Privacy, Security & Government Surveillance

By Ryan Radia & Berin Szoka

Today a broad array of civil liberties groups, think tanks, and technology companies launched the Digital Due Process coalition. The coalition’s mission is to educate lawmakers and the public about the need to update U.S. privacy laws to better safeguard individual information online and ensure that federal privacy statutes accurately reflect the realities of the digital age.

Over 20 organizations belong to the Digital Due Process coalition, including such odd bedfellows as AT&T, Google, Microsoft, the Center for Democracy & Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, The Progress & Freedom Foundation (where Berin works), the Competitive Enterprise Institute (where Ryan works), the Internet Technology & Innovation Foundation, Citizens Against Government Waste, and Americans for Tax Reform. The full member list is available at the coalition’s website.

Amidst the heated tech policy wars, it’s not every day that such a diverse group of organizations comes together to endorse a unified set of core principles for legislative reform. Over two years in the making, the Digital Due Process coalition, spearheaded by the Center for Democracy & Technology, is a testament to the broad consensus that’s emerged among business leaders, activists, and scholars regarding the inadequacies of the current legal regime intended to protect Americans’ privacy from government snooping and the need for Congress to revisit decades-old privacy statutes. It also represents a revival of a bipartisan consensus on the need for reform reached back in 2000, when the Republican-led House Judiciary Committee voted 20-1 to approve very similar reforms (HR 5018).

Today, in the digital age, robust privacy laws are more important than ever. That’s because U.S. courts have been unwilling to extend the Fourth Amendment’s protection against unreasonable search and seizure to individual information stored with third parties such as cloud computing providers. Thus, while government authorities must get a search warrant based on probable cause before they can lawfully rifle through documents stored in your desk, basement, or safe deposit box, information you store on the cloud enjoys no Constitutional protection. (Some legal scholars argue this interpretation of the Fourth Amendment, referred to as the Third Party Doctrine, is outdated and deficient. See, for example, Jim Harper’s excellent 2008 article in the American University Law Review.)


Please join us for this Progress & Freedom Foundation luncheon briefing on Friday, April 16, 12-2 pm in the Capitol Visitor Center, Room SVC 208/209 at E Capitol St NE & 1st St NE. I’ll be moderating a discussion of the growing powers of the Federal Trade Commission (FTC) and what it might mean for consumers, advertisers, media creators, and the Internet.

As I’ve discussed here, here and here, financial reform legislation passed by the House (HR 4173) and now under debate in the Senate would give the FTC sweeping new powers to regulate not just Wall Street, but also unfair or deceptive trade practices across the economy. This could reshape regulation in a wide range of areas, such as privacy, cybersecurity, child safety, COPPA, and child nutrition, affecting media online as well as offline. Unfortunately, as Adam and I have noted, there seems to be a disconnect at the FTC between concerns over the future of struggling media creators and efforts to step up regulation on a number of fronts, especially privacy. The FTC has also asserted expanded authority to regulate “unfair” competition in its lawsuit against Intel, based solely on the FTC’s Section 5 unfairness authority rather than traditional antitrust law. PFF has assembled a group of expert panelists—veteran FTC practitioners, scholars and insiders—to discuss these issues and more. Here’s our panel:

  • Jack Calfee, Resident Scholar, American Enterprise Institute for Public Policy Research (AEI) & author of Fear of Persuasion: A New Perspective on Advertising and Regulation (1998)
  • Maureen Ohlhausen, Partner, Wilkinson Barker Knauer, Consumer Protection Law and Competition Law practices, & 11-year FTC veteran
  • Jim Davidson, Chair of the Public Policy group, Polsinelli Shughart PC
  • Stu Ingis, Partner, Venable LLP

The Federal Trade Commission (FTC) today announced the release of an 18-page Request for Public Comment (embedded below) on its implementation of the Children’s Online Privacy Protection Act of 1998 (COPPA), which governs online sharing by, and collection of information from, children under age 13. The FTC had previously announced that it would accelerate the review, which had been planned for 2015, particularly because of concerns about the mobile marketplace, as noted in the FTC’s report on that topic released in February.

