Posts Tagged ‘Congress’

Tipping Towards an Opt-In

A few years ago, I became an instant fan of Malcolm Gladwell’s groundbreaking book – “The Tipping Point” – based on an epidemiological theory that says that in aggregate, “little things” can make a big difference.  Since then, I’ve observed the phenomenon play out on the policy stage several times – financial reform and healthcare are two immediate examples that come to mind – and I wonder if the theory has any application in what’s currently happening with online privacy today.  I think it does – particularly if you view a tipping point in scientific terms i.e. the point at which an object is displaced from a state of stable equilibrium due to a series of successive events, into a new equilibrium state qualitatively dissimilar from the first.

To say that online privacy was ever in a state of stable equilibrium is a stretch.  We are however, approaching the end of a current era in online advertising and marketing – an era in which companies captured personal and confidential data from users, and then monetized that data to sell ads back to those very same users, often without the user’s authorization or knowledge. That state of equilibrium has been threatened by many events in the last few months – market developments, consumer outcry and regulatory attention all converging to catapult data privacy and security onto the national agenda and into the mainstream press.  Some commentators, such as Jeff Chester, have characterized these events as a perfect storm; I see them a bit differently – not a storm, but a series of occurrences that finally “tipped” the issue, as companies attempted to push the privacy envelope with various features that compromised a user’s privacy (and in some cases the user’s express wishes to keep their data private).  Each of these features involved sharing data with a third party and not surprisingly, each triggered a privacy outcry – because they provided no meaningful way for users to opt-out of the feature before personal data was exposed.

It’s amazing to think that most of these pivotal events only happened during the last three months.  To recap:

February 9, 2010 – Google launches Google Buzz, and overnight, transforms users’ Gmail accounts into social networking pages, exposing personal contacts.  Google later remedies the situation by making the feature opt-in.

April 27, 2010 – 4 Democratic Senators led by Chuck Schumer of New York, send a letter to Facebook CEO Mark Zuckerberg complaining about the privacy impact of Facebook services, including its instant personalization feature (which exposed user profile data without authorization on launch).  Senator Schumer follows up his letter with a formal request urging the FTC to investigate Facebook.  Facebook eventually announces new privacy controls.

May 5, 2010 – EPIC and a coalition of other advocacy organizations file this complaint, urging the FTC to investigate Facebook.  In the complaint, they assert that “Faceboook’s business practices directly impact more American consumers than any other social network service in the United States.”

May 14, 2010 – Google announces, via a post on their policy blog, that their Streetview cars have inadvertently been capturing payload data from open WiFi networks – in violation of US, European and other global data protection laws – for over 3 years.

May 21, 2010 – The Wall Street Journal reports that a group of social networking sites – including Facebook, MySpace and Digg – routinely share user profile data with advertisers, despite public assurances to the contrary.

The result? With each successive product or feature launch, the privacy debate is now tipping towards a privacy regime that could be much stricter than anything we’ve seen before – a requirement that companies get a user’s affirmative opt-in to any use of personal data for advertising and marketing purposes.

Privacy nerds may want to revisit the words of David Vladeck, head of the FTC’s Bureau of Consumer Protection, in a New York Times interview that took place last August i.e. before the privacy mishaps of the last 3 months.  When asked about whether the FTC would mandate an opt-in standard for user disclosures, Mr. Vladek responded:

“The empirical evidence we’re seeing is that disclosures on their own don’t work, particularly disclosures that are long, they’re written by lawyers, and they’re written largely as a defense to liability cases. Maybe we’re moving into a post-disclosure environment. But there has to be greater transparency about what’s going on. Until I see evidence otherwise, we have to presume that most people don’t understand, and the burden is going to be on industry to persuade us that people really are well informed about this.”

The emphasis on transparency becomes even more important with the  impending rollout of the FTC’s privacy framework this summer.  Will  the FTC make an affirmative opt-in mandatory in all instances where personal data is being shared with a third party?  Clearly, an opt-in is one of the best ways to ensure transparency, and to give users meaningful notice about what data is being collected.  The question is whether an opt-in requirement would be so cumbersome it would turn users off of the service altogether.  For instance, would an opt-in be required once – before the feature is first launched, or each successive time it launches?

Also, it’s unclear whether the FTC’s framework will derive strength (or weakness) from a federal privacy law if such a law does indeed pass this session.  Critics on both sides have mostly panned the House legislation i.e. the Boucher-Stearns bill, but there is news of another, more stringent bill being drafted by Senator Schumer who reached his tipping point with Facebook as outlined earlier.

