On Wednesday, April 10, a bill “to Affirm the Policy of the United States Regarding Internet Governance” was marked up in the U.S. House of Representatives. The bill is an attempt to put a formal policy statement into statute law. The effective part says simply:

It is the policy of the United States to promote a global Internet free from government control and to preserve and advance the successful multistakeholder model that governs the Internet.

Yet this attempt to formulate a clear principle and make it legally binding policy has become controversial. This has happened because the bill brings to a head the latent contradictions and elisions that characterize U.S. international Internet policy. In the process it has driven a wedge between what was once a unified front by U.S. Democrats and Republicans against incursions into Internet governance by intergovernmental organizations such as the ITU.

The problem, it seems, is that the Democratic side of the aisle can’t bring itself to say that it is against ‘government control’ per se. Indeed, the bill has forced people linked to the Obama administration to come out and openly admit that ‘government control’ of the internet is OK when we exercise it; it’s just those other countries and international organizations that we need to worry about.

The U.S. has been deeply enmeshed in this contradiction ever since the World Summit on the Information Society in 2003-5, when it fended off criticisms of the U.S.-controlled ICANN while claiming to oppose ‘government control.’ In the meantime various US government agencies have (largely unconscious of or independently of the Internet freedom rhetoric) cast global shadows of hierarchy over various aspects of the Internet, seeking extraterritorial domain name takedowns, ACTA, restricted online gambling, cyber-weapons, and so on.

Until now, the contradiction has remained latent, a sotto voce muttering that the emperor has no clothes. Only a few hyper-critical academics (like us) were willing to articulate the argument, generally irritating everyone in the process. But now it’s out in the open. The double standard is humorously evident in this video showing the testimony of Rep. Eshoo, a Democrat of California, in the markup hearings. Rep. Eshoo says:

“…the expert agencies have expressed concern with the term, quote, ‘government control,’ unquote. One diplomat suggested that the use of his term could actually undermine existing Internet governance institutions such as ICANN because of its, uh, uh, close relationship with, uh, our government. Foreign countries frequently cite the close coordination between ICANN and US Dept of Commerce as an example of US quote ‘control’ over the internet.”

Well, yes, Rep. Eshoo, other countries do look at ICANN as a form of global Internet control exercised by one government. Are they wrong? ICANN gets its policy making authority over the DNS root directly from a contract with the U.S. government, and in exchange for receiving that contract ICANN has to stay in the U.S. and conform to various policies. This is not ‘close coordination;’ it’s control. Not even the slipperiest politician can plausibly deny this.

A similar double standard was raised in the response of Public Knowledge (PK), a U.S. public interest group. PK happily collected grants to join the U.S.-led charge against ‘government control of the Internet’ in the renegotiation of the ITU’s International Telecommunication Regulations. It joined in the anti-government rhetoric about how the Internet had to be left alone. Now it wants to clarify its position a bit:

we fear that the broad language of the proposed bill may intrude on areas of consumer protection, competition policy, law enforcement and cybersecurity long considered appropriate for national policy formulated by governments with input from civil society, business and the technical community.

Like Rep. Eshoo, PK is forced to distinguish between government control at home (the good kind) and government control that involves the rest of the world (the scary kind). Note that PK also tacitly accepts the description of different roles for government and civil society that the authoritarian states put into the WSIS Tunis Agenda: governments formulate policy and the rest of us just provide input.

Remember, at the end of the WCIT negotiations we were being told that an indirect reference to spam (“unsolicited bulk electronic communications”) in the ITRs opened the door to systematic content regulation on a global basis. Now PK is forced to admit that:

Although we opposed the ITU resolution to require countries to limit spam, the United States protects its citizens from spam through the CAN-SPAM Act.

Indeed. And why are domestic spam laws fine and international ones (that would have to be enforced by and consistent with those same domestic laws, and ratified by the same national legislature that passed the domestic laws) a threat to the very basis of free expression? According to PK,

Our opposition to ceding authority to the ITU to decide how to balance consumer protection and free expression is not because we see no role for government in protecting consumers or promoting competition. Rather, we believe those matters are best decided here at home, by a Congress accountable to the people and enforced by a government constrained by the Constitution.

So has PK gone cyber-nationalist? Like the Chinese, the Russians, the Saudis and the Iranians, does it want a balkanized Internet governed by a separate and distinct series of national sovereigns? If so, what, exactly, is wrong with the ITU as a venue for negotiating governance? The ITU is a global governance institution founded on the principles of national sovereignty.

We think its high time to call the bluff of American politicians and advocacy groups that play with this double standard. If they cannot bring themselves to embrace a principle of “a global Internet free from government control” it’s time to ask them what they do stand for.

Defending the legitimate rights of consumers to be protected against fraud or monopolies is not “government control” of the Internet, by any serious definition. By protecting individual rights to privacy, by challenging coercive and collusive monopolies and by prosecuting fraud, governments are maintaining individual freedom, not exerting control. It is worrisome, therefore, that allegedly liberal groups such as PK want to maintain an option for ‘government control’ at the level of broad principle.

The PK’s reversion to cybernationalism is both intellectually flawed and politically disturbing. Their attempt to distinguish between national laws and international ones falls apart completely when examined. Laws that overreach and over-regulate occur in both levels; PK simultaneously underestimates the dangers of government control at home (which is odd, given its involvement in issues such as CISPA) and overstates the dangers of international laws (which typically have to be ratified domestically and are subject to reservations).

Whether you are talking about China, Russia or the USA, you can’t have a free Internet and a national Internet. As a virtual space constructed out of a globally interconnected infrastructure, cyberspace realizes its highest potential when it is not artificially bounded by jurisdiction or hierarchically imposed filters. Right now, the biggest threats to internet freedom are from national governments. And while there are indeed aspects of communications that can and should be left to domestic regulation, any regulation that is too scary to be implemented at the international level probably poses many of the same dangers when enacted at the national level. The idea that we only have to worry about ‘government control’ when we are talking about foreign governments is obviously wrong.

The House bill articulates a worthy principle that can be and should be globally applicable to the Internet. Not controlling the Internet does not mean that there is no role for laws or regulations that safeguard individual rights; it means that national governments should recognize the Internet’s transnational nature and refrain from trying to suppress the rights to free expression and free association that have emerged in the context of a decentralized Internet not under the control of any sovereign.

For CNET today, I have a long analysis and commentary on the “Stop Online Piracy Act,” introduced last week in the House. The bill is advertised as the House’s version of the Senate’s Protect-IP Act, which was voted out of Committee in May.

It’s very hard to find much positive to say about the House version. While there’s considerable evidence its drafters heard the criticisms of engineers, legal academics, entrepreneurs and venture capitalists, their response was unfortunate.

Engineers pointed out, for example, that court orders requiring individual ISPs to remove or redirect domain name requests was a futile and dangerous way to block access to “rogue” websites. Truly rogue sites can easily relocate to another domain, or simply have users access them with their IP address and bypass DNS altogether.

There are millions of DNS servers, according to Verisign, so getting all of them to make the change would be impossible, splintering the system. And redirecting DNS requests is some sense introducing a bug in the system, one that is inconsistent with upcoming security measures aimed at protecting users from being hijacked.

But all the drafters of SOPA seemed to have heard was the part about “futile.” Their response has been to make the DNS provisions vaguer and more open-ended, in hopes that whatever mechanisms the rogue sites come up with to evade the law will also be illegal.  Blocking is now extended not just to “parasite” sites but to a “portion thereof,” for example.

And the Attorney General can now apply for injunctive relief against any “entity” that provides “a product or service designed or marketed for the circumvention or bypassing of measures” taken in response to an earlier court order.

Similar efforts are found throughout SOPA, particularly in the felony streaming provision, and the private right of action (or what the bill calls the “market-based system”) for private enforcement of copyright and trademark abuses.  Where clarity isn’t possible, the drafters have opted for vagueness, open-ended definitions, and hedges.  Even the term “including” is defined, to be clear that it means “including but not limited to.”

The point to criticism of Protect-IP was instead that it was impossible to regulate technology that is changing so quickly, and that any effort to do so would only prove obsolete on arrival.  As previous efforts from CAN-SPAM to ECPA and back make clear, you cannot future-proof legislation aimed at specfiic features of emerging technologies.

That, unfortunately, is exactly what SOPA tries to do.  And beyond making the legislation clumsy and imprecise, the intentional vagueness greatly increases the potential for unintended consequences.  I describe several unintentionally dangerous examples from SOPA in the CNET piece; other analysts have done the same in pieces listed at the end of this post.

