May 9th, 2008 by Sophia Cope
Back in April, I blogged about how Department of Homeland Security Secretary Michael Chertoff was “dead wrong” when he testified before the Senate that personal information can’t be “skimmed” from an unencrypted barcode, which all driver’s licenses will have under the REAL ID program. Chertoff completely denied that there are any privacy risks associated with the REAL ID card’s “machine-readable zone.”
Sen. Feingold, D-WI, was right to question Chertoff’s testimony that day and followed up with a letter asking the Secretary to further explain why he thought citizens’ personal information wasn’t at risk or why they couldn’t be tracked by scanning REAL ID cards during a multitude of transactions. Just this week, DHS responded to Sen. Feingold via letter. The Department again shirked responsibility for ensuring that Americans’ personal information stored on REAL ID cards is protected and not accessible by unauthorized parties – businesses and government agencies alike.
As with virtually all REAL ID privacy issues, DHS has punted the security of the machine-readable zone (i.e., barcode) to the states. CDT has consistently highlighted this as a key privacy issue (among many), arguing that the REAL ID program in total should be scrapped. Or, at the very least, the privacy and security shortfalls should be addressed by new legislation. Congress must act soon because DHS clearly can’t be trusted to meaningfully protect personal privacy.
Chertoff did not sign the DHS response letter. This saved the Secretary the embarrassment of admitting that he was the one who was wrong on this matter and not the privacy advocates seeking to protect the security of Americans from identity theft and other threats by raising the issue.
Posted in CDT, Security & Freedom | No Comments »
May 8th, 2008 by David Sohn
There’s an appealing simplicity to “all-you-can-eat” service plans. But at the buffet, there’s a natural limit to how much any individual can consume. Just think what would happen if a few large-volume eaters with virtually limitless appetites started slurping up virtually all the food at the buffet as fast as the restaurant could put it out. The rest of the diners either would face slim pickings, or would have to pay a lot more for the ticket to the buffet line, essentially subsidizing the mega-eaters, so the restaurant could afford to put out a lot more food. All of a sudden, “all-you-can-eat” wouldn’t seem like such an appealing arrangement.
Broadband Internet service in the United States has been sold as an all-you-can-eat offering, but that pricing system is showing some cracks. Time Warner Cable in January announced a trial of usage-based pricing, albeit in just one town. This week BroadbandReports.com reported that Comcast is considering implementing a monthly usage cap, with overage charges for those who exceed the cap more than once. Usage caps are common in other countries.
Posted in CDT, Internet Neutrality | No Comments »
May 8th, 2008 by Alissa Cooper
Earlier this week, I had the pleasure of participating on a panel about location-based services at the FTC’s town hall meeting, Beyond Voice: Mapping the Mobile Marketplace. Now that the number of U.S. consumers who own a mobile device has outpaced the number of U.S. Internet users, the policy issues in the mobile space are taking on increased importance. And with numerous new technologies that can determine the location of a mobile device – not to mention a government mandate that mobile phones should be locatable for 911 emergency purposes – location privacy issues are sure to be front and center.
In a separate proceeding at the FTC, the Commission recently asked for input about what kinds of data should be considered “sensitive” in the behavioral advertising context, where consumers’ online activities are tracked for the purposes of displaying relevant advertisements to them. CDT suggested that geographic location information should be considered as a sensitive data category that deserves special protections, in part because of the unique privacy challenges that location information presents.
Posted in CDT, Consumer Privacy | No Comments »
May 5th, 2008 by Leslie Harris
Today, CDT posted an updated memorandum on the most recent version of the Global Online Freedom Act (“GOFA”). GOFA was first introduced by Rep. Christopher Smith (R-NJ) several years ago in response to troubling reports of company complicity in Internet censorship and cooperation in prosecutions of dissidents who posted political material online. The late Rep. Tom P. Lantos (D-CA) took up the cause last year and the bill was reported out of the Committee on Foreign Affairs late last year. Industry opposition to the bill has been fierce and efforts to bring the bill to the floor on suspension have thus far been thwarted.
CDT strongly believes that technology companies doing business in countries that broadly surveil and censor the Internet must take serious steps to identify and minimize the human rights risks associated with providing services and technology solutions in those countries. For several years, we have been co-facilitating a multi-stakeholder initiative aimed at developing global principles to guide ICT companies facing free expression and privacy challenges. We remain hopeful that these principles will grow into a global industry standard that will give the industry a road map for collective action in this area.
We also believe that companies must not hide from these challenges. They should advocate for changes in public policy that protect the rights of their users, challenge laws where possible and collaborate with human rights groups and other stakeholders to build support for an open Internet that supports human rights.
Posted in CDT, International | No Comments »
May 1st, 2008 by Greg Nojeim
A federal appellate court ruled that the government can freely search and save the files travelers maintain on their laptops when coming back to the U.S. from an out of country trip. The case, United States v. Arnold, No. 06-50581, 2008 U.S. App. LEXIS 8590 (9th Cir., April 21, 2008) has put business travelers in a tizzy and may pique the attention of members of Congress.
The case turns on the travails of Michael Arnold. As Arnold was re-entering the U.S. from a trip to the Philippines, he was pulled out of line at the checkpoint, questioned about his travels, and directed by an official of U.S. Customs and Border Patrol (CBP) to turn on his computer so they could verify that it was functioning. CBP officials opened files that appeared on the computer’s desktop screen, discovered that they contained pictures of nude women, then opened other files and found images depicting what they believed to be child pornography. Arnold was arrested and his computer was seized.