I saved my most important “little thing” for last. Even if you don’t believe that the privacy debate has yet to reach a tipping point, consider this: in June, the Supreme Court will issue its decision in City of Ontario v. Quon. This is the first time that the Supremes have considered the crucial question of what expectation of privacy users have in their electronic communications.  Their decision will most likely impact any regulatory or legislative scheme around privacy currently being proposed by the federal agencies or Congress.  Most importantly, a Supreme Court decision that finds an expectation of privacy in electronic communications will most certainly translate into increased obligations on companies that deal in these types of electronic communications and data.  A tipping point?  Absolutely.  In fact, such a decision would definitely signal something much bigger (to quote another popular book title) – a Game Change for advertising and marketing on the web.


Filtering and Sniffing after FCC v. Comcast

The topic du jour is definitely the DC Circuit’s decision in FCC v. Comcast – and what it will mean for net neutrality, and the FCC’s plan to regulate broadband access and consumer protections on the Internet. The decision – which states that the FCC does not have the authority under current law to regulate how ISPs police traffic on their networks – will most certainly impact the FCC’s implementation of its recently announced broadband plan.  Already, the agency has decided not to pursue certain cybersecurity, privacy and consumer protection policies in the wake of yesterday’s decision.

The DC Circuit crafted a careful and narrow decision, which will probably survive appeal (if indeed the FCC chooses to take that route).  The ruling focuses predominantly on the question of whether the FCC had explicit or implicit jurisdiction to regulate Comcast.  It leaves open however, the question of when and how ISPs can use filtering technologies to detect content.

All ISPs employ filtering technologies to some degree.  These technologies filter or “sniff” data packets while they are en route to their final destination.  The packets usually consist of two parts: control information and user data (also known as the payload). Shallow packet inspection involves examination of the control data – to allow an ISP to route content to the right server for example.  A deeper form of packet inspection allows the ISP to check for viruses and other malware that might be attached or embedded in content.  But it’s deep packet inspection that concerns most privacy advocates.  This is a more intense process that allows the ISP to literally peer in and scan the payload portion of the packet – to serve ads, or track user behavior.  The NSA uses the technology in its terrorism surveillance efforts. Certain governments –such as China – use deep packet inspection to censor content.

The FCC complaint which led to yesterday’s decision was filed against Comcast by Free Press, Public Knowledge, and several other advocacy groups and academics.  It suggested that the company was using some sort of deeper detection technology to “throttle” consumers’ use of P2P applications like BitTorrent. Comcast defended its actions, stating that it had a right to slow access in instances when network resources are scarce, because applications like BitTorrent consume large amounts of bandwidth.  In their FCC petition, the Free Press / Public Knowledge coalition disagreed, stating that Comcast had violated FCC policy which entitles consumers to “access lawful Internet content… and run applications and user services of their choice.”

The FCC investigated the matter and sought public comment.  Its investigation showed that Comcast was restricting user downloads of large files 24/7 – even when network resources were not scarce.  There was no suggestion by the FCC that Comcast used deep packet inspection technology to restrict downloads – although some have noted the company’s relationship with Sandvine, a company specializing in “network policy control solutions.”

After concluding its investigation, the FCC issued an Order, stating that it had the jurisdiction to regulate Comcast’s network management practices.  Furthermore, the agency decided to resolve the issue through adjudication – and not through the notice and comment cycle of typical FCC rulemaking.  In his press release announcing the Order, then FCC Chairman Kevin Martin analogized the situation to the US Postal Service opening your mail and then deciding, based on the contents contained therein, that it was either going to delay sending your mail or not send it altogether.

Comcast challenged the Order successfully in District Court; the FCC appealed, resulting in yesterday’s decision.  Where does the agency go from here? FCC Chairman Genachowski has stated that the agency will find other legal authority to pursue its stated goals if it loses its case against Comcast.  With a precedent like yesterday’s decision on the books, the agency will most certainly need Congress to pass a law giving it that explicit authority.  Enabling legislation of this type could take years – particularly given the special interests involved in this particular debate.  In the meantime, perhaps the FCC should think about reversing its 2002 decision deregulating broadband – a suggestion made by Public Knowledge’s Gigi Sohn on the PBS News Hour earlier this evening.

Until these issues are resolved, the legality of using filtering or sniffing technologies to block or slow down questionably large files on networks remains unclear. Comcast, in its muted response to the DC Circuit decision, indicates that it intends to keep working with the FCC to “…preserve a vibrant and open Internet.”  Will this intention change if its merger with NBC Universal is approved?  Would the merged entity employ such techniques to ensure that its own content is not being downloaded illegally?  Active network management can rob an ISP of its safe harbor for copyright infringement under the DMCA – but what happens if the network provider and the copyright owner are one and the same?

