ECPA – Technology Liberation Front
https://techliberation.com
Keeping politicians' hands off the Net & everything else related to technology

Senate Cybersecurity Bill Nukes Privacy Protections
https://techliberation.com/2012/02/09/senate-cybersecurity-bill-nukes-privacy-protections/
Thu, 09 Feb 2012 14:59:30 +0000

My seen-it-all cool was shaken yesterday when I examined how a Senate cybersecurity bill would scythe down legal protections for privacy. Anyone participating in government “cybersecurity exchanges” would have nearly total immunity from liability under any law. No Privacy Act, no ECPA, no E-Government Act, no contract law, no privacy torts. The scuttlebutt is that Senator Reid (D-NV) may push this especially hard as payback to the Internet for the SOPA/PIPA debacle.

In the push for cybersecurity legislation, Congress is driven far more by its desire to act (and D.C. lobbyists’ desire to have Congress act) than by any plausible contribution it can make to the difficult problem of securing computers, networks, and data. That’s why this cybersecurity bill, and all others I have seen, have greater costs than benefits.

Read about the devastation for privacy and the rule of law on offer in a current draft in “The Senate’s SOPA Counterattack?: Cybersecurity the Undoing of Privacy.”

Commerce Department’s “Dynamic Policy” Privacy Approach – Likes & Concerns
https://techliberation.com/2010/12/16/commerce-departments-%e2%80%9cdynamic-policy%e2%80%9d-privacy-approach-likes-concerns/
Fri, 17 Dec 2010 00:18:17 +0000

Earlier today the Commerce Department’s Internet Policy Task Force issued its expected privacy report. Commerce waded into shark-filled privacy waters and produced a report that overall is thoughtful, comprehensive and has lots of meat for strengthening the nation’s privacy framework. Of course, we have our quibbles too. On first read, here’s what I like and what concerns me:

Like:

  • “Dynamic policies”. The report appropriately proposes what it calls “dynamic policies.” We agree that technology and information flows are constantly changing, so a privacy policy regulatory framework should not be static, nor should it be proscriptive.
  • Privacy Policy Office. Because it would be located within Commerce, the office would be a vital advocate for online companies doing business overseas. It could help outreach with European regulators and coordinate certification procedures to enable cross-border data flows.
  • Transparency through purpose specification and use limitation (NOT collection limitation and data minimization). The report proposes consumer assurances principles that would require data collectors to specify all the reasons for collecting personal information and then specify limits on the use of that information. This is a flexible approach compared to proscriptive regulations limiting data collection and requiring data minimization.
  • Encourage Global Interoperability. In our comments, NetChoice advocated strongly for international privacy reciprocation, and where appropriate, harmonization.
  • ECPA Review. We like how the report calls for a review of the Electronic Communications Privacy Act (ECPA). The law is outdated and doesn’t do a good job of clarifying the roles of online companies when responding to law enforcement requests.

Concerns:

  • The Uncertainty of FIPPs. The report advocates the creation of Fair Information Practice Principles (FIPPs) that could be voluntarily adopted by industry. But what would they look like? The report mentions, but doesn’t explicitly endorse, FIPPs from the Department of Homeland Security—which are of course binding on government, and might not all be desirable for the private sector. According to the report, the proposed Privacy Policy Office would coordinate these. The FIPPs have been wrongly characterized as a consumer privacy “bill of rights” by some media outlets (they are industry codes of conduct, not affirmative consumer rights).
  • Privacy Policy Office. While we like this, we’re also concerned by it. The process of convening multi-stakeholders means multi-viewpoints and multi-disagreements. We’d prefer the marketplace to be the venue and consumers to be the ultimate arbiter on privacy principles.
  • National Requirements for Security Breaches. The report calls for Congressional legislation to create a nationwide data security breach law. But is this really necessary? 46 states already have a relatively consistent and reasonable approach toward how companies should safeguard data and the processes involved when there’s a breach.
  • FTC Rulemaking. The report leaves open for further comment whether the FTC needs enhanced (APA) rulemaking authority in the privacy area. NetChoice has opposed giving the FTC blanket, no-holds-barred APA authority, and we’d also oppose this for an issue as broad as privacy.

Likes and concerns aside, 2011 is shaping up to be a busy privacy year! Look forward to working with stakeholders from government, industry and civil society to help refine and implement some of the core recommendations of this document.

