No, I’m not here to tell you more about the “supersized” FTC. Berin has done yeoman’s work to highlight that issue, among other things with the PFF event you can review here. On TechDirt, Mike Masnick wrote this morning about how the feds are itching to regulate the Internet.

This is about the direct government invasions of privacy likely to occur if S. 3217 passes. On the Cato@Liberty blog I write about the detailed financial market research that new regulatory agencies would do—research aimed at you.

Example:

Section 1071(b) requires any deposit-taking financial institution to geo-code customer addresses and maintain records of deposits for at least three years. Think of the government having its own Google map of where you and your neighbors do your banking. The Bureau [of Consumer Financial Protection] may “use the data for any other purpose as permitted by law,” such as handing it off to other bureaus, like the Federal Bureau of Investigation.

“Washington, D.C. has determined that Washington, D.C. should manage the financial services industry. Your personal and private financial affairs will be managed there too.”

What would I say about my own writing but read the whole thing?

Adam Thierer has been named the new president of the Progress & Freedom Foundation.

TLF readers don’t need to be told that he’s a tireless advocate for technology policies that preserve freedom and innovation. He was the driving force behind creation of this blog, for example, and he is a prodigious writer and commentator.

Adam will do even more to advance those goals and protect the Internet from stifling regulation from his new perch. Congratulations, Adam!

Blogger’s Note: I posted this blog entry over at BroadbandCensus.com earlier in the day. It’s the first of series this week — One Web Week — in which I’m taking a step back to look at the issue of broadband data and broadband transparency from a bit of a longer time frame. And today couldn’t be a more timely day to do so, with Genachowski’s speech highlighting a new sixth principle of Network Neutrality: broadband transparency! -Drew Clark

WASHINGTON, September 21, 2009 – Broadband data is important for the future of our country – and public and transparent broadband data is even more important.

Today, at this moment, new Federal Communications Commission Chairman Julius Genachowski is making a speech in which he is highlighting the vital principle of public and transparent broadband data.

For three years now, this principle has been the core belief animating my efforts as a journalist, and as the entrepreneur founding BroadbandCensus.com. Now, as we enter the fourth year since this saga began, it’s time to take stock and reflect on what BroadbandCensus.com has accomplished.

And with One Web Week having arrived, I’d like to lay out this history from a personal perspective. In this series of blog posts, I’m going to speak about what we’ve been through, who we have worked with to advance the principles of public and transparent broadband data, and what we ultimately aim to achieve at BroadbandCensus.com.

• Today’s topic: The debate begins, with the Freedom of Information Act lawsuit in 2006.
• Tomorrow’s topic, on One Web Day: The founding of BroadbandCensus.com in the fall of 2007.
• Wednesday topic: The Broadband Census for America Conference in September 2008, and our work with the academic community to foster public and transparent broadband data-collection efforts.
• Thursday’s topic, in advance of the U.S. Broadband Coalition’s report to the Federal Communications Commission: BroadbandCensus.com’s involvement with the National Broadband Plan in 2009.
• The concluding topic, on Friday morning: The role BroadbandCensus.com and broadband users have to play in the creation of a robust and reliable National Broadband Data Warehouse.

The Beginnings: Why I Sued Kevin Martin’s Federal Communications Commission

BroadbandCensus.com was founded in October 2007 after I spent nearly a year and a half with the Center for Public Integrity, a non-profit investigative journalism organization based here in Washington. But the quest for public and transparent broadband data goes back further.

For more than 15 years, I have covered the politics of telecom, media and technology. Most of that was spent at the National Journal Group in Washington, a key source of inside information about policy and lobbying. My aim there, as it is now, was to ensure that all the facts are brought to the table, that divergent viewpoints are fairly represented, and that questions asked go to the center of the debate.

When it came to broadband, the looming questions were and still are: where do we have broadband in the United States, and who is offering it? What kind of service is promised, and are carriers delivering on those promises?

In 2006, issues of broadband policy lurked in the background of many major political and media controversies: Net neutrality, online piracy, media ownership and control, the build out of high-speed networks, both wired and wireless, and the role of Web 2.0 in government and society. Whatever the ultimate resolutions for each of these controversies, the first step was better broadband data.

At this time, I headed the Center for Public Integrity’s media and telecommunications project, “Well Connected.” We were expanding its focus on media ownership to the new source of media control: the nation’s broadband infrastructure.

The Federal Communications Commission had a database about the carriers that offer broadband by ZIP code. This database is created from the carriers filing the Form 477 with the FCC. The FCC publishes other databases of the locations of radio and television broadcasters, and of cable companies. We asked for a copy of the Form 477 database in August 2006. At that time, we cited the Freedom of Information Act.

An FCC staff member called me to discuss arrangements for getting our electronic copy. When I called the FCC staffer back, less than 45 minutes later, he told me that he had been instructed not to talk to me further. From that point on, only Kevin Martin’s lawyers would do the talking.

The FCC missed their 20-day deadline to timely respond to our FOIA letter. On September 25, 2006, the Center for Public Integrity filed suit in federal district court , seeking to enforce our FOIA request. We asked the district court to grant us access to the Form 477 database, with information about subscriber numbers redacted (if necessary). The end result would be a database with the names of the carriers that offer broadband on a ZIP code basis.

Even though the FCC has been collecting the Form 477 since 2000, and already has a database of all of this information, they have only ever released the number of providers within a ZIP code, and not the names of the providers. Even then, the agency only released the number if the number was four or more – out of an excessive concern for identifying carrier information.

That’s like saying that the government will restrict the release of information it has about how many gas stations there are in your town if there are not four or more gas stations in town. In any case, the government won’t tell you the names of the gas stations, or where you can find them, so that you can buy gas. And most definitely, they won’t share the prices at which the gas stations sell gas.

“We filed suit against the FCC to obtain the data that the public and policy-makers need in order to get a complete and accurate picture of the current state of broadband,” I said at the time.

Broadband Providers Seek to Forestall Publication of Carrier-Level Broadband Data

I’ve recounted the story of the FOIA litigation at great length, in June 2007, in a story, “Center Spearheads Efforts to Disclose Broadband Data,” and in February 2009 in Ars Technica, “US broadband infrastructure investments need transparency.”

We were seeking something quite straightforward: the identities of broadband carriers that offer service within a particular geographic location. At the time, we were seeking ZIP code information, because that was the best information that the FCC had. I and many others have long recognized that ZIP codes are extremely problematic and coarse unit of measurement. And that is why it is extremely positive that, in July 2009, the NTIA declared that it needed broadband information by Census block.

But in 2006 and 2007, getting carrier-level broadband data by ZIP would have been a good first step. Then-Chairman Kevin Martin, of course, was never a fan of public disclosure. After his agency nixed any sort of collaboration or compromise in approaching our FOIA request, Martin sought to shore up support from industry. On December 15, 2006, the agency issued a “Public Notice to Service Providers Who Filed FCC Form 477s With The Commission And Sought Confidential Treatment Of The Information Submitted.”

AT&T and Verizon Communications, along with the Wireless Communications Association International, intervened in the lawsuit. Others filed as “friends of the court,” on the side of the FCC. The public notice and the interventions forced Judge Rosemary Collyer to recuse herself from the case, as she owned stock in AT&T. The case went to Judge Ellen Huvelle.

“As a non-profit publisher of investigative journalism committed to transparent and comprehensive reporting both in the U.S. and around the world, the Center for Public Integrity believes that making data about the names of the broadband provider on a ZIP code-by-ZIP code basis would allow consumers to ‘truth-check’ the FCC data,” I wrote at the time. “Adding citizen-provided information about the speed, quality and price of such connections would, in turn, create a robust collection of information further informing telecommunications-related public policy debates.”

In their defense, the carriers said that disclosure would cause them competitive harm – the legal standard for denying the disclosure of data under the Freedom of Information Act.

In our legal briefings, the Center noted “that all of the major communications companies – including cable, wireless and telecom players – already provide ZIP code lookup of service availability on their Web sites.” If the information was not available on web site, the information was readily available by calling up the carrier and asking if service was available at that address. Because such information was already readily-discoverable, aggregating the data on a single web site would not cause competitive harm, either.

Among those who intervened in the suit, some sincerely believed that disclosure would have caused them harm. Others litigated merely because of the possibility of a negative FOIA precedent. Whatever the case, Kevin Martin’s FCC certainly went all-out to defend restrictions on data.

In its legal briefings, the FCC argued that releasing the data would lead to competition in communications. “Disclosure could allow competitors to free ride on the efforts of the first new entrant to identify areas where competition is more likely to be successful,” the agency told the federal district court in Washington.