COPPA has undoubtedly succeeded in its primary goal of enhancing parental involvement in their child’s online activities in order to protect the privacy and safety of children online.  Yet these benefits have come at a price, as COPPA’s considerable compliance costs (estimated at $45/child, which can be crushing in the era of “free”) have likely reduced the digital media choices available for children.  So I’m glad to see the Commission recognize these trade-offs by asking about the costs and benefits of COPPA and any proposed changes right off the bat (Questions 1-5). Such trade-offs are an inevitable part of life and policymakers can’t simply ignore them, even when it’s “for the children.”

The Potential for COPPA Expansion

I look forward to seeing comments on the important questions raised by the Commission about precisely how best to implement the framework enacted by Congress.  But I do worry that the Commission has explicitly invited proposals for legislative changes to the statute itself. In particular:

6. Do the definitions set forth in Part 312.2 of the Rule accomplish COPPA’s goal of protecting children’s online privacy and safety? … 28. Does the commenter propose any modifications to the Rule that may conflict with the statutory provisions of the COPPA Act? For any such proposed modification, does the commenter propose seeking legislative changes to the Act?

Note that question #6 does not include the critical limitation “consistent with the Act’s requirements,” which appears no less than 17 times in subsequent questions about specific aspects of the current rules. Whatever the FTC intended, this omission, combined with question #28, will be taken as an open invitation by many to propose not just changes in how the COPPA rules are implemented, but wholesale revisions to the COPPA statute itself.

Brilliant column from William Jackson on GCN.com debunking “cyberwar”:

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.” It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime.

The habit of threat inflation is harmful to the country. Jackson’s welcome take on “cyber” threats earns an accolade I rarely give out: Read the whole thing.

Update: Tim Stevens, a researcher in the Department of War Studies, King’s College London, has—ahem—attacked “cyberwar” rhetoric multiple times. (1, 2, 3, 4, 5) Kudos, Tim.

That’s basically what FTC Chairman Jon Leibowitz told the Association of National Advertisers when he spoke to their “Advertising Law & Public Policy” conference last Thursday. As I noted last week, there’s intense pressure in Congress to pass a financial regulatory overhaul and, unfortunately, the version passed by the House in December—Rep. Barney Frank’s “Wall Street Reform and Consumer Protection Act of 2009” (H.R. 4173)—would also grant the Federal Trade Commission vast new powers for all its regulations, not just those relating to the non-bank financial institutions it currently regulates. In particular, HR 4173 would:

  • Make it far easier (and not just faster) for the FTC to issue all kinds of new regulations on its own, without a specific Congressional mandate to do so and instead of relying on case-by-case enforcement to punish “unfair” or “deceptive” acts and practices;
  • Reduce public input into those regulations;
  • Impose heavy civil penalties on companies before notifying them that a practice might be “unfair” or “deceptive”;
  • Prosecute those who merely provided “substantial assistance” to someone engaged in “unfair” or “deceptive” acts or practices; and
  • Sue on its own authority, instead of through DOJ (as now).

I summarized my concerns about this bill in this short interview with PFF’s new communications director, Mike Wendy, last week.

Leibowitz has lobbied hard to have his agency put on steroids (as former FTC Chairman Jim Miller put it), asking for all these things, as well as more funding, at the first Senate hearing on HR 4173 back in February. (Conveniently, he was the only witness!) He repeated his calls for these powers on Thursday but tried to allay fears about how they’d be used.

—all one paragraph of it—on the Cato@Liberty blog.

The upshot: Their promise not to have a national ID database is almost certainly wrong. Sold as a simple quick-fix, it would take decades and hundreds of billions of dollars to build, encountering untold complexities beyond what we already know.

Progress Snapshot 6.7, The Progress & Freedom Foundation (PDF)

This week marks a pivotal point in the history of the Internet.  Monday was the 25th anniversary of the first .COM registration—and in some ways, the beginning of the commercial Internet.  Yesterday, the Federal Communications Commission unveiled its long-awaited National Broadband Plan, which proposes ambitious subsidies to encourage broadband deployment.  On the theory that unease about online privacy may discourage broadband adoption, the Plan also calls for increased regulation of how websites collect, and use, data from consumers.

