Privacy, Security & Government Surveillance

This article originally appeared at

Today, Rep. Michael McCaul (R-TX) and Sen. Mark Warner (D-VA) introduced legislation to create a blue ribbon commission that would examine the challenges encryption and other forms of digital security pose to law enforcement and national security. The sixteen-member commission will be made up of experts from law enforcement, the tech industry, privacy advocacy and other important stakeholders in the debate and will be required to present an initial report after six months and final recommendations within a year.

In today’s Tech Policy Podcast, TechFreedom President Berin Szoka and Ryan Hagemann, the Niskanen Center’s technology and civil liberties policy analyst, discussed the commission’s potential.

I see this commission as an ideal resting place for this debate,” Hagemann said. “Certainly what we’re trying to avoid is pushing through any sort of knee-jerk legislation that Senators Feinstein or Burr would propose, especially in the wake of a new terrorist attack.”

“I share the chairman’s concerns that since we’re not making any headway on these issues in the public forum, what is really needed here is for Congress to take some level of decisive action and get all of the people who have something to gain as well as something to lose in this debate to just sit down and talk through the issues that all parties have,” he continued.

I think it’s going to come out and say that there is no middle ground on end-to-end encryption, but it’s probably going to deal with the Apple situation very specifically,” Szoka said. “I think you’re going to see some standard that is going to be probably a little more demanding upon law enforcement than what law enforcement wants under the All Writs Act.”

This article was originally posted on

On January 11, TechFreedom joined nearly 200 organizations, companies, and experts from more than 40 countries in urging world leaders to support strong encryption and to reject any law, policy, or mandate that would undermine digital security. In France, India, the U.K, China, the U.S., and beyond, governments are considering legislation and other proposals that would undermine strong encryption. The letter is now open to public support and is hosted at

The letter concludes:

Strong encryption and the secure tools and systems that rely on it are critical to improving cybersecurity, fostering the digital economy, and protecting users. Our continued ability to leverage the internet for global growth and prosperity and as a tool for organizers and activists requires the ability and the right to communicate privately and securely through trustworthy networks.

There’s no middle ground on encryption,” said Tom Struble, Policy Counsel at TechFreedom. “You either have encryption or you don’t. Any vulnerability imposed for government use can be exploited by those who seek to do harm. Privacy in communications means governments must not ban or restrict access to encryption, or mandate or otherwise pressure companies to implement backdoors or other security vulnerabilities into their products.”

This article originally appeared at

Yesterday, the FTC reiterated its age-old formula: there are benefits, there are risks, and here are some recommendations on what we regard as best practices. The report summarizes the workshop the agency held in October 2014, “Big Data: A Tool for Inclusion or Exclusion?”

Commissioner Ohlhausen issued a separate statement, saying the report gave “undue credence to hypothetical harms” and failed to “consider the powerful forces of economics and free-market competition,” which might avoid some of the hypothetical harms in the report.

The FTC is essentially saying, ‘there are clear benefits to Big Data and there may also be risks, but we have no idea how large they are,’” said Berin Szoka. “That’s not surprising, given that not a single economist participated in the FTC’s Big Data workshop. The report repeats a litany of ‘mights,’ ‘concerns’ and ‘worries’ but few concrete examples of harm from Big Data analysis — and no actual analysis. Thus, it does little to advance understanding of how to address real Big Data harms without inadvertently chilling forms of ‘discrimination’ that actually help underserved and minority populations.”

“Most notably,” continued Szoka, “the report makes much of a single news piece suggesting that Staples charged higher prices online to customers who lived farther away from a Staples store — which was cherry-picked precisely because it’s so hard to find examples where price discrimination results in higher prices for poor consumers. The report does not mention the obvious response: if consumers are shopping online anyway, comparison shopping is easy. So why would we think this would be an effective strategy for profit-maximizing firms?”

