I haven’t said a lot about Google picking up wifi signals as it gathered imagery for its helpful Street View service, but the group “Consumer Watchdog” is doing cartwheels and handstands to try and generate interest in it. In my opinion, they’ve gone a little too far, and now—as have so many before—they will learn to fear my blog post.
This release from CW’s “corporateering” section is misleading in several ways. Take this, for example:
Google now admits that its Street View cars snooped on private WiFi networks as they prowled streets in thirty countries photographing people’s homes over the last three years. The company acknowledges it recorded communications it picked up from unencrypted WiFi networks.
To say “Google now admits” suggests that Google covered it up. Wrong. Google came forward with the information as soon as it discovered its mistake.
Is it “private WiFi networks” from which Google picked up data? The concepts and terminology are unclear to many, but the “private” characterization is misleading.
Many of these networks were privately owned, no doubt, but the question is whether they were configured to conceal the data being transmitted on them. They were not. Information was sent out in the clear (i.e. unencrypted) on these networks. And it was sent out by radio.
We should go into that:
Reliable national security reporter Siobhan Gorman at the Wall Street Journal has broken a story about an Internet surveillance program called “Perfect Citizen” to be managed by the National Security Agency.
Reading about it is frustrating, and for me blame quickly settles on Congress. Our legislature is utterly supine before the national security bureaucracy, which exaggerates cybersecurity threats and consistently uses the secrecy trump card to defy oversight.
If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such—the unique characteristics of new attacks—might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.
A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinized by private-sector experts, academics, security vendors, and watchdog groups.
Benign intentions do not control future results, and governmental surveillance of the Internet for “cybersecurity” purposes may warp over time to surveillance for ideological and political purposes.
These abstract criticisms of “Project Citizen” are all that publicly available information allows. Far better would come from me and others more qualified if Congress were to do its job.
Congress owes it to us, the United States’ true citizens, to have public hearings on “Perfect Citizen.” Congress should reject broad assertions of secrecy so that the whole body politic can participate in securing our country from all threats.
Congressional and public oversight—searching oversight that tests assumptions and asks hard questions—would strengthen any government cybersecurity effort we find warranted. It would also ameliorate the threat of such programs to our civil liberties, democratic processes, and privacy.
Working in any field of public policy is a bit like living in a haunted house: You spend most of your day dodging bogeymen, ghosts, phantasms, phantoms and specters of imagined harms, frauds, invasions and various conspiracies supposedly perpetrated by evil companies against helpless consumers, justice, God, Gaia, small woodland creatures and every sort of underserved, disadvantaged and/or underprivileged group of man, animal, vegetable and mineral imaginable.
But Internet policy—particularly online privacy—tends to be haunted by such groundless imaginings far more than most other areas of policy, largely because it manifests itself in ways that are far more real and immediate to ordinary users. For example, as outraged as any of us might feel about the Gulf oil spill, how many of us have the slightest clue what’s really involved (beyond what we’ve learned watching TV anchors stumble through a vocabulary they don’t understand)?
By contrast, huge numbers of Americans have daily interaction with web services like those provided by Google, Microsoft, Yahoo, Twitter and Facebook. That doesn’t mean we necessarily understand how these technologies work. Indeed, quite the contrary! As Arthur C. Clarke said, “Any sufficiently advanced technology is indistinguishable from magic.” But we often think we know how these technological marvels work, and certainly sound much more informed when we spout off (pun intended) about these things than, say, “top kills” on the bottom of the ocean floor. In short, we know just enough about web services to be dangerous when we ground strong policy positions in our unsophisticated understanding of how things really work online.
There are few better examples of this than the constantly repeated bugaboo that “Facebook sells your data to advertisers!” Or “Facebook only wants you to share more information with more people for advertising purposes!” These myths bear no relation to how advertising on social networking sites actually works, as Facebook CEO Sheryl Sandberg explains beautifully in a short tutorial video. Here’s the key portion:
Common Sense Media (CSM) is a media “watchdog” group that provides a terrifically useful service to the public through independent reviews of popular media content (movies, music, TV, games, and more). As a parent, I find their service indispensable and, as a policy analyst, I have praised their rating system and their media literacy / digital citizenship programs again and again, including numerous endorsements in my special report on Parental Controls & Online Child Protection and other testimony and filings before Congress and federal regulatory agencies.
Thus, being such a big fan of CSM, I was quite dismayed to see the comments they just submitted to the Federal Trade Commission (FTC) as part of the agency’s review of the Children’s Online Privacy Protection Act (COPPA). They advocate not just expanded educational efforts, which are great, but also expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.” For all the background on the law and the FTC’s resulting COPPA rule, see this beefy paper Berin Szoka and I authored last year and this testimony and follow-up submission Berin did for the Senate Commerce Committee. And then read the joint submission made by PFF, CDT, and EFF in the same FTC proceeding that CSM just filed in.
Sadly, it’s clear to me that Common Sense Media didn’t take anything we warned about in those papers or filings seriously—or perhaps that they just didn’t bother to read them very carefully, if at all. Their filing is a classic example of good intentions gone wrong. I understand that they want to take additional steps to protect children online, but they completely ignore the practical realities of COPPA expansion and its associated trade-offs:
Now is a critical time for online commerce as policymakers assess their approaches to privacy. And as NetChoice says in our comments filed today, now is the perfect time for the Department of Commerce to be more involved in privacy issues.