It was supremely ironic that that the FCC and the communications industry were fighting our efforts to obtain public and transparent broadband data at the same time that Congress and the FCC began to clamor for precisely that which we were seeking: better broadband data to address a range of policy concerns.

Together with my friend Scott Wallsten, then of the Progress and Freedom Foundation (later with Technology Policy Institute, and now at the FCC), the Center for Public Integrity organized a Conference on Broadband Statistics on June 28, 2007, at the National Academy of Science.

Scott and I gathered an assemblage of many people, including officials from Comcast, Verizon, AT&T, ConnectKentucky, plus leading academics and policy practitioners in the field, including experts from Information Technology and Innovation Foundation, Pew Internet and American Life Project, and the University of Texas at Austin, to consider precisely these questions. Audio from the June 2007 conference is available here; a transcript of the proceeding is available here.

More recently, Wallsten’s appointment as the economics director of the FCC’s broadband task force has prompted some controversy. But Wallsten has always been supportive of my efforts – and those of others in the field – to push for greater disclosure of broadband data. See “What Disconnect?,” and “Hiding the Broadband Map.”

The Aftermath: Kevin Martin and Me

Unfortunately, the Center lost the lawsuit when Judge Huvelle ruled against the Center in August 2007, and again in October 2007 after a motion for reconsideration. I’ll talk briefly in Tuesday’s blog post about the founding of BroadbandCensus.com in the aftermath of this defeat, and on Wednesday about BroadbandCensus.com’s efforts, in 2008, to advance public and transparent broadband.

But it’s worth fast-forwarding to get to the end of the Kevin Martin story.

Martin’s tenure at the FCC was marked by his repeated jokes about how he led the FCC like the KGB. That would seem to be of a piece with denying Freedom of Information Act requests like the one I initiated.

Yet I never anticipated just how pointed his criticism of public and transparent broadband data could be. I had been invited to speak at the National Association of Regulatory Utility Commissioners’ and the FCC’s joint conference on broadband deployment and data at the FCC, in San Jose, on November 6, 2008 – two days after the presidential election.

In my presentation, on the background to and requirements of the Broadband Data Improvement Act, I referred to the Center’s FOIA lawsuit, quoted in the section above, about how the FCC didn’t want disclosure of carrier data to lead to greater competition. Kevin Martin interrupted my presentation seven times! He disagreed with my characterization of the FCC’s position on broadband data.

“It was actually also because the carriers do not want it to be disclosed, and so it was not provided in a public way,” Martin first interjected. I disagreed with him, saying that “The FCC chose through its discretion over a period of time not to release information about carrier by carrier level.”

To which Martin replied, “I am not going to have an argument with you over it. I think we should move on…. This is not about FOIA litigation. No one is interested in that.”

I came back with, “I am just pointing out that the law does not need to be changed for the FCC to release this data.”

And that still isn’t the end of the story.

Two weeks later, on November 18, 2008, Kevin Martin was back in Washington for what appeared to be his final swan song: accepting an award at the Phoenix Center for Advanced Legal and Economic Public Policy Studies at the National Press Club. Martin gave his remarks, and was praised by the Phoenix Center. After chatting with journalists for a few minutes, we all went our separate ways.

Later, as I was walking over to the elevator to depart, I saw the elevator door closing on Kevin Martin and his long-time chief of staff, Dan Gonzalez.

Martin opened the doors by pushing the open button, and I walked in. Martin asked me what I had in my hands. It was a box with flyers, so I handed him a flyer from BroadbandCensus.com, and told him a bit about our next upcoming activity as the elevator went to the ground floor.

As we stepped into the lobby, I asked Martin if he had a nice trip back from the broadband data conference in San Jose.

He chuckled somewhat under his breath, and then said: “You may not believe this, but I think what you are doing is a good thing. I just can’t end up giving it to you.”

About BroadbandCensus.com

In an earlier post, I mentioned an important new online child safety task force report that has just been released from the “Point Smart. Click Safe.” Blue Ribbon Working Group. It’s a great report and I encourage you to read the whole thing. It was my great pleasure to serve on this task force, and as we started finalizing our conclusions and recommendations, I started thinking about how much of what we were finding and recommending was consistent with what past online safety task forces had also concluded.

By way of background, over the past decade, five major online safety task forces or blue ribbon commissions have been convened to study online safety issues. Two of these task forces were convened in the United States and issued reports in 2000 (“COPA Commission”) and 2002 (“Thornburgh Commission“). Another was commissioned by the British government in 2007 and issued in a major report in March 2008 (“Byron Review“). Finally, two additional online safety task forces were formed in the U.S. in 2008 and concluded their work, respectively, in January (“Internet Safety Technical Task Force“) and July (“Point Smart. Click Safe.“) of 2009. [And yet another task force — the Online Safety Technology Working Group — was recently formed and has now gotten underway.]

In a new PFF white paper, ” Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer,” I walk through a chronological summary of each of these past task forces [click on covers of each report below to read them in their entirety] and highlight some of the similar themes and recommendations from them.

Altogether, these five task forces heard from hundreds of experts and produced thousands of pages of testimony and reports on a wide variety of issues related to online child safety. While each of these task forces had different origins and unique membership, what is striking about them is the general unanimity of their conclusions. Among the common themes or recommendations of these five task forces:

• Education is the primary solution to most online child safety concerns. These task forces consistently stressed the importance of media literacy, awareness-building efforts, public service announcements, targeted intervention techniques, and better mentoring and parenting strategies.
• There is no single “silver-bullet” solution or technological “quick-fix” to child safety concerns. That is especially the case in light of the rapid pace of change in the digital world.
• Empowering parents and guardians with a diverse array of tools, however, can help families, caretakers, and schools to exercise more control over online content and communications.
• Technological tools and parental controls are most effective as part of a “layered” approach to child safety that views them as one of many strategies or solutions.
• The best technical control measures are those that work in tandem with educational strategies and approaches to better guide and mentor children to make wise choices. Thus, technical solutions can supplement, but can never supplant, the educational and mentoring role.
• Industry should formulate best practices and self-regulatory systems to empower users with more information and tools so they can make appropriate decisions for themselves and their families. And those best practices, which often take the form of an industry code of conduct or default control settings, should constantly be refined to take into account new social concerns, cultural norms, and technological developments.
• Government should avoid inflexible, top-down technological mandates. Instead, policymakers should focus on encouraging collaborative, multifaceted, multi-stakeholder initiatives and approaches to enhance online safety. Additional resources for education and awareness-building efforts are also crucial. Finally, governments should ensure appropriate penalties are in place to punish serious crimes against children and also make sure law enforcement agencies have adequate resources to police crimes and punish wrong-doers.

The consistency of these findings from those five previous task forces is important and it should guide future discussions among policymakers, the press, and the general public regarding online child safety.  As I note in the paper, the findings are particularly relevant today since Congress and the Obama Administration — including 3 federal agencies (NTIA, FCC, & FTC) are actively studying these issues. So, in light of all that, I hope this short paper can shed some light on the collective wisdom of the past task forces. While more study of online child safety issues is always welcome — including additional task forces or working groups if policymakers deem them necessary — thanks to the work of these five task forces, we now have better vision of what is needed to address online safety concerns.

Five Online Safety Task Forces Agree [PFF – Adam Thierer] http://d.scribd.com/ScribdViewer.swf?document_id=17181137&access_key=key-z6cxfgrjkqaqtxbix&page=1&version=1&viewMode=

PFF Adjunct Fellow Mike Palage, who served on the ICANN board from 2003 to 2006, filed these comments (PDF) on the NTIA’s recent Notice of Inquiry regarding ICANN’s future.  Mike’s four key points were as follows:

1. ICANN’s Periodic Review of its internal operations and supporting organizations has failed, and has become nothing more than a “perpetual motion machine of public comments and documentation producing no meaningful results.” Only a second Evolution and Reform Process can solve ICANN’s current deficiencies;
2. ICANN must hardcode into its policies and its contracts the principle that its policies cannot supersede national laws;
3. ICANN must cease any operational role in technical infrastructure as required by its bylaws and focus instead on its mission as a technical coordinator; and
4. Congress must avoid “kicking the JPA can down the road” and instead provide much-needed leadership by creating a solid foundation for ICANN 3.0 in legislation after proper consultation with the Government Accountability Office.

Internet policy Shame Artist extraordinaire Chris Soghoian has struck again! Chris recently shamed the online advertising industry into improving their privacy practices with his Targeted Advertising Cookie Opt-Out (TACO) plug-in for Firefox. Now Chris has set his sight on the security practices of cloud service providers.