Two good things I found in the 79-page draft:

1.  The failure of Protect-IP to define “nonauthoritative domain name server” has been addressed.  That term is now defined, and the definition looks correct to me.

2.  SOPA recognizes, at least, the better approach to solving the problem of foreign websites that blatantly violate copyright and trademark.  Near the back, Section 205 calls on the State and Commerce Departments to make enforcement of existing international law and treaties regarding information products and services a priority.  This includes the assignment of new attaches dedicated to information products.

Would that SOPA started and ended with this provision, there would be little basis to fault its drafters.  If the problem SOPA is attempting to solve, after all, is the scourge or foreign websites that distribute movies, music, and counterfeit goods without a license (often pretending to be legitimate), then surely the solution is one of foreign and trade policy and not micromanaging Internet protocols.

Instead, we have a bill that treats all U.S. consumers as guilty until proven innocent, and hands Hollywood the keys to the inner workings of the Internet.  Just what they’ve always wanted.

Worth reading:

• Ryan Radia, “Preliminary thoughts on SOPA “  (TLF)
• David Sohn, “House Copyright Bill Casts Dangerously Wide Net”  (CDT)
• Corynne McSherry, “Disastrous IP Legislation Back–and it’s Worse than Ever “  (EFF)
• Sherwin Siy, “House Version of Rogue Websites Bill Adds DMCA Bypass, Penalties for DNS Workarounds” (Public Knowledge)
• Mike Masnick, “E-Parasites Bill Ends Internet as we Know it”  (TechDirt)

Every once and awhile it’s worth taking a step back and looking at the long view of how Internet policy developments have unfolded and consider where they might be heading next.  We’ve reached such a moment as it pertains to efforts to police the Internet for copyright piracy, objectionable online content, privacy violations, and cybersecurity.  We’re at an interesting crossroads in this regard since the prospects for successful cracking down on copyright piracy and pornography appear grim.  Seemingly every effort that has been tried has failed.  The Net is awash in online porn and pirated content.  I am not expressing a normative position on this, rather, I’m just stating what now seems to be commonly accepted fact.

In the meantime, the United States is in the process of creating new information control regimes and this time its access to personal information and cybersecurity that are the focus of regulatory efforts.  The goal of the privacy-related regulatory efforts is to help Netizens better protect their privacy in online environments and stop the “arms race” of escalating technological capabilities.  The goal of cybersecurity efforts is to make digital networks and systems more secure or, more profoundly as we see in the Wikileaks case, it is to bottle up state secrets.

These efforts are also likely to fail.  Simply stated, it’s a nightmare to bottle-up information once it’s out there.  It doesn’t make a difference if that information we are seeking to control is copyrighted content, hate speech, dirty pictures, defamatory speech, secret diplomatic cables, or personal information.  Information is the blood that runs through the veins of the Internet and once it’s out it is pretty much Game Over. Commenting on the recent Wikileaks debacle over the release of diplomatic cables, Wall Street Journal columnist Daniel Henninger noted that “There is one certain fix for the WikiLeaks problem: Blow up the Internet. Short of that, there is no obvious answer.”  The same thing is increasingly true for these other types of information flows.

Now That’s A Lot of Information

As I pointed out in my recent essay, “Privacy as an Information Control Regime,” efforts to control information today are greatly complicated by problems associated with (1) convergence, (2) scale, (3) volume, and (4) unprecedented individual empowerment / user-generation of content.  It’s the volume problem that I want to spend a bit of time on here today.

As I noted in that previous essay, the sheer volume of media and communications activity taking place today greatly complicates regulatory efforts. In simple terms, there is just too much stuff for policymakers to police today relative to the past.

Let’s put some hard numbers on this problem.  IDC’s 2009 report, “The Digital Universe Ahead — Are You Ready?” provides the following snapshot of the data deluge:

• Last year, despite the global recession, the Digital Universe set a record.  It grew by 62% to nearly 800,000 petabytes.  A petabyte is a million gigabytes.  Picture a stack of DVDs reaching from the earth to the moon and back.
• This year, the Digital Universe will grow almost as fast to 1.2 million petabytes, or 1.2 zettabytes.
• This explosive growth means that by 2020, our Digital Universe will be 44 TIMES AS BIG as it was in 2009.  Our stack of DVDs would now reach halfway to Mars.

And here’s a little something from the Global Information Industry Center’s report on “How Much Information?”:

In 2008, Americans consumed information for about 1.3 trillion hours, an average of almost 12 hours per day. Consumption totaled 3.6 zettabytes and 10,845 trillion words, corresponding to 100,500 words and 34 gigabytes for an average person on an average day. A zettabyte is 10 to the 21st power bytes, a million million gigabytes. These estimates are from an analysis of more than 20 different sources of information, from very old (newspapers and books) to very new (portable computer games, satellite radio, and Internet video). Information at work is not included.

(How about that caveat: information at work is not included!!)

To put all these petabytes and zettabytes in some context, here’s a chart that appeared in an Economist essay back in February entitled, “All Too Much: Monstrous Amounts of Data“:

These are mind-boggling numbers.  As the Economist chart suggests, it’s hard to even fathom what “yottabytes” entails, but that’s what’s next.

Anyway, let’s return to the privacy wars and think about the volume problem in that context. Today we’re hearing proposals to regulate online services (advertising networks) or software (web browsers) to clamp down on the flow of information.  The so-called “Do Not Track” mechanism is one potential solution that has been floated in the regard.

This reminds me of the illusive search for a “simple fix” or silver-bullet solution to online pornography.  The PICS /ICRA experience is instructive in this regard. That would be the W3C’s Platform for Internet Content Selection and Internet Content Rating Association.  For a time, there was hope that voluntary metadata tagging and content labeling could be used to screen objectionable content on the Internet.  But the sheer volume of material to be dealt with made that task almost impossible.  The effort has been abandoned now.  Of course, it’s true that effort didn’t have a government mandate behind it to encourage more widespread adoption, but even if it would have, does anyone really think all porn or other objectionable content would have been labeled and screened?

Similar problems await information control efforts in the privacy realm, even if a mandated Do Not Track mechanism required the re-engineering of web browser architecture.  Those who think Do Not Track would slow the “arms race” in this arena are kidding themselves.  If anything, a Do Not Track mandate will speed up that arms race.  Take a look at how well The CAN SPAM Act worked in practice if you want another example.

Selective Morality

Now, let’s pretend for a moment that I am wrong about all this in the privacy space and that the FTC and Congress somehow find a workable mechanism to control flows of personal information and can clamp down accordingly.   Again, I don’t believe it will happen, but if it did, doesn’t that mean it’s equally likely that the same mechanism would be used to crack down on speech, expression, copyrighted content, state information flows, or whatever else?

Perhaps that’s not a bad thing from your perspective, but what I find entertaining about this debate is how the folks who support an aggressive information control regime for privacy purposes generally also oppose  information control efforts as it pertains to speech, expression, copyright, or state secrets.  There’s a bit of selective morality at play here.  When it comes to personal information, the attitude seems to be that we must ‘pay any price, bear any burden,’ even going so far as to property-tize personal information flows.  In every other case, however, the attitude seems to be: Let information flow.

Regardless of one’s disposition on these matters, my point here is more simple: the information will flow.  Indeed, I think it is safe to say that there is a strong and growing negative correlation between the aggregate volume of data flowing across digital networks and the ability of policymakers to control those information flows. The recent Wikileaks release has made that new fact of life more evident to the world, but the ongoing IP wars might also hold some lessons for us in this regard.

Consider the thoughts of Sydney-based consultant Mark Pesce, who compares the two experiences.  He writes:

We’ve been here before.  This is 1999, the company is Napster, and the angry party is the recording industry.  It took them a while to strangle the beast, but they did finally manage to choke all the life out of it – for all the good it did them.  Within days after the death of Napster, Gnutella came around, and righted all the wrongs of Napster: decentralized where Napster was centralized; pervasive and increasingly invisible.  Gnutella created the ‘darknet’ for filesharing which has permanently crippled the recording and film industries.  The failure of Napster was the blueprint for Gnutella. In exactly the same way – note for note – the failures of Wikileaks provide the blueprint for the systems which will follow it, and which will permanently leave the state and its actors neutered.

And it is likely a blueprint for what will happen in the privacy arena as well.

Conclusion

Again, I want to be clear that the point of this essay has not been to endorse or celebrate copyright piracy, widespread porn, privacy violations, release of state secrets, etc.  We’ll all have differences of opinions on these matters.  But there’s simply no getting around the fact that all these problems are all likely here to stay and, barring extreme crackdowns, it’s very hard for me to imagine how government might reverse that tide.