This case started with consumer complaints.  Yet the court’s decision does not provide any guidance for consumers who believe that they are being denied efficient broadband access due to their web surfing appetites. Professor Paul Ohm of the University of Colorado has an interesting approach – in this delightful article on net neutrality and privacy.  In it, he suggests that consumers look to the ECPA to address concerns with ISP discrimination against large file downloads.  ECPA of course, is the focus of its own reform effort – the move to secure digital due process.  Many of the same companies that support ECPA reform also support net neutrality.  Perhaps the move to reform ECPA will provide a way to obtain some legal guidance on how and when packet sniffing technologies can be used by ISPs to filter content.  But even with such clarity, the question of which agency should regulate the Internet – FCC, FTC or even the Department Commerce – will remain open.

Categories: Uncategorized Tags: , , ,

Digital Due Process and the 3rd Branch

April 1, 2010 1 comment

This week, we welcome a new member to the tech policy family – Digital Due Process, a concept conceived and birthed by an extensive coalition of academics, corporations and think tanks.  The goal of the effort is to reform certain aspects of our electronic surveillance laws, specifically the Electronic Communications Privacy Act (ECPA), that regulate how the government gains access to private data.  By doing so, the coalition hopes for legislation that will guarantee a certain amount of due process and privacy protection for the vast amounts of data – emails, photos, music – that private citizens upload to the cloud every day through email and social networking services.

A group of notable academics, companies (AOL, Google and Microsoft) and think tanks (EFF, CDT, PFF) working together is news in and of itself.  It’s clear however that the time has come to reform ECPA, a statute that was first passed in 1986, several years before commercial Internet activity was a reality (for more, check out the coalition’s white paper or my previous blog on the subject).  The law has simply become – in the words of both Senator Patrick Leahy and the EFF’s Kevin Bankston – “woefully outdated.”

Senator Leahy weighed in of course, because the goal of this effort is to get Congress to pass legislation that will reform the ECPA provisions having to do with government access to data.  According to his press release, Senator Leahy welcomes the opportunity to explore the privacy and law enforcement concerns with the current version of ECPA. It’s unlikely, however, that ECPA reform legislation will be enacted this year – with the mid-term elections looming, and with other tech policy issues such as net neutrality still simmering on Congress’ back burner.  It’s also uncertain what support, if any, the coalition’s proposals will have from law enforcement. For the most part, the coalition’s proposals focus on stored data – and will not interfere with the government’s ability to gain access to real-time communications under the Wiretap Act.

But, as Declan McCullagh points out, law enforcement’s position may differ from the administration’s position, as echoed by Candidate Obama in his campaign promise to strengthen privacy protections in the digital age.

By the way, the coalition’s proposals, which you can read in depth here, focus on government access to both electronic communications and important data such as subscriber information.  It also proposes to update ECPA’s requirements for access to location data – particularly important given the DOJ’s argument, made recently, that it does not need a warrant to track cell phone location data.

What I find intriguing is the precedent this effort could establish in defining a right to privacy for data – regardless if access is by the government or by a third party. In his campaign promise on privacy, the President also talked about using “the power of technology to hold government and business accountable for violations of personal privacy.”  Indeed, if the coalition’s efforts are successful, some of its members may themselves be subject to lawsuits with ECPA-based claims.  Congressional legislation will likely include some provision for regulating access to data by private parties, not just government.  This could lead to expanded causes of action against some of the very companies that are advocating for ECPA reform. Perhaps these companies realize and accept this inevitability– because even with the threat of additional litigation and regulatory actions in the near term, the ultimate goal is a reality where people are aware of the value of their personal data and are also willing to entrust that data to the provider who guards it most carefully.  As many of the coalition member companies argue, user trust is the keystone to a functional digital ecosystem.

Congress has not really tackled the issue of data privacy (yet), but the other two branches of government have encountered it in some form or the other. The administration continues to forge ahead with its ideal of individualized control over personal data – as seen most recently in the FCC’s Broadband plan, which contains a number of provisions aimed at giving private citizens more control over their online data profiles.  On the other end of the spectrum, courts continue to wrestle with the 4th Amendment third-party doctrine, and whether there is an expectation of privacy in data that an individual creates, and then hands over to a third party (ISP, etc.) for distribution or storage.

How will Congress handle the issue?  Painfully and slowly, I suspect.  At least the debate has started.  Let the shaping begin.

Categories: Uncategorized Tags: , ,

Congressional Gridlock & the Threat to our Cybersecurity

February 19, 2010 Leave a comment

A country is under daily threat of invasion from seemingly invisible enemies located outside of its borders.  Surprisingly, the country remains unprepared – its government has instituted no policies or procedures to respond to the imminent threat; policy makers and legislators struggle to define how such attacks should be treated under the laws of the land.