A letter released this morning, signed by 37 leading online security experts (and organized by Chris), calls on Google to offer persistent SSL (HTTPS) encryption by default for all Google services—or at the very least, to make more visible the option currently given to users to opt-in to use SSL for all communications. Google, in its response, indicated that it was already “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

While Google’s response identifies some clear problems with implementing persistent SSL for all users (esp. connection speed), few would deny that it makes sense for webmail providers to encrypt all traffic using SSL, rather than sending email data “in the clear,” which risks interception by hackers. We at PFF hold no brief for Google, in fact we have found ourselves disagreeing with them on many other occasions on a range of issues (most notably net neutrality mandates). Nonetheless, on this front, Google has long been a leader, having offered SSL since Gmail launched and having begun providing the persistent HTTPS option last summer while most of their competitors still use SSL only for the initial authentication that occurs when a user first signs in. While the letter focuses on Google and webmail in particular, this issue has far broader implications for all online cloud service providers.

No Free Lunch: The Costs of Encryption Gmail, Yahoo! Mail, Hotmail, etc. are, of course, “free” ( i.e., ad-supported). Google in particular has lead the way in increasing the functionality offered in Gmail, not just constantly increasing the total storage space provided to every user (now over 7GB), but regularly adding innovative new features—at no charge to users.

Offering persistent SSL is resource-intensive, because encryption requires computing power on the server side. Google currently spends billions on the servers that run all Google’s services, including Gmail — $2.4 billion back in 2007, when the company was much smaller. Google’s pricing for their App Engine offers some insight into cost, putting a cost of $0.10/CPU computing cycle. But without knowing what their actual cost is or how many CPU computing cycles the average Gmail user might consume per year using persistent SSL, it’s difficult to translate this price into an actual estimate of the cost of providing persistent SSL. Thus, while there are no hard numbers on how much Gmail costs Google to provide or how much more it would cost to provide persistent SSL for every user by default, both costs are clearly substantial. Chris himself provides a shot-in-the-dark guess that SSL-encrypted communications might require as much as six times the server resources as unencrypted communications. I’d love to know where Chris came up with that guess, whether the upper-bound might be even higher, and how he thinks smaller operators would pay for that cost.

Indeed, Chris’s letter does not discuss the cost of providing SSL at all, mentioning the word “cost” just once, and in a completely different sense: “Other Google applications demonstrate that security need not come at the cost of performance.” This is perfectly consistent with Chris’s general response to the costs of regulation: “Your broken business model is not my problem” (which sounds more charming in Chris’s elegant British English).

But just as Chris is correct that “Defaults matter,” it is even more true that “Costs matter.” Google appears to take the question of how much it costs to provide SSL off the table: “in this case, the additional cost of offering HTTPS isn’t holding us back.” But this is by no means a dismissal of the importance of costs. Rather, Google is simply saying that it has already decided that the advantage of providing persistent SSL are worth the costs. Every advantage to users in terms of greater security is, of course, also an advantage to Google as it competes for customers. While Gmail may have the highest profile among webmail companies, it still lags far behind Yahoo! Mail and Microsoft’s Hotmail in market share: As of February, Yahoo!’s market share was 56%, Microsoft’s 19% and Google’s 11%. Offering increased security, as Google already does with the full-SSL opt-in, is simply a way for Google to gain a competitive advantage over its rivals. One can only imagine the barrier to entry such an expensive default, if mandated or simply expected, will create for new, smaller competitors to Google, Microsoft, Yahoo! and other web titans across a wide range of cloud services.

Google’s apparent agreement with Chris and his band of cybersecurity experts conceals a more fundamental difference of perspectives. While I consider Chris a good friend, what separates us him, and what separates him from Google, is the question of trade-offs. Chris exemplifies what the economist and philosopher Thomas Sowell called the “Vision of the Anointed.” As the best and brightest in society (“the talented few”), the Anointed are often right, as Chris certainly is here on some level: Persistent SSL is a great thing and most Gmail users would probably be better off with it once Gmail irons out all the kinks in implementing it. (Indeed, I had already opted-in to using persistent SSL reading before Chris’s letter.)

No, the problem with the Anointed is not that they are necessarily wrong, but that they focus on “Solutions” to problems, while those with the “Tragic Vision” focus on the “Trade-offs” inherent in the constraints of reality. For the Anointed, seeking to impose their preferences on others, Sowell notes:

it is simply a question of choosing the best solution, while to those with the tragic vision the more fundamental question is: Who is to choose? And by what process, and by what consequences for being wrong? … it is so easy to be wrong—and to persist in being wrong—when the costs of being wrong are paid by others. (pp. 135-36).

Google’s response focuses on one important trade-off: that made by users deciding between added security and a slower Gmail connection. Individual preferences on this choice might vary, even among fully-informed users: For example, some Gmail power users may prefer speed over security, knowing that the risks addressed by are lessened because they do not take their desktop PCs to unsecure Wi-Fi hotspots at, say, the local coffee shop.

But there is a more fundamental trade-off at stake: While Google already offers persistent SSL for free to all users and says that they intend to make this the default setting in the near future, using SSL for everyone will be expensive and that cost will ultimately be borne by consumers as well as by Google (and other webmail operators that follow suit). The cost of providing SSL might mean, for example, that Google will provide less storage space or other innovative Gmail features than it would otherwise have done, because while the politicians in Washington can simply print more money to put a “chicken in every pot” (and a mortgage in every subprime borrower’s hands), Google’s resources are necessarily limited. In short, even in the world of “Free!” content and services, there is no free lunch! In a world of scarce resources (a/k/a reality, even the reality of the digital economy), we must make trade-offs.

Again, Chris may well be correct that the security benefits of SSL are worth this particular trade-off but it’s important to distinguish between two different kinds of decisions. Again, Sowell makes the point brilliantly:

trade-offs must be incremental rather than categorical, if limited resources are to produce optimal results in any social system as a whole. Despite the importance of incremental trade-offs, the language of politics is filled with categorical rhetoric about ‘setting priorities,” “providing basic necessities.” or “assuring safety” in foods, medicines, or nuclear power. But incremental decisions differ as much from categorical decisions as trade-offs differ from solutions. If faced with a categorical choice between food and music, every sane person would choose food, since one can live without music but not without food. But if faced with an incremental choice, the decision could easily be just the opposite. If food were categorically more important than music, then we would never reach a point where we were prepared to sacrifice resources that could be used to produce food, in order to produce music. Given this premise, Beethoven, Brahms, and Bach should all have been put to work growing potatoes, instead of writing music, if food were categorically more important.

Online “security” (like online “privacy”) is, like food or physical safety, undeniably a good thing. But we must still make trade-offs between security and the other things with which is necessarily competes. Google currently runs vast server farms, but still has only a certain number of CPU cycles to use for a variety of competing purposes. Spending that scarce resource (and the money that ultimately pays for it) on persistent SSL necessarily means being able to offer less of other things across the wide range of services Google offers. It is in recognition of such unintended consequences that Sowell concludes that:

many a sound and beneficial principle becomes a dangerous absurdity when it becomes a fetish. That is why any categorical principle must be assess not only in terms of its soundness as a principle, but also in terms of what happens when that principle is applied categorically.

So, what would happen if this insistence on persistent SSL were “applied categorically?”

Impact on the Competitive Landscape While Google may be able to “eat” the cost of persistent SSL for all its Gmail users, mandating the use of persistent SSL may create a significant barrier to entry that could keep smaller providers out of the market. Even shaming a leading webmail provider like Google into voluntarily increasing their security offering may accomplish the same result by raising consumer expectations. Indeed, this is what competition is all about!

For a large webmail provider like Yahoo!-already struggling to find its way in a rapidly evolving competitive landscape for web content, services and advertising despite its 56% webmail market share-the cost of providing persistent SSL for their enormous installed base of users will necessarily reduce their resources available to compete with Google in webmail and on other fronts. For Microsoft, every dollar spent on upgrading Hotmail security could have been spent on improving Bing, Microsoft’s new search engine, which seems capable of posing a significant challenge to Google in the search market.

In general, increasing the cost of providing a service will necessarily tend to make that service less competitive. If there are fewer companies competing to offer webmail (and other related products like calendar services), there will be less pressure on each of them to compete in non-price terms such as…. security and privacy protection. Thus, in the real world, fetishizing security can actually lead to less security.

