Two privacy bills are already up for consideration. And at yesterday’s Senate Commerce hearing on Consumer Online Privacy, we heard Senator Kerry announce that he will be working on new legislation to regulate online privacy. While we wait to see what Kerry will offer, NetChoice has concerns over the bills we do know about: Rep. Rush’s “Best Practices Act” and the Boucher/Stearns Discussion Draft. Our side-by-side comparison identifies four concerns:
- Both proposals would regulate small websites that don’t even collect PII. Boucher-Stearns would regulate a tiny online startup that is adding just 100 users a week, even where its users provide only a made-up user name and password. As defined, “covered information” would overly restrict the flow of useful information and harm the development of ad-supported content and services. Continue reading →
If I ever had any hope of “keeping up” with developments in the regulation of information technology—or even the nine specific areas I explored in The Laws of Disruption—that hope was lost long ago. The last few months I haven’t even been able to keep up just sorting the piles of printouts of stories I’ve “clipped” from just a few key sources, including The New York Times, The Wall Street Journal, CNET News.com and The Washington Post.
I’ve just gone through a big pile of clippings that cover April-July. A few highlights: In May, YouTube surpassed 2 billion daily hits. Today, Facebook announced it has more than 500,000,000 members. Researchers last week demonstrated technology that draws device power from radio waves.
Continue reading →
Check out national security reporter Shaun Waterman’s report on lapses in security using techniques that only recently became known as “social engineering.”
Ms. Sage’s connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs.
“If I can ever be of assistance with job opportunities here at Lockheed Martin, don’t hesitate to contact me, as I’m at your service,” one executive at the company told her.
Then there’s former DHS policy official Stewart Baker’s unusually harsh attack on the “privacy lobby” and Wired reporter Ryan Singel at Volokh.com. The comments are good-quality and interesting.
Knowing how canny Baker is, I would guess that his unusually shrill tone is a ploy to start a fight that helps him sells more copies of his book. But maybe he’s just losing his cool.
Adam and I have been pretty hard on the FTC’s current leadership for pushing to dramatically expand regulation of online data use with little thought to the impact on ad-supported media, while in the next breath opening the door to dramatic expansion of direct government support of media, and all the while seeking sweeping new regulatory powers from Congress.
After all that complaining (and bashing their Soviet Realist-style statue, “Man Controlling Trade”), you might think we had it in for the agency. But as I’ve said repeatedly, we’re actually big fans of the FTC’s core consumer protection mission: holding companies to their promises. (Indeed, we want to make sure they stay focused on that mission, and have the staff, resources and technological tools to pursue it effectively—which might mean, as I’ve pointed out, increased funding rather than increased powers.) We’ve also repeatedly praised the FTC’s efforts to educate kids, parents, and Internet users in general about things like online privacy, advertising, spyware, user empowerment tools, online scams, etc.
But I don’t want to be accused of being only a fair-weather friend of the agency. So I wanted to point out a particularly good concrete example of the FTC doing what we talk about in the abstract: holding companies to their promises. Grant Gross notes that the FTC sent a stern letter earlier this month to the company that is seeking to buy the subscriber info and photos and other assets of the now-defunct XY Magazine, which served primarily gay U.S. teens, warning them that the FTC would hold them to the terms of the privacy policy under which XY collected information from its subscribers.
This is a great example of how the FTC can effectively use its existing authority to protect consumers against clear harms involved in the disclosure of truly sensitive data, sometimes even prophylactically—in this case, outing around 100,000 gay youths and young adults—collected by companies that make unambiguous promises to protect users’ data. This incident also illustrates how privacy law can evolve in an organic fashion from a growing body of such well-justified preemptive warnings, enforcement actions brought against truly bad actors, and ultimately court decisions that decide whether the FTC has properly weighed the interests at stake. In other words, just because we don’t have a privacy code enforced by a Data Protection Authority as in Europe doesn’t mean our legal system doesn’t protect privacy!
Continue reading →
Better late than never, I’ve finally given a close read to the Notice of Inquiry issued by the FCC on June 17th. (See my earlier comments, “FCC Votes for Reclassification, Dog Bites Man”.) In some sense there was no surprise to the contents; the Commission’s legal counsel and Chairman Julius Genachowski had both published comments over a month before the NOI that laid out the regulatory scheme the Commission now has in mind for broadband Internet access.
Chairman Genachowski’s “Third Way” comments proposed an option that he hoped would satisfy both extremes. The FCC would abandon efforts to find new ways to meet its regulatory goals using “ancillary jurisdiction” under Title I (an avenue the D.C. Circuit had wounded, but hadn’t actually exterminated, in the Comcast decision), but at the same time would not go as far as some advocates urged and put broadband Internet completely under the telephone rules of Title II.
Continue reading →
. . . when you realize how much data it can give up to law enforcement and phone thieves. Or maybe one of you smarties will write an app that wipes your iPhone clean, restoring your control over personal and private communications information.