In the extreme, I suppose we could follow the Chinese mode and firewall off digital networks, effectively nationalize ISPs, and then pay citizens to inform on each other about various transgressions.  Or, we could impose punishing forms of liability on digital intermediaries — effectively deputizing online middlemen and making them servants of the State.  But such extreme solutions would have nightmarish ramifications for the future of the Internet and digital communications networks.  We have to ask ourselves how far we want to go to control information flows.

Two privacy bills are already up for consideration. And at yesterday’s Senate Commerce hearing on Consumer Online Privacy, we heard Senator Kerry announce that he will be working on new legislation to regulate online privacy.  While we wait to see what Kerry will offer, NetChoice has concerns over the bills we do know about:  Rep. Rush’s “Best Practices Act” and the Boucher/Stearns Discussion Draft. Our side-by-side comparison identifies four concerns:

• Both proposals would regulate small websites that don’t even collect PII. Boucher-Stearns would regulate a tiny online startup that is adding just 100 users a week, even where its users provide only a made-up user name and password. As defined, “covered information” would overly restrict the flow of useful information and harm the development of ad-supported content and services.
• Safe harbor? Hardly! A company could be torpedoed with lawsuits from enterprising trial lawyers just for sending marketing emails that were later found to be outside of the safe harbor, up to $1,000 per violation and uncapped punitive damages.
• Marketing and advertising have legitimate operational purposes. Additional consent should not be required when a business uses covered information to do follow-up marketing to customers with whom it has already established a business relationship. Congress has recognized this consumer expectation in past legislation, which is why it built important exceptions in the CAN-SPAM Act for “relationship messages” to contact customers in an existing business relationship.
• The FTC should enforce laws against unfair or deceptive practices, not micromanage self-regulatory efforts. As the overseer of the safe harbor program, the FTC will have broad powers to dictate the details of self-regulatory programs, effectively transforming the FTC into the port authority of the Internet.

We’re also worried about the Rush bill mandate requiring access to information. It broadly applies to covered or sensitive information about individuals “that may be used for purposes that could result in an adverse decision about an individual….”

More analysis to come.

Now is a critical time for online commerce as policymakers assess their approaches to privacy. And as NetChoice says in our comments filed today, now is the perfect time for the Department of Commerce to be more involved in privacy issues.

What? We’re calling for more government involvement in a politically charged issue? Yes, and here’s why it’s an appropriate response to the Commerce Dept’s Notice of Inquiry.

Data flows today are much more complex than they were even a decade ago.  Simple one-way transfers between one country and another have been replaced by multinational corporations that transfer data across multiple jurisdictions on a daily basis.

Because of this, privacy-related laws and regulation can have a broad impact on the growth of online commerce, not just here in the U.S. but across the globe. And as a voice for commerce, the Department of Commerce should promote pro-commerce policies over there (EU, Asia, elsewhere) and over here (in the U.S.).

Here’s what we say in our comments:

• The Commerce Department should act as an international ambassador for innovative American online companies.  The Department can play an important role as a government-to-government advocate for flexible international rules to promote continued innovation and economic growth.  And as a government agency speaking to other government agencies, the Commerce Department can bring credibility and leverage that cannot be matched by corporate interests alone.

• Domestically, the Commerce Department should work with the FTC to step-up state and federal enforcement against unfair or deceptive information practices. Aggressive enforcement will help foster a better climate for innovation than would expanded regulation. New regulations are followed only by legitimate businesses who were already complying with the old regulations. Bad actors, on the other hand, ignore both old and new regulations with impunity (e.g., Spammers are still spamming even after the FTC issued new regulations pursuant to the CAN-SPAM Act).

But whether it is overseas or here in the U.S., we advocate that the Commerce Department promote a privacy framework that is flexible enough to permit innovation, and that opposes static laws that undermine consumer interests in improved online services.

For the past month, online companies have considered the privacy legislation discussion draft from Rep. Boucher and Stearns. The legislation is a broad attempt to set privacy defaults for the collection, use and sharing of information on the Internet.

Last Friday, NetChoice submitted comments to Rep. Boucher and Stearns.

While there are some aspects of the bill to like (eg. no private right of action), we’re worried that the bill does too much, too soon, to set opt-in or opt-out defaults. We explored in a previous post why flexibility in setting user defaults is important for continued social network innovation.

Fortunately, open and thoughtful consideration of this matter can continue without undue pressures to find a quick fix for privacy. Because while there have been state legislative proposals on privacy, there is not now a patchwork of state laws creating unworkable compliance challenges for interstate e-commerce. In other words, we can take our time and get this right.

Our comments discuss how the draft bill would interfere with four commonplace scenarios for collecting and using information. Here’s one of ’em:

1. The Operational Purpose exemption in this draft legislation is too narrow, in that it does not permit use of covered information for marketing or advertising to existing customers.

   Case 1: A consumer buys a new washer and dryer and writes her email address on a product registration card. That’s an Operational Purpose, so no consent is required to collect the info.

But if the retailer later wants to send an email offering an extended service contract, he has to first obtain consent to send the email, since that’s a use of covered information for marketing purposes. Additional consent should not be required when a business uses covered information to do follow-up marketing to customers with whom it has already established a business relationship. Customers expect their vendors and suppliers to offer upgrades, options, service contracts, etc. Congress has recognized this consumer expectation in past legislation, which is why it built important exceptions in the CAN-SPAM Act for “relationship messages” to contact customers in an existing business relationship.

But the Operational Purpose exemption is denied if the business uses any covered information for advertising or marketing — to its own customers. This would force businesses to first request consent from their customer before contacting them with information about additional services or products. A low response rate to these permission requests will mean that fewer customers will learn about products and services they value, and businesses will have to spend more to market to existing customers.

Read the other three here.

Here are a few fake tech news headlines I wish I’d seen today:

• Foreign Affairs: Google, Taiwan Announce “Merger of Equals” to Counter China
• SFGate: Facebook Gives in to Privacy Demands; All Information Now Inaccessible by Default
• CongressDaily : Congress to Vote by Twitter, Hashtag Landgrab Begins for Clever Bill Acronym Titles
• Broadband Breakfast: FCC Nationalizes Broadband Providers, Free Press Says “Important First Step”
• Worker’s Daily : Obama to Create Department of Journalism, Promises End to “Media Meddling” in Politics
• Federal Times: FCC Asserts Ancillary Jurisdiction over 2010 Census, Claims Measuring Population First Step in Measuring Broadband Use (Adam Marcus)
• SearchEngineWatch: Yahoo!’s “e.g.” Browser Latest “i.e.” Competitor, Privacy Advocates Demand Yodeling Opt-In (YaHOOOOOOOOOOO!)
• Privacy Times: Google Critics Scott Cleland, Jeff Chester Form Bi-Partisan “Elgoog Institute” to Expose Google Evil
• London Times: Microsoft Pulls Windows Operating System from Europe to Protest “Great Wall of Brussels” Antitrust Protectionism
• CircleID: ICANN-DY Wall Calendar with Hotties of Internet Governance, CEO Beckstrom to Reprise Scott Brown Centerfold
• MediaPost: FTC Bans Blogging, Wikipedia as “Unfair” & “Deceptive”
• The Hill: Court Rules Bush Wiretapping Illegal; Obama Administration Vows Not to Reveal Own Illegal Wiretaps
• E-Commerce Today: Amazon.com Relocates Facilities to Amazon River to Avoid U.S. State Sales Taxes, Too Late for Carnaval
• Communications Daily: Hugo Chavez Rumored Replacement for Retiring FCC Commissioner, Promises Not to Regulate Internet
• Washington Post: Obama Makes Good on Campaign Transparency Promises, Installs 24/7 Webcams Throughout White House
• New York Times: New Study: Kids Under 13 Suddenly Start Lying about Age to Evade COPPA Parental Consent Requirement
• Gawker: State of the Net Conference Again Frustrated by Insufficient Bandwidth, Organizers Promise More Traffic Management Next Year (Adam Marcus)
• Moscow Times: Russian Hackers Demand FCC Impose Data Portability Backdoors
• Tech Crunch: Nigerian Spam Kings Applaud US CAN-SPAM Law as Useful Fiction, Good for Overseas Competition
• Daily Caprican: Caprican Communications Commission Announces Goal of Universal V-World Access, Demands V-Neutrality
• Universe Today: FCC Scraps “Gateway Device” Plan, Just Gives $1 Billion to TiVo (Adam Marcus)
• USA Today: FISA Court Judges Take Permanent Vacation, Nobody Notices (Adam Marcus)
• Seattle Times: Microsoft Unveils Own Social Networking Service, Makes All MSCE-Certified Admins “Mayors” (Adam Marcus)

Hey, they don’t pay us to be funny! Feel free to share your favorite mock headlines below.

