Based on two (1, 2) previous cyber security bills, a draft bill that has been circulating around town backed by Senate Majority Leader Harry Reid would give the White House sweeping new powers over companies that operate “covered critical infrastructure” or (CCI). And more than that, the bill would eliminate a vital aspect of the governmental process: a right to a day in court.
People often think of critical infrastructure as power plants, dams, and public safety communication networks. On the Internet, modems, routers and other specific network equipment could be designated as CCI. But this bill is written broadly, so that the Administration could even designate online services—such as e-mail and cloud computing services—that use the Internet but are not themselves network infrastructure.
All businesses want to keep Americans safe and protect infrastructure that supports the American economy. But what happens if a company (or an industry) wants to challenge their CCI designation? Typically, what makes America work is that we can question authority and even challenge our government in court when we think it’s wrong. But this legislation explicitly denies businesses their right to challenge a CCI designation in court.
(4) Final appeal.—A final decision in any appeal under this subsection shall be a final agency action that shall not be subject to judicial review except as part of an enforcement action under section 306(b)(7). [emphasis added]
This part of the bill has to be amended to allow judicial appeals to make it fair for the businesses that will pay for it. Continue reading →
If you blinked, you missed it. Heaven knows, I did. The OECD privacy guidelines celebrated their 30th birthday on Thursday last week. They were introduced as a Recommendation by the Council of the Organization for Economic Cooperation and Development on September 23, 1980, and were meant to harmonize global privacy regulation.
Should we fete the guidelines on their birthday, crediting how they have solved our privacy problems? Not so much. When they came out, people felt insecure about their privacy, and demand for national privacy legislation was rising, risking the creation of tensions among national privacy regimes. Today, people feel insecure about their privacy, and demand for national privacy legislation is rising, risking the creation of tensions among national privacy regimes. Which is to say, not much has been solved.
In 2002—and I’m still at this? Kill me now—I summarized the OECD Guidelines and critiqued them as follows on the “OECD Guidelines” Privacilla page.
The Guidelines, and the concept of “fair information practices” generally, fail to address privacy coherently and completely because they do not recognize a rather fundamental premise: the vast difference in rights, powers, and incentives between governments and the private sector. Governments have heavy incentives to use and sometimes misuse information. They may appropriately be controlled by “fair information practices.”
Private sector entities tend to have a balance of incentives, and they are subject to both legal and market-punishments when they misuse information. Saddling them with additional, top-down regulation in the form of “fair information practices” would raise the cost of goods and services to consumers without materially improving their privacy.
Not much has changed in my thinking, though today I would be more careful to emphasize that many FIPs
are good practices. It’s just that they are good in some circumstances and not in others, some FIPs are in tension with other FIPs, and so on.
The OECD Guidelines and the many versions of FIPs are a sort of privacy bible to many people. But nobody actually lives by the book, and we wouldn’t want them to. Happy birthday anyway, OECD guidelines.
If you store sensitive files on your personal computer which law enforcement authorities wish to examine, they generally cannot do so without first obtaining a search warrant based upon probable cause
. But what if you store personal information online—say, in your Gmail account, or on Dropbox? What if you’re a business owner who uses Salesforce CRM or Windows Azure? How secure is your data from unwarranted governmental access?
Both the U.S. Senate and the House of Representatives are investigating these crucial questions in two separate hearings this week. Congress hasn’t overhauled the privacy laws governing law enforcement access to information stored with remote service providers since 1986. The Electronic Communications Privacy Act (ECPA), the key federal law governing electronic privacy, has grown increasingly out of touch with reality as technology has evolved and Americans have grown increasingly reliant on cloud services like webmail and social networking. As a result, government can currently compel service providers to disclose the contents of certain types of information stored in the cloud without first obtaining a search warrant or any other court order requiring the scrutiny of a judge.
Thus, the Competitive Enterprise Institute has joined with The Progress & Freedom Foundation, Americans for Tax Reform, Citizens Against Government Waste, and the Center for Financial Privacy and Human Rights in submitting a written statement to the U.S. Senate and House Judiciary Committees urging Congress to reform U.S. electronic privacy laws to better reflect users’ privacy expectations in the information age. The groups also belong to the Digital Due Process coalition, a broad array of public interest organizations, businesses, advocacy groups, and scholars who are working to strengthen U.S. privacy laws while also preserving the building blocks of law enforcement investigations.
Continue reading →
As the Internet evolves and new data collection technologies emerge, privacy concerns are increasingly in the spotlight. Few doubt that these concerns are, in many cases, legitimate. The major point of contention is which institutions in society are best equipped to address the privacy challenges of the information age. While a number of privacy scholars point to stricter federal regulation as the answer, others are very skeptical of granting government a more expansive role in safeguarding sensitive information on the Internet.
In this week’s issue of
Advertising Age, Carolyn Homer and I have a guest column in which we discuss 
the role of market institutions in addressing privacy concerns:
A series of recent high-profile privacy gaffes involving internet firms such as Google, Microsoft and Facebook has spurred a public outcry for stronger privacy protections. Politicians in Congress have responded with a slew of blustering letters, hearings, and legislative threats. On July 19, Rep. Bobby Rush, D-Ill., introduced a sweeping privacy bill in the House of Representatives, and Sen. John Kerry, D-Mass., has pledged to introduce a similar bill in the Senate. This legislation would stifle the dynamic internet economy and targeted advertising while doing little to improve consumer privacy.
