- European Commission Proposes Stronger Data Privacy Legislation - 02/02/2012 01:35 PM
After weeks of suspense and rumors, last Wednesday the European Commission finally introduced long-awaited legislation to update the 1995 Data Protection Directive, the primary instrument governing personal privacy in Europe. These changes had been widely anticipated by the privacy community, and were spurred in large part by two distinct motivations: (1) the desire to provide users stronger rights over their personal information, and (2) a wish to harmonize divergent privacy laws across all the European Union.
Ironically, the same goals drove the passage of the first EU Data Protection Directive 17 years ago. At that time, there were few comprehensive privacy laws in Europe (or anywhere else, for that matter). The initial Directive required member states to pass enacting legislation codifying the principles contained within the document, whilst allowing for a margin of interpretation that would prove its limits in practice. In the intervening years, the EU’s 27 member states have all implemented and interpreted the Directive in varying ways, leading to a fair amount of confusion for companies offering services across the internal market. And while each country is slightly different, enforcement has been consistently spotty across the continent, leaving users with the suspicion that their information is not adequately protected as companies utilize increasingly sophisticated technologies to track user behavior.
The Commission has been working on the text of the legislation for over a year and has been consulting stakeholders for more than two years; in December, what was purportedly a near-final version was widely leaked and analyzed. The most significant change in that draft was that the legislation was in the form of a regulation instead of a directive, meaning that it would be automatically binding on member states (rather than a mere instruction to national governments to pass consistent legislation). The draft contained other provisions designed to make complying with European privacy law simpler for companies — such as subjecting companies to the jurisdiction of one lead national data protection regulator, rather than 27 potentially different authorities. The draft legislation also eliminated the burdensome and often costly requirement that companies provide regulators with pro forma (and typically ignored) notification in advance of all data processing activity (and paying filing fees for the privilege).
The legislation provided new protections for users, such as a strict data breach notification standard, a requirement that all consent to collect and use personal data be upfront and explicit, and a “right to be forgotten” — the ability of users to erase (at least some of the) information held about them by others (to some extent, the “right to be forgotten” is to the Commission proposal what “Do Not Track” was to the December 2010 FTC privacy report — a small section that received outsize media coverage and attention from stakeholders). It also called for stronger powers for regulators, including expanded jurisdiction and the ability to obtain fines as high as 5% of global revenues for privacy violations (for a large international company, this could easily run to the hundreds of millions of dollars, though the legislation does include language that the penalty must be “proportional” to the scope of the violation). In response, many (especially in the United States) criticized the heightened user protections as being unworkable and unduly burdensome on industry; the United States Department of Commerce reportedly lobbied extensively to have the legislation revised prior to formal introduction.
Good Faith Effort
The version released by the Commission last week does address many of the criticisms that had been leveled, and appears to be a good faith effort to find middle ground between user’s rights, practical implementation and the costs imposed on businesses. For example, the compromises include a less prescriptive data breach rule and a 60% decrease in the maximum penalties a regulator can levy. The legislation still has its critics from both civil society, industry, and member state Data Protection authorities, and there will be intense lobbying as the bill is debated and amended in the European Parliament and Council over the next two years (at least). CDT supports the aims of the proposed legislation, but there remain significant issues that need to be addressed in the current text. We will be putting out more detailed analysis of the particulars of the bill — along with suggested amendments — in the weeks to come.
(A side note to all this is that many online privacy issues may not be much affected by this new law. In 2002, the European Union passed a specific law on e-Privacy that governs issues like cookies and online behavioral tracking. Of course, the Data Protection Regulation could be revised to specifically supersede the e-Privacy Directive if officials believe the Regulation is sufficiently robust to address the areas the Directive was written to address. For example, Vice-President Neelie Kroes, Commissioner for Europe’s Digital Agenda, has endorsed “Do Not Track” as a possible global solution to clear up the substantial uncertainty around the e-Privacy Directive and potential conflicts among European --and other-- laws governing online tracking.)
Although the particulars are still being worked out, the legislative proposal makes significant progress on the Commission’s primary focus of giving users strong, consistent protections across the Union. It represents a frank admission that the strong principles contained in the 1995 Data Protection Directive haven’t been implemented in a consistent and effective manner in practice to protect users, and that more rigorous laws are needed. If successful, the new regulation will better secure user data while offering companies a clear, predictable path to regulatory compliance; at worst, this same scenario could be playing out in another 20 years, as another Commission tries to find a new legal means to protect personal information across Europe.
- Lungren Cybersecurity Bill Takes Careful, Balanced Approach - 02/02/2012 11:44 AM
Legislation to promote information sharing for cybersecurity purposes was marked up and reported out favorably – and unanimously – on February 1 by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. The bill, sponsored by subcommittee chairman Dan Lungren (R-CA) and formally titled the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act (PRECISE Act, H.R. 3674), balances cybersecurity, innovation, industry and civil liberties concerns, and CDT supports the legislation. I testified about a draft of the bill in December. Amendments adopted by the Subcommittee further improved the bill. In our view, the Lungren bill is far preferable to the Cyber Intelligence Sharing and Protection Act (CISPA, H.R. 3523) reported in December by the House Permanent Select Committee on Intelligence. There is widespread agreement that ISPs and other operators of computer networks need clearer legal authority in order to be able to share with each other – and with the government – signatures and other information about suspected attacks on their networks. However, since we are talking about privately-owned and operated networks that carry personal communications, any sharing of information must be carefully controlled. The core provisions of the PRECISE Act would promote information sharing for cybersecurity purposes by creating a narrow cybersecurity exception to all potentially applicable laws, including all privacy laws. The Act would establish a non-profit, quasi-governmental National Information Sharing Organization to serve as a national clearinghouse for the voluntary exchange of “cybersecurity threat information,” taking in reports, and sharing them back out, among the federal government, state and local governments, and industry. We believe that NISO, a privately-run information sharing hub, is likely to be more effective at quickly responding to cybersecurity threats – and would pose fewer civil liberties risks – than would a government-run information sharing hub. While the NISO board of directors would have governmental representatives and representatives of privacy interests, it would be dominated by industry. The bill promotes information sharing while protecting privacy and civil liberties by: - carefully defining the types of cyber threat information that can be shared through the clearinghouse;
- specifically requiring that personally identifiable information not necessary to describe a cyber threat may not be shared with and by the clearinghouse;
- restricting to cybersecurity purposes the use and disclosure of the information shared with and by the clearinghouse;
- creating a limited private right of action for persons injured by the disclosure or use of information for other than cybersecurity purposes when such conduct is willful or intentional, and is not in good faith;
- limiting law enforcement use of information shared for cybersecurity purposes to prosecute only cybersecurity crimes, thus helping to ensure that cybersecurity information sharing does not become a back door wiretap or surveillance program;
- avoiding giving the government authority to shut down or limit Internet traffic in a cybersecurity emergency; and
- cementing DHS as the lead federal agency for cybersecuirty for the civilian government and private sectors, instead of putting the National Security Agency or DOD’s new Cybercommand in this role.
This approach is far preferable to the one taken in the Cyber Intelligence Sharing and Protection Act, H.R. 3523 about which I blogged in December. Both bills would invite elements of the intelligence community to share classified threat information with cleared companies. But CISPA creates uncertainty for companies, and threatens privacy, by vaguely defining the information that can be shared. CISPA fails to specify that only information pertaining to a known or suspected attack or attack probe can be shared. Therefore, broadly read, CISPA could permit the sharing of an entire communications stream or all of the traffic over a system. CISPA also threatens privacy by failing to limit use of the information shared to a cybersecurity purpose. As amended, once a governmental agency puts to any national security or cybersecurity purpose the communications information it receives under the bill, it can then use those communications for intelligence surveillance, the investigation and prosecution of any crime, and for any other non-regulatory purpose. Moreover, unlike the PRECISE Act, the structure and incentives in the CISPA bill raise a very real possibility that the NSA or DOD’s Cybercommand would become the primary recipient of communications information shared by ISPs and others in the private sector. This would permit a radical change in national cybersecurity policy from civilian control to the military. Congress needs to make a choice: cybersecurity information sharing should be about protecting computers against cyber attacks – it should not also be a back door wiretap and intelligence surveillance tool. By failing to include a meaningful restriction on use of cyber threat information shared with the government, and by failing to make it clear that DHS will remain the focal point of civilian cybersecurity efforts, CISPA invites abuses that protections in the PRECISE Act should prevent. In addition to facilitating information sharing, the PRECISE Act will also help companies and the government do a better job of protecting their networks, but without the heavy handed approach that has characterized cybersecurity legislation in the Senate. The regulatory framework in the PRECISE Act has a light touch, risk-based approach more likely to protect innovation than its Senate counterparts, the Cybersecurity and Internet Freedom Act (S. 413, 112th Cong.) and the Cybersecurity Act (S. 773, 111th Cong.) The PRECISE Act would authorize DHS to work with the private sector and regulatory agencies to identify internationally recognized, consensus developed risk-based performance standards to address cybersecurity risks. DHS would then work with existing regulatory agencies to include risk-based performance standards in the regulatory regimes applicable to the covered critical infrastructure, thus ensuring that companies are not put in the middle between a DHS requirement and a different requirement imposed by a company’s regulatory agency. This approach seems more likely to protect cybersecurity innovation than the more directive approach that has to date characterized the Senate bills. The PRECISE Act is a welcome addition to the growing constellation of cybersecurity bills pending in Congress. While the bill is not perfect and CDT will be working to further improve the legislation, it is off to an excellent start.
- For Twitter, Limiting Tweets Beats No Tweets - 01/27/2012 08:09 PM
Earlier this week, Twitter announced that it will begin making certain Tweets inaccessible to users in countries where the content of those Tweets is illegal. In announcing its new policy, Twitter was acknowledging the challenge that all global social media sites face: governments ask tech companies to comply with local content laws and if these companies refuse to comply, they risk being blocked from the country entirely, further limiting information that citizens can access. If the company has employees on the ground, refusal also risks legal charges against employees. This, of course, raises a well-worn question: are human rights better served when a platform restricts some content in order to remain in a country, or when it resigns itself to a nationwide block of its service?
Reasonable minds will differ on the answer to this question. But it is easy to forget that you need not look as far as China to see how differences in speech laws can complicate things for global user-generated content platforms: France and Germany restrict hate speech in ways that are acceptable under human rights law, and companies cannot simply ignore these legitimate differences in law when operating outside the US.
For those companies that decide that the rights of users in a specific country are better served by allowing some information, even if not all information, to flow, the critical question becomes how these companies comply with local laws. Indeed, the Global Network Initiative (of which Twitter is not a member) has crafted principles and guidelines to help companies sort through these very questions. Twitter's newly announced policies seem consistent with these guidelines so far.
For example, the GNI asks companies to narrowly tailor their responses to government demands that they censor user expression. Rather than deleting a Tweet for the entire world when they receive a government request, Twitter is now limiting the impact of its action to only the local jurisdiction in which the takedown is required. Users in other countries will still be able to view and interact with the Tweet in question. Also, Twitter will only be complying with government requests when the content in question is in fact a violation of local law, and when the request comes through proper legal channels. Finally, we have learned from Twitter that every request will be reviewed, and Twitter will not proactively monitor or delete tweets.
GNI also asks companies to be transparent when they restrict content so that users know that their governments are limiting expression. Here, Twitter is making an effort to be transparent about what Tweets have been withheld, and at what government's request. Twitter is also partnering with Chilling Effects to shed more light on such restrictions. Transparency is vital for empowering citizens to hold their own governments to account. We’d love to see Twitter follow Google’s example here with a more robust transparency tool that enables advocates to better monitor government actions.
It is understandable that Twitter's users may be upset by this week's announcement: Twitter has so far been a stalwart defender of free expression and users may question whether this new policy represents a fundamental shift in Twitter’s values. To be clear, users are right to ask whether Twitter will continue to stand up to illegitimate government demands and it is up to Twitter to credibly demonstrate its commitment to free expression and its users. Tech companies have a responsibility to challenge laws that violate human rights norms, minimize the potential human rights harm that might flow from their business, and to work with civil society and others to change bad laws where they can. But it seems that, faced with real challenges about how to operate in a global legal environment awash with tricky ethical questions, Twitter has adopted a thoughtful, measured policy. Twitter’s users will have to continue to hold Twitter accountable to its core principles as we see how this policy plays out in practice.
- New Book Proposes Open Internet Policies for Latin America - 01/27/2012 01:26 PM
A modified version of this blog post was originally published on Global Voices Advocacy. Last week, the Center for the Study of Free Expression (CELE) at Argentina’s University of Palermo released Towards an Internet free of Censorship: Proposals for Latin America [Hacía una Internet libre de censura: Propuestas para América Latina] . With contributions by leading policy experts from Brazil, Chile, Colombia, Puerto Rico, and the U.S., the book addresses some of the most pressing challenges facing Latin American digital rights advocates today. Drawing on current debates in five of the region’s strongest economies—Argentina, Brazil, Chile, Colombia, and Mexico—all of which boast high Internet penetration rates for Latin America, contributors provide a sketch of legislation, judicial decisions, and policies that affect free expression and privacy online. CDT’s Cynthia Wong, James Dempsey, and Ellery Roberts Biddle co-authored the final chapter of the book, which places current policymaking debates in Latin America into broader international context. Book editor and CELE Executive Director Eduardo Bertoni writes: El debate global sobre la regulación en Internet ha evolucionado desde aquella pregunta inicial acerca de si es necesaria y deseable alguna regulación en la red. […] Los artículos de esta publicación abordan [estos temas] no con la idea de arribar a soluciones últimas, sino con la intención de plantear algunas de las cuestiones legales involucradas en estos temas y pensar el efecto que pueden tener estas políticas sobre la libertad de expresión. The global debate about regulation on the Internet has evolved out of the initial question of whether it is necessary or desirable to regulate the web. […] The articles in this book broach [this issue] not with the goal of finding ultimate solutions, but rather with the intention of posing certain relevant legal questions and contemplating the effect that [regulatory] policies can have on free expression. The book’s authors urge policymakers to rely on international and regional human rights instruments—the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the American Convention on Human Rights—as crucial sources of guiding principles in making policy for the digital age. Underlying much of the analysis and discussion in the text are three fundamental questions: - When Internet users post content, store personal data, and search for information on the web, what are their rights and responsibilities?
