Earlier today the Commerce Department’s Internet Policy Task Force issued its expected privacy report. Commerce waded into shark-filled privacy waters and produced a report that overall is thoughtful, comprehensive and has lots of meat for strengthening the nation’s privacy framework. Of course, we have our quibbles too. On first read, here’s what I like and what concerns me:
Like:
- “Dynamic policies”. The report appropriately proposes what it calls “dynamic policies.” We agree that technology and information flows are constantly changing, so a privacy policy regulatory framework should not be static, nor should it be proscriptive.
- Privacy Policy Office. Because it would be located within Commerce, the office would be a vital advocate for online companies doing business overseas. It could help outreach with European regulators and coordinate certification procedures to enable cross-border data flows.
- Transparency through purpose specification and use limitation (NOT collection limitation and data minimization). The report proposes consumer assurances principles that would require data collectors to specify all the reasons for collecting personal information and then specify limits on the use of that information. This is a flexible approach compared to proscriptive regulations limiting data collection and requiring data minimization.
- Encourage Global Interoperability. In our comments, NetChoice advocated strongly for international privacy reciprocation, and where appropriate, harmonization.
- ECPA Review. We like how the report calls for a review of the Electronic Communications Privacy Act (ECPA). The law is outdated and doesn’t do a good job of clarifying the roles of online companies when responding to law enforcement requests.
Concerns:
The Sixth Circuit ruled on Tuesday that criminal investigators must obtain a warrant to seize user data from cloud providers, voiding parts of the notorious Stored Communications Act. The SCA allowed investigators to demand providers turn over user data under certain circumstances (e.g., data stored more than 180 days) without obtaining a warrant supported by probable cause.
I have a very long piece analyzing the decision, published on CNET this evening. See “Search Warrants and Online Data: Getting Real.” (I also wrote extensively about digital search and seizure in “The Laws of Disruption.”) The opinion is from the erudite and highly-readable Judge Danny Boggs. The case is notable if for no other reason than its detailed and lurid description of the business model for Enzyte, a supplement that promises to, well, you know what it promises to do….
Every once in a while it’s worth taking a step back and looking at the long view of how Internet policy developments have unfolded and considering where they might be heading next. We’ve reached such a moment as it pertains to efforts to police the Internet for copyright piracy, objectionable online content, privacy violations, and cybersecurity. We’re at an interesting crossroads in this regard since the prospects for successfully cracking down on copyright piracy and pornography appear grim. Seemingly every effort that has been tried has failed. The Net is awash in online porn and pirated content. I am not expressing a normative position on this; rather, I’m just stating what now seems to be commonly accepted fact.
In the meantime, the United States is in the process of creating new information control regimes and this time it’s access to personal information and cybersecurity that are the focus of regulatory efforts. The goal of the privacy-related regulatory efforts is to help Netizens better protect their privacy in online environments and stop the “arms race” of escalating technological capabilities. The goal of cybersecurity efforts is to make digital networks and systems more secure or, more profoundly as we see in the Wikileaks case, it is to bottle up state secrets.
These efforts are also likely to fail. Simply stated, it’s a nightmare to bottle-up information once it’s out there.
This is a response to Nick Carr’s recent piece, “The Attack on Do Not Track,” in which he goes after me for some comments I made in this essay about the trade-offs at work in the privacy and online advertising debates. In his critique of my essay, he argues:
What the FTC is suggesting is that the unwritten quid pro quo be written, and that the general agreement be made specific. Does Thierer really believe that invisible tradeoffs are somehow better than visible ones? Shouldn’t people know the cost of “free” services, and then be allowed to make decisions based on their own cost-benefit analysis? Isn’t that the essence of the free market that Thierer so eloquently celebrates?
My response to Nick follows.
The ACLU of Northern California says it’s time for a privacy check-in on location-based services. Their handy chart compares several of the most popular location-based services along a number of dimensions.
Little of what they examine has to do with civil liberties—cough, cough, ahem (this is a favorite critique of mine for my ACLU friends)—but the report does find that five out of six location-based providers are unclear about whether they require a warrant before handing information over to the government. Facebook is the winner here. Yelp, Foursquare, Gowalla, Loopt, and Twitter are unclear about whether they protect your location data from government prying.
As part of what Politico’s Tony Romm calls this week’s “all-out online privacy blitzkrieg,” Rep. Ed Markey (D-Mass) announced he would be proposing legislation aimed at better protecting kids from the supposed evils of online “tracking” and marketing. Apparently, Rep. Markey’s effort will build on the “Do Not Track” proposal that is garnering so much attention this week.
Lost in the smoke surrounding that privacy blitzkrieg is an important distinction between these two proposals: There is a very big difference between re-engineering browsers and websites to comply with a “Do Not Track” mandate and a new regulatory scheme aimed at identifying the ages or identities of individuals using certain online sites or services. Namely, the latter likely necessitates some sort of mandatory age verification or online authentication regime for the Internet.
Let’s take a step back for some context. Markey helped author the Children’s Online Privacy Protection Act (COPPA) of 1998, which dealt with the collection of information for kids under 13 online. But COPPA wasn’t a strict age verification or online authentication regime for the Internet. Instead, COPPA mandated a “verifiable parental consent” regime which the Federal Trade Commission (FTC) later enforced using a so-called “sliding scale” approach. Essentially, sites that are “directed at” kids under 13 are supposed to get parental consent using a variety of mechanisms (credit cards, sign and fax forms, phone calls, etc.) before any collection of information takes place. Of course, there are some devilish details here regarding what counts as “directed at” or “collection,” but the crucial point here is that COPPA does not require the formal authentication of web surfer identities or ages — whether they are kids or parents.