I haven’t said a lot about Google picking up wifi signals as it gathered imagery for its helpful Street View service, but the group “Consumer Watchdog” is doing cartwheels and handstands to try and generate interest in it. In my opinion, they’ve gone a little too far, and now—as have so many before—they will learn to fear my blog post.
This release from CW’s “corporateering” section is misleading in several ways. Take this, for example:
Google now admits that its Street View cars snooped on private WiFi networks as they prowled streets in thirty countries photographing people’s homes over the last three years. The company acknowledges it recorded communications it picked up from unencrypted WiFi networks.
To say “Google now admits” suggests that Google covered it up. Wrong. Google came forward with the information as soon as it discovered its mistake.
Is it “private WiFi networks” from which Google picked up data? The concepts and terminology are unclear to many, but the “private” characterization is misleading.
Many of these networks were privately owned, no doubt, but the question is whether they were configured to conceal the data being transmitted on them. They were not. Information was sent out in the clear (i.e. unencrypted) on these networks. And it was sent out by radio.
We should go into that: Continue reading →
Reliable national security reporter Siobhan Gorman at the Wall Street Journal has broken a story about an Internet surveillance program called “Perfect Citizen” to be managed by the National Security Agency.
Reading about it is frustrating, and for me blame quickly settles on Congress. Our legislature is utterly supine before the national security bureaucracy, which exaggerates cybersecurity threats and consistently uses the secrecy trump card to defy oversight.
If there is to be a federal government role in securing the Internet from cyberattacks, there is no good reason why its main components should not be publicly known and openly debated. Small parts, like threat signatures and such—the unique characteristics of new attacks—might be appropriately kept secret, but no favor is done to any potential attackers by revealing that there is a system for detecting their activities.
A cybersecurity effort that is not tested by public oversight will be weaker than ones that are scrutinzed by private-sector experts, academics, security vendors, and watchdog groups.
Benign intentions do not control future results, and governmental surveillance of the Internet for “cybersecurity” purposes may warp over time to surveillance for ideological and political purposes.
These abstract criticisms of “Project Citizen” are all that publicly available information allows. Far better would come from me and others more qualified if Congress were to do its job.
Congress owes it to us, the United States’ true citizens, to have public hearings on “Perfect Citizen.” Congress should reject broad assertions of secrecy so that the whole body politic can participate in securing our country from all threats.
Congressional and public oversight—searching oversight that tests assumptions and asks hard questions—would strenghten any government cybersecurity effort we find warranted. It would also ameliorate the threat of such programs to our civil liberties, democratic processes, and privacy.
Common Sense Media (CSM) is a media “watchdog” group that provides a terrifically useful service to the public through independent reviews of popular media content (movies, music, TV, games, and more). As a parent, I find their service indispensable and, as a policy analyst, I have praised their rating system and their media literacy / digital citizenship programs again and again, including numerous endorsements in my special report on Parental Controls & Online Child Protection and other testimony and filings before Congress and federal regulatory agencies.
Thus, being such a big fan of CSM, I was quite dismayed to see the comments they just submitted to the Federal Trade Commission (FTC) as part of the agency’s review of the Children’s Online Privacy Protection Act (COPPA). They advocate not just expanded educational efforts, which are great, but also expanding COPPA’s age scope to cover all kids under 18 as well as opt-in mandates for the collection and use of any “personal information” or “behavioral marketing.” For all the background on the law and the FTC’s resulting COPPA rule, see this beefy paper Berin Szoka and I authored last year and this testimony and follow-up submission Berin did for the Senate Commerce Committee. And then read the joint submission made by PFF, CDT, and EFF in the same FTC proceeding that CSM just filed in.
Sadly, it’s clear to me that Common Sense Media didn’t take anything we warned about in those papers or filings seriously—or perhaps that they just didn’t bother to read them very carefully, if at all. Their filing is a classic example of good intentions gone wrong. I understand that they want to take additional steps to protect children online, but they completely ignore the practical realities of COPPA expansion and its associated trade-offs:
Continue reading →
I was interviewed yesterday for the local Fox affiliate on Cal. SB 1411, which criminalizes online impersonations (or “e-personation”) under certain circumstances.
On paper, of course, this sounds like a fine idea. As Palo Alto State Senator Joe Simitian, the bill’s sponsor, put it, “The Internet makes many things easier. One of those, unfortunately, is pretending to be someone else. When that happens with the intent of causing harm, folks need a law they can turn to.”
Or do they?
The Problem with New Laws for New Technology
SB1411 would make a great exam question of short paper assignment for an information law course. It’s short, is loaded with good intentions, and on first blush looks perfectly reasonable—just extending existing harassment, intimidation and fraud laws to the modern context of online activity. Unfortunately, a careful read reveals all sorts of potential problems and unintended consequences.
Continue reading →
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.