- How can governments protect citizens’ rights to privacy and free expression while still upholding defamation and copyright law and ensuring that law enforcement officials can carry out legitimate criminal investigations online?
- What role do Internet intermediaries—ISPs, search engines, or platforms for user-generated content, such as YouTube or WordPress—have in implementing government policy?
Numerous debates surrounding Internet regulation in Latin America focus on copyright violations and threats to honor or reputation (also known as defamation). Many courts in the region take these infractions seriously (both on and offline), and some legislators argue that they justify implementing tighter regulations on Internet activity. In Colombia, the proposed (though currently shelved) Lleras Law would allow copyright holders to demand that Internet Service Providers (ISPs) remove infringing content from the web, a process known as “notice-and-takedown.” Under current Colombian law, ISPs can only be required to remove content if they receive an order from a judge. But Ley Lleras would eliminate this requirement, leaving ISPs with the burden of determining whether or not takedown requests were valid. Internet search engines also have been held liable for providing access to defamatory content. In Argentina, singer Virginia da Cunha filed a defamation suit against both Google and Yahoo! Argentina, after the companies had denied da Cunha’s request that they filter (remove) search results for her name that led to sexually explicit content. A judge initially ruled in the singer’s favor, but an appellate court later overturned the decision. Contributing authors Claudio Ruiz [es] and Juan Carlos Lara, of the Chilean NGO Derechos Digitales, warn that under the Lleras Law, ISPs likely would comply with most takedown requests before fully considering their validity, as the alternative could leave them vulnerable to prosecution. The da Cunha case could have led to a similar result, where search engines would agree to filter results upon request, so as not to risk punishment. These examples illustrate the need to protect intermediaries from liability for content created by their users. Brazilian legal scholar Joana Varon and her co-authors, all researchers at the Centro do Tecnologia e Sociedade, discuss these issues in a chapter on content filtering. Although there is little evidence that Latin American governments (with the exceptions of Cuba and Venezuela) engage in widespread filtering, legislators have considered various filtering mandates that would combat copyright violations and defamation online. But the authors note that there is a problem with this approach: …técnicas de filtrado no son precisas…es casi imposible bloquear solo un determinado contenido sin afectar otros…[A]demás, muchos de esos mecanismos utilizados para regular y censurar información son cada vez más sofisticados, utilizando…muchas camadas de control que generalmente están escondidas del usuario común, quien probablemente ni se dará cuenta de que la información a la que accede ha sido objeto de filtrado. …filtering techniques are not precise…it is nearly impossible to block only one type of content without affecting others. Furthermore, many of the mechanisms used to regulate and censor information are becoming more sophisticated every day, employing technical control methods that are generally hidden from the common user, who probably doesn’t even realize that the information she accesses has passed through a filter. Other contributors include Universidad de los Andes scholar Lorenzo Villegas, who describes the challenges of protecting personal data in the digital age, and Eduardo Bertoni, who discusses the issue of jurisdiction in defamation cases where the poster of the defamatory content is located in one jurisdiction and the offended party is in another. Towards an Internet free of censorship also features articles by George Washington University Professor of Law Dawn Nunziato, Derechos Digitales' Alberto Cerda, and University of Puerto Rico legal scholar Hiram Meléndez Juarbe. The book’s final chapter, authored by CDT staff, notes that the issues being debated in Latin America are very similar to those raised elsewhere in the world, a convergence that is not surprising given the global nature of the medium. However, while policymakers around the world are confronting the issues of free expression, privacy, copyright protection, defamation, and government power, approaches vary substantially from region to region, and country to country. Some have turned towards repression, jeopardizing not only human rights but also economic innovation and human development. As the book shows, Latin American policymakers have looked to both Europe and the U.S. when debating these issues. But they also have the unique advantage of working in a region where country-to-country relations are generally friendly, and legislators often are able to “borrow” policy solutions from one country and apply them in another. Towards an Internet free of censorship aims to take advantage of this cooperative dynamic by initiating new conversations, collaborations, and policy initiatives that will help to protect and strengthen online free expression, freedom of information, and privacy throughout Latin America. Note: Towards an Internet free of censorship is currently available for download at the CELE website. An English translation will be complete and available for download in the coming months.
- The Danger of Caricaturing Opposition to PIPA and SOPA - 01/26/2012 04:05 PM
Last Friday, two days after the massive January 18th online strike protesting PIPA and SOPA, CDT Senior Policy Counsel David Sohn appeared on TechCrunch TV to debate Viacom General Counsel Michael Fricklas in a segment entitled “Can SOPA Be Fixed Or Should It Stay Dead?” Viacom has been a proponent of PIPA and SOPA, while CDT has been a steadfast opponent. In his opening remarks, Fricklas stated, "I've never, in my experience, seen such a disinformation campaign, and a disconnect between what is being said about [SOPA], and what's actually in the bill." In the discussion that followed—which TechCrunch published in three parts (Part I, Part II, Part III)—Sohn explained point by point why the bills imperiled the open Internet, are likely to be ineffective at stopping piracy, and why they would be detrimental to cybersecurity. Without employing any of the hyperbole the bills’ supporters have ascribed to the opposing side, Sohn convincingly demonstrated why such an enormous swath of the Internet community—from engineers, to VCs, conservative and liberal advocacy groups, and millions of Internet users—have opposed the bills. Has there been heated rhetoric? Sure. But concerns with this legislation are real and fundamental. The debate displayed a major disconnect of its own. On one hand, you had a nuanced argument of why the bills are ill conceived (and, therefore, why so many people and organizations have stood against them). On the other hand, there was a dismissal of the opposition as a byproduct of a “disinformation campaign.” Taking this argument a step farther, Michael O’Leary, Senior Executive Vice President for the MPAA—the leading crusader in the push to get PIPA and SOPA passed—recently said in an interview with Entertainment Weekly: I think it’s not a big secret that [the negative response to the bills] was driven mostly by Google. When this debate moved from Congress to the Internet, they control the platform there. They control the means of communication in that space. They used it without any discretion or without any restraint. What you had was this campaign of misinformation which, frankly, caused the reaction that you saw. This isn’t the first time we’ve heard this talking point, and it probably won’t be the last. But it’s just not tenable to credit the vast opposition over the past months to a top-down, misinformation campaign emanating from one company. For one thing, it fails to acknowledge substantive arguments from scores of Internet experts on why PIPA and SOPA are bad ideas. For example, does the MPAA mean to imply that Sandia National Labs was conspiring with Google when it wrote this letter? It also completely misrepresents the nature of the opposition. There’s no denying the impact of Google’s participation on January 18th . According to Google, the company received over seven million signatures on its petition that day. But let’s consider some other numbers. According to Fight for the Future, that organization, combined with EFF and Demand Progress (all three of which are nonprofits), generated more than three million emails to Congress on the 18th. These kinds of contacts really matter—you can bet Congressional offices are more responsive to direct messages from constituents as opposed to petition signatures. Further, Fight for the Future estimates that 115,000 websites participated in the strike. Then there was Wikipedia, which made public its deliberation regarding whether to black out its site long before Google’s plans were known. In a press release, Wikimedia Foundation stated, “More than 8 million U.S. readers looked up their Congressional representatives through Wikipedia to protest [PIPA and SOPA on the 18th].” Reddit was the first site to officially announce it would go dark on the 18th, and it was on Reddit that users organized a boycott of Go Daddy that eventually forced the company to flip its support of SOPA. There was also the NY Tech Meetup rally outside the offices of Senators Chuck Schumer and Kirsten Gillibrand; the 87,000 phone calls Tumblr generated to Congressional offices on November 16th; and the 2.6 million tweets with the hashtags #SOPA and #PIPA that were sent out on January 18th alone. The list goes on. I’m not sure it is possible to thoroughly document all the numbers, all the ways in which people have protested PIPA and SOPA, from YouTube videos, to blog posts, to social media messages. The movement was too diverse, with calls to actions originating from an untold number of sources. But that’s the nature of a grassroots movement. It’s not top down—it can’t be fully organized, controlled, or even attributed to a single set of motives. In a blog post published on January 16th, CDT wrote: In the long fight to try to preserve the open Internet… a fight that preceded PIPA and SOPA and will continue far into the future—politicians and content companies may one day look back on this as the moment the open Internet woke up and decided to fight back. The implications are clear: Anyone who attempts to stifle the open Internet must contend with the millions of Internet users prepared to defend it. The MPAA would be wise to embrace the fact that there is a commonality of interest in protecting the open Internet among an extraordinarily diverse set of actors that includes millions of Internet users and transcends political divides. It is far bigger than any single company, and to pretend otherwise is to risk repeating the same mistakes that were made with PIPA and SOPA.
- Global Policy Weekly - January 26, 2012 - 01/26/2012 03:13 PM
CDT's Global Policy Weekly highlights the latest Internet policy developments and proposals from around the world, compiled by CDT's Global Internet Freedom Project. Subscribe to Global Policy Weekly by clicking the RSS icon on the right. FREE EXPRESSION INDIA: Internet giants contest censorship order
Twenty-one Internet companies have been asked by an Indian court to censor objectionable content. The companies, which include Google and Facebook, have petitioned the Delhi High Court to rule on the case. Their hearing will take place in February. POLAND: Officials to sign onto ACTA, despite public outcry
Polish officials will soon sign the copyright treaty known as ACTA, or the Anti-Counterfeiting Trade Agreement, in spite of protests by digital rights advocates and attacks on government websites carried out by hacker organizations. Read Global Voices' coverage of protests against the agreement. TUNISIA: Internet Agency challenges order to filter pornography
A court in Tunis has ordered that the Tunisian Internet Agency (ATI) begin filtering pornographic websites. ATI has contested the order, arguing that Tunisians already have adequate tools for removing pornography from their online searches. "[D]esperate to to put an end to its old image as an Internet censor during the rule of Ben Ali, [ATI] prefers to raise the awareness of Internet users, and especially parents by giving them practical tips on the use of parental control software instead of blocking websites." Read Global Voices coverage of the debate. INTERNET OPENNESS US/Hong Kong/New Zealand: Jurisdiction and the MegaUpload case
After last week's public uproar over SOPA/PIPA, the FBI seized the servers and domain names of the file locker site, MegaUpload. Ars Technica explains how jurisdictional norms allowed the FBI to seize the servers of a Hong Kong-based website. Ireland: Irish SOPA? Not quite.
A new law in Ireland, which has been dubbed "Irish SOPA," will allow copyright holders to file injunctions with a high court if they suspect that their property has been infringed upon. Courts will then be able to order ISPs to block the offending websites. Coverage from Wired here. PRIVACY EU: Reding releases data protection draft bill
EU Justice Commissioner Viviane Reding released the much-anticipated draft bill that will overhaul the EU's 1995 Data Protection Directive. The draft bill proposes a general framework for data protection in the EU, as well as a "separate directive on safeguarding personal data that is processed by judicial authorities for purposes that include investigation of criminal offences." It also includes a "right to be forgotten" provision. The response from businesses has been mixed thus far, with several UK companies criticizing the bill, calling the reforms "impossible to enforce." Read The Register's draft summary here. Read more on the 'right to be forgotten' provision here. EU/US: Commerce Department criticizes DPD reforms
The US Department of Commerce has criticized reform proposals for the EU Data Protection Directive, arguing that prospective regulations could "hinder commercial interoperability and be even counter-productive for consumer privacy protection." Read more here. EU: Neelie Kroes likes "Do Not Track"
Neelie Kroes blogged this week on why 'Do Not Track' (DNT) is good for the EU. She writes: "I am convinced that DNT can become a very successful standard, along with the other standards that have made the web what it is today: global, open and interoperable and in keeping with the generative end-to-end principle that has made the web such a phenomenal success. This is about empowering the citizen, by putting control in the hands of the user in a way that is fair and transparent." EU: The Art. 29 Data Protection Working Party will hold its 84th meeting on the 1st and 2nd of February in Brussels. A draft agenda for the meeting is summarized here. Spain: Spain's data protection authority is holding a public consultation on cloud computing that will remain open until January 27. Service providers and users are welcome to submit comments. Read more about the consultation here. The consultation form is available (in Spanish) here.
- Google's Privacy Policy Change: Initial Thoughts, Broader Issues - 01/25/2012 03:40 PM
There's a lot that could be said about Google's new privacy policy, which the company announced yesterday. Here are some initial thoughts about the policy and the broader issues raised by the integration of Google's products:
Google's decision to consolidate its privacy policies and drastically reduce the number of policies it uses across its products is a good step toward greater transparency. The new policy is explicit: many Google products have been functionally merged. It is our understanding, however, that Google is maintaining the Chinese wall between data it collects from logged-in users and data collected by DoubleClick -- a wall that deserves to be maintained. It is also worth noting that the new policy does not change users' current privacy settings - whether on YouTube, Google+, or Picasa.