The debate over how to regulate online data use has gone on for over a decade, leading to today’s final “Roundtable” in the “Exploring Privacy” series held by the Federal Trade Commission over the last three months.  The stakes in this debate are high: Data is the lifeblood of online content and services, and consumers will ultimately bear the cost of restrictions on data use in the form of reduced advertising funding for, and innovation in, online content and services.

That’s why this week’s most important technology policy event may ultimately prove to be today’s Senate Commerce Committee hearing on Rep. Barney Frank’s “Wall Street Reform and Consumer Protection Act of 2009” (H.R. 4173), which narrowly passed the House in December without a single hearing and no real debate.  Although the sprawling (273,579 word) bill is mostly famous for creating a Consumer Financial Protection Agency, it would also, in just 613 words, “put the FTC on steroids,” in the words of Jim Miller, FTC Chairman from 1981 to 1985.  With vastly expanded powers, the FTC could impose sweeping new regulation touching virtually every sector of our economy.

The current FTC chairman, Jon Leibowitz, has made clear his determination to step up regulation of online data use, advertising, “blogola,” and child protection, just to name a few of the hot topics in Internet policy.  While the FTC will no doubt continue to push for increased statutory authority, such as the online privacy bill reportedly being drafted by House Commerce Internet Subcommittee Chairman Rick Boucher (mandating opt-in for data collection), Chairman Leibowitz may be able to implement most of his radical Internet regulatory agenda using the new powers conferred on his agency in a bill (H.R. 4173) few realize has anything to do with Internet policy.

I’m livetweeting today’s final FTC Privacy Roundtable (check out the #FTCPriv hashtag on Twitter). Check out the day’s agenda or watch the webcast here. Adam Thierer and I expressed our concerns about the rush to regulation at the First Roundtable back in December—see my written comments and Adam’s summary of his remarks. David Vladeck, Director of the Bureau of Consumer Protection offered the following summary of the Roundtable process at the kick-off this morning:

  1. Benefits & risks of technology. “March of technology has blurred and threatens to obliterate the distinction between PII [personally identifiable information] and non-PII…. It’s getting harder and harder for users to choose anonymity.”
  2. Privacy challenges raised by emerging business models. What do consumers know? Consumers are often presented with confusing and unfamiliar situations. Consumers understand little about how their information is handled.
  3. Innovation in disclosure. Industry is testing privacy icons.
  4. Privacy policies are too vague, too long, too complicated and too hard to find. We need effective ways to disclose what information is being collected and to give consumers a meaningful way to control its use. There’s no way to put the genie back in the bottle once information has been shared.

On the critical question of next steps, Vladeck claims the agency isn’t certain where it will go and plans to “sit back” and think about the detailed record before making public a set of detailed recommendations on which the public will be invited to provide input. I’d like to believe him and I hope the agency really does think long and hard about the evidence provided in this process as to the trade-offs inherent in increased regulation, the complexity of this space, and the need for a cautious approach when it comes to tinkering with the data flows that are the lifeblood, both technological and financial, of the Internet. But based on their recent public statements, I fear that Vladeck and FTC Chairman Jon Leibowitz have already made up their minds about the need for regulation, and that this process is really just paving the way for a report this summer that will call for sweeping new legislation—just as the FTC did back in its 2000 Report to Congress.

I’ve just read through the National Broadband Plan’s (NBP) section on online privacy (pp. 52-57). I share the FCC’s goal of increasing consumer control over their digital profiles, and applaud the FCC’s call for promoting the development of trusted identity providers and for increased education about identity theft.  But I’m disappointed to see that the FCC is focused on regulatory solutions instead of less restrictive alternatives like consumer education, technological empowerment, increased enforcement of existing laws, or limiting government access to data collected by the private sector.

Given the nature of bureaucracies and the FCC’s sweeping assertions of its own authority in recent years, I suppose we shouldn’t be surprised that the FCC’s primary suggestion is that it should be given a key role in crafting privacy regulations for online services.  But the FCC clearly lacks any statutory authority over the “computing cloud” and Congress has not asked the agency for suggestions on expanding its jurisdiction.