The Cost/Benefit Approach to Security Improvements Indeed, while the full use of SSL is an obvious way to improve the security of webmail, it is not obvious that it is the most cost-efficient way to do so. If the precise costs of using persistent SSL for all users are substantial but unclear, it is impossible to evaluate whether user security might be improved more by prioritizing scarce resources to deal with other threats.

The threat posed by unauthorized account access via cookie stealing and packet sniffing appears to be far smaller than other less obvious security threats, such as permitting the use of weak passwords, duplicating passwords across accounts, reliance on poor secret questions, the accessing of accounts at unsecured public terminals, and the failure of users to log out. Likewise, threats to end-user security and privacy such as cross-site scripting attacks or cross-site forgery requests account for a far greater portion of internet-related security incidents. There may be no technological “silver bullet” for these problems, but they may represent the “low hanging fruit” for improving security at a much lower cost.

Again, the question is not just whether the Anointed are right, but who is to decide among various options such as persistent SSL, user education and changes in user interface design.

HTTPS Über Alles: Where is This Going? Google indicated that they’re exploring turning on persistent SSL (HTTPS) for all Gmail users, but says nothing about other Google services. Chris’s letter, however, asks Google to adopt HTTPS for Google Docs and Calendar, and goes on to mention Facebook and MySpace as companies that leave their users “vulnerable to data theft and account hijacking” because they do not use HTTPS.

So just how far should the adoption of HTTPS go? Chris’s draft “Caught in the Cloud” paper repeatedly argues that all cloud services should adopt persistent SSL. Yet even he recognizes that e-mail may be uniquely sensitive:

While most users’ word processing documents or photo collections may not be that valuable to a fraudster, an email account can have considerable value – due to the fact that inboxes routinely contain passwords and account information for other websites. For example, many Web sites will resend a password to a user’s email address in the event that the user forgets her password. Thus, a poorly secured email account can be leveraged to gain access to a victim’s bank account, brokerage account or online health records. (p. 15)

Here, Chris seems to recognize the need to make real trade-offs. But his coalition letter draws no such distinction, and even if it did, the more important point is that the Anointed think they know better how to draw these distinctions than anyone else —especially the companies who actually offer cloud services.

So what about Facebook messaging, Twitter tweets, and other social networking communication tools? How should “we” decide which of these services really merits persistent SSL? More important, who is this “we,” anyway?
Who’s actually going to make these decisions? Rather than trusting in the “systemic process” of competition among cloud computing companies, for whom security can be an element of non-price competition, the Anointed presume to make these decisions for everyone else.

Paying for SSL In a world of trade-offs, it’s important to look not just at the opportunity cost of providing features like persistent SSL, but also at the additional sources of revenue that could cover the costs of cloud computing features like SSL. If we can “grow the pie,” the trades-offs made to support persistent SSL will not be so painful. Two potential revenue streams seem obvious.

First, Google and other cloud service providers could simply charge for persistent SSL. For instance, Google currently charges $50/year/user for customized, ad-free Google Apps email accounts.

Second, if the advertising that supports webmail and other cloud services were more profitable, Google could afford more “guns and butter”: persistent SSL for everyone and continued expansion of storage space and roll-out of new Gmail features. This is precisely why Google, Yahoo! and other online advertising companies want to offer “Interest-Based Advertising” that is tailored to a user’s interests based on data about their web surfing. Unfortunately, the Anointed have so fetishized “User Privacy” that they are blind to these trade-offs, and fail to recognize that limiting targeted advertising in the name of “Privacy” may compromise “Security,” just as mandating “Security” protections may actually reduce competitive pressures to increase “Privacy” protections.

Thus, as Sowell emphasizes, we must understand that trade-offs cannot be made in isolation because “What can be afforded seriatim vastly exceeds what can be afforded simultaneously.” That is, we must make “trade-offs within an overall system constrained by inherent limitations of resources, knowledge, etc.” It is precisely because that task is so challenging that we must proceed cautiously and resist the insistence of the Anointed that there is an “urgent need for action to avert impending catastrophe.”

Other Options: User Empowerment & Education Chris’s letter calls for persistent SSL by default in the belief that users do not know enough to protect themselves. In the alternative, the letter suggests four steps Google could take to help users make more fully informed choices. These suggestions seem generally reasonable, and it might well make sense to adopt them, but there are other means to address the ignorance of the “Benighted” than by presuming to decide which trade-offs Google should make in how it designs the user interface of Gmail for all users.

First, Google could present more information and a cleaner choice about persistent SSL during the initial account set-up process. In other words, when a user creates a new Google account, they would be told the pros and cons of persistent SSL and could then make a more informed decision about whether to use persistent SSL or SSL only for authentication. Since Gmail currently has only an 11% share of the webmail market, the vast majority of potential users would have to make these decisions at the point of initial sign-up, while the user interface for existing users would not be further complicated. This example illustrates just one way in which Google might be able to able to make better decisions about the trade-offs at issue than the Anointed, however well-deserved their credentials in the field of web security.

Second, Google could add more discussion of SSL to its existing online educational resources about user privacy and security. Google could expand its Privacy Center on YouTube to include detailed discussions about the potential risks of not using persistent SSL and easy-to-follow video tutorials about the pros and cons of HTTPS.

The Politics of Shame A final word about tactics: I call Chris a “Shame Artist” in the best sense of the term. Shaming corporations is a key part of the reputational marketplace —something my colleague Adam Thierer has emphasized in his work [PDF p. 30] on online parental controls and child protection. People like Chris play a critical role in helping to raise public awareness of genuine problems, and to encourage companies to improve their practices. This dynamic has never worked as well, or as quickly, as it does in the online marketplace. But there are two important caveats to the beneficial role played by shame artists.

First, there is a fine line between (i) shining the spotlight of public attention on a problem and bringing reputational pressure to bear on the company responsible, and (ii) threatening such a company with regulation if you don’t get what you want. Here, as is often the case, Chris is playing dangerously close to that line. Chris’s “Lost in the Cloud” paper calls first for companies to change their practices voluntarily, then for mandating disclosure of SSL choices and risks, and then for mandates:

the government [could] regulate providers of cloud computing services, as it has already done in the banking and health industries. Banks are simply not permitted to let customers to make encryption a “choice,” just as car manufacturers are no longer permitted to make seat belts optional. We would prefer that regulators first forced cloud computing providers to display clear educational warnings before regulators go down the path of mandating specific technologies. However, if educational warnings failed to provoke a sufficient market response, stronger regulation might be appropriate.

At the very least, Chris is hanging the regulatory “Sword of Damocles” over the necks of cloud computing providers: The sword hasn’t fallen yet, but it threatens to drop at any moment if industry doesn’t cooperate.

Second, pressuring providers of free (ad-supported) services to offer more features risks increasing the deeply-rooted assumption that users of these services are somehow entitled to them, including whatever specific functionality the Anointed think ought to be included in the service. In fairness to Chris and his coalition, their letter does not specify how persistent SSL should be provided and he seems to be content with the idea that Google might charge for the service—a recognition of a trade-off that separates him from the more extreme among the Anointed. But once Congress, AGs and other government officials start rushing in to do Chris’s bidding, subtly or not-so-subtly coercing cloud service providers, I hope he isn’t surprised when they come back knocking on those same doors asking for more favors in the name of “Internet security.” With one hand they giveth (what Chris wants); with the other they might eventually take away (something Chris and his comrades find important).

But anytime a company is pressured to give away even more of what it’s already giving away for free, the expectation of a getting a “Free Lunch” grows. (“Free dessert, too?
Don’t mind if I do!“) Worse, if companies appear to cave in to this pressure without acknowledging the trade-offs involved, they both add to that expectation and encourage future attacks by shame artists, since they are signaling a willingness to cave-in. This is essentially the same moral hazard problem as created by negotiating with terrorists. I certainly don’t mean to compare either Chris’s goals or his methods to those of violent extremists or to trivialize his arguments. But the dynamic created by weak responses to shaming in this context is nonetheless analogous: Every time a company says “Why not? Cost is no issue!,” they make it that much more difficult for themselves and others to say, in the future, that cost sometimes will require more obvious trade-offs like charging users for the feature demanded by the Anointed. At some point, such “upsells” may become so politically untenable that the practical choices are (i) not offering the feature at all and (ii) offering it to everyone for free (the costs of which will be borne somewhere else). I fear we may already have reached that point.