The integration of Google's products re-emphasizes the importance of educating users about taking full advantage of the privacy controls the company offers: how to use "Incognito Mode" in the Chrome browser to keep logged-in sessions distinct from logged-out ones, how to change privacy settings through the privacy dashboard, and how to opt out of interest-based advertising. Google needs to continue developing user control tools and make them easy to find and use, and it should get those tools out to users as soon as this new privacy policy goes into effect.
We are concerned that the integration of Google services includes the Chrome browser. Moreover, Google has not promised to cabin off the Android web browser and Android OS. Special caution should be exercised with data from Chrome and Android because these two products see a lot and users are using them as platforms to connect with other services outside Google. We have similar questions about how sensitive data collected from Gmail could be correlated in the future.
In terms of future use, the drive toward simplicity may have made the new policy too broad. It talks about what Google may do with its integrated user data, meaning it does not foreclose future uses.
Google's announcement serves as a reminder that privacy is not just about privacy policies - it is about data collection and use. All companies should be minimizing collection and correlation of data that doesn't truly need to be collected or correlated.
Finally, Google and other companies should ensure it remains easy for individuals to continue to take advantage of services as unidentified, logged-out, users. In addition to protecting the logged-out experience, Google has also said that it is committed to maintaining the pseudonymous Internet experience.
- Report from the Internet Privacy Workshop - 01/23/2012 01:44 PM
It’s been a long time coming, but last week saw the publication of RFC 6462, the Report from the Internet Privacy Workshop. The workshop, which was jointly hosted by the Internet Architecture Board (IAB) and others in December 2010, brought together experts from industry and the Internet standards community to better understand the role of privacy in Internet standardization work. The workshop report provides a useful overview of fundamental privacy design challenges that appear again and again: the increasing ease of user/device/application fingerprinting, unforeseen information leakage, difficulties in distinguishing first parties from third parties, complications arising from system dependencies, and the lack of transparency and user awareness of privacy risks and tradeoffs. The report also identifies a number of barriers to successful deployment and analysis of privacy-minded protocols and systems, including the difficulty of using generic protocols and tools to defend against context-specific threats; the tension between privacy protection and usability; and the difficulty of navigating between business, legal, and individual incentives. The IAB has been leading an effort within the Internet standards community to better conceptualize how privacy is addressed within Internet standards development. By exploring privacy challenges as they exist on the Internet today, the workshop report provides a foundation for this and other efforts to build on.
- Global Policy Weekly - January 22, 2012 - 01/22/2012 09:43 PM
CDT's Global Policy Weekly highlights the latest Internet policy developments and proposals from around the world, compiled by CDT's Global Internet Freedom Project. Subscribe to Global Policy Weekly by clicking the RSS icon on the right. INTERNET OPENNESS AND FREE EXPRESSION India: A private citizen in New Delhi has filed a lawsuit alleging that Internet intermediaries such as Google and Facebook have illegally hosted material that offends India's religions and demanding that Internet intermediaries pre-screen and filter user-generated content. The punishment for such crimes is financial penalty or jail time. Google and Facebook have petitioned to quash the suit and the Delhi High Court recently postponed hearings on these petitions until February. The companies have pointed out that India's Information Technology Act of 2008 states that Internet intermediaries cannot be held liable for information posted by 3rd parties. Under the law these companies must, however, remove specific content that is "ethically objectionable," blasphemous," or "grossly harmful" where they have been notified of its existence. A judge reviewing the case did state that "like China," India might decide to block websites that host offensive content. Germany: The Administrative Court of Dusseldorf has ruled that German ISPs are not required to block access to foreign gambling sites that are illegal under German law. The Court's finding was based on its interpretation of Europe's E-Commerce Directive, which offers protection from liability for certain Internet intermediaries. Netherlands: A Dutch Court has ordered two ISPs to block Pirate Bay, a site where users share (sometimes illegally distributed) film and music files. The two ISPs, Ziggo and XS4ALL, had refused to accommodate copyright holder organizations that were pressuring them to block access to Pirate Bay. The Court held that due to the "reciprocal" nature of the Bit Torrent protocol, users who were downloading copyrighted files (which is not illegal under Dutch law) were also uploading such files (which is illegal). Global: Recent protests against two proposed US copyright laws, SOPA and PIPA, received international attention. The Sydney Morning Herald gave space to the protests and the fate of the bills, and even Chinese bloggers are discussing the blackouts on sites across the web. PRIVACY Europe: Europe is preparing for a Wednesday announcement of new data protection regulations. While the regulations are expected to be similar to the draft regulations that were leaked in December, some of the details of the regulation are expected to have changed. Hungary: The European Commission has launched enforcement actions against Hungary, where a new constitution has gone into effect. The Commission believes alleges the data protection authority under the new constitution is not sufficiently independent.
- The Open Internet Fights Back - 01/16/2012 03:53 PM
UPDATES BELOW Major developments have been coming fast and furious in the battle over PIPA and SOPA, the highly controversial online piracy legislation that proponents have been trying to hurry through Congress. Senate Majority Leader Harry Reid (D-NV) still says he wants to bring PIPA up for a vote on the Senate floor next week. But with the White House now joining the online community in urging caution, it should be clear that it’s time for both the Senate and the House to step back and reconsider some fundamental issues. Let’s review what has transpired in the past week. For a number of weeks now, opposition to the bills has been spreading like wildfire on the Internet, with major social media websites and communities spreading the word and thousands upon thousands of Internet users contacting their elected representatives. It has been a historic mobilization. On Saturday, the White House officially weighed in. In an official response to two anti-SOPA petitions hosted on Whitehouse.org, each of which received over 50,000 signatures, the Administration stated that it would oppose any IP legislation that risks online censorship of lawful activity, inhibits innovation, or creates new cybersecurity risks. It warned that DNS filtering provisions, featured in both SOPA and PIPA, “pose a real risk to cybersecurity and yet leave contraband goods and services accessible online.” It offered important principles for legislation in this area, such as being “narrowly targeted only at sites beyond the reach of current U.S. law” and “prevent[ing] overly broad private rights of action.” And it called for additional online discussion and public input concerning how best to proceed. Meanwhile, in the House, Judiciary Chairman and SOPA author Lamar Smith (R-TX) announced that he would drop DNS-filtering from SOPA. And Rep. Darrell Issa (R-CA), who along with Sen. Ron Wyden (D-OR) coauthored the OPEN Act as a more sensible alternative to PIPA and SOPA, announced he would postpone a scheduled hearing examining problems with SOPA after receiving assurance from House Majority Leader Eric Cantor (R-VA) that SOPA would not move to the floor without the House first addressing outstanding issues and building a more consensus-based approach. “The voice of the Internet community has been heard,” noted Issa. In the Senate, PIPA author and Senate Judiciary Chairman Patrick Leahy (D-VT) released a statement proposing the bill’s cosponsors amend PIPA so the effects of DNS-blocking could be studied before it is implemented. But even as he did so, six Republican Senators—Chuck Grassley (IA), Orrin Hatch (UT), Jeff Sessions (AL), John Cornyn (TX), Mike Lee (UT), and Tom Coburn (OK)—wrote a letter to Reid requesting he delay his attempt to move PIPA to a Senate floor vote. Grassley and Hatch are listed among the bill’s 40 cosponsors. Sen. Pat Toomey (R-PA) went on record saying he is unlikely to support PIPA as it now stands. And Sen. Mark Udall (R-CO) declared he would oppose the passage of PIPA if it were not improved, as did Sen. Ben Cardin (D-MD). In short, it should be clear that the ground has shifted. Serious concerns have been raised about PIPA and SOPA. Those concerns can no longer be dismissed. It’s time to take a step back. Legislation may well be possible, as the White House statement suggests, but it needs to start with a fresh look. Nonetheless, Reid has said he will attempt to move PIPA to a floor vote on January 24th. To do this, he needs 60 votes; if he succeeds, PIPA will almost certainly receive the 51 votes on the floor it needs to pass. (For more on this legislative process, read this post from Public Knowledge.) It should be noted that on Meet the Press this Sunday, Reid said he expected a manager’s amendment that would make some changes to the bill, but at this stage it is unknown exactly what changes would be made. This Week - “Going Dark” The concerns that have been expressed are too serious to try to address on the fly in a hurried manager’s amendment, without the benefit of any further hearings or the kind of input the White House statement suggests. In an effort to pressure the Senate to postpone its premature action—and to protest the slanted process by which PIPA and SOPA have advanced through Congress—CDT and a host of major websites are planning to “go dark” on January 18th. This extraordinary event, which was kicked off by Reddit and will include Wikipedia among its participants, is a rallying cry. Momentum is on our side; the next step is applying pressure on the Senate to ensure that on January 24th PIPA, as it currently stands, does not move to a Senate floor vote. In the long fight to try to preserve the open Internet and resist calls to compel online intermediaries to police their content and suppress free expression—a fight that preceded PIPA and SOPA and will continue far into the future—politicians and content companies may one day look back on this as the moment the open Internet woke up and decided to fight back. The implications are clear: Anyone who attempts to stifle the open Internet must contend with the millions of Internet users prepared to defend it. But this particular fight is not yet over. Everyone who cares about the future of the Internet must keep the pressure up and let the Senate know, before January 24th, that they oppose PIPA. UPDATE I -- January 17th CNET reports that Google will throw its weight behind the day of protest tomorrow by posting a link on its home page to notify users of the company's opposition to PIPA and SOPA. And we can now add Sen. Scott Brown (R-MA) to the growing group of Senators who've said they will vote "No" on PIPA as it currently stands. UPDATE II Smith announced today that the markup of SOPA, which was delayed last month, will resume in February. UPDATE III Sen. Robert Menendez (D-NJ) said in a tweet that he is "working to ensure critical changes are made to [PIPA]." UPDATE IV -- January 18th Four more Senators have come out today against PIPA, as it currently stands. On Facebook, Sen. Marco Rubio (R-FL) posted that he was withdrawing his cosponsorship of the bill. Sen. Jim DeMint (R-SC) announced on Twitter that he opposes PIPA. In a press release, Sen. Mark Kirk (R-IL) stated, "I stand with those who stand for freedom and oppose PROTECT IP, S.968, in its current form." Sen. Roy Blunt (R-MO) announced the following on Facebook: "Senate Leader Harry Reid is pushing forward with legislation that is deeply flawed and still needs much work. That is why I’m withdrawing my co-sponsorship for the Protect IP Act." UPDATE V Sen. Jeff Merkley (D-OR) tweeted the following: "Thanks for all the calls, emails, and tweets. I will be opposing #SOPA and #PIPA. We can't endanger an open internet." UPDATE VI Sen. John Boozman (R-AR) just posted a statement on Facebook: "I am announcing today that I intend to withdraw my support for the Protect IP Act." Boozman was a cosponsor. UPDATE VII The Hill reports that Hatch is the latest to drop his cosponsorship of the bill. The Senator says he will also vote against moving it to a floor vote on January 24th. UPDATE VIII -- January 19th For the latest developments in the Senate, visit OpenCongress, where we are helping to keep a detailed whip count.
- Global Policy Weekly - January 12, 2012 - 01/12/2012 01:07 PM
CDT's Global Policy Weekly highlights the latest Internet policy developments and proposals from around the world, compiled by CDT's Global Internet Freedom Project. Subscribe to Global Policy Weekly by clicking the RSS icon on the right. INTERNET OPENNESS AND FREE EXPRESSION Iran: new ID regulations for Internet users; national intranet to launch in February
Iranian government officials announced new regulations this week that will require Internet cafe owners to collect and store customer information including a user's name, his or her father's name, contact information, and national ID number. According to WSJ, "The Iranian judiciary announced last week that any calls to boycott elections, delivered on social-networking sites or by email, would be considered crimes against national security." By February, the government will have launched its national intranet, which reports hold will eventually take the place of the global Internet, which will be shutdown in Iran once the intranet is fully functional. Spain: US pushed Spanish lawmakers to pass the "SOPA of Spain"
Under Spain's new Sinde Law, which was enacted on December 30, 2011, copyright holders can file infringement claims with a government commission that will identify and hold responsible the infringing party, but can go as far as to block the website where the infringing content was posted. El Pais reports that Spanish officials received considerable pressure to pass the law from the Office of the US Trade Representative, which had threatened to return Spain to a 'priority watch' list of intellectual property rights violators. PRIVACY South Korea may overhaul resident registration number ID system
Korean legislators are working to repeal a law passed in 2007, requiring that websites with over 100,000 users collect the names and resident registration numbers of their users. Resident registration numbers can be used to track personal information ranging from credit card numbers to one's blood type. The policy has led to a series of massive data breaches, causing anger among citizens, and moving legislators to reconsider the merits of the law. EU: 2012 Priorities for European Data Protection Supervisor
A press release from the office of European Data Protection Supervisor Peter Hustinx identifies four major priorities for 2012: the revision of the EU data protection framework; technological developments in the digital agenda; IP rights and the Internet; and continued development in the area of freedom, security and justice, and financial sector reform. COE
The COE Consultative Committee held a meeting on the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, from November 29-December 1 in Strasbourg. The report from the meeting is available here. GOVERNMENT SURVEILLANCE Argentina: National ID system to incorporate biometric data
Argentina's Federal System of Biometric Identification, created by decree in December by President Cristina Fernandez de Kirchner, will allow authorities to cross-reference biometric data, mainly digitized fingerprints and photographs, with the country's national ID system. The decree authorized federal law enforcement authorities to employ facial recognition technologies when searching the national ID database, in order to more easily identify suspected offenders appearing in photographs or surveillance camera footage. The EFF has joined Fundación Vía Libre, an Argentine NGO, in a campaign against this new policy. OTHER OECD
The OECD has created an Observatory of Public Sector Innovation, which "aims to systematically collect, categorise, analyse and share innovative practices from across the public sector, via an online interactive database." Information about this project is available here. COE in 2012
More in-depth look at the COE's 2012-2013 Programme and Budget: The Programme and Budget introduces a new program under the Rule of Law pillar called "Information Society and Internet Governance." "The standard-setting work of the Council of Europe in this field focuses on freedom of expression, the right to receive and impart information regardless of frontiers, and its corollary freedom of the media, a pre-requisite for democracy as enshrined in Article 10 of the European Convention on Human Rights (ECHR)." This program will also focus on data protection issues, and will develop the COE's strategy for Internet governance for 2012-2015. The fifth and sixth editions of the European Dialogue on Internet Governance (EuroDIG) will be organized prior to the 2012 and 2013 IGFs. (The report from the 2011 EuroDIG meeting is available here.)