The Federal Trade Commission (FTC) today announced the release of an 18-page Request for Public Comment (embedded below) on its implementation of the Children’s Online Privacy Protection Act or 1998 (COPPA), which governs online sharing by, and collection of information from, children under age 13. The FTC had previously announced that it would accelerate the review, which had been planned for 2015, particularly because of concerns about the mobile marketplace, as noted in the FTC’s report on that topic released in February.

COPPA has undoubtedly succeeded in its primary goal of enhancing parental involvement in their child’s online activities in order to protect the privacy and safety of children online.  Yet these benefits have come at a price, as COPPA’s considerable compliance costs (estimated at $45/child, which can be crushing in the era of “free”) have likely reduced the digital media choices available for children.  So I’m glad to see the Commission recognize these trade-offs by asking about the costs and benefits of COPPA and any proposed changes right off the bat (Questions 1-5). Such trade-offs are an inevitable part of life and policymakers can’t simply ignore them, even when it’s “for the children.”

The Potential for COPPA Expansion

I look forward to seeing comments on the important questions raised by the Commission about precisely how best to implement the framework enacted by Congress.  But I do worry that the Commission has explicitly invited proposals for legislative changes to the statute itself. In particular:

6. Do the definitions set forth in Part 312.2 of the Rule accomplish COPPA’s goal of protecting children’s online privacy and safety? … 28. Does the commenter propose any modifications to the Rule that may conflict with the statutory provisions of the COPPA Act? For any such proposed modification, does the commenter propose seeking legislative changes to the Act?

Note that question #6 does not include the critical limitation “consistent with the Act’s requirements,” which appears no less than 17 times in subsequent questions about specific aspects of the current rules. Whatever the FTC intended, this will omission, combined with question #28, will be taken as an open invitation by many to propose not just changes in how the COPPA rules are implemented, but wholesale revisions to the COPPA statute itself.

(In this sense, this inquiry is somewhat reminiscent of the FCC’s far more open-ended inquiry in its related “Empowering Parents” proceeding, where the FCC all but asked commenters to draw up new statutory authority for the agency and go lobby Congress to enact it. Check out the joint comments PFF filed with EFF in that important proceeding.)

Most troubling would be any proposal to extend COPPA to cover adolescents age 13-17—which Congress considered, but rejected, back in 1998 in recognition of the free speech rights at stake. As Adam Thierer & I explained in our June 2009 PFF paper, COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, at least four states have considered such “COPPA 2.0” laws in recent years. Maine actually passed such a law last summer but decided not to enforce it and gave up on trying to amend it, as Braden recently explained. (See my testimony on that new Maine law here.)

In practice, such COPPA 2.0 laws would require age verification of all visitors to general audience websites, and would likely therefore be struck down by the courts on First Amendment grounds for much the same reasons the courts have struck down efforts to require age verification for access to pornography. In essence, a “scaled-up” COPPA would converge with COPA as a broad age verification mandate, as we explained in our COPPA 2.0 paper. Furthermore, such broad age verification mandates could, ironically, reduce online privacy by requiring more information to be collected from both adolescents and adults for age verification purposes, while doing little to make adolescents safer.

Even if COPPA’s age bracket is not expanded, I worry that broad revision of key terms like “collection” (Question #10) and “personal information” (#12-13) could have serious unintended consequences for online advertising and data use, which are the lifeblood of the online ecosystem.

COPPA Under the “FTC On Steroids”

Both these concerns will grow significantly if the FTC succeeds in obtaining sweeping new powers in pending legislation related to financial reform. Although Rep. Barney Frank’s “Wall Street Reform and Consumer Protection Act of 2009” (H.R. 4173) is mostly famous for creating a Consumer Financial Protection Agency, it would also “put the FTC on steroids,” in the words of Jim Miller, FTC Chairman from 1981 to 1985.

In particular, the bill would give the FTC broad APA rulemaking authority. Today, the FTC can issue rules only subject to certain important procedural safeguards, but Congress has given it specific mandates to issue narrow rules under the APA in particular areas—like COPPA and CAN-SPAM. If such legislation were ultimately enacted (which now depends on the Senate), the FTC could conceivably supplement COPPA’s rules for kids under 13 with its own APA rules for older kids—and Congress would never have to revisit the issue at all. Indeed, it’s not clear how the COPPA statute would continue constrain the agency in reshaping the COPPA rules.

But even if the FTC doesn’t take such a drastic step to expand COPPA, the new enforcement powers the FTC would gain under HR 4173 could transform how COPPA is implemented. For the first time, the FTC would be able to impose civil penalties for any violation of Section V of the FTC Act, including violations of COPPA; bring suit on its own rather than going through the DOJ; and go after parties that merely provided “substantial assistance” to those that violated COPPA. In such an enforcement environment, the potential cost of violating COPPA could become astronomical, as every separate violation (even on a per user or per day basis) could be subject to a fine of up to $16,000.

FTC Chairman Jon Leibowitz has pushed for all this authority, including at Senate testimony back in February, but promised to use these powers only wisely. However, when pressed to enumerate areas in which APA rulemaking authority would be helpful, Leibowtiz could only respond that, “…we’d really want to […] think for a while if we got this authority about what we wanted to do and what we wouldn’t want to do…” So… does that include COPPA, Mr. Chairman?

Chairman Leibowitz may not intend to use these powers to expand COPPA or radically change COPPA enforcement, but as I’ve said, I fear these soothing promises of regulatory restraint will ultimately prove hollow, if not under this FTC Chairman, then under his successors. And any discussion of re-writing COPPA has to take into consideration such radical changes in the FTC’s rulemaking and enforcement powers.

What about Education?

Finally, I’m surprised to see that the word “education” is used nowhere in the FTC’s Request for Comments. Just about everyone involved in debates about online child safety and privacy would agree that the solution begins with education—even if it doesn’t end there. One might have thought the FTC would ask about whether effective implementation of COPPA’s goals required more education efforts rather than (or perhaps in combination with) stricter regulations—especially since the FTC has done such a terrific job with its own education efforts, such as:

• OnGuard Online, the inter-agency website intended to educate all Internet users about online safety
• NetCetera, the FTC’s excellent child safety effort
• The “You Are Here” virtual mall launched by the FTC last year to educate kids in 5th-8th grade (age 10-14) about marketing both online and offline.

What’s Next

Comments on the COPPA review are due June 30, 2010. Adam Thierer and I will definitely be filing comments on behalf of PFF. If you’re planning to file, too, and would like to compare notes, we’d be happy to hear from you.

FTC COPPA Review Request for Comments – March 24 2010 http://d1.scribdassets.com/ScribdViewer.swf

That’s basically what FTC Chairman Jon Leibowitz told the Association of National Advertisers when he spoke to their “Advertising Law & Public Policy” conference last Thursday. As I noted last week, there’s intense pressure in Congress to pass a financial regulatory overhaul and, unfortunately, the version passed by the House in December—Rep. Barney Frank’s “Wall Street Reform and Consumer Protection Act of 2009” (H.R. 4173)—would also grant the Federal Trade Commission vast new powers for all its regulations, not just those relating to the non-bank financial institutions it currently regulates. In particular, HR 4173 would:

• Make it far easier (and not just faster) for the FTC to issue all kinds of new regulations on its own, without a specific Congressional mandate to do so and instead of relying on case-by-case enforcement to punish “unfair” or “deceptive” acts and practices;
• Reduce public input into those regulations;
• Impose heavy civil penalties on companies before notifying them that a practice might be “unfair” or “deceptive”;
• Prosecute those who merely provided “substantial assistance” to someone engaged in “unfair” or “deceptive” acts or practices; and
• Sue on its own authority, instead of through DOJ (as now).

I summarized my concerns about this bill in this short interview with PFF’s new communications director, Mike Wendy, last week: [display_podcast]

Leibowitz has lobbied hard to have his agency put on steroids (as former FTC Chairman Jim Miller put it), asking for all these things, as well as more funding, at the first Senate hearing on Hr 4173 back in February. (Conveniently, he was the only witness!) He repeated his calls for these powers on Thursday but tried to allay fears about how they’d be used. As Communications Daily reports:

The FTC would use expanded authority only where consumers suffer “significant harm,” bad behavior is common in the industry, standards would improve practices and the expected burdens are “reasonable,” Leibowitz said. “We’d be really stupid if we try to solve every problem in American society with a rule,” he said, so the commission will use any new authority “very judiciously….”  Where business practices and consumer expectations are “evolving,” self-regulation is working and First Amendment issues are involved, the FTC would hold back, he said… [including] behavioral advertising and marketing to children. It would show “enormously bad judgment to pursue those matters, Leibowitz said. “We do believe in self-regulation.”

