It’s billed as a privacy bill and at first glance seems relatively harmless — after all, kids don’t need to be broadcasting their contact information, right? Maybe. It all depends.

It depends on the situation, obviously. We teach our kids to recognize risky situations and to react appropriately.

But whether or not teens are at risk by publishing their telephone numbers is not the threshold question here. The law presumes such and I’m not aware of any specific findings offered in testimony about the bill.

Instead, the issue at hand is whether we need a law to restrict social networking websites from publishing certain information from teenagers. And with any law, there’s always the corresponding principle of unintended consequences.

A bit more about the bill. It restricts a social networking website from displaying the home address and telephone numbers of minors who self-identify as being under 18. It only applies to “web fields specifically designated to display the registered user’s home address or telephone number” – recognizing the impracticality of having hundreds of thousands of websites police every area where kids can share information.

Arguing against bills that aim to protect children is really hard work – who can be against the children (or in this case, adolescents)? But I truly believe this bill has serious unintended consequences and sets a bad precedent for how minors are allowed to share information on the Internet.

Here’s why SB 1361 shouldn’t become law:

• It’s a one-size-fits-all approach that encourages kids to lie about their age. If a teen can’t share this info in a pre-prescribed field, they will either share it in a general space, share it via text or email, or lie about their age in order to share the info.—thereby circumventing a site’s safety features.
• It undercuts existing safety solutions and the sort of “teachable moments” endorsed by the NTIA OSTWG and Berkman Internet safety reports.
• It wrongly assumes that predators discover a kid’s home address or telephone number through the Internet and then contact them offline (instead, we know that at-risk kids are groomed online, not offline).
• It provides a false sense of security to parents.
• Finally, it’s better to educate teens on how to properly give out their contact information than to have the government do it for them.

The bill is before the Assembly, having been referred to the Arts/Entertainment committee. It will likely be heard in the next week or two, and has already passed the Senate.

For the past month, online companies have considered the privacy legislation discussion draft from Rep. Boucher and Stearns. The legislation is a broad attempt to set privacy defaults for the collection, use and sharing of information on the Internet.

Last Friday, NetChoice submitted comments to Rep. Boucher and Stearns.

While there are some aspects of the bill to like (eg. no private right of action), we’re worried that the bill does too much, too soon, to set opt-in or opt-out defaults. We explored in a previous post why flexibility in setting user defaults is important for continued social network innovation.

Fortunately, open and thoughtful consideration of this matter can continue without undue pressures to find a quick fix for privacy. Because while there have been state legislative proposals on privacy, there is not now a patchwork of state laws creating unworkable compliance challenges for interstate e-commerce. In other words, we can take our time and get this right.

Our comments discuss how the draft bill would interfere with four commonplace scenarios for collecting and using information. Here’s one of ’em:

1. The Operational Purpose exemption in this draft legislation is too narrow, in that it does not permit use of covered information for marketing or advertising to existing customers.

   Case 1: A consumer buys a new washer and dryer and writes her email address on a product registration card. That’s an Operational Purpose, so no consent is required to collect the info.

But if the retailer later wants to send an email offering an extended service contract, he has to first obtain consent to send the email, since that’s a use of covered information for marketing purposes. Additional consent should not be required when a business uses covered information to do follow-up marketing to customers with whom it has already established a business relationship. Customers expect their vendors and suppliers to offer upgrades, options, service contracts, etc. Congress has recognized this consumer expectation in past legislation, which is why it built important exceptions in the CAN-SPAM Act for “relationship messages” to contact customers in an existing business relationship.

But the Operational Purpose exemption is denied if the business uses any covered information for advertising or marketing — to its own customers. This would force businesses to first request consent from their customer before contacting them with information about additional services or products. A low response rate to these permission requests will mean that fewer customers will learn about products and services they value, and businesses will have to spend more to market to existing customers.

Read the other three here.

Companies often promote consistent and reliable customer experiences. KLM touts itself as “the reliable airline” while Michelin touts its dependability “because so much is riding on your tires.” And now we have Yahoo, who announced that it will be increasing the social networking functionality in Yahoo Mail. Yahoo has the ability to promote consistency in determining user defaults for sharing information.

But social networking is a product much different than most – it is participatory. Passengers can’t fly airplanes and drivers don’t design tire tread, but social networking users control what and with whom they share information.

So what happens when a social networking service changes functionality or adds new features? How does a company be consistent in carrying-over a user’s preference from the prior version to the new one? What assumptions should it make on user privacy preferences for new features?