- Is Regulating 'Indecent' Broadcast Unconstitutional? SCOTUS Hears Case - 01/10/2012 11:53 AM
Today the Supreme Court will hear arguments in FCC v. FOX to determine whether regulation of "indecent" content on broadcast television violates the First Amendment. This case has been up to the Supreme Court before; in 2009, the Court held that the FCC's decision to fine FOX for broadcasting profanity (called "fleeting expletives") during live award shows (the 2002 and 2003 Billboard Music Awards) was not "arbitrary and capricious", and so did not violate the Administrative Procedures Act that governs how federal agencies can make and change their policies. (CDT filed a brief in both the 2009 and 2011 cases.) This time around, the Court is addressing a different question: whether FCC regulation of indecent (but not illegal) over-the-air content is consistent with the First Amendment. In the 1978 Pacifica case, the Court held that because broadcast media was "uniquely pervasive" in American culture, serving as the principle source for news and entertainment in a time before 500-channel cable packages, and acted as an uncontrollable "intruder" into the home, it was appropriate for the government to put some limits on what type of content could travel through the airwaves. Regardless of whether this rationale made sense in 1978, it no longer applies in the media environment of 2012. As we argue in our coalition brief, the centrality of broadcast content has waned in the face of other content sources (including cable, video-on-demand, and the Internet). At the same time, parents have never had a greater ability to set their own limits and controls on the type of content they believe is most suitable for their families. As the court recognized in Reno v ACLU, user empowerment tools that give individuals the power to set their own content restrictions are a less restrictive means to achieve the goal of protecting children than broad government content regulations of constitutionally protected speech. As the Court considers the arguments it hears today, we urge it to consider the changed technological circumstances of the past three decades, and extend to broadcast content the same level of First Amendment protection afforded to other speech.
- Global Policy Weekly - January 6, 2012 - 01/06/2012 03:30 PM
CDT's Global Policy Weekly highlights the latest Internet policy developments and proposals from around the world, compiled by CDT's Global Internet Freedom Project. Subscribe to Global Policy Weekly by clicking the RSS icon on the right. FREE SPEECH UK: In response to an open letter published by a set of free expression groups, UK Foreign Secretary William Hague has issued a statement of the Coalition Government's position on freedom of expression and the Internet. INTERNET OPENNESS Spain passes anti-Internet piracy law Spain's new law, known as the Sinde law, empowers rights holders to report websites that allegedly host infringing content to a government-run "intellectual property commission." According to the BBC, the Commission will have ten days to "decide whether it wants to take action against an infringing site or the ISPs providing infrastructure to it, and the case will then be passed to a judge to rule on whether the site should be shut down."
Iran: With parliamentary elections approaching in March, Iran has imposed measures that seek to curb Internet expression. New regulations require that Internet cafés store personal information about customers and associate this information with a list of the websites visited by each customer; Internet cafés are additionally required to install security cameras. Internet users have also observed severe slowdowns in Internet speed. Iran also appears to be testing a nationwide intranet, raising concerns that it might be seeking to remove itself from the global Internet. Belarus: Belarus has issued new regulations that both restrict the use of the Internet by local businesses and create new monitoring obligations for internet cafés. SECURITY AND SURVEILLANCE Europe: Europe's "Clean IT Project," whose participants include Europol, the UK's Home Office, Germany's Ministry of the Interior, and national counter-terrorism coordinators for the Netherlands, Belgium, and Spain, is working to develop plans for combatting terrorism online. A draft document issued by the Project recommends that users, ISPs, websites, search engines, and others voluntarily adopt measures that will facilitate law enforcement efforts. For example, the document recommends that service providers "offer users easy to use flagging systems." GRAB BAG
OECD: On December 13th, the Council made a formal Recommendation on the Principles for Internet Policymaking, which incorporated the full communiqué from the June 2011 meeting. The OECD also released a report on broadband access in OECD countries, finding that the continuing increase in broadband subscriptions over the past year has been driven largely by wireless broadband. The OECD Directorate for Science, Technology, and Industry also released a paper entitled Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present, and Future. Additionally in this series of papers on the Digital Economy is a paper on Digital Identity Management for Natural Persons: Enabling Innovation and Trust in the Internet Economy - Guidance for Government Policy Makers. Council of Europe: The Council of Europe has released its 2012-2013 Budget and Action Plan. Under the Rule of Law pillar, within the Common Standards and Policies subject, they will pursue a "new programme line [that] will group the activities relating to media and freedom of expression together with those relating to the Internet." The Plan further states that "[i]n the biennium the priority will be given to the development of standards and policies related to the information society including Internet governance, data protection and media which form a new programme line entitled Information Society and Internet Governance." See pages 86-90 of the linked document.
- The Drones Are Coming - 12/21/2011 02:53 PM
Americans are used to reading about unmanned aircraft flying over the Middle East in search of militants. Soon those eyes will be over American skies as well. This coming spring, the Federal Aviation Administration (FAA) plans to propose rules that will enable civilians to obtain permits to fly drones over the national airspace. Non-military drones can be very useful in a variety of ways – from dusting crops to inspecting dangerous disaster sites – but drones are also powerful surveillance tools. Before unleashing this technology, the FAA must establish basic privacy and transparency rules for domestic use of drones. The FAA should require applications for drone licenses to include a description of how the drone operator intends to handle any information the drone will collect about individuals, and the FAA should make approved drone licenses, along with the licensee’s privacy statement, publicly available. The largest initial U.S. market for drones is our roughly 20,000 civilian law enforcement agencies. Drones with video recording equipment allow law enforcement to patrol the nation’s borders, hunt down suspects, and even monitor “antisocial" driving. From high above, drones are capable of watching an entire town at once, with no need to refuel for a day or more. Drones can be outfitted with facial recognition cameras, license plate scanners, thermal imaging cameras, open WiFi sniffers, and other sensors. Of course, law enforcement agencies will not be the only ones using drones. Potentially anyone from media companies to homeowners’ associations might one day obtain a permit to send a flying video camera into the air and stream the footage onto the Internet. Drones are not terribly expensive – some law enforcement models cost roughly as much as a police cruiser. The combination of effectiveness, low cost, and industry pressure is likely to spur widespread drone use in coming years. The U.S. Supreme Court declared long ago that individuals have no “expectation of privacy” in public places, making people on city streets or open fields fair game for aerial surveillance. The Supreme Court also held that individuals on their own property have no expectation of privacy from police observation from public airspace, meaning that police do not presently need a warrant to peer into a fenced-in backyard with a drone. However, police do need a warrant to use a unique sensory device – such as a thermal imaging camera – on an individual’s home, and some state privacy laws offer weak protection against video surveillance of individuals on private property. Taken as a whole, though, American law currently affords few clearly defined privacy protections when it comes to drones. That is why it is important that the FAA’s upcoming rules for civilian drones include fundamental privacy and transparency standards. The FAA’s current, interim guidelines for unmanned aircraft are silent on these issues. The FAA is charged with managing flight within the domestic airspace “in the public interest.” When aircraft are being used not for transport, but expressly to conduct aerial surveillance, the “public interest” should include basic privacy and transparency considerations. When the FAA proposes new regulations in the spring, the agency should establish – at minimum – two basic requirements: - All applications for an FAA drone license should include a data collection statement defining whether the drone will collect information about individuals and, if so, the circumstances under which it will be used and how the drone operator will handle any information collected about individuals. To establish the outlines of a data collection statement, the FAA does not need to come up with its own privacy framework – it can use the one adopted by the Department of Homeland Security (DHS) in 2008, which spells out the key questions in the planning of any information collection system. Using the DHS framework, an applicant should describe 1) the purpose for which the drone will be used and the circumstances under which its use will be authorized and by whom, 2) the specific kinds information the drone will collect about individuals, 3) the anticipated uses and disclosures of that information, 4) the possible impact on individuals’ privacy, 5) the specific steps the applicant will take to mitigate the impact on individuals’ privacy, such as protections against unauthorized disclosure, 6) the individual responsible for safe and appropriate use of the drone, and 7) an individual point of contact for citizen complaints.
- The FAA should make all approved licenses, with the associated privacy statement of the drone operator, available online to the public in a searchable format. This requirement may have an exception for national security, but not for law enforcement. (Transparency does not require disclosure of the names of targets or the exact times or places of deployment; rather it requires disclosure of the criteria and supervisory controls under which drones will be deployed.)
Law enforcement agencies and their contractors should be subject to extra disclosure requirements. In addition to the above items, law enforcement agencies and their contractors should also disclose 1) the officials who can authorize use of the drone, 2) the applicable data minimization policies barring the collection of information unrelated to the investigation of crime and requiring the destruction of information that is no longer relevant to the investigation of a crime, and 3) the applicable audit and oversight procedures that ensure agencies and their contractors use drones only as authorized, within the scope of the data collection statement, and in compliance with data minimization policies. These requirements alone will not fully protect Americans' privacy from drones. Drone surveillance – whether it is carried out by law enforcement or not – raises significant legal and constitutional issues that deserve serious discussion. However, it is highly unlikely that the FAA will thoroughly address these issues in its proposed rulemaking, nor does the FAA have adequate authority to solve them. The baseline recommendations CDT outlines above are, by comparison, less complex and controversial – essentially we are urging the FAA to require drone users to have a public privacy policy. Considering the magnitude of the privacy risks posed by drones, there is scarcely any good reason not to include such basic requirements in the FAA rulemaking. Drones represent just one of many emerging technologies that pose critical challenges to privacy and for which current U.S. law provides inadequate protection. One area ripe for reform is the Electronic Communications Privacy Act (ECPA), which sets standards for government surveillance of digital communications. CDT has organized a coalition – called Digital Due Process – that is urging Congress to update ECPA by clarifying and strengthening standards for government tracking of cell phones, as well as government access to email and private documents stored in the cloud. Unless Congress and the courts update the law, Americans will find themselves with virtually no privacy protection in any practical sense. In the meantime, the FAA should do what it can with its rulemaking this spring. Without going so far as to say what legal standard should apply to the use of drones, and without awaiting legislative or judicial action, the FAA can establish a basic framework for domestic use of drones, providing some transparency into the practices of those proposing to put eyes in the sky over our homes.