Posted in CDT, Security & Freedom | No Comments »
April 30th, 2008 by Ari Schwartz
Early Bird Registration for the Computers, Freedom and Privacy Conference is up on Friday and, if you’re like me, you probably haven’t registered yet. So here is your reminder… go register!
It looks like a great conference — John Morris and I are speaking from CDT. Here are all the details:
COMPUTERS, FREEDOM, AND PRIVACY: TECHNOLOGY POLICY ’08
http://cfp2008.org/
18th Annual CFP conference
May 20-23, 2008
Omni Hotel
New Haven, CT
Hotel Conference Discount Deadline: May 1, 2008
Early Bird Registration: Fri., May 2, 2008
Yale Journal of Law and Technology Tech Policy Essay Contest: Mon., May 5, 2008
Posted in CDT | No Comments »
April 17th, 2008 by David Sohn
Following on its earlier announcement of plans to collaborate with BitTorrent, Comcast this week issued a press release signaling its intention to collaborate with another peer-to-peer (P2P) technology provider, Pando Networks. There are two main parts to the Pando announcement.
First, Comcast and Pando hope to lead an “industry-wide effort” to create a “P2P Bill of Rights and Responsibilities” for P2P users and ISPs. We’ll have to see how this evolves, but establishing a set of best practices in this area could well be useful. It is important, for example, to ensure that users have control over how their P2P applications work, as in what files get shared, how and when the P2P application uses computer resources, etc.; the press release suggests that the question of “what choices and controls” consumers should have will be a central focus. So if Comcast and Pando succeed in getting broad buy-in to their ideas, this could be a productive discussion.
Posted in CDT, Internet Neutrality | No Comments »
April 16th, 2008 by Ari Schwartz
Nine days ago, Sophia Cope blogged about how Homeland Security Secretary Michael Chertoff suggested that REAL IDs cannot be skimmed, in sharp contrast to DHS REAL ID Regs, which clearly say that the REAL ID is at risk of skimming. Today, CDT Fellow Peter Swire blogged on the Center for American Progress Web site about a new Chertoff statement where he said that “fingerprints aren’t ‘Personal Data.’” Swire shows that this comment lies in sharp contrast to DHS’ stated policy that fingerprints are “personally identifiable information.”
It is now time for DHS to make clear: is Chertoff purposely suggesting changes to existing policy, or are these both misstatements?
Posted in CDT, Consumer Privacy, Security & Freedom | No Comments »
April 7th, 2008 by Sophia Cope
Department of Homeland Security Secretary Michael Chertoff has a hard job. Among other things, it’s his responsibility to make sure that our country isn’t attacked by terrorists and that undocumented immigrants don’t cross our borders. So it’s understandable when he vociferously defends his Department’s efforts at “protecting the homeland.” But it’s inexcusable when the guy is simply factually (and vociferously) wrong on an important policy issue.
On April 2, Chertoff, testifying before the Senate Judiciary Committee during a hearing on DHS oversight, had the gall to say that public interest groups have been putting out “misinformation” and are “dead wrong” about the privacy and civil liberties risks of REAL ID. Yet it was the Secretary who put out misinformation and was dead wrong about the risk of the wrong people gaining access to personal information stored in the REAL ID card’s “machine-readable zone” (MRZ).
Specifically, Chertoff said – in response to a question from Sen. Feingold – that it would be impossible to “skim” personal information off REAL ID cards, all of which will have a DHS-mandated two-dimensional (2D) barcode as the MRZ. An MRZ is a section of an ID card that stores digitized personal information that can be quickly scanned and collected by an electronic reader. Other MRZ examples are the common magnetic stripe or the one-dimensional bar code like those seen on grocery packages. Chertoff asserted that the skimming of personal information can only happen with RFID chips. He also said that DHS is not mandating that REAL ID cards have an RFID chip (this actually is true).
While CDT is glad that DHS is not mandating an RFID chip for REAL ID cards, the Secretary is nevertheless – in his words – dead wrong. The RFID chip isn’t the only “machine-readable zone” that can be scanned and from which personal information can be collected. Police officers regularly scan the various MRZs of state driver’s licenses, as do businesses such as bars that seek to verify that patrons are over 21.
Posted in CDT, Security & Freedom | 2 Comments »
April 2nd, 2008 by Sophia Cope
Last week, a federal trial court in New Hampshire held that a website that enables singles and “swingers” to find sexual partners may be sued by a woman who was the subject of a fake profile created by an unknown imposter. The New Hampshire District Court in Jane Doe v. Friendfinder Network (No. 07-CV-286) ruled that Section 230 of the Communications Decency Act (47 U.S.C. § 230), which generally protects website operators from being held responsible for illegal content posted by others, doesn’t bar Doe’s claim against AdultFriendFinder.com for violating her “right of publicity” under New Hampshire law.
While I have sympathy for the woman – I certainly wouldn’t want a fake profile of me on such a site – CDT is concerned with the legal precedent that might be created in this case. If Section 230 doesn’t bar state right-of-publicity claims against Internet intermediaries, popular user-generated-content sites – like YouTube.com where thousands of videos are posted each day, undoubtedly without the consent of many of the people in the videos – could soon face a wave of costly lawsuits.
Posted in CDT, Free Expression | No Comments »