These considerations matter whenever an online service tries to increase its social networking functionality. Last week, Facebook unveiled new privacy controls, and we blogged that it was a welcome response to clear-up confusion. In the coming weeks Yahoo will change how status updates work in Yahoo Mail. Michael Arrington’s TechCrunch article describes it well:

[C]urrently to see status updates for others in Yahoo Mail, you have to have a mutual follow, meaning both people have agreed to be “friends.” You can then see that user’s Yahoo status updates as well as updates on third party services that they have added to their Yahoo profile as well. In the new version there will no longer be a requirement for a mutual follow. So, like on Twitter, users can follow whomever they choose. This isn’t actually a dramatic change for Yahoo, since users can follow others in this way already on Yahoo Messenger.

Like Google and Facebook before it, Yahoo is adding features to make its service more “social.” And because of the scrutiny over the changes by Google and Facebook, Yahoo seems to be going out of its way to assure users that they can rely and depend on Yahoo. According to the Yahoo Corporate Blog:

Before Yahoo! Updates is expanded to Yahoo! Mail where many more people will see their Contacts’ activity, we want you to explore your Updates settings and make sure you know who can see what you’re publishing. Even if you are among the many Yahoo! users who haven’t ever generated an update, we want to encourage everyone to actively manage these settings. Because the majority of events listed within Updates are inherently public activities, our defaults are set to allow anyone to see them (that is, for people over 18; we have different defaults that are age-appropriate for people under 18 – learn more in our FAQ).

In one sense, Yahoo is trying to stay consistent: in Yahoo Messenger, user updates are public, so they’re going to make updates public in Mail too. But in another sense, Yahoo is making assumptions—that users want to have their updates be public. Hence the rationale for Yahoo’s explanation: Updates are inherently public activities, our defaults are set to allow anyone to see them.

As online services add features and functionality, they will be faced with decisions about setting defaults about what most users prefer. Google Buzz presumed that Gmail users would want to publicly reveal which people they emailed the most—but based on the wide range of user pushback, Google chose this default poorly.

In the case of Yahoo, it is trying to make it easy for users to control and opt-out of sharing status updates: “[Y]ou can easily limit who sees your Updates stream either by editing the controls for each specific activity…or by turning your Updates stream off entirely in one simple step.”

Yahoo and other online services will strive to seek a balance. They will want to respect previously expressed user preferences, while defaulting settings so that people see and are encouraged to use new features.

But if the threat of regulation—beckoned by the noisy call of privacy critics—becomes too great, companies will be afraid to take risks and introduce new service. Forcing online sites to perpetually maintain original settings prevents innovative business models and services (just ask Microsoft about how slavish consistency to decade-old software makes Windows innovation so difficult). Strict consistency is a brake on innovation.

We know that companies won’t always get the right balance. But online services need the freedom to experiment with new ways for publishing and sharing information.

As the social web matures, we’ll see more and more sites confronted with this balancing act. They’ll need to carryover preferences from old to new versions, and make assumptions on what information most users will or will not want to disclose. If sites get it wrong, some users will change their settings, while others will leave—ultimately, either is a better expression of user preferences than any law or regulation.

In a nod to the popular Dos Equis commercials, Steve DelBianco blogs about the new Facebook privacy controls and says “Stay thirsty, Facebook.  We need you guys to keep innovating.”

Right now you might not care much about Facebook’s ad revenue.  But you might start caring if falling ad revenue forced Facebook to cut spending on things like server capacity and speed, content vetting, quality control, or development of new features and access for mobile devices. You’d also start caring if Facebook over-reacted to privacy critics by slowing-down its innovation.  I’m talking about innovations like “instant personalization“, which helps selected websites customize your content based on your Facebook profile.   And innovation like a social plugin for content websites, which makes it so easy for you to refer articles or news to your Facebook friends.  Both of these innovations help create a personal, social Internet experience, and they do it though sharing of information.

As I’ve previously blogged, we’re just at the tip of the iceberg when it comes to socializing the web. Whether it’s over beers or on the Internet, users want to be social — even if we’re not the most interesting guy in the world. So keep innovating, Facebook.

In his op-ed today, Facebook founder Mark Zuckerberg promised further changes to give users better control of privacy settings.  It’s a clear signal that Facebook is seeking to meet user privacy preferences while still attracting enough ad revenue to keep the site free for everyone.  But will these signals even be heard above all the noise made by Facebook’s critics?

That’s the question posed by my colleague Steve DelBianco at the NetChoice blog:

Radio engineers speak in terms of signal-to-noise ratio when they want to measure usable signals against a background of useless static. There’s been a lot of noise over Facebook recently, driven by a feeding frenzy of technology bloggers and journalists. Their hyperbole hit a high note when some equated Facebook’s privacy drill to BP’s giant oil spill, while others wrote articles (or op-eds? It’s so hard to tell sometimes) that insult Facebook employees and impugn their motives.  Just when you think nothing could rival the noise of Washington’s echo chamber, the technology pundits show us how a real shout-down is supposed to work.