- Best Practices for Mobile Applications Developers - 12/21/2011 10:31 AM
Today, CDT and the Future of Privacy Forum publicly released a beta version of their “Best Practices for Mobile Application Developers.” We have been working on this guidance over the past year in consultation with stakeholders from industry and civil society, both in the United States and abroad. We hope that this document can serve as a primer for developers who are interested in preserving their customers’ privacy but who aren’t necessarily privacy experts themselves. We started on this project because of heightened privacy issues in the mobile environment. Application developers can access a considerably broader range of information about users than traditional web developers. Last year, the Wall Street Journal reported that of the top 101 apps, most were transmitting personal information about users, such as unique device identifiers, age, gender, and precise geo-location information to third parties. Research from the Future of Privacy Forum has shown that even in the most popular applications, less than half have privacy policies detailing what they do with customer data. The best practices are based on long-established privacy principles that we believe should apply to everyone who collects and processes individual information, not just mobile developers. Among the recommendations that we make to developers are: - Be completely transparent about how you are using or transmitting customer data
- Don’t access more data than you need, and get rid of old data
- Give your customers control over uses that users might not expect
- Use reasonable and up-to-date security protocols to safeguard data
- As the app developer, you need to be responsible for thinking about privacy, and taking privacy into consideration during the various stages of your app life cycle
This is not a final pronouncement on our view as to what app developer best practices are. We’re soliciting public comment on this draft — if you have feedback, please send your thoughts to apps@cdt.org
- SOPA Delay Provides Time to Reflect on Expert Warnings - 12/20/2011 04:00 PM
It was announced today that the House Judiciary Committee markup of the Stop Online Piracy Act (SOPA) would not proceed tomorrow, as previously planned. This comes after two contentious markup days last week of the Committee debating and voting down all but five in a cascade of proposed amendments. Ultimately, delay is not synonymous with victory in this instance, and it is likely that SOPA will pass out of Committee early next year once the House reconvenes. It is uncertain what amendments, if any, will be made to the bill before it faces a floor vote. Going forward, and with the benefit of more time, CDT hopes Members will take to heart the legitimate objections raised about SOPA by both Republicans and Democrats during the markup. In particular, CDT shares the concerns articulated by Representative Jason Chaffetz (R-Utah) regarding the lack of expert consultation we've seen thus far in the legislative process. It is worth quoting Rep. Chaffetz at length here: I was trying to think of a way to try to describe my concerns with this bill, but basically, we're going to create - we're going to do surgery on the Internet, and we haven't had a doctor in the room tell us how we're going to change these organs. We're basically going to reconfigure the Internet and how it's going to work, without bringing in the nerds. Without bringing in the doctors. And again, I worry that we did not take the time to have a hearing, to truly understand what it is we're doing. And to my colleagues, I would say, if you don't know what DNSSEC is, you don't know what you're doing. And so my concern is that there is a problem but this is not necessarily the right remedy. [A video clip of Rep. Chaffetz' comments is at the bottom of this post.] On November 16, 2011, the House Judiciary Committee held its only hearing on SOPA. The witness list included five representatives from organizations supporting the bill: the Register of Copyrights, MPAA, Pfizer, MasterCard, and AFL-CIO. A lawyer from Google was the lone witness to oppose SOPA. Stacking the deck like that not only obscures the controversial nature of the legislation. It also means the Committee has failed to give any serious consideration to the technical analysis and concerns of the expert engineers—the “nerds”—who have opposed SOPA on cybersecurity grounds. Brushing aside such technical questions without calling in independent experts seems reckless. A letter signed by Dr. Leonard Napolitano, Jr., Director of Computer Sciences and Information Systems at Sandia National Labs, a private company contracted by the Department of Energy to run the national laboratories, addresses the potential cybersecurity vulnerabilities that SOPA would create: [We have reviewed SOPA and the Protect IP Act] and believe that the DNS filtering/redirection mandates . . . 1) are unlikely to be effective, 2) would negatively impact U.S. and global cybersecurity and Internet functionality, and 3) would delay the full adoption of DNSSEC and its security improvements over DNS. Last May, a group of leading DNS designers, operators, and researchers expressed similar concerns about DNS filtering in the Protect IP Act, writing: [DNS filtering requirements in the bill] would weaken this important effort to improve Internet security. It would enshrine and institutionalize the very network manipulation that DNSSEC must fight in order to prevent cyberattacks and other malevolent behavior on the global Internet, thereby exposing networks and users to increased security and privacy risks. Dozens of other Internet engineers have written to Congress expressing concern about SOPA and Protect IP; they join a formidable list of experts, companies, civil society and human rights groups opposing the bills. It’s understandable that some Members of Congress are not entirely familiar with the intricacies of how the Internet works; what is not acceptable, in our view, is rushing to pass a bill that could profoundly impact the Internet without first consulting the experts.
- A 'Distributed Access' Model for Health Data Analytics - 12/19/2011 11:30 AM
The Affordable Care Act of 2010 directed the Center for Medicare and Medicaid Services (CMS) to establish an insurance risk adjustment program. The basic point of the program is to more evenly allocate the risk of loss for insurers serving the individual and small group market by compensating insurers with higher than expected costs and ensuring that insurers with lower than expected costs are not unjustly enriched. Several months ago CMS proposed a regulation to initiate the risk adjustment program. In the proposed rule, CMS set forth a “centralized” model for the program: all individual and small-group insurers would be required to submit health claims to federal or state government agencies so that those agencies can perform the required risk adjustment analyses.
Health care claims are sensitive data, and the requirement of claims submission prompted some House Republicans and some health insurance companies to argue that CMS’ model – under which the government collects and stores raw copies of the claims data – threatened the privacy of individuals’ health care information. In comments on the proposed rule, some insurance companies urged CMS to consider a “distributed” model whereby insurers would analyze the claims data themselves and send agencies the results. By not providing a copy of the claims to the government, the insurers reasoned, the bulk of the privacy and security issues were mitigated.
Last week, the Center on Budget and Policy Priorities (CBPP) released a paper arguing that the insurers’ distributed model would make the risk adjustment program susceptible to inaccuracy and fraud. CBPP’s paper pointed out that many insurers in the individual and small group market would make errors due to a lack of experience in conducting risk adjustment analysis, while others might intentionally submit falsified results to maximize their profits – and CMS would have to rely on retroactive audits of outdated data to ensure insurers were not gaming the system. CBPP urged CMS to proceed with the centralized approach it articulated in the proposed regulations.
The Center for Democracy & Technology (CDT) agrees with CBPP that government agencies should have access to the claims data in order to execute the risk adjustment program in an accountable and accurate fashion. However, we agree with the insurers that submitting raw copies of health claims to government agencies for this and numerous other programs weakens data security – especially in the long term, as large databases of claims pile up – and puts patient privacy at risk. The two interests are not mutually exclusive, and debate over the technical architecture of programs using health claims data should not be binary: one centralized model versus one distributed model. There are multiple models.
In our comments on the risk adjustment program, CDT recommended that CMS adopt a model that provides agencies with access to claims without requiring a copy to be sent to the government. CDT’s proposed model is one of “distributed access.” Under this model, CMS should require each plan to set aside a structured, de-identified copy of claims and encounter data in a secure system (such as on an edge server or in a secure cloud storage center). CMS should require plans to make their respective systems accessible to state or federal agencies responsible for operating risk adjustment programs. The data is not duplicated and sent to the government – but is still made available for the government to perform the necessary risk analysis. CMS and states would retain the results of their analyses, rather than keep full copies of the claims data. Accountability mechanisms – such as, perhaps, audit logs and random audits – could ensure the claims data made available to the agencies are accurate. CBPP’s paper briefly mentions CDT’s recommended model, noting that we – like CBPP – are calling for the data to be accessible to agencies, and that the agencies themselves should conduct the analyses. CBPP suggests that CMS evaluate the approach recommended by CDT to ensure it is reliable and supports the goals of reform of the health care market. We completely agree.
Unfortunately, despite the fact that distributed access networks of the sort we advocate are already in use in other commercial sectors, state and federal government agencies have not yet indicated a willingness to even give plans the option of exploring this model for analytic programs using health claims. Instead, in numerous instances health plans are required by state and federal regulations to send whole copies of patients’ claims to multiple programs seeking to crunch the data – such as OPM’s Health Claims Data Warehouse, states’ All-Payer Claims Databases, and now the risk adjustment program. But, as CDT has said before, continually building huge repositories of medical data for new research or policy needs is risky, inefficient and a poor long-term strategy. Maintaining copies of sensitive information in various locations for long periods of time sharply worsens the risk and severity of data breaches. It is burdensome for plans to set up and secure multiple data feeds to different entities in various locations, and the unnecessary collection of patients’ claims by government weakens public faith in the confidentiality of digital medical records.
CDT looks forward to working with CMS, technology vendors, state agencies, and consumer groups to further strengthen support for models of health claims analysis that do not require data to be copied and stored in multiple databases. The goal is to give government agencies and health plans greater flexibility to use distributed access over the purely centralized solution that is today’s trend. A first step, though, is to think beyond the binary debate – one type of centralized model versus one type of distributed model – and earnestly explore better options.
- Global Policy Weekly - December 16, 2011 - 12/16/2011 04:12 PM
CDT's Global Policy Weekly highlights the latest Internet policy developments and proposals from around the world, compiled by CDT's Global Internet Freedom Project. Subscribe to Global Policy Weekly by clicking the RSS icon on the right. FREE EXPRESSION Russia: Threats to social networks, online anonymity as protests continue
Post-election protests continued this week in Russia. Several protest-focused websites have undergone DDoS attacks, and government authorities have ordered the social network Vkontakte to block pages used by protesters. The country's Interior Minister has also suggested banning online anonymity, reasoning that “social networks, along with advantages, often bring a potential threat to the foundations of society.” Global Voices has launched a special page dedicated to protest coverage. India: Communications Minister denies asking search intermediaries to pre-screen online content
News outlets reported last week that government officials in India had asked Google, Microsoft, Yahoo, and Facebook to develop a system for pre-screening content before it appears online, with the goal of censoring defamatory and degrading speech. India's Communications Minister has since denied these allegations, explaining that the government asked companies to propose a mechanism for filtering online content after it is posted. Thorough discussion on PC World. Thailand: UN joins global opposition to Thailand's lèse majesté
The UN High Commissioner for Human Rights has denounced Thailand's lose majesté law, which prohibits speech seen as degrading or offensive to the king. A spokesperson for the High Commissioner said, “guidelines should be issued to the police and public prosecutors to stop arresting and charging individuals under these vaguely worded laws.” Canada: BC court hearing on hate speech
At an upcoming hearing in British Columbia, advocates will debate whether or not the country's Human Rights Commission should retain its jurisdiction to investigate online hate speech. INTERNET OPENNESS Malaysia: Parliament may vote to regulate tech workers
The Computing Professional Bill, still in draft form, would require Malaysia's IT workers to register with a government authority. The Bill would establish a Board of Computing Professionals, a federal trade agency that would set professional standards for IT workers. A spokesperson for the Ministry of Science, Technology, and Innovation said that "BCP’s mission is to elevate the standing, visibility and recognition of computing professionals to ensure that computing services are in compliance with appropriate legislation and policies." EU: Regulators back VoIP companies
Voice over IP companies recently issued a complaint alleging that telecommunications providers interfere with the functionality of their services. EU ministers have vowed to investigate the claims in an effort to protect VoIP companies' interests. UN: UN, IMF, and others oppose changes in top-level domain naming system at ICANN
In a letter to ICANN, lawyers for the intergovernmental organizations wrote that their concerns "relate to the increased potential for the misleading registration and use of IGO names and acronyms in the domain name system under ICANN's significant expansion plans." PRIVACY EU: Critics respond to leaked draft of Data Protection Regulation
Last week, a draft general privacy regulation meant to harmonize and update Europe's data protection framework was widely leaked. The regulation is meant to create a new paradigm, whereby a single consumer privacy law governs Europe rather than 30 different laws that all accord with a single, less specific, directive. Privacy International has posted a detailed analysis of the leaked document. Other reactions can be found at Forbes, and The Register. OTHER DEVELOPMENTS EU: Neelie Kroes proposes revisions to open data policy
Kroes, the EU digital agenda commissioner, has called for a revision to the 2003 directive on reuse of public information that would make public data more easily and more cheaply accessible, a move that would benefit web and app developers. "I am proud to present an Open Data package that can drastically increase the possibilities for those web entrepreneurs; the opportunities of businesses, journalists, academics and all citizens, in fact, to generate new and rich content," Kroes said. More from The Register here. EU: Neelies Kroes announces EU plan to distribute "Internet survival packs" to human rights activists
According to PC World, the packs will include, "currently available technology as well as potential new software aimed specifically at allowing activists to use the Internet to get their message across while at the same time remaining safe from persecution." Creative Commons to update copyright license suite
Creative Commons has announced that they will release version 4.0 of their licensing suite this Spring. the organization has made an open call for proposals and concerns; the submission period begins now and will continue through mid-February 2012. OECD: Internet policy plan needs careful interpretation
CDT President Leslie Harris blogs about the OECD's recent adoption of the Communique on Principles for Internet Policy Making.
- Data Retention More Complicated, Expensive Than Previously Understood - 12/16/2011 10:39 AM
UPDATE: On February 1, 2012, we issued a revised and updated version of our memo analyzing the costs of data retention. The link to the right takes you to the revised memo. For several years, the Justice Department and some Members of Congress have been pushing for federal legislation that would require ISPs to retain extensive records of the IP addresses they assign to users. The idea was to be able to link Internet communications back to individual users months or years after being sent. CDT and others have warned about both the privacy risks and the costs of collecting and retaining so much data. Recently, CDT has concluded that changes in the Internet addressing practices of ISPs and mobile carriers make data retention far more complicated and much more expensive than previously understood, while at the same time reducing the reliability of IP addresses in identifying individual users. We've issued a memo detailing this new perspective on the data retention mandate. The problem is this: The IP addresses associated with communications traversing the Internet no longer uniquely identify end-user devices. Because of the shortage of IP addresses, Internet access providers are beginning to use a technique called Network Address Translation to share addresses among multiple users. Three related problems arise from IP address sharing: - The public-facing IP address associated with a particular communication is no longer unique; instead, it may be shared among dozens, hundreds, or even thousands of users. To match public-facing addresses with individual customers, carriers use a second data element, called a port number. Immediately, this doubles the amount of data required to link addresses with user devices.
- Moreover, particularly in the mobile context, the addressing information associated with a particular device can change as frequently as once every minute and possibly even more frequently. With this wrinkle, the volume of data associated with addressing becomes truly enormous, as does the task of retaining and retrieving it, with real cost implications. Imagine re-issuing a copy of a small townʼs White Pages as often as once a minute but still having to maintain all of the old copies. For some entities the costs become prohibitive; for others, they clearly will detract from growth and may even impede other forms of cooperation with law enforcement.
- Destination servers probably do not store the port numbers required to make the match, and, even if they did, their time stamps may not be synchronized with those of the ISPs precisely enough to yield reliable matches.
On top of this, coffee shops, trains, buses, planes, hotels, and public venues that offer Internet access also use NAT address sharing, making it even less likely that the data obtained at the end point of a communication can be used to identify individual end-user devices. A new addressing system developed for the Internet may or may not relieve these problems, but full use of that system (IPv6) is still many years away. In sum, it appears that what looked fairly simple and effective a couple of years ago is now immensely more complicated. Based on these developments, it seems that data retention is an idea whose time has passed.