The FTC can do a lot better than this,” concluded Szoka. “The agency has an entire Bureau of Economics, which the Bureau of Consumer Protection stubbornly refuses to involve in its work — presumably out of the misguided notion that economic analysis is somehow anti-consumer. That’s dead wrong. As with previous FTC reports since 2009, this one’s ‘recommendations’ will have essentially regulatory effect. Moreover, the report announces that the FTC will bring Section 5 enforcement actions against Big Data companies that have ‘reason to know’ that their customers will use their analysis tools ‘for discriminatory purposes.’ That sounds uncontroversial, but all Big Data involves ‘discrimination’; the real issue is harmful discrimination, and that’s not going to be easy for Big Data platforms to assess. This kind of vague intermediary liability will likely deter Big Data innovations that could actually help consumers — like more flexible credit scoring.”

This article originally appeared at

WASHINGTON D.C. — Yesterday, the Federal Trade Commission announced that it had reached a settlement with Wyndham Hotels over charges that the company had “unreasonable” data security. In 2009, Russian hackers stole customer information, including credit card numbers, from Wyndham hotel systems. The company initially refused to settle an FTC enforcement action, becoming the first to challenge the FTC’s approach to data security in federal court. The FTC has used a decade of settlements with dozens of companies to establish fuzzy de facto standards for data security. In August, the Third Circuit denied Wyndham’s appeal of the district court’s decision to let the case proceed.

The FTC has, once again, avoided having a federal court definitively answer fundamental questions about the constitutionality of the FTC’s approach to data security,” said Berin Szoka, President of TechFreedom, which joined an amicus brief in the case. “The FTC will no doubt claim the Third Circuit vindicated its approach, but all the court really said was that Wyndham’s specific practices may have been unfair. Indeed, the appeals court agreed with Wyndham that the FTC’s so-called ‘common law of consent decrees’ cannot provide the ‘fair notice’ required by the Constitution’s Due Process clause. This implied that the FTC needs to do much more to guide companies on what ‘reasonable’ data security would be. By settling the case, the FTC avoided having the district court resolve those questions.”

It’ll take years for another case to work its way through the courts,” explained Szoka. “LabMD’srecent victory before the FTC’s chief administrative law judge is encouraging, and may allow a federal court to weigh in on the requirements of Section 5’s amorphous unfairness standard, if the full Commission overrules the ALJ. But that case focuses more on how the FTC weighs costs and benefits in each enforcement action than on the issue of how much guidance it provides guidance to industry.”

It’s high time Congress reasserted itself here,” concluded Szoka. “The FTC has demonstrated little willingness to change from within, and we can’t wait for the courts to address these questions. Congress needs to put the FTC on sounder footing across the board — from data security to privacy and other consumer protection issues. Far from hamstringing the agency, requiring better explanation of what the law requires and weighing of costs and benefits would actually help consumers — both by promoting better business practices and by avoiding FTC actions that end up harming consumers. Such common sense reforms should be bipartisan, just as they were back in 1980, the last time Congress really checked the FTC’s vast discretion.”

Szoka is co-author, along with Geoffrey Manne and Gus Hurwitz, of the FTC: Technology & Reform Project’s initial report, “Consumer Protection & Competition Regulation in a High-Tech World: Discussing the Future of the Federal Trade Commission,” which critiques the FTC’s processes and suggests areas where the FTC, the courts and Congress could improve how the FTC applies its sweeping unfairness and deception powers in data security, privacy and other cases, especially related to technology.

This article originally appeared at

Today, the House voted to extend key, but narrow, privacy rights to citizens of “covered countries.” The Judicial Redress Act, passed by a voice vote, would allow the Attorney General to work with other federal agencies to determine countries whose citizens can enforce their data protection rights in U.S. courts under the Privacy Act of 1974. Since that statute specifically exempts sensitive issues regarding law enforcement and national security, extending Privacy Act rights to citizens of selected countries poses no significant concerns.

Today, the House took one small step toward repairing America’s tarnished image on data privacy,” said Berin Szoka, President of TechFreedom. “Since the Snowden disclosures, our government’s inaction on surveillance reform has provoked an international crisis — one that could lead to a European blockade of American Internet companies.”