Steve hits hard against the pile-on “feeding frenzy” on Facebook, going so far as to call critics “Chicken Little.” Strong, but also accurate.

While we all support the process of vocal user feedback to improve a product/service, with Facebook there’s more going on. Even Senators with a love for the limelight have jumped on the bandwagon by telling Facebook how to manage a service it gives us for free. Of course, management by Congress is the fastest way to suck innovation and competitiveness out of one of America’s fastest growing industries.

To the extent that productive criticism turns into deafening noise, Facebook’s positive signals will be unfairly distorted.

What makes a joke funny is that there is often a kernel of underlying truth. And  when Senator Rockefeller quipped that COPPA’s age should be extended beyond 12 to age 18, or even 25, nervous laughter followed. Because unfortunately there’s existing movement afoot from some advocates to expand COPPA’s reach and scope to adolescents.

I attended this morning’s Congressional hearing on the Children’s Online Privacy Protection Act (COPPA), where I heard TLF’s own Berin Szoka deliver masterful testimony. Based on what we heard at the hearing, we’ll have to be on the lookout for efforts to create a new privacy regime for adolescents (13-17).

Senate Commerce (Consumer Protection Subcommittee) heard testimony from Facebook, Microsoft, PFF, Kathryn Montgomery, EPIC, and the FTC.  Members at the hearing were: Rockefeller, Pryor, Wicker, and Klobuchar. The hearing was convened to learn about how new technologies impact children privacy in the context of the FTC’s current review of COPPA. Through the prepared testimony, it was clear that there were two camps for the role of Congress:

1. Congress doesn’t need to amend or propose new legislation. The FTC has sufficient authority to make changes to COPPA, as only minor changes are needed

2. Congress needs to be involved. New laws are needed to address privacy harms to children and adolescents due to new digital marketing techniques:  behavioral targeting and invisible data collection practices.

Marc Rotenberg (EPIC) and Kathryn Montgomery were both quick to say that adolescents have NO protections, and thus there is a gap. They called for fair information and marketing practices to protect the privacy of adolescents, implying that this could be done with the cooperation of industry, just like what happened with COPPA. Rotenberg chided business practices “designed to conceal” what they collect and do with personal information.

Sen. Pryor asked why does COPPA stop at age 13? Why not up to 18? Facebook responded that we need to include older children into our digital society, that social networking and other online communications have been overwhelmingly positive for children. Montgomery agreed with this assertion, but said it’s not about blocking access to older children, it’s about being transparent and not collecting data.

Sen. Pryor also asked about age verification…is there a good way to age verify? Rotenberg agreed that it’s not perfect. Still, maybe it’s worth trying.  Berin Szoka debunked this, saying that there’s no good way to age verify, and the process of age verifying actually puts more information into the hands of private companies, reducing privacy!

So here’s one to end on: how many members of Congress does it take to update COPPA? None! The FTC can (and should) do it! And that’s no joke.

Facebook is in the spotlight—unfairly.

Yesterday, four Democratic U.S. senators — Charles Schumer (D-N.Y.), Michael Bennet (D-Col.), Mark Begich (Alaska) and Al Franken (D-Minn.) — published a letter to Facebook expressing their concern over Facebook’s privacy policies.  They asked Facebook to “fix” its privacy policy?

Privacy is a complex and often personal concept – how do these four senators know it’s broken?

Well, the letter follows the announcement of Facebook’s new Open Graph API that could revolutionize social networking. As one commentator wrote on ReadWriteWeb, “the bits of this platform bring together the visions of a social, personalized and semantic Web that have been discussed since del.icio.us pioneered Web 2.0 back in 2004.” The future of the web is not just knowing whether a user is interacting with a webpage, but knowing whether users are liking a specific kind of thing (referred to as the semantic web).

This sounds like very interesting stuff (understatement intended). And here’s the thing that many people (including many members of Congress) forget:  Facebook is a new model of business that has shaken up the way we communicate. And it’s operating in uncharted territory, miles ahead of the Washington, D.C. crowd that would like to put their own stamp on the company. This is a company that is driving innovation, the last thing we need are politicians attempting to fine-tune the engine.

Which company is the next target of a letter? What’s the precedent being set by these demands for Facebook and other innovative web-based companies? I imagine there are a lot of concerned entrepreneurs across the country wondering if they’re next.

It’s April 15, so hopefully nobody’s waiting in long lines at the post office (though we think you should be using the Internet to file electronically). Unfortunately, it’s only April but already it has been a taxing year for online commerce.