Google’s new “Interest Based Advertising” (IBA) program represents the company’s first foray into what is generally called “Online Behavioral Advertising” (OBA):  In order to deliver more relevant advertising, Google will begin tailoring ads delivered through AdSense on the Google Content Network (GCN) and YouTube.com (but not Google.com).  This tailoring will be based on a profile of each user’s interests created by tracking their browsing activity across sites that use AdSense-but not search queries or other user information.  Until now, (i) AdSense has delivered essentially “contextual” advertising by choosing which ad to display on a page based on an algorithmic analysis of keywords on that page; and (ii) Google has tracked users’ browsing only for analytics purposes-to limit the number of times a user sees a particular ad (to prevent overexposure) and to allow sequencing of ads in campaigns where one ad must follow another. 

Google is sure to be attacked for crossing a “line in the sand” drawn by some privacy advocates between contextual and behavioral advertising-even though Google’s closest competitor, Yahoo!, already offers a similar program, and the concept in general is hardly new.  Google’s position as the leading search engine and third party ad-delivery network will no doubt cause paroxysms of privacy hysteria among those who consider targeted advertising inherently invasive, unfair or manipulative.

But those whose first priority is advancing consumer privacy, not advancing a political or regulatory agenda, should applaud Google for excluding sensitive categories and for putting the new Ad Preference Manager at the core of the company’s new IBA program.  The Ad Preference Manager sets a new “gold standard” for implementing the principles of Notice and Choice, which have formed the core of both OBA industry self-regulation and the various regulatory proposals made in recent years.  Indeed, Google has done precisely what Adam Thierer and I have called for:  giving consumers more granular control over their own privacy preferences by developing better tools.

How Google’s Ad Preference Manager Works

For years, debates about how OBA should be regulated (whether by industry or by government) have revolved around two key questions: 

• Notice: How should consumers best be informed about the data that’s being collected about them, how it’s being used, by whom, and so on?
• Choice: How should consumers be given the ability to opt-out of tracking for OBA purposes?

While there are significant philosophical disagreements about some aspects of these debates-such as whether the default should be opt-in or opt-out-much of the debate has come down to questions of implementation that may seem trivial or easily-solved to lay people:  Where should notice be provided?  If notice is provided in ads themselves, what should the link say and how big should it be?  By what technological means should users be able to opt-out of tracking?  Google has provided an elegantly simple solution to these questions. 

Google provides “notice” to users in two ways:

• In the ads.  In the bottom left corner of each AdSense ad on sites in the GCN, users will see the URL for the advertiser’s website.  This is already the case for all text ads, but not for display ads.  In the bottom right corner of both display and text ads, users will see an “Ads by Google” link.  Thus, the ad itself provides the user notice of (i) who’s paying for the ad and (ii) who’s serving it. 
• In the Ad Preference Manager.  If the user clicks the “Ads by Google” link, they will see which of the ~20 categories and ~600 subcategories have been associated with the tracking cookie in their browser.  Thus, Google provides notice to the user of what’s in their so-called “digital dossier.”

Google provides “choice” to the user in two ways:

• Editing categories.  The Ad Preference manager not only shows the profile that has been algorithmically assembled of their likely interests, but it lets them decide for themselves which categories they’re really interested in.  If a user finds that they have been placed in the “Automotive > Motorcycles” category but actually owns a SUV, they could select “Automotive > Trucks & SUVs”-or no Automotive category at all.  
• A persistent opt-out.  Users can decide to opt-out completely from having their data collected for IBA purposes.  That choice will be respected in the future, and will therefore be “persistent.”

The Persistent Opt-Out Plug-in

For roughly a decade, the OBA industry has operated under a self-regulatory scheme developed by the Network Advertising Initiative (NAI).  NAI lets users opt-out of receiving ads based on OBA targeting.  But privacy advocates have objected on three grounds:

First, privacy advocates argue that it’s currently too hard for users to find the NAI opt-out tool since users don’t know which ad network is serving which ads and there’s no obvious way to get from an ad to the opt-out option.  Google moots this argument by making its opt-out easily accessible to anyone who clicks on the “Ads by Google” link that appears beneath every IBA-targeted ad.

Second and most importantly, privacy advocates decry NAI’s opt-out because it isn’t “persistent”- i.e., it requires the placement of a special “opt-out cookie” on the user’s computer, which may be inadvertently deleted when users delete all their cookies.  Indeed, many users do precisely that on a regular basis through either their browser or antivirus software-thus erasing their own opt-out choice.  Google moots this argument too:  While Google’s opt-out also relies on a special opt-out cookie, Google has created an easily installed plug-in for the two most common Web browsers, Internet Explorer and Firefox, that ensures that the opt-out cookie is automatically recreated even if a user deletes their cookies.  For the Chrome and Safari Web browsers (which do not support plug-ins), Google has outlined a simple procedure whereby users can achieve the same result.

Third, many critics worry that any cookie-based opt-out mechanism still involves sending data to ad networks that the ad networks could use to track users-despite promises in their privacy policies not to do so.  Even though the FTC can enforce such policies, it may be difficult for users to determine what the ad networks are doing with the data they receive from users that have opted out of tracking.  Although Google’s system seems to be no different in this regard from how other NAI member companies handle opt outs, truly privacy-sensitive users could easily address this concern by configuring their Web browser to not send any data to these networks and/or not allow any persistent cookies, as we’ve discussed in our Privacy Solutions Series.   

A Superior Solution to a “Do-Not-Track” Registry

The privacy advocates who lambaste the inadequacies of the NAI opt-out system have demanded the creation of a government-run “Do-Not-Track” registry loosely modeled on-but very different in practice from-the FTC’s Do-Not-Call registry, by which over 170 million Americans have opted out of receiving telemarketing calls.  Google’s Ad Preference Manager provides a better system.

First, it proves that the “persistency” problem can be solved.  In fact, since Google’s plug-in is open source, these privacy advocates may be able to use it to create a browser plug-in that works for opt-out cookies from other NAI member companies.  Indeed, given how simple Google’s plug-in is, one wonders why they didn’t do this when NAI’s Opt-Out Tool was first made available.  Perhaps the technologists at these organizations have spent a little too much time developing elaborate regulatory solutions and too little time focusing on empowering users.  Or perhaps these organizations simply decided that creating such a tool would undercut their argument that only government intervention could protect users’ privacy.  Ironically, some of the organizations pushing Do-Not-Track have joined us in emphasizing the effectiveness of user empowerment tools in other contexts-such as online child protection, where parental control software offers a more effective alternative to government regulation of Internet content that also does less to restrict constitutionally protected speech.  Even more ironically, their Do-Not-Track proposal specifically calls for the development of browser-based tools to implement the government-maintained Do-Not-Track database.  In an era when anyone can write a browser plug-in that can achieve wild popularity (such as the roughly 43 million downloads of the Firefox plug-ins AdBlock Plus and NoScript), these advocacy organizations have little excuse for not practicing what they preach. 

Second, Google has set a new standard in both Notice-by including a link to the opt-out in every ad-and Choice-by respecting user’s opt-out preferences.  Other ad networks now face intense pressure to catch up with, or outpace, Google by implementing the same kind of Notice and Choice.  Indeed, NAI will now be expected to improve its own opt-out system with a browser plug-in capable of preserving opt-out preferences for all of its members’ ad networks.  To the extent that this plug-in might work better with cooperation from the ad networks, that cooperation should now be more forthcoming than ever. 

Third, if these privacy advocates’ real objection to any cookie-based opt-out system-whether the NAI opt-out tool or Google’s plug-in-is uncertainty as to whether opt-out preferences would really be respected by ad networks that continue to collect tracking data (as discussed above), who better than Google to lead the market in setting higher standards for privacy protection?  Ultimately, these standards will be, and should be, enforced by the FTC under its existing authority to punish unfair and deceptive trade practices.

What This Episode Says About Google

Some privacy advocates will argue that Google is just too big-and therefore too “scary”-to be allowed to engage in OBA, and may try to paint Google’s entry in the OBA marketplace as a net loss to privacy, notwithstanding the extremely pro-privacy way in which Google has implemented its “IBA” service.  But if this incident demonstrates anything about Google, it’s the following:

First, it’s no accident that Google is now leading the pack of third party ad networks by developing innovative solutions that respect consumer privacy.  Unlike most third party ad networks, Google is directly focused on the demands of consumers:  In addition to the ad network they acquired from DoubleClick, of course, Google offers consumers a wide array of other online services (search, email, maps, etc.).  Because these services (and their competitors) are all free, Google has to compete in what economists call “non-price terms”-such as privacy.  So, Google has a lot to lose by alienating its users and a lot to gain by being seen as a leader in privacy protection.  Would an independent DoubleClick have taken so much care to address privacy concerns?  As the developer of a competing search engine once said about the Internet search industry, ”you earn your right to be in business every day, page view after page view, click after click.”  

