Privacy, Security & Government Surveillance

This article originally appeared at techfreedom.org

Today, the House voted to extend key, but narrow, privacy rights to citizens of “covered countries.” The Judicial Redress Act, passed by a voice vote, would allow the Attorney General to work with other federal agencies to determine countries whose citizens can enforce their data protection rights in U.S. courts under the Privacy Act of 1974. Since that statute specifically exempts sensitive issues regarding law enforcement and national security, extending Privacy Act rights to citizens of selected countries poses no significant concerns.

“Today, the House took one small step toward repairing America’s tarnished image on data privacy,” said Berin Szoka, President of TechFreedom. “Since the Snowden disclosures, our government’s inaction on surveillance reform has provoked an international crisis — one that could lead to a European blockade of American Internet companies.”

Two weeks ago, in the Schrems case, the European Court of Justice struck down the Safe Harbor agreement that has, since 2000, allowed U.S. companies to receive and use data about European citizens. Lack of redress rights for Europeans is among the chief reasons why the ECJ found that the Commission had failed to update its finding that U.S. privacy protections were “adequate.”

Without a new agreement, U.S. companies will be at the mercy of each and every European Data Protection Authority, which, under Schrems, can now decide how to regulate cross-border data flows. This burden will likely fall heaviest on U.S. tech startups, who can ill afford this risk. If the Digital Protection Authorities (DPAs) start cracking down, American companies may simply decide to forego the European market, or to split their services into two pieces that don’t allow users to interact — especially new companies that haven’t yet launched their services. That, in turn, could mean a regionalization of what has, until now, been an inherently global medium.

“Passage of the Judicial Redress Act is ‘table stakes’ for the U.S.,” continued Szoka. “Without it, the State Department will have no credibility at the bargaining table in negotiating with the Europeans over a replacement for Safe Harbor. However, Privacy Act rights are necessary but not sufficient: Congress will need to move on to other privacy reforms immediately, starting with ensuring that law enforcement must obtain a warrant before accessing stored data of both American and European citizens. Congress will also need to finish the surveillance reforms it started with USA FREEDOM, specifically regarding Section 702.”


We can be reached for comment at media@techfreedom.org. See more of our work on privacy, especially:

  • “Only Congressional Privacy Reforms Can Prevent EU Internet Blockade of US,” a statement from TechFreedom on the ECJ striking down Safe Harbor

This Wednesday, TechFreedom joined Niskanen Center and a coalition of free market groups in urging the White House to endorse the use of strong encryption and disavow efforts to intentionally weaken encryption, whether by installing “back doors,” “front doors,” or any security vulnerabilities into encryption products.

The coalition letter concludes:

We urge your Administration to consider the full ramifications of weakening or limiting encryption. There is no such thing as a backdoor that only the US government can access: any attempt to weaken encryption means making users more vulnerable to malicious hackers, identity thieves, and repressive governments. America must stand for the right to encryption — it is nothing less than the Second Amendment for the Internet.

“The White House’s silence on encryption is deafening,” said Tom Struble, Policy Counsel at TechFreedom. “The President’s hitherto failure to endorse strong encryption has given ammunition to European regulators seeking to restrict cross-border data flows and require that data on EU citizens be stored in their own countries. Just yesterday, the European Court of Justice struck down a longstanding agreement that made it easier for Europeans to access American Internet services. If the White House continues to dawdle, it will only further embolden ‘digital protectionism’ across the pond.”

The letter’s signatories include: Niskanen Center, TechFreedom, FreedomWorks, R Street Institute, Students For Liberty, Citizen Outreach, Downsize DC, Institute for Policy Innovation, Less Government, Center for Financial Privacy and Human Rights, and American Commitment.

The last several months have been a busy time for tech policy. Major policies have been enacted, particularly in the areas of surveillance and Internet regulation. While we haven’t checked in here on TLF in some time, TechFreedom has been consistently fighting for the policies that make innovation possible.