We’ve seen six tax-related categories of bills that have been introduced in state legislatures this year: (1) Privacy-invading purchase reporting laws; (2) Bounty hunter bills; (3) affiliate advertising as a nexus for requiring sales tax collection; (4) imposing hotel taxes on online travel companies; (5) expanding Internet sales taxes based on inadequate simplification; and (6) new taxes on digital downloads.

Colorado law turns online companies into the purchasing police (and snitch)

Colorado passed HB 1193 earlier this year (it takes effect in May), and in an effort to get consumers to pay the use tax on Internet purchases it requires out-of-state companies to share purchasing data with the state Dept of Revenue.

Out-of-state retailers must track and report the purchases of Coloradans and: (a) file an annual statement with purchase data for each purchaser to the Department of Revenue; (b) send buyers a summary statement of all their purchases so they know how much use tax to pay (like a 1099 form we receive on investments, only would it be called “Form 1984”?); and (c) on every invoice and receipt, notify Colorado purchasers of their need to file a sales and use tax return with the state; Colorado’s Department of Revenue will now know all the vendors where residents made online or catalog purchases from remote sellers. This would include sensitive items of a particular kind of merchandise — sex items, specialty books, items that reveal political views, etc.

Declan McCullagh wrote a good article on this yesterday. California has an almost identical bill pending (AB 2078). So does Tennessee (HB 1947).

Deputizing plaintiff’s lawyers to sue for uncollected taxes

Georgia (SB 512) was a “bounty hunter” bill that would give the state revenue commissioner broad authority to to hire contractors on contingency to go after uncollected sales taxes. It would authorize payment of contingency fees to lawyers who successfully sue remote online retailers to enforce collection obligations. The bill failed to meet the legislature’s crossover deadline, so it’s effectively dead this year.

Affiliate nexus laws are an unconstitutional expansion of sales tax burdens to out-of-state businesses.

Colorado (SB 1193), Connecticut (HB 5481), Illinois (SB 3353), Maryland (SB 824), New Mexico (HB 50), Virginia (SB 660) and Vermont (HB 661) introduced bills declaring that some forms of Internet advertising are equivalent to having sales agents in their states. California’s Senate Budget and Fiscal Committee passed a budget report that includes an advertising nexus tax. All these states want to force out-of-state advertisers to collect and remit sales tax on sales to their residents.

Advocates believe the measures will raise tax revenue, but that’s a false hope, as seen in states that enacted this law in 2009. Moreover, fewer advertising dollars would flow to in-state websites, costing income and jobs. State laws that use Internet advertising as a proxy for an in-state sales representative will stunt the growth of new business models and distort the evolution of Internet marketing.

Imposing hotel taxes on services provided by Online Travel Companies—the wrong tax for the wrong jurisdiction

Local governments want to levy their double-digit hotel occupancy taxes on service fees charged by online travel websites. New York City passed an ordinance, the state of Florida considered legislation and sued Expedia and Orbitz, and 67 other municipalities have filed lawsuits.

In Jan-2009, the Multistate Tax Commission recommended a model bill to impose hotel taxes on service fees charged by travel agents. But treating online intermediaries as hotels is the wrong approach — service fees should not be taxed the same way as a hotel room charge.

NetChoice is now working with the Streamlined Sales Tax Governing Board and with NCSL to evaluate an alternative proposal that taxes agent services as a service rendered to the traveler booking the room.

Expanding Internet sales taxes, based on inflated expectations and inadequate simplification

Overblown tax revenue estimates are luring states into a system where costs could outweigh benefits. Florida and Virginia are the latest states betting on inflated tax collection estimates if they embrace a nationwide sales tax regime called the Streamlined Sales Tax (SST).

For a decade, the SST sought to reduce the burden of sales tax collection on interstate commerce, as held by the Supreme Court’s Quill decision. However, the SST is not nearly simple enough.  Moreover, recent research proves that the lost revenue from taxes on out-of-state purchases is grossly overstated.

New taxes on digital downloads of music, movies, books, games, and software

Colorado (HB 1192), Indiana (SB 250), Wyoming (HB 29) and Vermont introduced legislation—and Oklahoma introduced a budget proposal—that would impose new sales taxes on digital downloads.

States are looking everywhere for new revenue, but it doesn’t make sense to add taxes to digital downloads, the greenest way you can get music, movies, books, games, and software. Instead, states should be encouraging behavior that avoids round trips in the car, warehousing, and the use of plastic and packaging.

Moreover, some state tax administrators wrongly contend that digital goods are the equivalents of offline products.  Just ask the Kindle users whose books were ‘recalled’ by Amazon. Finally, these bills place in-state businesses at a disadvantage to out-of-state competitors, who wouldn’t have to collect the sales tax when selling the same downloads to in-state customers.