I’m glad to hear Commission Leibowitz say all this but… well, I fear these soothing promises of regulatory restraint will ultimately prove hollow, if not under this FTC Chairman, then under his successors (just as I am not comforted by FCC Chairman Julius Genachowski’s similar promises not to regulate the Internet, no matter how sincere he may be). Strangely, Leibowitz promises the FTC will regulate only when “bad behavior is common in the industry”—and yet HR 4173 would eliminate the requirement of the FTC’s current Magnuson-Moss rulemaking procedures that a regulated practice must be “prevalent.” (The Direct Marketing Association’s Linda Wooley discussed this critical issue in detail in her testimony.) This illustrates a broader point: the whole point of restraining our regulatory agencies by statute is that we all know better than to trust a regulator when he says, “Oh, don’t worry, we’re not really going to use all that power—and if we do, we’ll be sure to use it carefully!”

The FTC May Need New Focused Mandates, But Not More Broad Powers

Leibowitz singled out “negative-option marketing (where marketers presume consumers want a certain product and charge them for it unless they opt-out) as an example of the kinds of scams the FTC would use its new powers to punish. Perhaps he’s right that the FTC may not be able to adequately address such unfair and deceptive practices today. But it does not follow that this requires increasing the FTC’s powers across the board. Sen. Kay Bailey Hutchison hit the nail on the head in her remarks at last week’s Senate Commerce Committee hearing on HR 4173:

In evaluating whether, and how, to change the scope and extent of FTC regulatory authority, I believe we must first ask whether there is a particular exigency, or area of consumer harm, that is so pervasive that the FTC’s existing enforcement capabilities and rulemaking processes are not sufficient to address the issue.  Second, if there is such an exigency, is the proposed legislative change broadly applied, resulting in greater regulatory burdens across a wide range of industries, or is it appropriately narrow to provide the FTC greater ability to develop rules and carry out enforcement actions directly relevant to that exigency.  Third, we need to consider whether the FTC has sufficient personnel in key areas of its responsibility to carry out its enforcement and consumer protection mandates.

In written testimony, FTC Commissioner William Kovacic supported retaining Moss-Magnuson’s additional procedural safeguards because:

While many other agencies do have the authority to issue rules following notice and comment procedures [under the Administrative Procedure Act (APA)], the Commission’s rulemaking is unique due to the range of subject matter (unfair or deceptive acts or practices) and sectors (reaching broadly across the economy, except for specific carve-outs). Except where Congress has given the FTC a more focused mandate to address particular problems, beyond the FTC Act’s broad prohibition of unfair or deceptive acts or practices, I believe that it is prudent to retain procedures beyond those encompassed in the APA.

Congress has already enacted several such statutes, such as COPPA, telemarketing, the CAN-SPAM Act and mortgages, and if the FTC could identify particular problems that require a new mandate to issue rules under the APA. Yet, as Linda Wooley noted in her testimony, when Commissioner Leibowitz was asked at last month’s hearing to enumerate areas in which APA rulemaking authority would be helpful, he could only respond that, “…we’d really want to […] think for a while if we got this authority about what we wanted to do and what we wouldn’t want to do…”

William Allen Rogers's 1904 cartoon recreates an episode in Gulliver's Travels, with T.R. as Gulliver

In other words, Leibowitz wants Congress to write his agency a blank check to do whatever it deems necessary in the future. Specifically, the FTC would get to decide which issues were appropriate for preemptive regulation, as well as achieving much the same effect of aggressive regulation through litigation designed to intimidate—imitating Teddy Roosevelt’s approach to foreign policy: “Speak softly and carry a big stick!“

We’ve been down this road before. In the 1970s, the FTC so thoroughly abused its uniquely vast jurisdiction by issuing rules to, among other things, ban advertising to children, that it was dubbed the “National Nanny” by the Washington Post—hardly a Thatcherite bastion. This experience led Congress in 1980 to impose the procedural safeguards that would be repealed by HR 4173. Congress was so angry it actually briefly shut down the agency to make it clear that it had not dubbed the agency a regulatory knight errant, free to tilt its steely lance at imagined windmills of “unfairness” or “deception.”

The Dodd Bill: A Welcome Alternative to HR 4173

HR 4173 was sent to the Senate in December, and in January, the bill was referred to the Senate Banking Committee, chaired by Sen. Chris Dodd. The Senate Commerce Committee, which held the two hearings discussed above, has jurisdiction only over the bill’s implications for non-financial regulation. So the two committees will have to work out some kind of compromise before the Senate can pass a bill—which will probably have to be reconciled with what the House passed. That procedural posture is important because it means the Senate has the opportunity to do what the House did not: Pause and consider whether financial overhaul really requires reinventing the FTC as the “National Nanny” it was well on its way to becoming back in the 1970s—and, in particular, what such a radical change to the FTC’s powers would mean for the Internet and other media regulated by the agency.

The good news is that Sen. Dodd’s draft 1336-page legislation seems to do precisely what Sen. Hutchinson and others have suggested: Change the FTC’s authority only with regards to a particular problem—in this case, financial regulation. (Dodd’s bill differs in a number of other respects from HR 4173). In a nutshell, Dodd’s bill would transfer the FTC’s consumer financial protection functions to the newly created Bureau of Consumer Protection at the Federal Reserve, but the FTC could also punish violations of the bill’s financial protections on its own under Section 5 of the FTC act.  Further, the Fed’s BCP would have to consult with the Federal Trade Commission before imposing any regulations. The FTC could impose civil penalties, but only for “knowing violations” of the CFPA Act—i.e., only for financial offenses. In an important recognition of the dangers of unbridled agency discretion, the Dodd bill also imports the FTC’s existing definition of “unfairness” as requiring that an act or practice be “likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers” and which is “not outweighed by countervailing benefits to consumers or to competition.”

The bad news is that Dodd’s bill is unlikely to be the final word on the FTC’s authority, as Sen. Rockefeller’s Commerce Committee may insist on some or all of the provisions of HR 4173 that expand the FTC’s powers across the board among a flurry of other amendments. Still, whatever its other shortcomings or advantages, Dodd’s bill offers a path forward for financial overhaul that does not require remaking the FTC—and thus transforming regulation of the Internet, other media, advertising, cyber-security and privacy—among many other things. And for that, the Dodd bill deserves careful consideration as an alternative to just giving the FTC all the power it could ever want, and then just hoping the agency doesn’t abuse it—which is essentially what Chairman Leibowitz, much like the FCC’s Chairman Genachowski, is suggesting we do.

Congress gets dinged a lot for slowing down innovation, but sometimes that is just what the doctor ordered. Thirty-five years ago, a Democratically controlled Congress passed the Magnuson-Moss Act in an attempt to check a hyperactive FTC.

Like a kid set loose in a candy store, the FTC at the time had gone on a binge of overreaching and harmful regulation. The core enabler of this action is the exceptionally broad mandate bestowed on the agency to regulate all “unfair” consumer activity. Unlike regulating the structural stability of bridges or safety in food, “fairness” is a subjective concept.

Congress’ prudent action to place special restrictions on FTC rulemaking [15 U.S.C. Sect. 57a(b)(2)(A)] was in direct response to the agency’s overreach and regulation of activities that would have included advertising children’s products – in essence, acting like a kid in a candy store. Magnuson-Moss was the equivalent of putting the candy behind the counter, providing Congress and courts control over how much candy was appropriate.

Now, 35 years later, the FTC has that ‘unfairness feeling’ again. In a NY Times interview last month, FTC Chairman Jon Leibowitz signaled his intent to change standard marketing tactics of disclosure and opt-out, by requiring users to opt-In for collection of information for targeting ads.   They are concerned about what’s “fair” in advertising, but we know that low rates of opt-in will reduce ad revenue. If the change were put into effect, free online services might have to charge a “fare” to users.

At the same time, the FTC is seeking to shed what the Chair called “medieval restrictions” on its rulemaking powers.  A change that would allow the FTC to move quickly to require opt-in. Taken together, these threats to online services and e-commerce are #1 on the NetChoice 2010 iAWFUL list.