Mr. Rush’s bill, titled the Best Practices Act, would give the Federal Trade Commission broad new powers to regulate nearly any organization that routinely collects even basic data about individuals, including phone numbers and email addresses. The bill would empower the FTC to dictate businesses’ data security practices, perform extensive compliance audits, and even restrict which kinds of information firms can collect and how long they can store it.
This approach may sound sensible, but it ignores the crucial role of responsible data collection in the information age. Limiting such practices will impede e-commerce and endanger free internet content backed by advertising. The internet’s ubiquitous information sharing is a feature, not a bug.
Continue reading →
Up until I began doing my reading for this fall’s Criminal Procedure: Investigation course, I largely bought the heroic Warren Court story of privacy and the Fourth Amendment.
The story is simple: The Supreme Court, concerned only with helping businesses through decisions like Lochner, had left people unprotected from warrantless searches and seizures. In decisions like
Olmstead v. United States (holding that a warrantless wiretap did not violate the Fourth Amendment), the Court threw privacy under the bus. But, as with the First Amendment, Brandeis and Holmes dissented, presaging the arrival of the glorious Warren Court, which overturned Olmstead in Katz v. United States.
Though, unlike many FedSocers, I love the Warren Court and its expansion and constitutionalization of personal liberties both procedural and substantive, the heroic story just isn’t quite right.
Continue reading →
Washington Times reporter Shaun Waterman has a characteristically excellent article out today about U.S. cybersecurity authorities failing to secure their own systems.
According to a new report by government auditors, systems at the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit.
Time and again, people look to government intervention based on what they imagine government might do under ideal conditions. Real conditions produce far weaker results.
We’re better off distributing the problem of data, network, and computer security among all the self-interested actors in the country—fallible as they are. We should not abandon the problem to a central authority whose failure fails us all.
Individuals, shadowy criminal organizations, and nation states all now have the capacity to devastate modern societies through computer attacks.
It’s simply not true.
The author must not know the meaning of “devastate,” which is, according to the handiest Web dictionary, “to lay waste; render desolate.”
There is no such capacity—anywhere—to do such damage through computer attacks, and the capacity of some actors to produce some inconvenience, to cause some economic harm, and perhaps to cause physical damage or injury—none of that justifies such a stupidly phrased sentence.
It’s the first line of the abstract to “An e-SOS for Cyberspace” by Temple University law professor Duncan Hollis. Almost certainly, given the overblown premise, it calls for overblown reactions.
This concludes my review of the first sentence of another fear-mongering cybersecurity paper.
After a quiet August recess in Washington, DC, it’s time to refocus our efforts on public policies that impact online commerce. And today we consider not the good, and not merely the bad, but the awful – iAWFUL.
NetChoice unveiled an updated version of out Internet Advocates’ Watchlist for Ugly Laws (iAWFUL) where we track the ten instances of state and federal legislation that pose the greatest threat to the Internet and e-commerce. Our efforts so far this year have helped to remove two of the worst offenders from the February 2010 iAWFUL list, including a federal bill giving the Federal Trade Commission more powers to make new rules for online activity without Congressional guidance, and a Maine law restricting online marketing to teenagers.
In our second update for 2010, NetChoice identifies new legislation that has the potential to stall Internet commerce. Our top two are Congressional bills:
Number 1: Federal online privacy efforts such as Rep. Rush’s “Best Practices Act” (HR 5777) and the staff discussion draft from Boucher / Stearns.
Number 2: The expansion of Internet taxation HR 5660, the “Streamlined Sales Tax Bill”
This iAWFUL list targets federal privacy proposals that would curtail the continued development of ad-supported content and services that consumers have come to expect from the Internet. No one’s saying that privacy isn’t important or that we shouldn’t be concerned with our personal information. However, one federal privacy proposal would regulate small websites that don’t collect personally identifiable information but add just 100 users a week, even when users provide only a nickname and password. Continue reading →
I’ll be there, speaking on a privacy-focused panel entitled: “We Know What You Watch.”
Spooky!
There’s an interesting agenda and, as conferences go, this one seems to be pretty well organized. For example, they have a page of badges they encourage participants to use in promotions like this one. (What do you think of the one I selected?)
And they suggest the Twitter hashtags #openvideo and #ovc10.
Once again, New York TLFers, that’s the Open Video Conference, Oct. 1-2 at the Fashion Institute of Technology.
I’m at the mid-point of an online debate hosted by the Economist.com on the proposition: “This house believes that governments must do far more to protect online privacy.”
I’m on the “No” side. In my opening statement, I tried to give some definition to the many problems referred to as “privacy,” and I argued for personal responsibility on the part of Internet users. I even gave out instructions for controlling cookies, by which people can deny ad networks their most common source of consumer demographic information if they wish. Concluding, I said:
Government “experts” should not dictate social rules. Rather, interactions among members of the internet community should determine the internet’s social and business norms.
In the “rebuttal” stage, which started today, I dedicated most of my commentary to documenting how governments undermine privacy—and I barely scratched the surface.
Along with surveillance program after surveillance program, I discussed how government biases protocols and technologies against privacy, using the Social Security number as an example. I don’t know what syndrome causes many privacy advocates to seek protection in the arms of governments, which are systematic and powerful privacy abusers themselves.
Nonetheless, I’m opposing the “free lunch” argument, which holds that a group of government experts can come up with neutral and balanced, low-cost solutions to many different online problems without thwarting innovation. Right now the voting is with the guy offering people the free lunch, not the guy arguing for consumer education and personal responsibility.
You can vote here.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.