The FCC deserves credit for recognizing something I’ve stressed: the manifold benefits of online data collection and use, especially that targeted advertising can significantly increase funding for “free” ad-supported content and services:

These data are giving rise to something akin to a “digital identity,” which is a major source of potential innovation and opens up many possibilities for better customization of services and increased opportunities for monetization. The value of a targeted advertisement based on personal data can be several times higher than the value of an advertisement aimed at a broad audience. For example, the going rate for some targeted advertising products can be several times the rate for a generic one because consumers can be six times more likely to “click through” a targeted banner advertisement than a non-targeted one. This differential will likely increase as targeting becomes more refined and more capable of predicting preferences, intentions and behaviors. Firms’ ability to collect, aggregate, analyze and monetize personal data has already spurred new business models, products and services, and many of these have benefited consumers. For example, many online content providers monetize their audience through targeted advertising. Whole new categories of Internet applications and services, including search, social networks, blogs and user-generated content sites, have emerged and continue to operate in part because of the potential value of targeted online advertising.

Unfortunately, the FCC doesn’t acknowledge that these benefits are a critical part of the trade-off inherent in increased regulation of how online service providers collect and use data.

This will be a busy week for tech policy in Washington! First, tomorrow the FCC is expected to release the National Broadband Plan that it’s been working on since Congress passed the “Recovery Act” in January 2009, tasking the FCC with formulating “a detailed strategy for achieving affordability of such service and maximum utilization of broadband infrastructure and service by the public.” Under Chairman Julius Genachowski, the FCC has issued a flurry of inquiries about extending FCC regulation to various aspects of the Internet, as we’ve lamented. Perhaps most troubling is the agency’s open-ended inquiry about regulating the use and collection of data by the private sector on the grounds that concerns about online privacy might slow broadband adoption. For the reasons I laid out in my comments on that inquiry, I very much hope the FCC does not attempt to shoe-horn this regulatory agenda into the Broadband plan. Unfortunately, the just-released executive summary suggests (mid-way down column 1 on page 2) the FCC may take a hard line on this issue.

At the same time that the FCC will be launching its “Five Ten Year Plan” for our infrastructure tomorrow, Verisign will be celebrating the 25th anniversary of the first .COM registration with a Policy Impact Forum in the Reagan Center. The all-star cast includes President Clinton, former FCC Commissioner Reed Hundt, ICANN President Rod Beckstrom, All Things Digital editor Kara Swisher, U.S. CTO Aneesh Chopra, Huffington Post founder Arianna Huffington and… my personal favorite, comedian Mo Rocca! They’ll all come together to celebrate how the private sector—symbolized by .COM—has transformed the Internet from a defense research project to a vibrant marketplace of ideas, goods, services, ads and personal sharing. Talk about Internet optimism!

On Wednesday, the Federal Trade Commission will hold its third and final Exploring Privacy Roundtable. Adam Thierer spoke at the first Roundtable on privacy polls and surveys, something I’ve written a lot about. I talked about the benefits of online advertising, as summarized in my comments to the FTC. We remain concerned that, for all the talk about improving self-regulation, this process is going to lead to increased regulation of data use and collection without first looking to the kinds of “less restrictive” alternatives we’ve been emphasizing to address real, non-conjectural harms: user education, user empowerment, increased enforcement, technological innovation at all levels, and enhanced protection from the clearest harm of all, government snooping.

Also on Wednesday (at 3pm), the Senate Commerce Committee will hold a hearing (in SR-253) on “Financial Services and Products:  The Role of the Federal Trade Commission in Protecting Consumers, Part 2.” What’s at stake in this hearing is far more than financial regulation, but how pending legislation already passed by the House—originally the Consumer Financial Protection Act (CFPA), which was reborn as the “Wall Street Reform and Consumer Protection Act of 2009” (HR 4173)—would, if enacted, expand the FTC’s powers to regulate vast swathes of our economy.