If you guessed that this country is the United States of America, you are right. The attacks are those that happen in cyberspace – ranging from cyberwarfare to the list of threats from “compromised” web applications in this McAfee report.  Countries already engage in cyberwarfare – Russia launched a cyber attack against the Republic of Georgia in August 2008; China has allegedly used cyberwarfare for years against India.  But now we are seeing frequent attacks against private enterprise too.  Just yesterday, we learned that the recent cyber attacks against Google and several other technology companies were mounted from unlikely battle stations, two universities in China, both of which receive funding from the Chinese government.   We also learned about the existence of the massive Kneber botnet that has infected 75,000 computers at over 2,500 corporate and government entities.  Was Congress paying attention?

Cyber attackers come in all shapes and sizes, and exist on a global scale, just like the Internet.  At a recent NAAG Presidential Initiative looking at cybercrime and other issues, Fred Huntsberry of Paramount Pictures stunned his audience with a presentation on Russian and Eastern European cybercriminals.  These guys run online websites that manage to violate content piracy and identity theft laws at the same time, and on a massive scale.  First, they provide pirated, just released theatrical content for download or streaming.  Then, as many are also members of identity-theft rings, they misappropriate the credit card information you stupidly provide for subscription access to all that great (pirated) content.

The size of the cybercrime operation does not necessarily dictate the impact of the activity.  Take for example, the cybercrime ring composed of 3 people – Albert Gonzalez and his two Russian partners, responsible for the biggest data breach in US history (Heartland Payment Systems, implicating over 130 million credit and debit card accounts).  This was on top of the Gonzalez team’s other enormous breaches – including hacking into the payment systems of some of the country’s top retailers (Barnes & Noble, Office Max, Sports Authority, etc.)

The US has been on notice about the need for a comprehensive framework – to deal with cyber attacks and cyberwarfare – for many years now.  In 2001, Chinese hackers shut down; amazingly, almost 10 years later, we still lack a national plan of action to deal with cyber security, or a national data security law that defines both the issue and an offensive strategy to deal with its concerns.  Why do we lack the ability to deal with this very real and imminent threat?

A sobering white paper, recently published by former House Representative Thomas McMillen, provides some possible answers as to why there is no “political or corporate will” to enact cyber security legislation: an aggressive private sector lobby that has “resisted change” while paying “lip service” to the issues, a disengaged federal government (let’s add congressional gridlock to this category), and a public that fails to see the link between identity theft and cyber attacks (even though an estimated 40 million Americans are “cyber victims”). McMillen advocates for more public awareness – along the lines of what happened in the environmental movement – to catalyze the private sector to compete on security.  He also advocates for government regulation to give the industry the direction it needs on developing technologies and practices around cyber security.

If you believe McMillen’s report, there’s been little effective coordination between the public and private sector on cybersecurity – something that must happen for the government to effectively respond to a cyber attack.  For instance, imagine a situation where malware on smart phones (delivered through an innocuous March Madness application) is remotely activated to shut down the country’s telecom and broadband networks, paralyzing them during a hurricane.  How would the government and telecom providers resolve the issue? This was the scenario imagined by the Bipartisan Policy Center this week during their CyberShockWave mock attack exercise – featuring real former government officials in pretend government roles. After going through the exercise, the Center concluded that the US is “unprepared” for cyber threats (you can actually view the mock attack on a CNN special this weekend). And surprisingly, we do not yet have guidelines for how the government should communicate with private industry – like the telecom industry – in the case of such an emergency.

The lack of an effective cybersecurity framework is troubling.  But even more worrisome is the fact that the US is already losing the philosophical battle here against some formidable opponents.  Today’s cyber warriors are ideologically disposed towards cyber attacks – in China, hacking is often viewed as a patriotic activity.  They are intelligent – Shanghai Jiaotong University, one of the two universities identified as a source of the recent attacks against Google, recently beat out Stanford to win IBM’s prestigious Battle of the Brains competition.  And they are sophisticated – NPR’s interviews at this week’s Black Hat conference reveal a world where hacking is viewed as a business – complete with mission statements, budgets and continuing education programs.

It’s unlikely that cybersecurity legislation will be enacted in an election year when Congress already has so much on its plate.  Yet not doing so has severe consequences. Cyber attacks are behind one of the leading consumer complaints faced by federal and state regulators – identity theft.  Nearly 12 million consumers were affected by this crime in 2009 (according to a recent study by Javelin Research), making this a very real threat, not a policy issue that should be left for debate.   This reason alone should give Congress the political will to act; yet the gridlocked body continues to ignore the issue.

I hope it doesn’t take a real cyber attack to get their attention.