- Proposed Revision to SOPA: Some Welcome Cuts, But Major Concerns Remain - 12/13/2011 05:02 PM
Yesterday afternoon, House Judiciary Committee Chairman Lamar Smith released a proposed substitute amendment for SOPA, the sweepingly broad anti-piracy bill introduced in October. The amended version is scheduled to be considered by the Judiciary Committee on Thursday. Based on an initial read – and the amended bill still clocks in at over seventy pages, so further lurking issues may emerge with more analysis – it appears that Chairman Smith has addressed some of the bill's most egregious faults. However, he was starting from a very low baseline; the original bill contained many hugely problematic elements, which is why it has drawn such a massive outpouring of opposition. The amended bill still fails to fully embrace a narrowly targeted, follow-the-money approach. (Senator Wyden and Representative Issa recently issued a concrete proposal showing what that might look like.) Thus, the revised version of SOPA continues to raise major concerns. Let’s review the improvements first. On the plus side, the amended version of SOPA: - Drops the ill-conceived idea of empowering private rights holders to demand that websites be cut off from financial and ad networks, based on mere allegations.
- Drops the language that effectively required online service providers to constantly monitor user behavior, by declaring them “dedicated to theft” if they “avoid confirming” infringing user behavior.
- In the section creating a private right of action, reworks the key definition so that sites need to have bad intent to be considered “dedicated to theft.”
- Adds language to ensure that court orders under this legislation don’t eliminate the practical availability of the safe harbor set forth in section 512 of the DMCA. (The safe harbor is not available to parties with knowledge of specific infringement – so if every court order under SOPA were deemed to give service providers such knowledge, safe harbor protections would cease to be meaningful and all websites would need to engage in constant proactive monitoring for sites targeted by court orders.)
On the negative side, serious problems remain. SOPA would still carry dangerous consequences for innovation in online communications tools, for online free expression, and for cybersecurity. - The bill still includes domain-name filtering – the very tactic CDT warned the Committee against in our March hearing testimony and in much of our writing on the topic ever since. The new version may not strictly require ISPs to engage in domain-name filtering, but it does demand that they take steps to “prevent access” to targeted websites. And it states that if they employ domain-name filtering, they get “safe harbor” certainty that they have sufficiently complied. So it’s pretty clear what any competent general counsel would recommend that the ISP do. It’s worth noting, too, that this obligation can be put on any “service providers,” a term defined in the bill as “an operator of a nonauthoritative domain name server” – a pretty strong signal that DNS filtering is what’s really on the table. And really, what other viable tactics would an ISP have at its disposal? Other means of “preventing access” involve constant surveillance of the bitstream of the ISP’s entire user base in order to identify communications with rogue sites. That’s not an appealing option from a cost perspective or from a privacy perspective.
In short, the practical result of requiring ISPs to “prevent access” will be domain-name filtering. And that carries all the negative consequences that CDT has previously described. It undermines cybersecurity, sets a dangerous international precedent towards further balkanization of the Internet, and risks inadvertent impact on lawful content.
- The amendment tries to sidestep the cybersecurity problems of domain-name filtering in a few different ways. All are unsuccessful. First, it states that ISPs need not re-direct traffic (the bill previously had contemplated re-directing users to a DoJ warning page, but re-direction is blatantly inconsistent with the emerging security upgrade known as DNSSEC). But simply not answering domain name requests leaves users in limbo, with the impression that something is broken. ISPs can’t afford a new barrage of service calls from confused subscribers. If they have to do domain-name filtering, they’re going to want to provide re-direction to some kind of explanation. They can’t do that and implement DNSSEC too. So the bottom line is, the bill would create a strong incentive for ISPs not to move forward with DNSSEC. That’s a blow to security.
Moreover, domain-name filtering causes significant security problems even without re-direction. Top domain name system (DNS) engineers have made this point directly; DNSSEC can’t play its intended role as a valuable security platform if government creates a gaping ambiguity and loophole by demanding that ISPs take actions that, from the technical DNSSEC perspective, are indistinguishable from true attacks. And as Sandia National Labs described in its discussion of the cybersecurity threat posed by DNS filtering, the tactic’s security risks are not limited to the negative impact on DNSSEC.
Second, the amendment tries to brush off cybersecurity problems by saying that nothing in the bill shall be construed to create obligations that would impair the security or integrity of the domain name system. But courts, tasked with ruling in particular cases, won’t have the relevant evidence or expertise to draw conclusions about the overall impact on the domain name system. Domain-name filtering is expressly cited in the bill as a way for ISPs to comply with the legislation; would a court really conclude that the bill’s general statement about DNS security and integrity is intended to override the explicit approval of domain-name filtering? Moreover, court orders are likely to direct ISPs to “prevent access” and then leave to ISPs the question of how to do it. Since the court isn’t ordering specific action, it’s unlikely to feel it is in any position to analyze specific consequences for DNS security.
Third, the amendment calls for a study of the effects of the ISP obligation to “prevent access.” This is shoot first, ask the tough questions later. The impact of imposing filtering obligations on ISPs should be fully considered before it is written into federal statute. After all, the bill does not contain any sunset provision; the measures it proposes would, if enacted into law, likely be with us for a long, long time.
- The amendment’s modified definition of sites that can be targeted for suits by the Attorney General remains entirely open-ended. Any site is subject to prosecution as an “infringement site” if its domain name, were it domestic, would be eligible for seizure. Seizure law allows for seizure of any property that is used “in any manner or part” to commit or facilitate illegal activity. That means a website with 99% lawful activity and no bad intent can qualify as an infringement site based on a small amount of infringing activity by users. End result: The A.G. would have carte blanche to go after virtually any user-generated content site, whenever it wants to. They are all punishable as “infringement sites” by the terms of this bill.
- By including a private right of action, the amendment still undermines the predictable legal environment that the DMCA sought to create for online services. Under current law, a site that complies with section 512 of the DMCA gets safe harbor protection against copyright suits seeking monetary damages. But under SOPA, that same site could still face lawsuits seeking to cut off its sources of revenue. In effect, a litigious rights holder gets a second bite at the apple, this time without having to worry about that pesky safe harbor. That’s bad for online innovation, as it gives rights holders a powerful club with which to threaten emerging online services.
- That risk might be reduced if the private right of action were strictly limited to foreign entities that would otherwise be outside U.S. jurisdiction. But the bill would allow suits against any website registered to a non-U.S. domain name, even if the parent company is U.S.-based. So U.S. Internet companies with sites registered in foreign country domains would be fair game. That’s evident from the fact that the bill, in both sections 102 and 103, talks about “in personam” actions – it envisions actions against parties that are fully subject to U.S. jurisdiction, even though such parties are already subject to strong legal tools to address infringement.
As a final note, the amendment specifies that nothing in the bill shall be construed to impose a duty to monitor or a technology mandate. While perhaps well intentioned as efforts to address concerns that have been raised, the likely protection these provisions offer is marginal. That’s because SOPA was never about creating an explicit, statutory duty to monitor or to build technology a certain way. The threat has always been that it imposes new legal risks and gives rights holders new tools to bully online service providers – with the result that service providers feel the need to monitor or to implement certain technologies in order to self-protect. That’s an outcome that would be bad for innovation and online expression, but it’s not a black-and-white statutory mandate. So it’s an outcome that isn’t addressed by a statement that the law creates no affirmative duty.
UPDATE: Opponents of the bill are looking to Internet users to weigh in today, before the Thursday markup. Click here for more info.
- OECD Internet Policy Plan Needs Careful Interpretation - 12/13/2011 04:35 PM
Today the Organization for Economic Cooperation and Development (OECD) formally adopted as Recommendations the OECD’s Communiqué on Principles for Internet Policy Making. The Communiqué, agreed to by the OECD’s thirty-four member nations in June 2011, sets out a series of overarching commitments and principles intended to guide the development of Internet policy in member states. While neither the June Communiqué nor today’s newly adopted Recommendations are legally binding, the OECD’s Recommendations have a strong track record as normative pillars that serve as strong influences on national and international debates and policymaking. Additionally, the OECD uses adherence to the Recommendations as one factor for evaluating nations seeking membership in the organization.
Back in June, the specific principles laid out in the Communiqué generated considerable controversy. Questions arose about how they might implicate a number of the specific policy challenges that Internet policymakers face: cybersecurity, online child safety, intellectual property protection, privacy, and so on. Indeed, the civil society delegation to the OECD (of which CDT was not a member) chose not to endorse the document.
But today, by adopting as Recommendations not only the full set of principles in the Communiqué but also the document’s preamble, the OECD sent a clear signal that faithful adherence to the new Recommendations requires a complete reading and interpretation of the principles in context. The principles cannot be divorced from either each other or from the preamble, which sets out the goals of the document. Each individual principle needs to be interpreted in a manner that is consistent with both the preamble and with the other principles; they are mutually reinforcing. Any ambiguity must be resolved in favor of internal consistency.
Just as important, even as different member states pursue different approaches for confronting challenging issues presented by the growth of the Internet economy, they should strive for ways that are consistent with the three overarching commitments, or “framework conditions,” that can be drawn from the preamble and the principles:
- Openness: The principles document is framed by a strong commitment to maintaining the openness of the Internet; it is a “framework condition” that is echoed throughout the document. Individual principles need to be read in a manner that respects this framework condition of openness; the development of public policy solutions in signatory nations to address specific concerns such as privacy, online child safety, or intellectual property protection must be consistent with an open Internet.
- Respect for Human Rights & Rule of Law: The principles also insist that “policymaking associated with [the Internet] … be grounded in respect for human rights and rule of law." CDT believes that interpretations of the principles must be consistent with the norms articulated in these seminal human rights instruments and must comport with the plain language and the jurisprudence developed under these widely adopted instruments.
- Multi-stakeholder approach to policy development: The Recommendations clearly favors the use of decentralized multi-stakeholder governance mechanisms to develop Internet policy, recognizing that addressing emerging policy challenges while preserving the Internet’s open nature is not a simple task: technology moves quickly and tensions between equally legitimate rights and interests will arise.
As member states, and potential member states, review these Recommendations and continue to develop their policies around crucial Internet issues – from the protection of intellectual property to the protection of children – it is evident that they must do so in ways that are consistent with Internet openness, respect for human rights and the rule of law, and the multi-stakeholder approach to Internet policy development.
- The Impact of a Health Data Breach - 12/09/2011 04:44 PM
Since the breach notification requirements applicable to entities covered by HIPAA went into effect almost two years ago, we have seen numerous reports of large health information breaches. These reports identify the entities involved in the breach, the number of patient records breached, and the type of data believed to be potentially at risk. But rarely do those reports go into much detail on the impact (both financial and psychological) of the breach on either the patients whose data was part of the breach, or the provider entities experiencing the breach. My friend Micky Tripathi, the President and CEO of the Massachusetts eHealth Collaborative, has written a blog post on a recent breach experienced by his company that provides a very complete and thoughtful account of the incident and how they handled it. Overall, I was very impressed (and heartened) by the degree of care and concern in the Massachusetts eHealth Collaborative’s response to this incident – but two other thoughts came to mind: - The breach occurred due to the theft of a laptop containing patient identifiable data. The company had instituted an encryption policy and was seeking an encryption technology solution when the theft occurred. Although the files were not encrypted, the laptop was password protected, as were the patient files within the laptop. Nevertheless, the company concluded that there was a significant risk of harm for those individuals whose sensitive personal information (such as a social security number) had the potential to be accessed. I wonder how many other entities covered by the HIPAA breach notification provisions would have reached the same conclusion? (Recall that under currently applicable law, notification to individuals is only required when there is a significant risk of harm to the individuals whose information is involved in the breach.)
- Micky notes that the Office for Civil Rights (OCR) has proposed regulations to enable OCR to hold downstream subcontractors accountable for potential violations of HIPAA privacy and security regulations and the HITECH breach notification requirements, but these regulations are not yet final and enforceable. Had the parties not been so responsible in responding to this breach, this uncertainty regarding the ability of OCR to hold downstream actors accountable could have been a significant problem. We really, really do need the final HITECH rules to be issued.