Earlier in the 111th Congress, legislation was passed in the House to reform financial services regulatory mechanisms. The bill expanded FTC rulemaking authority, even though the FTC wasn’t blamed for failing to regulate trade that contributed to the financial crisis.

A similar Senate bill addressing financial regulatory reform did not change FTC rulemaking powers.  Fortunately, at a Senate Commerce hearing on February 4, several Senators challenged Chairman Leibowitz as he made the case for an expedited rulemaking process.

The specific purpose of the Magnuson-Moss Act was to enact safeguards that restrain the FTC’s ability to unilaterally deem certain practices “unfair” and, in turn, to expand its authority in many areas including banning broad categories of advertising.

These safeguards include important procedures that allow for enhanced stakeholder participation, require a detailed evidentiary record before the FTC can create new rules, and enable courts to scrutinize rulemakings as a valuable check to ensure proper process and evidentiary support.  

The current process through which the FTC promulgates rules, as established by the long standing Magnuson-Moss Act, is a proven and effective vehicle for the regulation of business that provides the Commission with authority to punish businesses that act in a deceptive manner.

Chairman Leibowitz argued that his agency strains to make timely rules. But Congress has demonstrated time and again that when it wants the FTC to move quickly, it will direct the FTC to do so. For example, both the COPPA and CAN-SPAM laws gave the FTC rulemaking authority – under the expedited APA process [5 U.S.C. Sect 553] – allowing the FTC to issue regs quickly.

The bottom line is that new regulations are not necessary to hold legitimate businesses accountable for their actions. Outlaws who spam and scam are STILL spamming and scamming after the FTC issued regulations.

A new era of increased regulatory promulgation at the FTC would harm law-abiding competitors and consumers while failing to address those who operate outside the law. To address these individuals, aggressive enforcement seems more relevant than expanded regulation.

This is why the FCC’s campaign for an expedited rulemaking process is the equivalent of handing a child the keys to a candy store, and the reason why it tops the 2010 iAwful list.

Chris Soghoian has responded to my recent post lauding his Targeted Advertising Cookie Opt-Out (or “TACO” – documented and downloadable here). We’re agreed in the main on user empowerment. The interesting stuff is on the margin: He disagrees with me that blocking third party cookies as I do (and he does too) is a satisfactory approach to suppressing tracking by advertisers.

There are a couple of points worth making about the discussion.

The first has to do with our slightly differing objectives. Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing – and there are many.

Again, TLF readers, I ask you to try setting your browser to query you before setting cookies. It’s a real insight into the dozens of entities getting a look at you as you surf, including a bunch of social networks and news sites.

If “advertisers” are what you seek to harness, that seems like a group that can be captured through some kind of centralized control mechanism. (I don’t think it actually is.) But if your goal is privacy as against all comers, you don’t attempt to centrally plan or decide who is good and who is bad. Responsibility rests with the end user.

Let the goal be “advertisers,” though. And I ask: Those social networks and news aggregators – are they “advertisers”? If you’re going to require a subset of Web communicators to obey opt-out cookies, you have to be able to define that subset – a problem Chris doesn’t seem to have thought about yet.

Lots of different publishers, sites, and networks have data that is entirely fungible with the tracking data advertisers collect. What do you get if you push down on the “officially advertisers” part of the balloon? Workarounds.

But I’ve backed into the second point – the means to these ends. Chris soft-pedals how he would get at tracking, but as far as I can tell it’s a law that says “advertisers” have to obey opt-out cookies.

Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.

Is it by magic that they “cannot ignore” opt-out cookies? No, it’s by law.

With the right law in place, Chris appears to believe, “[t]he Federal Trade Commission and Congress would likely take an interest” when advertisers tried to skirt opt-out cookies, using other technologies to glean information about Web surfers’ interests.

His hope is to end the “arms race” in which users have to constantly chase the shifting tactics advertisers use to track them. It’s a fair point: There is a constant, rolling change in how the Web is used by publishers, advertisers, and consumers to interact and trade the data each produces.

That is an “arms race” only if you’ve adopted the rigid, war-like stance that tracking by advertisers is inherently wrong. It’s not. Berin and Adam, who have done a lot more work than me on this lately, have done a good write-up of the subtleties. What Chris calls an “arms race” is better thought of as a constantly unfolding negotiation among all parties about the terms of the content-for-advertising bargain.

I believe, as a person who dislikes third-party cookies, that offering them to my computer in the hopes of gleaning some information is not wrong. Some people think it’s horribly wrong. Most people are indifferent.

Who’s right? Everyone and nobody. There doesn’t have to be one answer.

But should the terms of use for the Web be written by a vociferous minority (i.e. Chris) that can’t persuade the public to refuse tracking using the tools available to them? Perhaps the demand for control comes because the public won’t be persuaded.

Now that would be wrong – regulating cookies to force “protection” on a public that could seek it for itself, but won’t. That would deprive “advertisers” – we still don’t know who they are – of freedom and communications channels, it would deny publishers revenues, and it would deny consumers content they want and enjoy.

But let’s talk about arms races. Chris seeks exit from the so-called arms race on the technical and user side in favor of an arms race in the legislative and regulatory world. The law he imagines – so perfect as it resides there in his head – would have to be passed by Congress and implemented by a regulatory agency like the Federal Trade Commission.

Each of these regulatory bodies is under constant, well, “siege” by phalanxes of lobbyists, paid to advocate the views of their clients, including ” advertisers.” There is no realistic hope that Chris’ opt-out cookie law would make it through that in the form he wants. Defining what one means by “advertisers” is a gruesome task, with likely First Amendment problems. Instead of the clean bill Chris imagines, it would be perverted (from Chris’ perspective) by lobbying and special-interest influence. Remember when Congress passed a law alleging it would prevent spam?

Chris would transfer the arms race we’re in now – where consumers are in control, if apathetic – to a field where consumers are not in control and very apathetic, believing that they are protected by the government. This is the approach preferred by victims of the fatal conceit, who think that they can design society better than society can design itself. (Berin has done a terrific job of lambasting the Center for Democracy and Technology for its similarly conceited, blindly pro-regulatory armchair quarterbacking on the online advertising issue.)

Plenty of people dream about regulation that works, of course. The SEC’s failure to protect investors in the Madoff case provides one more example among many where law and regulation failed utterly to protect consumers – and by its existence encouraged their irresponsibility.

It is damaging folly to try protecting consumers from the tracking advertisers do when consumers can just as well protect themselves.

Braden has noted the release of John McCain’s tech policy–rightly decrying McCain’s socialistic community broadband concept.  But far more outrageous, in my view is this bit of doublethink.  First, the good part we should all applaud:

John McCain Has Fought to Keep the Internet Free From Government Regulation The role of government in the Innovation Age should be focused on creating opportunities for all Americans and maintaining the vibrancy of the Internet economy. Given the enormous benefits we have seen from a lightly regulated Internet and software market, our government should refrain from imposing burdensome regulation. John McCain understands that unnecessary government intrusion can harm the innovative genius of the Internet. Government should have to prove regulation is needed, rather than have entrepreneurs prove it is not.

Amen!  Even a hardened Ron Paul/Bob Taft/Grover Cleveland/Jack Randolph-survivalist/libertarian-crank like me can rally behind that banner.  But then this self-styled champion of deregulation pulls a really fast one:

John McCain Will Preserve Consumer Freedoms. John McCain will focus on policies that leave consumers free to access the content they choose; free to use the applications and services they choose; free to attach devices they choose, if they do not harm the network; and free to chose among broadband service providers.

That sure sounds nice, but it’s all Wu-vian code for re-regulation, not de-regulation.  You might recognize that McCain is talking obliquely here about the FCC’s 1968 Carterfone doctrine, which has consumed much attention on the TLF (see this piece in particular).

McCain then insists that he will be a bold leader for “good” regulations:

When Regulation Is Warranted, John McCain Acts. John McCain does not believe in prescriptive regulation like “net-neutrality,” but rather he believes that an open marketplace with a variety of consumer choices is the best deterrent against unfair practices…

What would you call requiring “openness” but “prescriptive regulation” against business models that require closed networks?  McCain deserves credit for rejecting, at least on a rhetorical level, “net neutrality” mandates, but what is Skype/Carterfone but “Wireless Net Neutrality?”  Whatever fine distinctions one may draw between these two ideas (both spawned from the hyperactive brain of Tim Wu), one finds no such nuance here–just the intellectually contradictory acceptance of a very politically popular position (“openness” for network devices) with the rejection of a closely related, if not inseparable, concept.  Indeed, if McCain weren’t such a saintly model of philosophical and political consistency, one might wonder whether his campaign was simply trying have the best of both worlds by appealing to the tech-policy center-left while paying lip-service to the free market community by denouncing the loathsomely anti-free market concept of “net neutrality.”