What? We’re calling for more government involvement in a politically charged issue? Yes, and here’s why it’s an appropriate response to the Commerce Dept’s Notice of Inquiry.
Data flows today are much more complex than they were even a decade ago. Simple one-way transfers between one country and another have been replaced by multinational corporations that transfer data across multiple jurisdictions on a daily basis.
Because of this, privacy-related laws and regulation can have a broad impact on the growth of online commerce, not just here in the U.S. but across the globe. And as a voice for commerce, the Department of Commerce should promote pro-commerce policies over there (EU, Asia, elsewhere) and over here (in the U.S.).
Here’s what we say in our comments:
- The Commerce Department should act as an international ambassador for innovative American online companies. The Department can play an important role as a government-to-government advocate for flexible international rules to promote continued innovation and economic growth. And as a government agency speaking to other government agencies, the Commerce Department can bring credibility and leverage that cannot be matched by corporate interests alone.
- Domestically, the Commerce Department should work with the FTC to step up state and federal enforcement against unfair or deceptive information practices. Aggressive enforcement will help foster a better climate for innovation than would expanded regulation.
I was interviewed yesterday for the local Fox affiliate on Cal. SB 1411, which criminalizes online impersonations (or “e-personation”) under certain circumstances.
On paper, of course, this sounds like a fine idea. As Palo Alto State Senator Joe Simitian, the bill’s sponsor, put it, “The Internet makes many things easier. One of those, unfortunately, is pretending to be someone else. When that happens with the intent of causing harm, folks need a law they can turn to.”
Or do they?
The Problem with New Laws for New Technology
SB 1411 would make a great exam question or short paper assignment for an information law course. It’s short, is loaded with good intentions, and at first blush looks perfectly reasonable—just extending existing harassment, intimidation and fraud laws to the modern context of online activity. Unfortunately, a careful read reveals all sorts of potential problems and unintended consequences.
There’s a bill moving in California (SB 1361) that restricts how social networking sites display the personal information of 13 to 17 yr olds. It’s billed as a privacy bill and at first glance seems relatively harmless — after all, kids don’t need to be broadcasting their contact information, right? Maybe. It all depends.
It depends on the situation, obviously. We teach our kids to recognize risky situations and to react appropriately.
But whether or not teens are at risk by publishing their telephone numbers is not the threshold question here. The law presumes such and I’m not aware of any specific findings offered in testimony about the bill.
Instead, the issue at hand is whether we need a law to restrict social networking websites from publishing certain information from teenagers. And with any law, there’s always the corresponding principle of unintended consequences.
A bit more about the bill. It restricts a social networking website from displaying the home address and telephone numbers of minors who self-identify as being under 18. It only applies to “web fields specifically designated to display the registered user’s home address or telephone number” – recognizing the impracticality of having hundreds of thousands of websites police every area where kids can share information.
Arguing against bills that aim to protect children is really hard work – who can be against the children (or in this case, adolescents)? But I truly believe this bill has serious unintended consequences and sets a bad precedent for how minors are allowed to share information on the Internet.
Here’s why SB 1361 shouldn’t become law:
I participated last week in a Techdirt webinar titled, “What IT needs to know about Law.” (You can read Dennis Yang’s summary here, or follow his link to watch the full one-hour discussion. Free registration required.)
The key message of The Laws of Disruption is that IT and other executives need to know a great deal about law—and more all the time. And Techdirt does an admirable job of reporting the latest breakdowns between innovation and regulation on a daily basis. So I was happy to participate.
Legally-Defensible Security
Not surprisingly, there were far too many topics to cover in a single seminar, so we decided to focus narrowly on just one: potential legal liability when data security is breached, whether through negligence (lost laptop) or the criminal act of a third party (hacking attacks). We were fortunate to have as the main presenter David Navetta, founding partner with The Information Law Group, who had recently written an excellent article on what he calls “legally-defensible security” practices.
For the past month, online companies have considered the privacy legislation discussion draft from Reps. Boucher and Stearns. The legislation is a broad attempt to set privacy defaults for the collection, use and sharing of information on the Internet.
Last Friday, NetChoice submitted comments to Reps. Boucher and Stearns.
While there are some aspects of the bill to like (e.g., no private right of action), we’re worried that the bill does too much, too soon, to set opt-in or opt-out defaults. We explored in a previous post why flexibility in setting user defaults is important for continued social network innovation.
Fortunately, open and thoughtful consideration of this matter can continue without undue pressures to find a quick fix for privacy. Because while there have been state legislative proposals on privacy, there is not now a patchwork of state laws creating unworkable compliance challenges for interstate e-commerce. In other words, we can take our time and get this right.
Our comments discuss how the draft bill would interfere with four commonplace scenarios for collecting and using information. Here’s one of ’em:
- The Operational Purpose exemption in this draft legislation is too narrow, in that it does not permit use of covered information for marketing or advertising to existing customers.
Case 1: A consumer buys a new washer and dryer and writes her email address on a product registration card. That’s an Operational Purpose, so no consent is required to collect the info.
But if the retailer later wants to send an email offering an extended service contract, he has to first obtain consent to send the email, since that’s a use of covered information for marketing purposes.