Two weeks ago, in the Schrems case, the European Court of Justice struck down the Safe Harbor agreement that has, since 2000, allowed U.S. companies to receive and use data about European citizens. Lack of redress rights for Europeans is among the chief reasons why the ECJ found that the Commission had failed to update its finding that U.S. privacy protections were “adequate.”

Without a new agreement, U.S. companies will be at the mercy of each and every European Data Protection Authority, which, under Schrems, can now decide how to regulate cross-border data flows. This burden will likely fall heaviest on U.S. tech startups, who can ill afford this risk. If the Digital Protection Authorities (DPAs) start cracking down, American companies may simply decide to forego the European market, or to split their services into two pieces that don’t allow users to interact — especially new companies that haven’t yet launched their services. That, in turn, could mean a regionalization of what has, until now, been an inherently global medium.

Passage of the Judicial Redress Act is ‘table stakes’ for the U.S.,” continued Szoka. “Without it, the State Department will have no credibility at the bargaining table in negotiating with the Europeans over a replacement for Safe Harbor. However, Privacy Act rights are necessary but not sufficient: Congress will need to move on to other privacy reforms immediately, starting with ensuring that law enforcement must obtain a warrant before accessing stored data of both American and European citizens. Congress will also need to finish the surveillance reforms it started with USA FREEDOM, specifically regarding Section 702.”


We can be reached for comment at See more of our work on privacy, especially:

  • “Only Congressional Privacy Reforms Can Prevent  EU Internet Blockade of US,” a statement from TechFreedom on the ECJ striking down Safe Harbor

This Wednesday, TechFreedom joined Niskanen Center and a coalition of free market groups in urging the White House to endorse the use of strong encryption and disavow efforts to intentionally weaken encryption, whether by installing “back doors,” “front doors,” or any security vulnerabilities into encryption products.

The coalition letter concludes:

We urge your Administration to consider the full ramifications of weakening or limiting encryption. There is no such thing as a backdoor that only the US government can access: any attempt to weaken encryption means making users more vulnerable to malicious hackers, identity thieves, and repressive governments. America must stand for the right to encryption — it is nothing less than the Second Amendment for the Internet.

The White House’s silence on encryption is deafening,” said Tom Struble, Policy Counsel at TechFreedom. “The President’s hitherto failure to endorse strong encryption has given ammunition to European regulators seeking to restrict cross-border data flows and require that data on EU citizens be stored in their own countries. Just yesterday, the European Court of Justice struck down a longstanding agreement that made it easier for Europeans to access American Internet services. If the White House continues to dawdle, it will only further embolden ‘digital protectionism’ across the pond.”

The letter’s signatories include: Niskanen Center, TechFreedom, FreedomWorks, R Street Institute, Students For Liberty, Citizen Outreach, Downsize DC, Institute for Policy Innovation, Less Government, Center for Financial Privacy and Human Rights, and American Commitment.

The last several months have been a busy time for tech policy. Major policies have been enacted, particularly in the areas of surveillance and Internet regulation. While we haven’t checked in here on TLF in some time,TechFreedom has been consistently fighting for the policies that make innovation possible.