John McCain has always believed the government’s role must be rooted in protecting consumers. He championed laws that penalized fraudulent marketing practice…

Indeed, where would we be today without John McCain championing the FTC’s ability to punish unfair and deceptive trade practices–which dates back to 1914?  Still, it’s certainly a good sign that McCain at least listed is this second (after his idea of requiring openness through regulation as a way of decreasing the need for other forms of regulation).  Show me the tech policy issue that can’t be adequately addressed by simple enforcement of privacy policies and we can have a real tech policy debate!

…protected kids from harmful Internet content…

Really?  Did McCain help right all the software tools that let parents control what their kids can access online?  If not, I’m not sure what he’s referring to here other than Internet censorship.

… secured consumer privacy, and sought to minimize spam.

Ah yes, if it weren’t for the CAN-SPAM Act, we’d all be getting deluged with spam.  Oh, wait, it’s spam-filters and not legislation that have actually “minimized” this problem.”

When businesses struggled to assess the legal role of electronic signatures, John McCain led legislative efforts to ensure that these Innovation Age signatures were legally sufficient so that e-commerce could thrive. His record reflects the careful balance between protecting the essential elements of the Internet and securing the Internet as a safe tool of commerce, education and entertainment for our citizens. Offering simple common sense solutions to real problems is at the core of the McCain’s innovation agenda.

It’s hard to argue with “balance” and “common sense.”  Both would be a welcome change of pace from the the current chicken-little-ism by which so many Internet policy debates are driven by vague, unsubstantiated fears and shameless scare-tactics by the advocates of regulation.

But what’s ominous about McCain’s Internet policy is that he doesn’t even mention “free speech” or the “first amendment.”  This omission from the man who so famously said (about his relentless efforts to restrict political speech in the name of “campaign finance reform”):

I would rather have a clean government than one where quote First Amendment rights are being respected that has become corrupt. If I had my choice, I’d rather have the clean government.

I, for one, find it pretty troubling that McCain’s idea of “balance” when it comes to the Internet is all about “safety” and (mandatory) “openness” without so much as a mention of freedom of expression.

McCain deserves credit for opposing Internet taxation and “net neutrality” (among other things), and Obama’s alternative isn’t exactly Mises 2.0 either.  But you don’t have to be much of a libertarian to scan down the list of the government programs and regulations he supports–especially “Internet Access For All Americans”–and realize that he is, at best, a fair-weather free-marketeer.  If free-marketeers have learned anything from Kevin Martin’s reign of terror at the FCC, it’s that a “free-market” Republican president can appoint regulators who pay lip-service to free market ideas while selling them out at (almost) every turn–especially when it comes to content Republican voters don’t like.

I won’t hold my breath for a de-regulatory tech policy agenda under a McCain presidency, but “hope springs eternal in the human breast.”  Should McCain win, we can only hope that the current vagaries of his tech policy ( e.g., “openness” and “protecting children”) will be resolved in favor of McCain’s de-regulatory talk, and that his current re-regulatory positions will either “evolve” for the better or at least not becomes priorities of his administration.  As for the good aspects of his policies, let us all remember Regan’s dictum:  “Trust, but verify.”

I’m reading about the first-ever felony conviction for spamming. While I almost always agree with the ACLU on free speech issues, I found the Virginia ACLU’s amicus brief in the acse totally unpersuasive.

The ACLU argues that the First Amendment protects a right to anonymous speech, which I wholeheartedly agree with. However, I don’t think that right can be stretched so far as to strike down the Virginia anti-spam statute at issue in this case. This statute prohibited the falsification of email headers while sending more than 10,000 pieces of unsolicited bulk email. So this means that under the statute, someone may (a) send out an unlimited number of emails using a real email address, (b) send out 9999 emails per day (99,999 per month, 999,999 per year) while falsifying email headers, or (c) send out an unlimited number of emails with falsified addresses to people who have previously consented to receive them. I find it extremely difficult to imagine a circumstance in which these restrictions would impinge on legitimate exercises of free speech. The activities prohibited by this statute simply don’t include the kinds of situations that motivate the constitutional protection of anonymous speech—defending a point of view or releasing sensitive information without fear of reprisal or public embarrassment. Whistleblowers might want to send falsified emails to a few dozen journalists, legislators, or business leaders, but I’m having trouble thinking of a plausible situation in which a whistle-blower had a genuine need to reach more than 10,000 people.

I find analogies to older technologies—and to 18th-century pamphleteers in particualr—unpersuasive in this case because this case just isn’t like anything that existed in the pre-Internet age. In 1975, there just wasn’t any way to transmit tens of thousands of messages for a fraction of a penny per message. The costliness of information transmission—any available communications technology cost at least a few pennies per message—meant that the law never had to grapple with the possibility that sending messages could become a significant enough nuisance to require regulation. Now we do live in that world, and I think it’s a mistake to put too much weight on misleading analogies to older communications technologies with vastly different properties.

A final reason anti-spam legislation doesn’t bother me from a First Amendment perspective is that I don’t see any slippery slope here. Not only is the activity being targeted unambiguously bad, but there are very few grey areas, and the grey areas are pretty bad themselves. The Virginia statute applies two very clear bright lines—spam must be unsolicited and it must consist of more than 10,000 pieces in a 24-hour period—that make it trivially easy for anyone interested in following the law to do so. Moreover, thanks to the growth of spam filters, there is an enormous gulf between bad spammers and legitimate emails users. Legitimate users who did vaguely spam-like things (say, a non-profit organization that sent out a fundraising appeal to people who hadn’t consented to receive it) would get most of their spam blocked by ISPs’ spam filters and would get contacted by email administrators very promptly to be told to knock it off. It’s hard to imagine such an organization breaking Virginia’s law (sending out 10,000 copies and forging email headers), and even if it did it’s hard to imagine a prosecutor going after them. Which means that only spammers are engaging in spammer-like behavior. It’s pretty easy to write a statute that criminalizes most spammers and few if any legitimate email users. To use the Supreme Court’s lingo, Virginia’s spam law strikes me as “narrowly tailored” to blocking an undisputed evil and is no more restrictive than is necessary to accomplish that objective. If there’s any speech restriction that should pass First Amendment scrutiny, this is it.

Update: None of this is to say that some anti-spam laws can’t be too broad. CAN-SPAM, for example, appears to criminalize the sending of “multiple” deceptive emails or the creation of more than five separate email accounts for sending commercial emails. I can certainly think of grey areas for those kinds of prohibitions, and would have serious doubts about their constitutionality.

Don’t take your eye off the ball, people. The FTC’s assessment of $2.9 million against ValueClick does not mean that CAN-SPAM is working. The Inbox at Privacilla.org has about 25,000 spam messages in it – because Rackspace’s hosted email product has such ineffectual anti-spam technology. Oh, and because CAN-SPAM, which was supposed to “can” spam – meaning “end it” – didn’t.

As noted in the post below, the telecommunications reform plan floated recently by the staff of the House Energy and Commerce committee includes some 80 regulations, mandates or restrictions. To be more precise, there are, by my count, 82–more than one per page. Of course, some might quibble over this number– the difference between a rule with two mandates and a rule with one two-part mandate is an ephemeral one. And certainly the mandates vary in significance. Some are trivial, some are burdensome, some are justified, some are outrageous. But any way you look at it, there are an awful lot of them. Here they are:

1. BITS (“Broadband Internet Transmission Service”) providers required to file registration statements with the FCC.
2. BITS providers barred from offering service until registration has become effective.
3. BITS providers required to “connect and exchange traffic” with other BITS providers and telecommunications carriers.
4. BITS providers required to provide subscribers with access and banned from blocking, impairing or interfering with “lawful content, applications, and services.”
5. BITS providers required to permit subscribers to connect and use “devices of their choosing.”
6. BITS providers banned from installing network features, functions or capabilities that do not meet interconnectivity requirements.
7. VoIP (“Voice over Internet Protocol”) providers required to file registration statement with the FCC.
8. VoIP providers barred from offering service until registration has become effective.
9. VoIP providers required to exchange traffic with other VoIP and telecommunications carriers.
10. VoIP providers required to enter into agreements with other providers regarding compensation for carrying traffic.
11. The FCC to write regulations defining the “reasonable rate” for such compensation.
12. VoIP providers required to file compensation agreements with FCC and state PUC.
13. VoIP providers required to provide 911 services.
14. Firms owning 911 infrastructure required to provide access to VoIP providers on a non-discriminatory basis.
15. VoIP providers found not technologically able to provider 911 service required to provide notice to each subscriber at start of contract.
16. VoIP providers required to provide location-specific 911 service to the extent feasible.
17. VoIP numbers required to be “portable” from on carrier to another.
18. VoIP providers to provide relay services for the hearing and speech impaired.
19. BVS (“Broadband Video Service”) providers required to file registration statement with the FCC.
20. BVS providers barred from offering service until registration has become effective.
21. BVS providers subject to program rating mandates.
22. BVS providers required to make available facilities for candidates for public office.
23. BVS providers subject to requirements regarding disclosure of payments.
24. BVS providers and broadcasters subject to retransmission consent requirements.
25. BVS providers subject to cable ownership limits.
26. BVS providers subject to “must-carry” rules.
27. BVS providers subject to cable regulations for the “basic tier” of programming.
28. BVS providers subject to rules on blocking and scrambling of channels.
29. BVS providers subject to emergency alert requirements.
30. BVS providers subject to rules regarding “disposition of wiring after termination of service.”
31. BVS providers subject to set-top box compatibility and competitive availability rules.
32. BVS providers subject to cable EEO rules.
33. BVS providers subject to closed-captioning mandates.
34. BVS providers can be required to provide channels for public, educational or governmental use.
35. Local authorities may use BVS “institutional networks” for public, educational or governmental use.
36. BVS providers barred from denying access to any group of potential subscribers because of income.
37. BVS subject to cable TV program access requirements.
38. BVS providers barred from omitting any TV or unaffiliated programmers in viewing guides.
39. BVS providers barred from acquiring a financial interest in programmers.
40. BVS providers barred from negotiating exclusive agreements with programmers.
41. BVS providers barred from discriminating against vendors based on affiliation.
42. All providers required to provide conspicuous notice to customers of terms of service, including program line-ups and rate changes.
43. All providers required to provide accurate, complete, clear and simple statements of charges.
44. All providers banned from charging for service or equipment that the subscriber has not affirmatively requested.
45. The FCC required to set service termination requirements and is authorized to limit penalties for early termination.
46. All providers required to meet FCC service standards, including standards for service visits and responses to service outages.
47. All providers to maintain specified subscriber records.
48. All providers required to establish subscriber dispute resolution systems, including an 800 number that customers can use.
49. Unsolicited faxes to be banned.
50. Unwanted solicitations over VoIP networks to be prohibited.
51. FCC to prohibit use of equipment for obscene or indecent communication over BITS, VoIP and BVS systems generally prohibited.
52. Unfair and deceptive practices to be banned by FCC regulation.
53. Statutory anti-indecency requirements to be applied to BITS, VoIP and BVS services.
54. Limits on telephone solicitation to apply to VoIP and BITS services.
55. Pay-per-call regulations to apply to all providers.
56. Common carrier rules relating to pay per call services to apply to VoIP and BITS providers.
57. Rules relating to mobile service messages under the “CAN-SPAM” act to apply to BITS and VoIP providers.
58. All providers to provide subscribers annually with notice of privacy practices.
59. All providers banned from collecting personally identifiable information without express consent of subscribers.
60. All providers banned from disclosing personally identifiable subscriber information without express consent.
61. All providers required to provide subscriber access to all personally identifiable information maintained by the provider regarding the subscriber.
62. All providers required to destroy all personally identifiable subscriber information if it is no longer necessary.
63. Duty imposed on all providers to protect confidentiality of information.
64. Providers prohibited from using information collected from other providers for use in own marketing efforts.
65. Providers prohibited from using customer proprietary network information for any purpose other than those related to the service for which it was collected.
66. Providers must disclose to customers any proprietary network information upon request.
67. Provides may use customer proprietary information in aggregated form only if it provides the same date to other service providers.
68. VoIP providers required to provide information to telephone directory publishers.
69. VoIP providers required to provide customer information to emergency service providers.
70. Equipment manufacturers for VoIP, BITS and BVS services required to ensure that all equipment be accessible to the disabled, unless it presents and undue burden.
71. BITS, VoIP and BVS providers required to ensure that services are accessible to the disabled, unless it presents and undue burden.
72. If the above is an undue burden, then the manufacturer or service provider must ensure the equipment is compatible with widely used peripheral equipment.
73. All providers are barred from installing network features, functions, or capabilities that do not comply with disability standards.
74. All providers are prohibited from impairing or impeding closed-captioning or video description services.
75. All providers must document steps taken to achieve access.
76. All providers must develop enforcement and expedited complaint procedures for these requirements.
77. Telephone companies barred from acquiring BITS providers.
78. Cable firms barred from acquiring BITS providers.
79. Utilities are required to provide non-discriminatory access to poles and other infrastructure to BITS providers and BVS providers.
80. BITS providers must provide non-discriminatory access to cable firms.
81. The FCC authorized to resolve disputes in private standard-setting organizations regarding equipment for services in this act.
82. The FCC authorized to require contracts, agreements and other arrangements related to this act to be filed with it.

And they’re off! It’s a race between technology and law to see who can control spyware.

In Lane 5, the U.S. Congress is again considering anti-spyware legislation.

In Lane 6, Microsoft has just introduced an anti-spyware program that rivals Ad-Aware and SpyBot, according to one writer’s first impression.

Who’s in Lanes 1-4? Oh, it’s the anti-spyware tools that are already out there: Ad-Aware, SpyBot Search & Destroy, PestPatrol, and all the others.

Place your bets, ladies and gentlemen! If you backed CAN-SPAM, here’s a chance to make your money back – or double your losses.

The Federal Trade Commission has issued regulations fleshing out the CAN-SPAM Act. Given the impotence of CAN-SPAM to reduce spam, this weighty document can be regarded as regulation without a reason. Indeed, if, like me, you don’t buy the Supreme Court’s commerial speech doctrine, this is not just regulation without a reason, this is speech regulation without a reason.

There is (or may someday be) an argument that CAN-SPAM has (or will) reduce spam, but the recent successful spam lawsuits I’ve seen have gone off on laws other than CAN-SPAM or at least CAN-SPAM plus other laws. A full study of what laws are actually used against spammers, and perhaps an attempt to measure their deterrent effect, is needed. Volunteers?

Here is my latest addition to the corpus of commentary on spyware. This week, your U.S. House of Representatives is scheduled to consider legislation to ban it. The legislation is junk.

Why? Well, for one thing: it wouldn’t actually stop actual spyware. Considering how Congress did with suppressing spam through the CAN-SPAM Act, you kind of wonder how many times Congress is willing to lie to the American people. (Don’t start counting because, if you do, a few weeks from now you’ll still be counting and you’ll get an aneurysm and you’ll have to stop.)

Mine follows on fellow TLFer James Gattuso’s very good spyware piece and it marginally improves on a quick and dirty spyware rant I laid on y’all earlier. James and I agree: Carefully applying existing law to the online world is going to be superior to fresh statutes passed in haste each time a new Internet pathology emerges.

CEI filed comments today in response to a Federal Trade Commission request for comment about email authentication. The FTC will be holding a summit on November 9-10 about what authentication schemes will help the spam problem. The FTC, in its Federal Register notice, characterizes the summit as a “first step” towards “an active role in spurring the market’s development, testing, evaluation, and deployment” of authentication systems. Of course, what the FTC is really saying is that industry better play a card or else the government will force its hand.

I’m worried about the FTC role here. This summit is a foray into the technical standards setting process, which to me seems like it goes beyond the FTC’s consumer protection and antitrust mission.

Some spam is indeed fraudulent (which might give it a consumer protection link), but by and large spam imposes costs not because it is fraudulent but because of its sheer volume. A recent TechNewsWorld article reveals that some spammers are actually complying with sender authentication!

What is needed is a combination of authentication and accreditation. Authentication will help prevent spoofing and phishing by revealing the identity of an email’s originator, and accreditation will use a reputation-based system to determine if the originator is likely a spammer. Determining who is or is not, or what is or is not, a spammer requires a system based on value judgments as to what constitutes spam and would be best managed by a private body–or better yet, multiple bodies and consumers–than by a slow-moving and costly political bureaucracy.

Just as an authentication mandate might help the Federal Trade Commission enforce legislation such as the CAN-SPAM Act, so would requiring GPS devices in all cars help traffic police–but the costs to liberty in both scenarios are great. The Commission should limit its involvement in authentication and accreditation standards to the purpose of the summit–educating the public about email authentication–but tread no further.