So, the really tricky question here is how one goes about expanding the COPPA regulatory regime without stumbling into the legal thicket that tied up the Child Online Protection Act (COPA) of 1998, a law which did mandate such an authentication regime and, as a result, witnessed a grueling decade-long legal battle over its constitutionality. Ultimately, the courts rejected COPA as inconsistent with America’s tradition of anonymous speech, something central to our evolution as a democracy, pre-dating even the First Amendment that protects it from government interference. Thus, we have, at least for now, closed the book on COPA. But are we about to re-open it with COPPA expansion a la the forthcoming Markey bill?
In his essay today, “Go On, Opt Out. Just Don’t Come Cryin’ To Me …,” John Battelle has some very sensible thinking on the “Do Not Track” idea and privacy regulation more generally:
Look, if you want to, you can put yourself on a “do not track” list in the Real World. As you walk around in our Real World, where small shopkeepers and Starbucks alike attempt to lure you into their stores, you can simply decide to ignore their come ons. You can refuse to get a grocery card, and forego the discounts they offer. You can forego the countless coupons, come ons, and catalogs that come through your newspaper, browser, or your community mailer, and if you work at it, you can even opt out through some specialized services (with more coming soon, if the FTC gets its way). And you can turn off your television (cause lord knows even the shows are trying to influence you now), and you can ignore your friends when they talk about the latest, coolest promotion that Verizon or ATT has pushed them through their cell phones. If folks insist on talking about stuff that might smack of someone selling you something, heck, you can start to dress like the Unabomber and withdraw entirely from our obviously commercial culture. You might look weird, but at least folks will leave you alone. And if you do, your world will either be better, or it will suck more. Your call.
But don’t come crying to me when you realize that in opting out of our marketing-driven world, you’ve also opted out of, well, a pretty important part of our ongoing cultural conversation, one that, to my mind, is getting more authentic and transparent thanks to digital platforms. And, to my mind, you’ve also opted out of being a thinking person capable of filtering this stuff on your own, using that big ol’ bean which God, or whoever you believe in, gave you in the first place. Life is a conversation, and part of it is commercial. We need to buy stuff, folks. And we need to sell stuff too.
Amen, brother. This is a point Berin Szoka and I have made repeatedly here in the past:
The debate over privacy regulation is fundamentally tied up with the future of online content and culture. The idea of a cost-free opt-out model for all online data collection / advertising may sound seductive to some, but we must take into account the opportunity costs of regulation. The real world is full of trade-offs and, despite what the Federal Trade Commission seems to think, there is no such thing as a free lunch.
This morning, the Federal Trade Commission (FTC) released its eagerly-awaited Preliminary FTC Staff Report on Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. As expected, the agency has generally endorsed an expanded regulatory regime to govern online data collection and advertising efforts in the name of protecting consumer privacy. More specifically, the agency endorsed a so-called “Do Not Track” mechanism that would supposedly help consumers block unwanted data collection or advertising. Here’s how the agency describes it:
Such a universal mechanism could be accomplished by legislation or potentially through robust, enforceable self-regulation. The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. To be effective, there must be an enforceable requirement that sites honor those choices. (p. 66)
I’m sure we’ll have plenty more to say here about the issue in coming weeks and months (comments on the FTC report are due by Jan. 31), but we’ve already commented on this proposal here before. See 1, 2, 3. To briefly summarize a few of those concerns:
Inspired by thoughtful pieces by Mike Masnick on Techdirt and L. Gordon Crovitz’s column yesterday in The Wall Street Journal, I wrote a perspective piece this morning for CNET regarding the European Commission’s recently proposed “right to be forgotten.”
A Nov. 4th report promises new legislation next year “clarifying” this right under EU law, suggesting not only that the Commission thinks it’s a good idea but, even more surprising, that it already exists under the landmark 1995 Privacy Directive.
What is the “right to be forgotten”? The report is cryptic and awkward on this important point, describing “the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they [that is, the data] are no longer needed for legitimate purposes.”
Rob Pegoraro’s article in yesterday’s Washington Post is a worthy read, if only because it puts into context what is and isn’t a privacy breach.
Recently, there’s been a lot of noise–started by a Wall St Journal article–about a supposed privacy breach by Facebook surrounding the misuse of user data by applications installed on the user’s page. But as Pegoraro relates, this information was all public anyway, much like a phone book displays your identity. Here’s what he says is the difference between what is and isn’t a breach:
Privacy breach: “Exposes private information you tried to keep confidential, in ways that risk the loss of money or security or otherwise fairly earn the adjective ‘Orwellian.’”
NOT a privacy breach: Information about you that is already made public to users of a website, including the “basic parameters of people’s accounts: their name, picture, gender and networks….”
The point is that we shouldn’t conflate the use (or misuse) of public information with the breach of private information. Doing so elevates a lesser offense at the expense of something that is much more serious.
But as much as I like the article, I also have a few quibbles. Pegoraro says that if users are still offended by Facebook, they should blame the site for its default settings and switch to a competitor. And while losing customers is the ultimate penalty for any business, he misses the point in a couple of ways. First, we want to encourage innovation in social media and information sharing, which means companies need the freedom to set and change default settings (I’ve blogged on this before). Second, instead of switching sites users can just adjust their privacy settings! This simple, less drastic measure wasn’t even mentioned.