The Politics of ECPA Reform: Protecting Us from the Real Big Brother
https://techliberation.com/2010/03/30/the-politics-of-ecpa-reform-protecting-us-from-the-real-big-brother/
Wed, 31 Mar 2010 03:32:09 +0000

CNet’s Declan McCullagh has a great piece about the politics of actually implementing the ECPA reform principles announced today by the Digital Due Process Coalition, which PFF, CEI and Net Coalition all proudly signed on to along with a number of other think tanks, advocacy groups, and leading tech companies. Ryan and I explained earlier today how these proposals would Protect Americans’ Privacy by Restoring Constitutional Limits to Government.

As I note at the end of the article:

“This is an opportunity for President Obama to show that he understands President Reagan’s central lesson: ‘Government is not the solution to our problem—government is the problem,'” says Berin Szoka, an attorney at the Progress and Freedom Foundation. “These proposals offer a sensible, long-overdue way of protecting us from the real Big Brother, our government, without crippling law enforcement or the private companies that keep giving us all wonderful new content and services, mostly for free.”

This is a point Adam Thierer and I have made repeatedly in the debate over how to deal with concerns about online privacy. Check out our/my key pieces on this point:

Digital Due Process: Protecting Americans’ Privacy by Restoring Constitutional Limits to Government in ECPA
https://techliberation.com/2010/03/30/digital-due-process-protecting-americans%e2%80%99-privacy-by-restoring-constitutional-limits-to-government-in-ecpa/
Tue, 30 Mar 2010 16:00:19 +0000

By Ryan Radia & Berin Szoka

Today a broad array of civil liberties groups, think tanks, and technology companies launched the Digital Due Process coalition. The coalition’s mission is to educate lawmakers and the public about the need to update U.S. privacy laws to better safeguard individual information online and ensure that federal privacy statutes accurately reflect the realities of the digital age.

Over 20 organizations belong to the Digital Due Process coalition, including such odd bedfellows as AT&T, Google, Microsoft, the Center for Democracy & Technology, the American Civil Liberties Union, the Electronic Frontier Foundation, The Progress & Freedom Foundation (where Berin works), the Competitive Enterprise Institute (where Ryan works), the Internet Technology & Innovation Foundation, Citizens Against Government Waste, and Americans for Tax Reform. The full member list is available at the coalition’s website.

Amidst the heated tech policy wars, it’s not every day that such a diverse group of organizations comes together to endorse a unified set of core principles for legislative reform. Over two years in the making, the Digital Due Process coalition, spearheaded by the Center for Democracy & Technology, is a testament to the broad consensus that’s emerged among business leaders, activists, and scholars regarding the inadequacies of the current legal regime intended to protect Americans’ privacy from government snooping and the need for Congress to revisit decades-old privacy statutes. It also represents a revival of a bipartisan consensus on the need for reform reached back in 2000, when the Republican-led House Judiciary Committee voted 20-1 to approve very similar reforms (HR 5018).

Today, in the digital age, robust privacy laws are more important than ever. That’s because U.S. courts have been unwilling to extend the Fourth Amendment’s protection against unreasonable search and seizure to individual information stored with third parties such as cloud computing providers. Thus, while government authorities must get a search warrant based on probable cause before they can lawfully rifle through documents stored in your desk, basement, or safe deposit box, information you store on the cloud enjoys no Constitutional protection. (Some legal scholars argue this interpretation of the Fourth Amendment, referred to as the Third Party Doctrine, is outdated and deficient. See, for example, Jim Harper’s excellent 2008 article in the American University Law Review.)

http://www.youtube.com/v/AYYjr3XNaGs

To be sure, this doesn’t mean that data stored in the cloud is completely without legal protection. In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA), a then-forward-looking law that established several new privacy protections limiting governmental access to consumer data stored or transmitted by “remote computing service providers” and “electronic communications service providers.” Thanks to this law, along with earlier statutes such as the Wiretap Act, most electronic communications transmitted today enjoy some degree of legal protection. Unfortunately, the law’s provisions don’t reflect the reality of modern digital communications, nor do they offer sufficient protections for sensitive items like emails, mobile device locational information, and instant messages.

To remedy these deficiencies, the Digital Due Process coalition has offered four principles for Congress to consider as it revisits ECPA. In essence, they would require that government obtain:

  • A search warrant from the court, upon the showing of “probable cause” required by the Fourth Amendment, before compelling “cloud” providers to disclose most kinds of private communications or mobile location information;
  • A court order subject to meaningful judicial review before compelling providers to disclose dialed number information or email to and from information; and
  • Judicial approval, rather than a mere subpoena, before compelling providers to disclose non-particularized information about individual accounts.