  1. Internet Independence: On July 4th, we launched  the Declaration of Internet Independence, a grassroots petition campaign calling on Congress to restore the light-touch approach to Internet regulation that resulted in twenty years of growth and prosperity.
  2. Internet Regulation: This February the FCC issued its Open Internet Order, reclassifying broadbandas a communications service under Title II of the 1934 Communications Act, despite opposition from many in the tech sector, including supporters of our “Don’t Break the Net” campaign. In response, we’ve joined and several leading internet entrepreneurs in litigation against the FCC   to ask the Court to strike down the Order.
  3. Surveillance: Section 215 of the PATRIOT Act, which authorized bulk collection of phone records, sunset this May, giving privacy advocates the opportunity to enact meaningful surveillance reform. TechFreedom voiced support for such reforms, including the USA FREEDOM Act, which will end all bulk collection of Americans’ telephone records under any authority.
  4. Broadband Deployment: Making fast, affordable Internet available to everyone is a goal that we all share. We’ve been urging government at all levels to make it easier for private companies to do just that through policies like Dig Once conduits, while cautioning that government-run broadband should only be a last resort.
  5. FTC Reform: The FTC is in dire need of reform. We’ve recommended changes to ensure that the agency fulfills its duty to protect consumers from real harm without a regulatory blank check, which stifles innovation and competition. While progress has been made, there’s still a long way to go. The agency can start by helping to unshackle the sharing economy from legacy regulations.

The big news out of Europe today is that the European Court of Justice (ECJ) has invalidated the 15-year old EU-US safe harbor agreement, which facilitated data transfers between the EU and US. American tech companies have relied on the safe harbor to do business in the European Union, which has more onerous data handling regulations than the US. [PDF summary of decision here.] Below I offer some quick thoughts about the decision and some of its potential unintended consequences.

#1) Another blow to new entry / competition in the EU: While some pundits are claiming this is a huge blow to big US tech firms, in reality, the irony of the ruling is that it will bolster the market power of the biggest US tech firms, because they are the only ones that will be able to afford the formidable compliance costs associated with the resulting regulatory regime. In fact, with each EU privacy decision, Google, Facebook, and other big US tech firms just get more dominant. Small firms just can’t comply with the EU’s expanding regulatory thicket. “It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” said Nicola Fulford, head of data protection at the UK law firm Kemp Little when commenting on the ruling to the BBC. “It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.” And by driving up regulatory compliance costs and causing constant delays in how online business is conducted, the ruling will (again, on top of all the others) greatly limits entry and innovation by new, smaller players in the digital world. In essence, EU data regulations have already wiped out much of the digital competition in Europe and now this ruling finishes off any global new entrants who might have hoped of breaking in and offering competitive alternatives. These are the sorts of stories never told in antitrust circles: costly government rulings often solidify and extend the market dominance of existing companies. Dynamic effects matter. That is certainly going to be the case here. Continue reading →

It was my pleasure this week to be invited to deliver some comments at an event hosted by the Information Technology and Innovation Foundation (ITIF) to coincide with the release of their latest study, “The Privacy Panic Cycle: A Guide to Public Fears About New Technologies.” The goal of the new ITIF report, which was co-authored by Daniel Castro and Alan McQuinn, is to highlight the dangers associated with “the cycle of panic that occurs when privacy advocates make outsized claims about the privacy risks associated with new technologies. Those claims then filter through the news media to policymakers and the public, causing frenzies of consternation before cooler heads prevail, people come to understand and appreciate innovative new products and services, and everyone moves on.” (p. 1)

As Castro and McQuinn describe it, the privacy panic cycle “charts how perceived privacy fears about a technology grow rapidly at the beginning, but eventually decline over time.” They divide this cycle into four phases: Trusting Beginnings, Rising Panic, Deflating Fears, and Moving On. Here’s how they depict it in an image:

Privacy Panic Cycle - 1


Continue reading →

On Thursday, it was my great pleasure to participate in a Washington Legal Foundation (WLF) event on “Online Privacy Regulation: The Challenge of Defining Harm.” The entire event video can be found on YouTube here, but down below I pasted the clip of just my remarks. Other speakers at the event included:  FTC Commissioner Maureen K. Ohlhausen, Commissioner; John B. Morris, Jr., the Associate Administrator and Director of Internet Policy athe U.S. Department of Commerce’s National Telecommunications and Information Administration; and Katherine Armstrong, Counsel at the law firm of Hogan Lovells. Glenn Lammi of the WLF moderated the session.

My remarks drew upon a few recent law review articles I have published relating digital privacy debates to previous debates over free speech and online child safety issues. (Here are those articles: 1, 2, 3).