Second, it’s no accident that Google was a late-comer to the OBA market, lagging behind Yahoo! in particular.  The most likely reason Google has taken its time in rolling out an OBA product is that Google is subject to a unique level of scrutiny by privacy advocates by virtue of its size.  Being the “big kid on the block,” Google has to be especially careful not to appear to be “Big Brother.”  This reputational check on Google should allay some concerns about Google’s size.

Third, this episode also demonstrates the advantages of having a player like Google large enough to be able to singlehandedly set a new paradigm in privacy protection.  Google risks alienating some advertisers and publishers with its bold empowerment of users, but was willing to take those risks because of its incentives as a consumer-facing company and able to do so because of its leadership in the marketplace.  Uncomfortable as this reality may be for those who fret about antitrust issues and indeed for Google itself, the simple reality is that sometimes it takes “big dogs” to make self-regulatory systems truly effective.  For example, the video game industry’s highly effective content rating system has worked because the titans in that field were big enough to push through a tough system and keep it working.  Similarly, Microsoft has led the way for years in empowering users by offering in Internet Explorer the most sophisticated cookie management tools available in any browser, as we’ve discussed.  In a nutshell, privacy leadership requires scale. 

Conclusion

Google’s Ad Preference Manager, with its persistent opt-out plug-in, offers precisely the kind of robust opt-out that privacy advocates have always demanded.  Google deserves a rousing “Amen!” from privacy advocates.  But those who respond to this program by insisting that “more needs to be done on how to educate people and tell them how to opt out,” are right in two senses.  First, Google has shown other ad networks how to do more to empower users.  I am confident that they will rise to that challenge by continuing to refine self-regulation through technological innovation.  Second, this is by no means the last word in privacy protection from Google, which operates in the midst of continually-evolving privacy standards.  I expect Google and competing ad networks will continue to innovate in developing technologies that empower users to manage their own privacy-and that this competitive “race to the top” will improve online privacy protection in a broader sense beyond just advertising by putting pressure on other online service providers to improve their privacy practices and policies.

But I fear that too many privacy advocates will instead see this as just another reason for the government to intervene-perhaps because of fear of Google engaging in OBA or  because they think the government, not Google, should be developing privacy solutions.  Or perhaps they think Google’s system shows that a system of government-mandated solutions really could work.  To the contrary, Google’s approach is precisely the kind of innovation that would be discouraged by pre-emptive government regulation.  Worse, those who would freeze privacy protection in place would also freeze in place much of the Internet itself, precluding development of new business models that would compete with Google, allaying concerns about competition and benefiting consumers.  Why preclude broadband providers, for example, from figuring out how to deploy ad-targeting technologies in a manner that does as much to empower users with better privacy controls as Google has-especially when this could create a new source of funding for “free” content and services and even discounts on broadband? 

I hope instead that the effectiveness of Google’s approach will shift the policy debate about protecting user privacy back to an emphasis on the layered approach Adam Thierer and I have outlined, supplementing consumer education, industry self-regulation, existing state privacy tort laws, and  FTC enforcement of corporate privacy policies with increasingly powerful technological “self-help” tools that allow privacy-wary consumers to take privacy into their own hands.

There was a hearing today in the House Energy and Commerce Committee on “Reauthorization of the Satellite Home Viewer Extension and Reauthorization Act,” which got into the sticky of issue of whether must carry mandates should be applied to satellite television (DBS) operators. My boss, Ken Ferree, president of the Progress & Freedom Foundation, testified in opposition to that notion. Here’s what he had to say about proposals that would require satellite operators to carry local broadcast TV stations from even the smallest markets:

Because Congress cannot repeal the laws of physics, there are only two ways in which a satellite company might comply with such a mandate: 1) it may add capacity (i.e., launch new satellites and build associated ground equipment), or 2) it may convert capacity currently used for other purposes to local television carriage in the most sparsely populated parts of the country. Neither approach makes economic sense. That is, these proposals, if they were to become law, would impose considerable costs on satellite operators while generating no appreciable revenue.

Building and launching new satellites in order to carry local television stations in the smallest markets would of course cost hundreds of millions of dollars, while the return on such an investment, without any doubt, would be negligible. On the other hand, satellite television operators make capacity decisions in order to maximize net revenue. If they are required to delete program services that are profitable to make room for those that are less so, they necessarily lose in the transaction. Indeed, if delivering local television signals in the smallest markets made sound business sense, the satellite companies would be doing so already and no legal mandate would be necessary. Moreover, and fatally for any such proposal, requiring DBS companies to provide local signals (effectively adopting a satellite must-carry requirement) would almost certainly be unconstitutional. Cable must-carry was upheld by the Supreme Court by a bare majority only because there was a voluminous record suggesting that weaker broadcast stations would fail absent a cable must-carry requirement, thus depriving over-the-air viewers of additional video programming choices. There is no similar record, nor any reason to believe that one might be assembled, suggesting that the same would hold true absent some enhanced satellite carriage rule. Carriage requirements impose significant burdens on the commercial and First Amendment rights of those bound by them. In the current environment, imposing enhanced carriage mandates on DBS operators would be unwarranted, economically indefensible, and unconstitutional.

Ken Ferree and I just filed an amicus brief with the D.C. Circuit in what could be among the most important First Amendment cases involving economic regulation in years:  Comcast’s challenge to the FCC’s cap on the maximum size of a cable operator’s nationwide subscriber-audience.  While few may feel righteous indignation at limitations targeted at large corporations such as Comcast or Time Warner, the larger principle at stake here is deeply important: Will the First Amendment provide a meaningful check on what USC law professor Chris Yoo has called “architectural censorship” (i.e., so-called “structural” regulations that “have the unintended consequence of reducing the quantity, quality, and diversity of media content”).

In a nutshell, we argue that that:

1. The provisions of the 1992 Cable Act authorizing the FCC to impose a “cable cap” are outdated in world of media abundance and vibrant platform competition.
2. Because cable is no longer the unique “bottleneck” or “gatekeeper” that it was in 1992, these statutory provisions (not just the FCC’s 30% rule) must be subject to strict scrutiny under the First Amendment as a limitation on free speech.
3. Because there are “less restrictive means” of ensuring cable operators do not impede the flow of video programming to consumers, the court should strike down these provisions.
4. Even if the court upholds the statute, it should nonetheless strike down the cap issued by the FCC in December 2007 (30% of all Multichannel Video Programming (MVPD)  subscribers as based on an outdated model of the video marketplace.

I encourage you to read our brief (below).  I’ve provided a summary below, along with some additional commentary we just couldn’t cover under our 3500 word limit.

Strict Scrutiny.  Yoo’s article Architectural Censorship and the FCC is essential reading for anyone who believes that government regulations on the size and shape of the “soapbox” can have huge effects on speech itself.   Yoo argues that the First Amendment should check this kind of regulation–however “content-neutral” it might seem–under “strict scrutiny”, which requires that the government show that a regulation is the “least restrictive means” available for advancing a “compelling government interest.”  But Yoo ultimately concludes (pp. 713-718, PDF pp. 45-50) that, under existing precedent, most “architectural censorship will be effectively insulated from meaningful judicial review.”  Yoo explains that the Supreme Court’s 1983 decision in Minneapolis Star & Tribune Co. v. Minnesota Commissioner of Revenue, “appeared to entertain the possibility of subjecting structural restrictions to strict scrutiny even in the absence of facial content discrimination or content-based motive.”  But in its 1991 Leathers v. Medlock decision, the Court “foreclose[d] any prospect that Minneapolis Star and its progeny would serve as a check on architectural censorship” by limiting the Minneapolis Star line of precedents to cases where “a statute of general application affects a small number of speakers.”  The Court reaffirmed this position in its 1994 Turner I decision, when it applied intermediate, rather than strict, scrutiny to the Cable Act’s “must-carry provisions,” which require nearly all cable operators to carry certain television broadcast signals.  Intermediate scrutiny requires only that important governmental interests that are furthered by “substantially related means.”

Unfortunate as the Leathers/Turner I line of cases is for those concerned about architectural censorship, the cable cap is exactly the sort of regulation that falls within the reduced scope of Minneapolis Star as “affect[ing] a small number of speakers” because, unlike the Cable Act’s must-carry provisions, the cap limits the speech of only the very largest cable operators.  So the question of whether the Court should default to intermediate scrutiny as it did in its 2000 Time Warner I decision (when the cap was first challenged) should turn entirely on the question of whether cable still has the “special characteristic” of “bottleneck” or “gateekeeper” power despite all the changes in the media marketplace since 1992 and even in just the last eight years.