These proposed reforms, if enacted, would go a long way toward ensuring that individuals enjoy the same legal protections online that the Fourth Amendment has long provided in the offline world. The principles would also empower cloud computing and mobile service providers to offer more robust privacy assurances to users. Such assurances will help strengthen user trust in cloud computing and, consequently, may spur innovation in cloud computing services that involve highly sensitive data like health information.

This call to action is also a reminder that restricting the power of government, not the private sector, is the solution to the privacy challenges of the digital age. Privacy advocates and zealots alike often focus on the risks of private data collection. Yet the greatest, and most demonstrable, of these risks comes not from private firms but from the real Big Brother: the risk that government will get its hands on private data without meaningful judicial oversight.

As we’ve long argued (see Ryan’s essay with Wayne Crews, “Selling Out Online Advertising,” and Berin’s comments to the FTC’s Exploring Privacy Roundtable last November), the consumer benefit of individualized data collection and use is nothing short of spectacular. Without it, services like Gmail, Google search, and Facebook likely wouldn’t exist. (And it’s only 2010—the best is yet to come!) Simply put, there is no free lunch!

But data collection has a real downside: As long as sensitive information remains stored on a provider’s server, there’s a risk that it will end up in the wrong hands. Through smart information security practices and privacy policies enforced both by the FTC and strong reputational forces, the private sector has generally done a good job of safeguarding individual data, with rare exceptions. Yet, today, no amount of security or legalese or good intentions can protect against a government subpoena issued in compliance with ECPA’s outdated, inconsistent and downright byzantine legal standards—which vary widely depending on whether messages have been opened, how long they’ve been on the server, etc.

The reforms proposed by the Digital Due Process Coalition would fix this gaping hole in America’s privacy laws, allowing individuals to rest assured that their personal information won’t end up in the hands of government unless probable cause is shown before a court of law. That’s the promise enshrined in the Fourth Amendment—a promise we seek to restore.

Should Court Reject Google Books Settlement On Privacy Grounds?
https://techliberation.com/2010/03/05/update-on-the-google-books-settlement-reader-privacy/
Fri, 05 Mar 2010 22:15:40 +0000

A couple weeks ago the Google Books Settlement fairness hearing took place in New York City, where Judge Denny Chin heard dozens of oral arguments discussing the settlement’s implications for competition, copyright law, and privacy. The settlement raises a number of very challenging legal questions, and Judge Chin’s decision, expected to come down later this spring, is sure to be a page-turner no matter how he rules.

My work on the Google Books Settlement has focused on reader privacy concerns, which have been a major point of contention between Google and civil liberties groups like EFF, ACLU, and CDT. While I agree with these groups that existing legal protections for sensitive user information stored by cloud computing providers are inadequate, I do not believe that reader privacy should factor into the court’s decision on whether to approve or reject the settlement.

I elaborated on reader privacy in an amicus curiae brief I submitted to the court last September. I argued that because Google Books will likely earn a sizable portion of its revenues from advertising, placing strict limits on data collection (as EFF and others have advocated) would undercut Google’s incentive to scan books, ultimately hurting the very authors whom the settlement is supposed to benefit. While the settlement is not free from privacy risks, such concerns aren’t unique to Google Books nor are they any more serious than the risks surrounding popular Web services like Google search and Gmail. Comparing Google Book Search to brick-and-mortar libraries is inapt, and like all cloud computing providers, Google has a strong incentive to safeguard user data and use it only in ways that benefit users and advertisers.

It’s worth noting that while Google has a reasonably strong track record of preventing data breaches and accidental disclosure of data to untrustworthy parties, Google generally does not challenge court-approved criminal or civil subpoenas of data associated with its users. I didn’t properly articulate this in my amicus brief, in which I stated incorrectly that “Google has a history of vigorously resisting government data requests if it deems them invalid.” In fact, Google usually does not attempt to quash subpoenas, although it has done so at least once before (in 2006, Google successfully fought a request from the U.S. Department of Justice seeking logs containing millions of user search queries).

Upon receiving a subpoena of a user’s data, Google typically informs the user that his or her data will be handed over in 20 days unless the user successfully moves to quash the subpoena. Most other cloud computing providers have similar policies. In certain rare circumstances, however, subpoenas are issued in secret. In such cases, Google is barred from telling the user about the subpoena, so the user doesn’t have a chance to challenge it in court.