  1. Internet Independence: On July 4th, we launched the Declaration of Internet Independence, a grassroots petition campaign calling on Congress to restore the light-touch approach to Internet regulation that resulted in twenty years of growth and prosperity.
  2. Internet Regulation: This February the FCC issued its Open Internet Order, reclassifying broadband as a communications service under Title II of the 1934 Communications Act, despite opposition from many in the tech sector, including supporters of our “Don’t Break the Net” campaign. In response, we’ve joined CARI.net and several leading internet entrepreneurs in litigation against the FCC to ask the Court to strike down the Order.
  3. Surveillance: Section 215 of the PATRIOT Act, which authorized bulk collection of phone records, sunset this May, giving privacy advocates the opportunity to enact meaningful surveillance reform. TechFreedom voiced support for such reforms, including the USA FREEDOM Act, which will end all bulk collection of Americans’ telephone records under any authority.
  4. Broadband Deployment: Making fast, affordable Internet available to everyone is a goal that we all share. We’ve been urging government at all levels to make it easier for private companies to do just that through policies like Dig Once conduits, while cautioning that government-run broadband should only be a last resort.
  5. FTC Reform: The FTC is in dire need of reform. We’ve recommended changes to ensure that the agency fulfills its duty to protect consumers from real harm without a regulatory blank check, which stifles innovation and competition. While progress has been made, there’s still a long way to go. The agency can start by helping to unshackle the sharing economy from legacy regulations.

The big news out of Europe today is that the European Court of Justice (ECJ) has invalidated the 15-year-old EU-US safe harbor agreement, which facilitated data transfers between the EU and US. American tech companies have relied on the safe harbor to do business in the European Union, which has more onerous data handling regulations than the US. [PDF summary of decision here.] Below I offer some quick thoughts about the decision and some of its potential unintended consequences.

#1) Another blow to new entry / competition in the EU: While some pundits are claiming this is a huge blow to big US tech firms, in reality, the irony of the ruling is that it will bolster the market power of the biggest US tech firms, because they are the only ones that will be able to afford the formidable compliance costs associated with the resulting regulatory regime. In fact, with each EU privacy decision, Google, Facebook, and other big US tech firms just get more dominant. Small firms just can’t comply with the EU’s expanding regulatory thicket. “It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” said Nicola Fulford, head of data protection at the UK law firm Kemp Little when commenting on the ruling to the BBC. “It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.” And by driving up regulatory compliance costs and causing constant delays in how online business is conducted, the ruling will (again, on top of all the others) greatly limit entry and innovation by new, smaller players in the digital world. In essence, EU data regulations have already wiped out much of the digital competition in Europe and now this ruling finishes off any global new entrants who might have hoped to break in and offer competitive alternatives. These are the sorts of stories never told in antitrust circles: costly government rulings often solidify and extend the market dominance of existing companies. Dynamic effects matter. That is certainly going to be the case here.

It was my pleasure this week to be invited to deliver some comments at an event hosted by the Information Technology and Innovation Foundation (ITIF) to coincide with the release of their latest study, “The Privacy Panic Cycle: A Guide to Public Fears About New Technologies.” The goal of the new ITIF report, which was co-authored by Daniel Castro and Alan McQuinn, is to highlight the dangers associated with “the cycle of panic that occurs when privacy advocates make outsized claims about the privacy risks associated with new technologies. Those claims then filter through the news media to policymakers and the public, causing frenzies of consternation before cooler heads prevail, people come to understand and appreciate innovative new products and services, and everyone moves on.” (p. 1)

As Castro and McQuinn describe it, the privacy panic cycle “charts how perceived privacy fears about a technology grow rapidly at the beginning, but eventually decline over time.” They divide this cycle into four phases: Trusting Beginnings, Rising Panic, Deflating Fears, and Moving On. Here’s how they depict it in an image:

[Image: Privacy Panic Cycle]

On Thursday, it was my great pleasure to participate in a Washington Legal Foundation (WLF) event on “Online Privacy Regulation: The Challenge of Defining Harm.” The entire event video can be found on YouTube here, but down below I pasted the clip of just my remarks. Other speakers at the event included: FTC Commissioner Maureen K. Ohlhausen; John B. Morris, Jr., the Associate Administrator and Director of Internet Policy at the U.S. Department of Commerce’s National Telecommunications and Information Administration; and Katherine Armstrong, Counsel at the law firm of Hogan Lovells. Glenn Lammi of the WLF moderated the session.