The Modern Media Marketplace.  The subscriber limitation provisions of the Cable Act were intended to prevent cable operators from “unfairly impeding the flow of video programming.”  Yet each of the key premises behind these provisions has been disproven:

1. Increased horizontal concentration of the cable industry has, far from reducing media choices, been accompanied by an explosive growth in the amount and diversity of video content available to consumers.
2. The rate of “vertical integration” (i.e., ownership of cable programmers by cable operators), which Congress feared would cause cable operators to discriminate against unaffiliated programmers, has plummeted.
3. Cable’s share of the MVPD market has also plummeted dramatically, with the two DBS providers now sharing 1/3 of the MVPD market and representing the second and third largest MVPDs

Two charts say it all.  First, from Adam Thierer’s excellent book Media Metrics, the number of programming services (cable channels) has grown by nearly six-fold by 1992, while the rate of vertical integration has plummeted:

(That chart stops in 2006 (based on 2005 data) because the FCC still has not released the 2007 Video Competition Report, which it approved in December 2007.  Since then, Time Warner Cable has been spun off of Time Warner’s content empire, so the actual affiliation rate today is likely less than 10%.)

Second, cable’s share of the MVPD market has fallen from 95% in 1992 to ~64% today:

In 1992, when consumers had only a single MVPD option, cable might fairly have been considered a “bottleneck” or “gatekeeper.”  But today, every American has at least three MVPD choices (their local cable franchisee + two DBS operators), and can also subscribe to a Telco video service such as Verizon’s FiOS.  (“Over-building” where two cable operators serve the same area is rare.)

Internet Video.  We also describe how the availability of TV content online provides yet another distribution channel for programmers:

The last two years have seen growing numbers of Americans increasingly substituting consumption of online video for MVPD video and the Internet driving popularity of MVPD content, rather than vice versa.  But only in the last year, since the adoption of the [FCC’s December 2007 order issuing the 30% cap], has the large-scale delivery of television  content online become a reality, as large numbers of programmers have begun distributing increasing numbers of complete episodes and entire series through their own websites and/or through a new class of rapidly-growing Internet Video Programming Distributor (IVPD) websites such as Netflix, Hulu, Amazon Video on Demand, iTunes, Vuze, Sony Playstation Store, the Microsoft Xbox 360 Marketplace, Joost and Veoh.  These IVPDs already offer a staggering, and growing, library of currently-airing and archived content—as much as 90% of broadcast shows and 20% of cable shows.  These sites are supported by a growing number of set-top devices (e.g., Netflix Player by Roku, TiVo) and wildly popular game consoles (e.g., Microsoft Xbox 360, Sony PlayStation 3) that allow users to play IVPD content from broadcast and cable programmers on demand on their television, while TiVo allows users to seamlessly switch between IVPD, MVPD and OTA content.

The FCC’s decision to exclude Internet video from its analysis is hardly surprising when one considers that the economic model behind the new 30% cap comes from a 2005 study based on cable market data from 1984-2001 and that the last official data released by the agency about the video marketplace date to June 2005.  But nine months later, the agency waxed ecstatic about the promise of IVPDs when doing so supported Kevin Martin’s attempts to enforce the FCC’s non-binding 2005 “Net Neutrality” policy statement:

In August 2008, the FCC even cited [the rapid emergence of IVPDs] in support of its claim of jurisdiction over Comcast’s broadband network management practices (because of alleged harm to an IVPD that distributes content through peer-to-peer file sharing):  “consumers with [broadband] service will have available a source of video programming (much of it free) that could rapidly become an alternative to cable television.”  But the immediate competitive impact of IVPDs comes not from the fact that some IVPD users are already canceling their MVPD subscriptions, but in the ease with which IVPDs can supplement an MVPD subscription—because most IVPDs are free, while those that charge for content do so on a per-episode/show basis.  Furthermore, IVPDs have little—if any—incentive not to offer a particular program because they are not subject to the same capacity constraints as MVPDs.  Thus, even if IVPD video consumption remains relatively small in its early years, IVPDs already offer programmers a strong alternative distribution channel capable of reaching all broadband users.

Less Restrictive Means. Of course, the fact that cable no longer has a special characteristic of gateekeeper or bottleneck power does not automatically render the Cable Act’s subscriber limits provisions unconstitutional; this merely means that the government must show that no less restrictive means are available to satisfy a compelling government interest.  We suggest a variety less restrictive means that could ensure competitive video distribution and programming markets.  These include dispute resolution assisted by the FCC, enforcement of existing antitrust laws, and crafting “special obligations on cable operators with more than 30% of the MVPD market to ensure that they do not unfairly impede the flow of video programming.”

Challenging The FCC’s Rule. Besides attacking the statute, we argue that the 30% cap imposed by the FCC last year is even more obviously unconstitutional than when the D.C. Circuit struck down the same limit seven years ago in Time Warner II. To many lay observers, this argument may seem like a “no-brainer” given how much more competitive the video marketplace is than it was in 2001.  But one must understand that when the Court struck down the 30% cap the first time, it did so on the grounds that the FCC’s own rationale justified not a 30% cap but a 60% cap.  The FCC had decided that the average video programmer (network) needed an “open field” of 40% of the MVPD market to be viable.  The FCC leapt from that conclusion to a 30% cap so that even if the two largest cable companies denied carriage, the programmer would still have the required 40% “open field.”  The court found that there was no evidence that the leading two cable operators would collude to deny carriage and that the statute did not “protect programmers against the risk of completely independent rejections by two or more companies.”  In other words, the purpose of the statute was not to guarantee carriage even if, for example, a cable operator decided (exercising the same constitutionally-protected “editorial discretion” enjoyed by all media) spend part of its limited system capacity carrying a network with questionable appeal, or to raise subscription rates to cover the marginal cost of carrying the network.

But the FCC has since come up with a new “open field” model that the court must consider anew.  This time, the model more clearly supports a 30% cap–but only if one accepts the premises underlying the model and the accuracy of the data put into the model, which we do not.  We argue that their model is “based on flawed assumptions about the nature of competition for video programming” and is thus incapable of “accurately reflect[ing] cable’s present (or future) bottleneck power.”

Click the button at the top right of Scribd’s handy iPaper display to switch to full page display of the brief–or click on the top left to download the PDF itself.

PFF Amicus Brief – Cable Ownership Cap http://documents.scribd.com/ScribdViewer.swf?document_id=8630011&access_key=key-2obr4z2ohtozi1gabbay&page=1&version=1&viewMode=

As TLF readers may know, I took over in July as Chairman of the Board of the Space Frontier Foundation.  As I explained in my recent interview on The Space Show, SFF has been the leading citizens’ advocacy group for space commercialization since 1988.  Dedicated to promoting Princeton physicist Gerard O’Neill‘s vision of space settlement, as described in his 1976 masterpiece The High Frontier, the Foundation has always argued that “space is a place, not a program.”

We sent out the following press release on October 28, calling for a major transformation of the U.S. government’s space program by which the U.S. government would buy commercial transportation to the International Space Station.  We’ll have more to say about this in the coming weeks.

Space Frontier Foundation Finds Funding Source for COTS-D

The Space Frontier Foundation today called upon Presidential candidates Barack Obama and John McCain to invest the $2 billion in new funds they have promised to NASA for reducing the “Gap” in U.S. human spaceflight (after the Space Shuttle is retired in 2010) to spur innovation and competition in America.

Foundation Chairman Berin Szoka said “It’s time that our national leaders give American entrepreneurs a shot at closing this gap. Let’s take the two billion dollars in the candidates’ plans and fund up to five winners of COTS-D.”

The NASA Authorization Act of 2008, recently signed into law by the President, directs NASA to “issue a notice of intent [by mid-April 2009] … to enter into a funded, competitively awarded Space Act Agreement with two or more commercial entities’ for transporting humans to the ISS”-the “Capability D” of NASA’s Commercial Orbital Transportation Services program (or COTS-D for short). But that directive is not yet funded.

Szoka continued, “Let’s have an American competition in space – to create good jobs, fuel innovation, and close the gap more quickly. With private funds matching government’s investment, we can dramatically leverage the $2 billion to produce breakthroughs in a new American industry – commercial orbital human spaceflight.”

By investing in several different approaches, the government will win no matter who wins this new race, and also benefit from the resulting price competition.

Many American companies, including Boeing, PlanetSpace, SpaceDev, SpaceX, and t/Space have each previously submitted credible COTS-D proposals to NASA. Each of these firms has reached the semi-finals of one of the previous NASA COTS competitions. Increasing funding for COTS by $2 billion would allow NASA to fund all five of these promising companies’ proposals with COTS agreements, and in so doing, build redundancy into the human spaceflight capability available to NASA and other customers.