While Google’s policy for disclosing user data is perhaps not as protective of privacy as it could be, it’s still quite reasonable in light of the economic realities of cloud computing. Sure, Google could challenge all subpoenas it receives as a matter of course (as CDT and others have urged) but such a policy would be prohibitively expensive considering the fact that Google likely processes tens of thousands of subpoenas each year. (Unfortunately, Google does not disclose how many subpoenas it receives each year, much to my chagrin.) Remember, the vast majority of Google users aren’t even paying customers! Expecting Google to bear the legal burden of defending its users — some of whom actually are criminals — from legal proceedings is hardly fair.

Instead of trying to persuade Congress, regulatory agencies, and the courts to regulate Google and other online providers, privacy advocates should focus on the underlying deficiencies in U.S. privacy laws. Under the 1986 Electronic Communications Privacy Act (ECPA), many kinds of potentially sensitive user data can be obtained by government authorities with a mere subpoena, rather than a search warrant. Compounding this problem is the refusal of courts to extend Fourth Amendment protections to sensitive information stored in the cloud on the basis of the seriously flawed “third party doctrine.” To remedy this, Congress should amend ECPA to strengthen privacy protections for sensitive data stored by remote computing service providers. Just as authorities are required to obtain a search warrant if they wish to get hold of files stored in one’s home, warrants should also be necessary to compel cloud computing providers to disclose individual information that users very clearly expect to remain private.

In the meantime, let’s not create burdensome new regulations on online data collection. As Berin, Adam, and others have documented with incredible thoroughness (1, 2, 3, 4), smart data mining has myriad benefits for consumers, and targeted advertising is among the most promising avenues for financing future content production.

OSTWG, Child Protection, Privacy & Data Retention Mandates v. “Behavioral” Advertising
https://techliberation.com/2010/02/04/ostwg-child-protection-privacy-data-retention-mandates-v-behavioral-advertising/
Fri, 05 Feb 2010 04:31:22 +0000

Today’s Online Safety Technical Working Group (OSTWG) meeting included some heated debate about whether online intermediaries should be doing more to assist law enforcement to help track down child predators and those producing and distributing child pornography. (It’s not clear whether or when NTIA will actually put the archived video or a transcript online at this point).

Most interesting was the third panel of the day (agenda), which devolved into a shouting match as Dr. Frank Kardasz (resume) of the Arizona Internet Crimes Against Children (ICAC) Task Force basically accused Internet intermediaries of being willing accomplices in crimes of sexual abuse against children—and suggested that they could be charged as co-defendants in child porn prosecutions. A few industry folks in the room expressed their outrage at such slander. A retired law enforcement officer perhaps put it best when he said that he had never dealt with an ISP that didn’t sincerely want to help law enforcement stop this monstrous crime.

Apart from those pyrotechnics, and a superb morning presentation by the Pew Internet Project’s Amanda Lenhart about “Social Media & Young Adults,” the most interesting part of the day concerned data retention mandates. Even as a debate rages in Washington about how much collection and use of online data should be permitted, Dr. Kardasz suggested online service providers should be required to hold user data for 5 years. A number of attendees noted the staggering costs of such a mandate given the sheer volume of information shared every day by users, especially for startups for whom building monitoring and compliance infrastructure can be a significant barrier to entry. Of course, practical objections are always answered with practical counter-solutions—in this case, several attendees asked why we couldn’t just provide tax incentives or stimulus money to defray such costs. One attendee joked that we’d have to devote the entire state of Montana just to house all the necessary server farms.

But the strongest objection came from John Morris of the Center for Democracy & Technology, who rightly noted that no amount of government subsidies for data retention could prevent leakage of sensitive private data. For this reason and because of the basic civil liberties at stake whenever the government has access to large pools of data about its citizens, Morris argued that we need to strike a balance between how we protect children & the values of free society. Dave McClure of the US Internet Industry Association (USIIA) seconded this point powerfully: If such vast data is retained, it will be abused.

Then the riposte from advocates of data retention mandates: Aren’t online intermediaries already retaining huge amounts of consumer information? If they can do that, why can’t they retain the data we need to track down child predators and child porn distributors?

John Morris and the ACLU’s Chris Calabrese patiently explained just how different these two kinds of data retention really are. Advertisers don’t care who you are—just what you’re likely to be interested in. So it simply isn’t worth the cost for them to retain the massive logs of data tracking every site a user has been to and when, or even tying that information to an IP address. All the advertiser wants is to be able to correlate information about likely interests with a cookie that uniquely identifies a computer (which likely, but not necessarily, corresponds to a user). I couldn’t have explained this difference better myself!