My remarks drew upon a few recent law review articles I have published relating digital privacy debates to previous debates over free speech and online child safety issues. (Here are those articles: 1, 2, 3).

In a recent Senate Commerce Committee hearing on the Internet of Things, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) “announced legislation that would direct the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy.” Spurred by a recent report from his office (Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk), Markey argued that Americans “need the equivalent of seat belts and airbags to keep drivers and their information safe in the 21st century.”

Among the many conclusions reached in the report, it says, “nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” This comes across as a tad tautological given that everything from smartphones and computers to large-scale power grids is prone to being hacked, yet the Markey-Blumenthal proposal would enforce a separate set of government-approved, and regulated, standards for privacy and security, displayed on every vehicle in the form of a “Cyber Dashboard” decal.

Leaving aside the irony of legislators attempting to dictate privacy standards, especially in the post-Snowden world, it would behoove legislators like Markey and Blumenthal to take a closer look at just what it is they are proposing and ask whether such a law is indeed necessary to protect consumers.

The Obama Administration has just released a draft “Consumer Privacy Bill of Rights Act of 2015.” Generally speaking, the bill aims to translate fair information practice principles (FIPPs) — which have traditionally been flexible and voluntary guidelines — into a formal set of industry best practices that would be federally enforced on private sector digital innovators. This includes federally-mandated Privacy Review Boards, approved by the Federal Trade Commission, the agency that will be primarily responsible for enforcing the new regulatory regime.

Many of the principles found in the Administration’s draft proposal are quite sensible as best practices, but the danger here is that they could soon be converted into a heavy-handed, bureaucratized regulatory regime for America’s highly innovative, data-driven economy.

No matter how well-intentioned this proposal may be, it is vital to recognize that restrictions on data collection could negatively impact innovation, consumer choice, and the competitiveness of America’s digital economy.

Online privacy and security is vitally important, but we should look to use alternative and less costly approaches to protecting privacy and security that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

That is why flexible data collection and use policies and evolving best practices will ultimately serve consumers better than one-size-fits-all, top-down regulatory edicts.

On Sunday night, 60 Minutes aired a feature with the ominous title, “Nobody’s Safe on the Internet,” that focused on connected car hacking and Internet of Things (IoT) device security. It was followed yesterday morning by the release of a new report from the office of Senator Edward J. Markey (D-Mass) called Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, which focused on connected car security and privacy issues. Employing more than a bit of techno-panic flair, these reports basically suggest that we’re all doomed.

On 60 Minutes, we meet former game developer turned Department of Defense “cyber warrior” Dan (“call me DARPA Dan”) Kaufman–and learn his fears of the future: “Today, all the devices that are on the Internet [and] the ‘Internet of Things’ are fundamentally insecure. There is no real security going on. Connected homes could be hacked and taken over.”

60 Minutes reporter Lesley Stahl, for her part, is aghast. “So if somebody got into my refrigerator,” she ventures, “through the internet, then they would be able to get into everything, right?” Replies DARPA Dan, “Yeah, that’s the fear.” Prankish hackers could make your milk go bad, or hack into your garage door opener, or even your car.

This segues to a humorous segment wherein Stahl takes a networked car for a spin. DARPA Dan and his multiple research teams have been hard at work remotely programming this vehicle for years. A “hacker” on DARPA Dan’s team proceeded to torment poor Lesley with automatic windshield wiping, rude and random beeps, and other hijinks. “Oh my word!” exclaims Stahl.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.