- Global Policy Weekly - December 9, 2011 - 12/09/2011 03:49 PM
CDT's Global Policy Weekly highlights the latest Internet policy developments and proposals from around the world, compiled by CDT's Global Internet Freedom Project. Subscribe to Global Policy Weekly by clicking the RSS icon on the right. PRIVACY Europe: draft Data Protection Regulation leaked
Although it is not expected to be released in final form until January, a draft general privacy regulation, meant to harmonize and update Europe's data protection framework, has been widely leaked. The regulation is meant to create a new paradigm, whereby a single consumer privacy law governs Europe rather than 30 different laws that all accord with a single, less specific, directive. Here is a quick overview of the leaked draft. Lithuania: New data breach notification
Hunton & Williams reports that Lithuania has updated its Law on Legal Protection of Personal Data and its Law on Electronic Communications to include a breach notification requirement. In the event of a data breach, certain communications providers are now required to report the breach to the data protection authority. Where the breach will likely adversely effect the privacy of individuals, the entity may ultimately be required to notify those individuals. CDT's work on data breach legislation in the US can be found here. Europe: EU regulators are investigating Carrier IQ's tracking software
Regulators throughout Europe have begun investigating the use of Carrier IQ by mobile phone vendors and operators and the privacy implications of this software. Carrier IQ was recently identified as a tracking software that appears to come pre-installed on many mobile devices. INTERNET OPENNESS Italy
In Italy, cybercrime police have used DNS blocking to prevent access to websites that offered links to content available through BitTorrent, cyberlockers, and eDonkey. According to EDRi, at least two innocent websites were blocked by this action. Germany: Internet blacklist law officially repealed
In 2009, Germany passed a law that would have given the federal police power to compile a blacklist of sites that they alleged contained child abuse images; ISPs would have been required to block the sites on the blacklist. The law created storms of controversy and, though passed, was never implemented. Germany has now officially repealed the law. Switzerland: Government issues a report finding that existing Swiss laws are sufficient for dealing with unauthorized file sharing
The Swiss Government recently issued a report concluding that unauthorized file sharing is not a cause for great concern. Ars Technica reports that the document "considers and rejects three proposed changes: a French-style 'three strikes' law, Internet filtering, and a mandatory collective licensing regime that would impose a fee on all Internet users that allowed unlimited file-sharing." SECURITY & SURVEILLANCE China: Beijing offers free wi-fi for registered users
Beijing is expanding the availability of free wi-fi in shopping malls, subway stations, and other highly-trafficked areas. However, users must register with their phone numbers before they can log on to the wi-fi, prompting questions about the privacy of their communications on these networks. FREE EXPRESSION Russia
On election day in Russia, websites that exposed violations at polling stations found themselves victims of massive DDoS attacks. To learn more about how DDos attacks can be used to silence activists, see the Berkman Center's paper on the topic. US: Secretary of State Hillary Clinton makes Global Internet Freedom speech
Opening a conference on Internet Freedom at the Hague, Secretary Clinton gave a third speech on the importance of global Internet freedom and the need for companies to act in ways that promote, rather than restrict, that freedom. India
Unhappy about online criticism of government officials, Indian government officials have reportedly demanded that large Internet companies, including Google, Facebook, Microsoft and Yahoo, begin pre-screening content before it is made available to Indian Internet users. The government, while reportedly vague about the type of content that would need to be filtered to satisfy government requests, did specify that it wants human reviewers prescreening all content before it is posted. These demands do not appear to accord with India's Information Technology Act and, given the scale of communications implicated, would be impossible to implement in practice. Kazakhstan, Turkmenistan, and Uzbekistan: New Report
European and Central Asian non-profit organizations have issued a new report on online censorship and control in Kazakhstan, Turkmenistan, and Uzbekistan. OTHER ITU: Considering the implications of potential UN regulation of the Internet
As countries look to expand the ITU's power to regulate the Internet, Ambassador David Gross and Ethan Lucarelli of Wiley Rein LLP lay out some of the possible implications of UN regulation of the Internet. Europe: European Commission to work with technology firms to protect children online
Twenty-eight technology companies are working with the European Commission to develop age-based online ratings system, improve online parental controls and privacy settings, and facilitate efficient cooperation with law enforcement on matters of child abuse images.
- New Anti-Piracy Proposal Shows There’s a Better Way - 12/08/2011 03:03 PM
Sen. Ron Wyden and Rep. Darrell Issa today unveiled a legislative proposal which shows that effective anti-piracy measures need not risk extensive collateral damage. The Wyden-Issa discussion draft appears to focus carefully on true bad actors – sites whose function and purpose is to foster large scale infringement. And once bad actors are identified, it takes the “follow the money” approach of cutting them off from payment and advertising networks, thus starving them of their financial lifeblood. The draft bill therefore avoids the serious pitfalls of SOPA and PIPA, the legislation being aggressively pushed by rights holders. In particular, it doesn’t put at risk every general-purpose service with social networking or cloud-based storage functions. It also doesn’t make the mistake of taking a page from the playbook of China and Iran by directing ISPs to mess with the Internet’s addressing system – an ultimately futile technique that risks undermining cybersecurity, privacy, and the U.S. foreign policy aim of a single, global, open Internet. I’m sure there is room for discussion and debate about the details of the proposal; for example, the use of the International Trade Commission to investigate complaints is an interesting new wrinkle. With further discussion in mind, Wyden and Issa have taken the unusual step of posting the bill on a public site designed to solicit input. There is plenty of evidence, though, that a “follow the money” approach indeed offers the most fruitful avenue for making a meaningful difference in the fight against online piracy. Back in May, computer scientists analyzing spam found that credit card payment systems offer a viable chokepoint for controlling spam; cutting off the shady financial companies that spammers rely on could succeed where technical filtering/blocking efforts have failed. And this fall, WikiLeaks announced that financial woes are forcing it to suspend publishing. Technical efforts to censor WikiLeaks had little lasting impact, but being cut off from major financial networks has brought the site to its knees. These examples point in a clear direction: The most effective way to fight hard-to-prosecute online perpetrators is to “follow the money.” It costs real money to host large volumes of content and buy bandwidth to serve a large user base. If websites can’t make money – through payments from either users or advertisers – it’s hard to see how they can operate on a substantial scale. In short, the ability to cut off a site’s revenue would be a very powerful and effective enforcement tool. Of course, if what the proponents of anti-piracy legislation really want is a new set of legal tools to go after mainstream online services – witness MPAA chairman Chris Dodd saying that Google is akin to the bank robbery accomplice who drives the getaway car – then they won’t be satisfied with the Wyden-Issa approach. Nor will they be satisfied if – again as suggested by Dodd (“When the Chinese told Google that they had to block sites . . . they managed to figure out how to block sites”) – they want Internet services to start doing the kind of blocking demanded in China. But treating Google and other basic, general-purpose online services as bad actors who should be lumped in with true “rogue sites” is a big part of what has prompted so much opposition to SOPA. And messing with the Internet’s addressing system in an effort to wall off U.S. users from parts of the Internet is what makes SOPA and PIPA such damaging potential precedents for international free expression. In sum, with this discussion draft, Wyden and Issa have made a very important contribution to this ongoing debate. The draft offers a concrete suggestion for how to create strong anti-piracy tools that don’t throw the Internet baby out with the bathwater. Their proposal deserves to be taken very seriously.
- House Tweaks Video Privacy Law for Frictionless Sharing - 12/07/2011 04:48 PM
Yesterday, the House of Representatives passed H.R. 2471, a proposed revision to the Video Privacy Protection Act (VPPA), the law that prohibits companies from disclosing information about your movie-viewing habits without your affirmative consent. Privacy advocates consider the VPPA one of the high-water marks of privacy legislation — video records are one of the few categories of personal information for which there exist strong protections under the law. For this reason, a lot of privacy groups are understandably wary about efforts to cut back on its protections. From CDT’s point of view, the suggested revision is reasonable and justifiable, though there are considerably more important privacy issues that Congress should be addressing (notably, the lack of basic protections around most other consumer data). The call to revise the VPPA started this summer when Facebook announced its latest generation of “social apps” that allow users to passively share their music listening or news reading habits on an ongoing basis. Install one of these apps (like Spotify or the Washington Post Social Reader), and whatever you listen to or read through those apps will automatically be published to your Facebook friends, without the bother of having to affirmatively ask to share each song or story. Netflix apparently wanted to take advantage of these apps as well but there was one problem: The VPPA says that consent must be obtained from a consumer whenever the disclosure is sought. Thus, users of a Netflix social app can’t give the app permission in advance to publish in real time whenever they watch Transformers 3 or The Notebook (again) — instead, they have to give a new permission each time they watch a movie. The language of H.R. 2471 is designed to allow for consumers to grant a permanent permission to disclose movie-watching habits on an ongoing basis. That’s a reasonable enough goal — if people want to tell all their friends every single thing they watch without the bother of clicking “Okay” each time, that should be their prerogative. At the same time, the time-of-disclosure permission requirement in the original law was crafted for a reason — to make sure that consumers didn’t unwittingly sign away permission in advance and then find out later that their viewing habits were public knowledge. Allowing companies to get permission all at once could result in companies putting disclosure permission in a long Terms of Service agreement or privacy policy that no one’s actually likely to read. For this reason, Representative Nadler introduced language at the October mark-up to ensure that any ongoing disclosure will be permitted only after a company obtains the informed, written consent of a consumer “in a form distinct and separate” from any other financial and legal obligations. We had suggested slightly different language based on a comparable provision in location privacy legislation introduced by Senator Franken that would also require the language to be clear and prominent, but the Nadler language probably does the trick — it’s hard to envision how a company could trick a consumer into opting in if the permission isn’t buried in a bunch of other language. Despite this improvement, some privacy groups such as EPIC have strongly opposed the bill, and 116 members eventually voted against H.R. 2471 yesterday. We share the general concern that the VPPA should remain a model for other privacy legislation and should not be weakened, but we do not believe that this particular revision undermines the fundamental purpose of the law. As a final note, however, while we believe this bill does not pose a threat to consumers’ privacy interests, it is unfortunate that this is the only privacy legislation that seems likely to move anytime soon — a minor tweak that merely allows consumers to passively share more data about themselves. If some Facebook users are glad for the change, that’s great, but it’s hardly something that most consumers have been actively clamoring for. We would feel stronger about the bill if it offered some benefit to consumers who don’t plan to take advantage of automatic sharing, such as by clarifying that the law applies to online streaming of movies — something that wasn’t envisioned when the VPPA was passed in 1988. More broadly, there’s a lot more consumer interest in generally improving privacy protections to make sure they understand what data is being collected and used about them, and to give them stronger controls around that data. While several promising bills have been introduced, there has been little action on those bills over the last several months. Hopefully next year, we’ll see progress on the more pressing need for more comprehensive privacy legislation.
- Facial Recognition and Privacy - 12/06/2011 02:32 PM
Facial recognition technology is increasingly used in a variety of ways – from security and authentication to photo tagging on social networks and targeted advertising on digital signs in stores. Facial recognition software packages are freely available online, and the technology is fast making its way into mobile phones. Facial recognition poses complex privacy issues that do not fit squarely with present laws. Today CDT released “Seeing is ID’ng,” a report on facial recognition and privacy. The report describes the state of facial recognition technology and its commercial applications, the lack of laws that address facial recognition, and policy approaches to preserving consumer privacy. CDT’s report comes a day in advance of a Federal Trade Commission (FTC) workshop exploring the privacy implications of facial recognition and potential policy solutions. I will present the CDT report at the workshop. The FTC workshop was prompted by a letter from Sen. Jay Rockefeller (D-WV), Chairman of the Senate Commerce Committee, directing the FTC to develop recommendations on privacy protection for facial recognition. CDT’s report urges the FTC to consider a mix of government regulation, industry self-regulation, and privacy enhancing technologies that can give consumers more control over how facial recognition is used without unduly limiting the benefits of the technology or burdening free expression. The key privacy interest that commercial facial recognition affects is, of course, identification of an individual through facial features alone. Without facial recognition technology, it is very difficult for a stranger to easily and quickly identify an individual on this basis. Individuals in public currently expect that most businesses and passersby cannot recognize their faces, fewer still can connect a name to their faces, and few – if any – can associate their faces with internet behavior, travel patterns, or other personal information. Facial recognition technology fundamentally changes this dynamic, enabling any marketer or random stranger to collect – openly or in secret – and share the identities and associated personal information of any individual in public. Deployed widely enough, a network of facial recognition cameras can track millions of individuals as they move from place to place. Unlike other tracking methods, such as GPS or RFID, facial recognition does not require the tracked individual to carry any special device or tag, reducing consumers’ ability to thwart unwanted tracking. Once built, databases assembled with facial recognition for commercial use can be accessed or re-purposed for law enforcement surveillance. Although the issue is growing more serious, CDT does not believe that Congress should seek legislative solutions for facial recognition alone. Establishing privacy laws for facial recognition in isolation will likely be ineffective – if consumer tracking via facial recognition or other biometrics were prohibited, consumers would still be tracked through numerous alternative methods. Instead, as CDT has long advocated, Congress should pass a comprehensive consumer privacy law that includes biometrics and is based on the Fair Information Practice Principles. As the U.S. Dept. of Commerce proposed in its “Green Paper,” Federal agencies should play a crucial role in developing and enforcing voluntary self-regulatory privacy codes that cover facial recognition – like the DSF Digital Signage Privacy Standards. Any self-regulatory process must offer businesses tangible incentives, the development of the rules must include input from consumer groups, and the rules must be consistently enforced. In terms of specific policy stipulations, CDT believes companies should generally obtain informed, affirmative consent prior to identifying individuals via facial characteristics in public places or in places open to the public, such as stores. CDT also believes companies should provide consumers with clear, prominent notice of their use of “anonymous” facial detection in public places. The lack of adequate protection in current law and the limitations of self-regulation when not backed by an enforcement mechanism highlight again the point that CDT has been making consistently about consumer privacy: The only effective way to address privacy is with a mix of baseline consumer privacy legislation, industry self-regulation, and privacy by design. Publicly available facial recognition is a transformative technology that demands nuanced solutions to preserve consumer privacy and free expression. At the FTC workshop and through other activities, CDT will be seeking to move policy in the right direction.
- Testimony: Privacy Protections Needed for Cybersecurity Info Sharing - 12/06/2011 12:29 PM
Congress is accelerating its consideration of cybersecurity legislation, and this morning, CDT’s Greg Nojeim testified before a key House subcommittee regarding a draft bill from Subcommittee Chairman Dan Lungren (R-CA). CDT’S testimony focused primarily on information sharing, a critical element of improved cybersecurity, but one fraught with risks to privacy. Chairman Lungren’s bill would establish a National Information Sharing Organization (NISO), a non-profit, quasi-governmental organization that is intended to serve as a clearinghouse for the exchange of “cyber threat information” among owners and operators of critical and non-critical networks and systems in the private sector, government, and educational institutions. We like the fact that the sharing entity in the Lungren bill is not government-centric. In this regard, we prefer Chairman Lungren’s approach to the Administration’s proposal and to legislation recently reported by the House Intelligence Committee. However, we stressed that the information sharing provisions in the Lungren bill need to be clarified. We offered some concrete suggestions, and the Chairman asked for further input, which we will be providing. CDT's testimony applauded the light regulatory touch Chairman Lungren’s bill offers. The bill generally relies on market incentives rather than government mandates, and thus would be more likely to strengthen cybersecurity without inhibiting security innovation. We also applauded the provisions of the bill that cement the Department of Homeland Security’s role as the lead federal agency for cybersecurity for the civilian government and private industry. CDT believes DHS is best suited for this role—as opposed to an element of the Defense Department, such as Cyber Command or the NSA—because a civilian agency will ensure greater transparency for the cybersecurity program and thereby generate the trust needed for the program to succeed.