They didn’t specifically get into this example, but even a company like Phorm, which offers behavioral advertising based on inspecting packets sent back and forth by an Internet user doesn’t actually retain the kind of “digital dossier” of a user’s browsing activity that some advocates of increased data regulation fear–or that law enforcement wants. Instead, Phorm examines certain kinds of pages visited by users (e.g., no HTTPS or email) and looks for keywords (excluding sensitive things like phone numbers, social security numbers and credit card numbers) that suggest the user might be interested in a particular marketing category. The data about where the user has visited is then discarded, leaving only the marketing categories matched to that user’s unique ID (e.g., dog-owner, fly-fisher).

So even when it comes to the much-feared “Deep Packet Inspection,” what advertisers want is profoundly different from the kind of data retention mandates proposed by Kardasz and others in law enforcement. Moreover, given the costs entailed in data storage and processing, the mere fact that something is theoretically possible doesn’t mean advertisers are willing to pay for it just to try to tell you about their product! That critical point has been missing from most of the ongoing conversation about regulating “targeted” advertising, which tends to focus on the theoretical possibility of a particular data collection/use/aggregation practice rather than whether it’s actually being done or even whether it would make economic sense to do so. So I’m glad to see John Morris and Chris Calabrese making these vital points.

I don’t mean to pull a “gotcha!” on them as representatives of two organizations that have also been outspoken in calling for restrictions on the private use of data (especially since I can’t do them justice by quoting them precisely here without a transcript of the event or the ability to go back and listen to this fascinating exchange again). I’m sure they would respond that the potential for abuse still exists when private companies collect data about users for advertising purposes: Some companies might collect so much data that it could be tied back to a particular user and cause actual harm if released, which is always a possibility. That would be a fair response, but it would at least place us in a constructive debate between reasonable people about the costs and benefits of data sharing and whether government regulation is really the best way to address privacy concerns.

The important point is that they recognize the difference in kind between the collection of limited amounts of data for advertising purposes and the kind of comprehensive data mandates proposed by Kardasz and others. If nothing else, that difference means that one can take a principled stance—as I do—against data retention mandates as a governmental invasion of our privacy but also in favor of reliance on user empowerment, education, targeted enforcement of existing laws, etc. as less restrictive alternatives to government regulation of private data use, just as with parental control and empowerment over parentalist censorship.  As Adam Thierer and I have argued, because there are significant costs to regulation for consumers, free speech and culture, any government mandates should be narrowly tailored to addressing real, demonstrable harms rather than vague, unsubstantiated fears or amorphous concepts like “dignity interests.”

The other critical part of our “layered approach” to privacy concerns is building a higher “Wall of Separation Between Web and State.” Concretely, that means opposing such onerous data retention mandates and reforming ECPA—a subject mentioned only at the end of today’s meeting. In the comments I filed recently on the Notice written by CDT for the FCC, I praised CDT’s work in this area and look forward to working with them (and the ACLU and groups like EFF) on that cause in the future, despite our differences on private data use regulation.

DoJ Fails to Report Electronic Surveillance Activities
https://techliberation.com/2009/04/30/doj-fails-to-report-electronic-surveillance-activities/
Thu, 30 Apr 2009 15:32:34 +0000

Unlike with wiretaps, law enforcement agents are not required by federal statutes to obtain search warrants before employing pen registers or trap and trace devices. These devices record non-content information regarding telephone calls and Internet communications. (Of course, “non-content information” has quite a bit of content – who is talking to whom, how often, and for how long.)

The Electronic Privacy Information Center points out in a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-VT) that the Department of Justice has consistently failed to report on the use of pen registers and trap and trace devices as required by law:

The Electronic Communications Privacy Act requires the Attorney General to “annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.” However, between 1999 and 2003, the Department of Justice failed to comply with this requirement. Instead, 1999-2003 data was provided to Congress in a single “document dump,” which submitted five years of reports in November 2004. In addition, when the 1999-2003 reports were finally provided to Congress, the documents failed to include all of the information that the Pen Register Act requires to be shared with lawmakers. The documents do not detail the offenses for which the pen register and trap and trace orders were obtained, as required by 18 U.S.C. § 3126(2). Furthermore, the documents do not identify the district or branch office of the agencies that submitted the pen register requests, information required by 18 U.S.C. § 3126(8).

EPIC has found no evidence that the Department of Justice provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. “This failure would demonstrate ongoing, repeated breaches of the DOJ’s statutory obligations to inform the public and the Congress about the use of electronic surveillance authority,” they say.

It’s a good bet, when government powers are used without oversight, that they will be abused. Kudos to EPIC for pressing this issue. Senator Leahy’s Judiciary Committee should ensure that DoJ completes reporting on past years and that it reports regularly, in full, from here forward.