“It’s popular in Washington to use ‘The Gap’ to cynically justify continued funding of an expensive jobs program,” concluded the Foundation’s co-founder, Bob Werb. “We’re using ‘The Gap’ to advocate a policy that will bridge a gap that matters much more: the chasm between a dying government Human spaceflight monopoly and an emerging, free and competitive marketplace that can open the space frontier to everyone.”

The Federal Circuit significantly limited the patentability of software and business methods today.  Mike Masnick at TechDirt summarizes the holding of the case as follows:

the court has said that there’s a two-pronged test to determine whether a software of business method process patent is valid: (1) it is tied to a particular machine or apparatus, or (2) it transforms a particular article into a different state or thing. In other words, pure software or business method patents that are neither tied to a specific machine nor change something into a different state are not patentable.

I’m sure several of my TLF colleagues will have a great deal to say about this.   Tim Lee has already written about this on Ars Technica:

The Bilski decision, then, is a clear signal that the pendulum has begun to swing back toward tighter limits on software and business patents. However, it remains to be seen how far the court will go in this direction. Bilski was a relatively easy case. The applicant made little effort to hide the fact that he was seeking to patent a mental process, something the Supreme Court has clearly said is not allowed. Therefore, the Federal Circuit’s rejection of this patent doesn’t tell us how it will rule when confronted with software or business method patents that are tied more directly to a physical machine or a transformation of matter. And indeed, the Federal Circuit reiterated that some software and business method patents are valid, so we are unlikely to return to the near-prohibition on such patents that prevailed until the early 1980s.

Thoughts?

Debates about online privacy often seem to assume relatively homogeneous privacy preferences among Internet users.  But the reality is that users vary widely, with many people demonstrating that they just don’t care who sees what they do, post or say online.   Attitudes vary from application to application, of course, but that’s precisely the point:  While many reflexively talk about the “importance of privacy” as if a monolith of users held a single opinion, no clear consensus exists for all users, all applications and all situations.  

If a picture is worth a thousand words, this picture makes the point brilliantly—showing:

locations where [Flickr] users are more likely to post their photos as “public,” which is the default setting, in green. Places where Flickr users are more likely to put privacy controls on their photos show up in red.

Of course, geography is just one dimension across which users may vary in their attitudes about privacy, but the map makes the basic point about variation very well.  Seeing what users actually do in real life says a lot more about their preferences than merely polling them about what they think they care about in the abstract—as my colleagues Solveig Singleton and Jim Harper argued brilliantly in their 2001 paper With A Grain of Salt: What Consumer Privacy Surveys Don’t Tell Us (SSRN).

Google has just announced that it is now accepting applications from undergraduate, graduate and professional students for its summer 2009 Google Policy Fellowship.  Three think tanks employing TLFers are among the host organizations participating in the program: The Progress & Freedom Foundation, the Cato Institute and the Competitive Enterprise Institute. 

Applications are due by December 12, 2008.  The program will run for ten weeks during the summer of 2009 (June-August). Apply today!

The Progress & Freedom Foundation has just launched the new Center for Internet Freedom.  CIF offers an alternative to the proliferation of advocacy groups calling for government intervention online by offering timely analyses and critiques of proposals that diminish the vital role of free markets, free speech and property rights.  We aim to drive the Internet policy debate in new directions by emphasizing a layered approach of technological innovation, user education, user self-help, industry self-regulation, and the enforcement of existing laws consistent with the First Amendment.  Such an approach is a less restrictive—and generally more effective—alternative to increased regulation.  

Here are some of the issues I’ll be working on as CIF’s Director in conjunction with my esteemed colleagues Adam Thierer, Adam Marcus, and adjunct fellows: 

• Defending online advertising as the lifeblood of online content & services, especially in the “Long Tail”;
• Emphasizing market solutions to problems of privacy protection, especially regarding the use of cookies and packet inspection data;
• Protecting online speech and expression both in the U.S. and abroad;
• Defending Section 230 immunity for Internet intermediaries;
• Opposing online taxation and legal barriers to e-commerce and digital payments, especially at the state and local levels; and
• Ensuring that Internet governance remains transparent and accountable without hampering the evolution of the Internet.

Congress has very wisely cancelled the National Reconnaissance Office’s proposed Broad Area Space-Based Imagery Collection (BASIC) satellite system. The proposal to build two new imaging satellites at a cost to taxpayers of $1.7 billion would have represented a major break from what is possibly the U.S. government’s most successful effort to promote space commercialization to date: buying the imagery it needs from commercial providers, who can also sell imagery to other buyers.

Five years ago, the idea that Internet users could pull up a satellite image of just about any location on the planet at a whim would have seemed ludicrous. Yet that’s precisely what websites like Google Maps and Microsoft’s Live Search offer today—for free! Desktop applications like Microsoft’s Virtual Earth and Google Earth offer even more advanced geospatial tools—again, for free. But of course this library of incredibly rich imagery didn’t just “fall out of the sky,” as they say. It was collected by a handful of expensive commercial remote sensing satellites whose construction was made possible by the National Geospatial-Intelligence Agency‘s (Wikipedia) extraordinarily successful “Nextview” program implemented under the Commercial Remote Sensing Policy of 2003.  Rather than having the Federal government build its own satellites—and pay for the entire cost of the satatellites—the NGA very wisely chose to buy imagery from commercial providers in two ~$500 million, 4-year contracts with U.S. satellite imagery companies:  DigitalGlobe in 2003 and OrbImage (now GeoEye) in 2004.  

These long-term purchase agreements essentially made the U.S. Government the “anchor tenant” in a new class of remote sensing satellites, providing the initial funding for both companies to build and operate their satellites. But because the companies sell roughly half of imagery to foreign governments and commercial buyers like Google and Microsoft, these deals have saved U.S taxpayers money for the purchase of imagery for a wide variety of needs, ranging from agricultural monitoring to military intelligence. At the same time, the Nextview contracts have given birth to a vibrant geospatial industry whose immediate benefits should be obvious to anyone who’s ever pulled up a satellite map online and whose macroeconomic impact is potentially enormous. 

So why mess with success?  If the U.S. Government thinks it needs more satellite imagery, why not simply award another long-term purchase agreement to a commercial provider? Besides reducing the burden on the taxpayers, continuing the NextView approach would support the construction of a new generation of commercial satellites like GeoEye-1, which was launched just last month, and DigitalGlobe’s WorldView-1, launched last year.  Rather than rolling back NextView in favor of building its own systems, the U.S. Government should be looking for other space services it can buy on a commercial basis as a way of building industries rather than programs, ranging from sending crew & cargo to the International Space Station to communications and navigation services for NASA’s planned Return to the Moon.

Rather than giving up on the NextView approach in the area where it has already produced spectacular results, the U.S. government should be looking for other areas in which to apply the NextView model by buying space services from commercial providers.

Full disclosure: I was proud to handle FCC matters for GeoEye while practicing law at Latham & Watkins LLP. I currently have no greater personal interest in their success than should any American who wants to see the private sector succeed where the government has failed in opening up the space frontier to all mankind.

A few weeks ago, I outlined the amazing keynote address that Harvard University law professor Laurence H. Tribe delivered at PFF’s annual Aspen Summit. Now you can read it for yourself. PFF has just published the transcript of his speech, which was entitled, “Freedom of Speech and Press in the 21st Century: New Technology Meets Old Constitutionalism.”

Professor Tribe provides a 14-part indictment of new government proposals to regulate “excessively violent” content. But he also speaks more broadly about the importance of defending the First Amendment from attacks on many different platforms, and for many different types of content. Here’s one of my favorite passages from the concluding section of his remarks:

The broad lesson of this discussion of television violence is the centrality of the First Amendment’s opposition to having government as big brother regulate who may provide what information content to whom, whether or not for a price. The large problem that this exposes is that especially in a post-9/11 world, where grownups understandably fear for themselves and for their children and worry about the brave new world of online cyber reality that their kids can navigate more fluently than they can, it is enormously tempting to forget or to subordinate the vital principles of constitutional liberty. Even if, after years of litigation and expenditure, the First Amendment prevails, it can be worn down dramatically by having to wage that fight over and over and over.

Amen to that. And that, in a nutshell, describes what much of my research agenda at PFF has been focused on. It is a pleasure to add Prof. Tribe’s address to our growing body of research on the sanctity of freedom of speech and centrality of the First Amendment to our democratic republic as we continue “to wage that fight over and over and over.”