- Update on the BART Shutdown
- 12/06/2011 08:20 AM
After Bay Area Rapid Transit (BART) authorities shut down some underground cell service in a misguided response to a planned protest in August, CDT signed onto an emergency petition for the FCC to declare that such arbitrary network shutoffs violate the Communications Act. Subsequently, the BART board has quietly adopted a new policy addressing when it may turn off the towers. The policy contains some good language describing just how rare the “extraordinary circumstances” are that could lead to a disruption in service, and affirms the Agency’s commitment to “all state and federal regulatory laws.” But we remain concerned that neither BART’s policy nor a national patchwork of such statements will be sufficiently protective of free expression and the public interest in a reliable communications networks. The policy also leaves unanswered the larger question of what state and federal laws have to say about deliberate temporary disruptions. Indeed, no individual network operator’s policy could answer this question. This is why we and other public interest organizations have asked the FCC to weigh in. The FCC issued a short statement calling the policy “an important step” and indicated that the Commission would begin a open public process to examine the status of temporary shutdowns under communications law. This is an encouraging step, and we look forward to engaging in the FCC's further inquiries into this important issue.
- Global Policy Weekly - December 1, 2011 - 12/01/2011 11:48 AM
CDT's Global Policy Weekly highlights the latest Internet policy developments and proposals from around the world, compiled by CDT's Global Internet Freedom Project. Subscribe to Global Policy Weekly by clicking the RSS icon on the right. FREE EXPRESSION Russia: Legislators vote to decriminalize defamation
The OSCE issued a statement announcing that OSCE Representative on Freedom of the Media, Dunja Mijatović, applauded amendments to the Criminal Code of the Russian Federation that will "decriminalize libel and insult, and specifically punish threats or violence against journalists as a professional group." Pakistan: 1,100 terms banned from text messages
The Pakistani Telecommunication Authority has ordered mobile communications operators in the country to block 1,100 different words and expressions on its networks. According to Ars Technica, "mobile phone companies…were handed the list of words with a letter explaining that they have to block those words on their networks within seven days, or face the threat of legal action. Operators also need to submit monthly reports on the implementation of the block." Read Global Voices coverage here. UK/COE: As the UK assumes chairmanship of the COE, Foreign Secretary William Hague has said they will seek "to ensure that the Council of Europe's internet governance strategy is adopted, and that the principles it has adopted to uphold freedom of expression on the internet are implemented, to ensure that all member states live up to their international obligations in this area." PRIVACY France: Consent now required for some cookies
As part of their implementation of Directive 2009/136/EC, French lawmakers have ratified new rules regarding the placement of cookies. The rules require that consent be given before cookies are placed, but made exceptions for specific types of cookies for which consent would not be required. Read English summary here. EU: Viviane Reding Proposes Streamlined Approach on Data Protection In a recent speech, European Commission VP Viviane Reding promoted a streamlined data protection policy for the EU, under which ISPs would be required to follow only the data protection laws in their base country, rather than the EU's 27 unique national data protection laws. Reding noted that "[ISPs] need - the same as consumers - to have a "one-stop-shop" when it comes to data protection matters - one law and one single data protection authority for each business; that of the Member State in which they have their main establishment." INTERNET OPENNESS Australia
Five of Australia’s largest ISPs, in partnership with the country's Communications Association trade group, have issued a proposal to institute an "education and warning" notice system with the aim of curbing illegal filesharing by users on their networks. Read Ars Technica coverage here. EU: ISP Filtering Mandate Would Violate EU Law, Court Rules
On November 24, the European Court of Justice ruled in Scarlet v. SABAM that the E-Commerce Directive, read together with the directives on privacy and on intellectual property, precluded an injunction against an ISP that would have required installation of a system to filter all customer communications in order to block copyright infringement. Read BBC coverage here. COE: Last week marked the 10th anniversary of the Council of Europe's Convention on Cybercrime. The COE held a conference on implementation of the convention last week. OTHER COE: The Council of Europe and the Federal Ministry of European and International Affairs of Austria hosted a joint conference, “Our Internet – Our rights, Our freedoms” in Vienna on November 26-27. The conference examined a broad range of questions touching on privacy, free expression, cybercrime, child safety, and user empowerment. See Conference webpage. US/EU: In joint statement issued after a US-EU joint summit held at the White House, Obama administration and EU officials commented on global Internet freedom: "We share a commitment to a single, global Internet, and will resist unilateral efforts to weaken the security, reliability, or independence of its operations— recognizing that respect for fundamental freedoms online, and joint efforts to strengthen security, are mutually reinforcing. We welcome the progress made by the U.S.-EU Working Group on Cybersecurity and Cybercrime, notably the successful Cyber Atlantic 2011 exercise. We endorse its ambitious goals for 2012, including combating online sexual abuse of children; enhancing the security of domain names and Internet Protocol addresses; promotion of international ratification, including by all EU Member States, of the Budapest Convention on Cybercrime ideally by year’s end; establishing appropriate information exchange mechanisms to jointly engage with the private sector; and confronting the unfair market access barriers that U.S. and European technology companies face abroad."
- Cyber Intelligence Bill Threatens Privacy and Civilian Control - 12/01/2011 08:59 AM
A bill unveiled yesterday by Reps. Mike Rogers (R-MI) and C.A. “Dutch” Ruppersberger (D-MD), the Chairman and Ranking Member of the House Intelligence Committee, would authorize Internet service providers and other companies to share customer communications and other personally identifiable information with governmental agencies. The intent of the bill is to enhance information sharing for cybersecurity purposes, a goal that CDT strongly supports. However, we have four main concerns with the specifics of the Rogers-Ruppersberger bill: - The bill has a very broad, almost unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws;
- The bill is likely to lead to expansion of the government’s role in the monitoring of private communications as a result of this sharing;
- It is likely to shift control of government cybersecurity efforts from civilian agencies to the military;
- Once the information is shared with the government, it wouldn’t have to be used for cybesecurity, but could instead be used for any purpose that is not specifically prohibited.
The bill, titled the Cyber Intelligence Sharing and Protection Act, is on a fast track – the House Intelligence Committee has scheduled the bill for mark up today. Relationship to the “DIB Pilot:” The legislation is being billed as an expansion of a collaboration between the National Security Agency (NSA) and major ISPs dubbed the Defense Industrial Base Pilot. Under the DIB Pilot, the NSA shares classified cyberattack signatures and information about cybersecurity threats with large ISPs that provide Internet service to major defense contractors. Under their service agreements with those contractors, the ISPs use the NSA signatures, and other cyberattack signatures that the ISPs have developed or otherwise obtained, to scan communications to the defense contractors in order to screen out malware and other attacks. Under the DIB Pilot as initially implemented, the ISPs tell the defense contractors what communications have been blocked or flagged as suspicious, but the ISPs do not share traffic with the NSA. If the bill merely extended to other companies the opportunity to receive classified attack signatures from the NSA so they could better defend their networks, CDT would actively support the legislation. Indeed, we have called this aspect of the DIB Pilot an “elegant solution” that unlocks NSA knowledge to help the private sector defend itself. However, the bill goes much further, permitting ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls. The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient. Unlike the DIB Pilot, the bill thus has two major implications that would radically change national cybersecurity policy: (i) It could shift the center of cybersecurity efforts from the private sector to the government, making the government the hub for information sharing and analysis. (ii) It could shift control of the government’s cybersecurity efforts from civilian control (now centered at the Department of Homeland Security) to the military. Because the military cybersecurity agencies (NSA and Cybercommand) operate in secret, the bill could also undermine the transparency that is essential to public support for any cybersecurity program. Indeed, the bill would even permit the Director of National Intelligence to condition the sharing of classified cyberattack signatures and threat information on a company’s agreement to share information back to the elements of the intelligence community. How the bill would work: The bill encompasses three quite different kinds of information sharing, which pose very different considerations: sharing government information (attack signatures and other threat or vulnerability knowledge) with the private sector; sharing attack, threat and vulnerability information, including private communications data, among private sector companies for mutual self-protection; and sharing attack, threat and vulnerability information, including private communications data, with the government. The first type of sharing is addressed in the section of the bill that authorizes the Director of National Intelligence to establish procedures through which companies could apply to become certified to receive cyberattack signatures and threat information from elements of the intelligence community. Once certified, a company could use that information for any purpose (except to gain an undefined “unfair competitive advantage”), including to protect its own network or the network of a company that had hired it to provide cybersecurity services. The second and third kinds of information sharing are addressed in the provisions of the bill authorizing companies, whether certified or not, to use “cybersecurity systems” to obtain “cyberthreat information” and to share that information: (i) with other companies of their choosing subject to any limits the company authorizing the sharing might place; (ii) with any agency of their choosing in the Federal Government, but without any such use limits. Such sharing would be authorized even if otherwise barred by the electronic surveillance laws, other privacy statutes, or any other statutes at all. Under the bill, when communications data is shared with the government, it could be used to prosecute an individual for any crime, used to target him or her for intelligence surveillance, and shared among governmental agencies to the extent permitted by current law and used by those agencies for any lawful non-regulatory governmental purpose. Data shared with other entities in the private sector could be used and redisclosed for any purpose, subject only to restrictions placed on such sharing by the entity authorizing the information to be shared – whether the authorizing entity is “self protected” or hires a “cybersecurity provider” such as an ISP. The bill itself places no limits on secondary use or dissemination of unclassified cyber threat information. Under the bill, the data can even be used to target advertising. Companies that in good faith share information impermissibly, or in good faith fail to act on information shared with them that reveals a vulnerability they leave unaddressed, are completely insulated from liability. Much of the bill turns on definitions. The “cyber threat information” that a company is authorized to share is broadly defined as information … directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of the system or network from—(A) efforts to degrade, disrupt or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property or personally identifiable information. This includes not only meta-data, but also the content of communications themselves. The information does not have to be limited to that pertaining to a known or suspected attack or activity indicative of a probe or attempted attack. Instead, it encompasses any information “pertaining to the protection of” a system or network. All systems and networks are included, not just those that hold classified information or control critical infrastructure. Since any message could contain an attack, and since carriers routinely scan all their traffic in “protecting” their networks, this could allow all of that traffic to be shared with the government. Since all log-in information retained by a social networking site or an online merchant “pertains” to protecting that system, all that information could be disclosed to the government as well. The bill would permit companies to share this information without a court order for cybersecurity purposes with the National Security Agency, the FBI and any other government agency, which could then use the information for any purpose not otherwise illegal. Inadequate privacy protections: In theory, there are three privacy protections in the bill, but each is toothless. The first is a restriction on purpose: information can only be shared for a “cyber security purpose.” But this protection is toothless because the definition of what can be shared is so broad and because cybersecurity does not have to be the sole or even primary purpose of the sharing. Moreover, once shared even for a legitimate cybersecurity purpose, the information could then be used for other non-regulatory purposes. The second theoretical protection is that a company authorizing the sharing of information can put restrictions on further sharing that include anonymization and minimization of such information. This is toothless because it is voluntary with the company, and not enforceable by the users whose data can be shared. The third is an annual report from the Privacy and Civil Liberties Oversight Board, which does not exist and hasn’t existed for over three years. At any rate, a reporting requirement is no substitute for meaningful standards for information sharing. Relationship with Republican Task Force Recommendations: Rather than faithfully implement the recommendations of the House Republican Cybersecurity Task Force, the bill in some ways stands in strong contrast to them. - There is no requirement to minimize the personally identifiable information that is shared with the government, even though the Task Force called for such minimization.
- The Task Force, recognizing that overbroad legal protections for sharing information could harm privacy, said that “protection of personal privacy should be at the forefront of any limited legal protection proposal.” Instead, there is no requirement in the bill to impose restrictions on information sharing that protect privacy. In fact, because companies are given blanket immunity if they share information in good faith, and are authorized to share that information notwithstanding any other law, their incentive to protect privacy is severely diminished.
- The information sharing would occur without the creation of the information clearinghouse outside of the government that the Task Force called for, and through which enforceable rules governing information sharing could be implemented.
Conclusion: We appreciate that the bill meets many of the needs that companies have been raising: it permits sharing between companies with very few restrictions while at the same time allowing companies to impose the restrictions they choose; it prohibits using shared information to regulate companies; and it provides immunity. However, these features are outweighed, significantly, by the extent to which the bill permits essentially unfettered sharing with the government and in particular with the military side of the government and by the fact that the DNI can use the certification process for government-to-private sharing in order to incentivize the private sector to share more with the military side of government without restrictions, thus expanding the role of the DOD in private sector cybersecurity. CDT has long recognized that there may be a need for a limited exception to the surveillance laws to permit companies to share information to protect other companies and their users. We have called for a targeted, incremental approach that preserves the role of DHS as the locus of civilian cybersecurity efforts, and preserves existing privacy and other protections while creating limited exceptions to facilitate the sharing of carefully defined cybersecurity information. Though we oppose this bill, we look forward to working toward these goals with both the companies affected by the legislation and members of Congress who will consider it.
|
