CDT and other advocates sent a letter to President Obama today once again urging greater transparency as the US negotiates a new Anti-Counterfeiting Trade Agreement (ACTA). While the administration has permitted some advocates (including my colleague David Sohn) to review the US-authored Internet portion of the current draft under strict non-disclosure rules, such limited access does not allow for full analyses of the agreement and its implications (even by other CDT staff members, much less the broader public interest community). Some leaks have surfaced which suggest that ACTA could require DMCA-style notice-and-takedown and anti-circumvention laws, or even graduated-response obligations on ISPs (see coverage here and here). The fact remains, though, that we don’t know what we don’t know, and a full discussion of whatever obligations ACTA would impose is impossible unless the Obama administration draws back the curtain on the drafting and negotiations. Any proposal that could lead to the denial of people’s Internet access—even if they have violated copyright law—would raise very serious constitutional problems under our First Amendment, and should not be even considered without a broad and open public discussion.

An eye-opening new study out of Fordham Law’s Center on Law and Information Privacy finds that state educational databases are lacking when it comes to protecting the personal information of K-12 children. Some states hand off the storage of this information to outside firms and do so without any restrictions on use or confidentiality for the children’s information, the study found.

The information on children collected in these electronic data warehouses includes matters related to teen pregnancies, mental health and juvenile crime; the report says that this information is often stored in a manner that “violates federal privacy mandates,” the study says.

From the report’s summary:

“Some striking examples are that at least 32% of the states warehouse children’s social security numbers, at least 22% of the states record children’s pregnancies, at least 46% of the states track mental health, illness, and jail sentences as part of the children’s educational records, and almost all states with known programs collect family wealth indicators.”

The study isn’t all finger pointing, it also outlines several critical recommendations to help increase the privacy, transparency and accountability of these databases. The study comes just as Congress is considering expanding and integrating the data collection process among the 43 states that currently collect this type of information on K-12 children.

CDT’s Sheel Pandya, Policy Counsel for the Health Privacy Project wrote a guest blog post on American Constitution Society’s blog discussing a comprehensive privacy and security framework as the key to health IT’s success. The passage of the American Recovery and Reinvestment Act of 2009 (ARRA) in February has helped shine a brighter spotlight on health IT especially within the overall health care reform debate. The post talks about what is needed to see the marriage of health technology and health policy work to the greatest extent while protecting patient privacy. Check it out and leave your feedback.

A coalition of 20 civil liberties organizations, including the Center for Democracy & Technology, released a letter today endorsing H.R. 3845, the USA Patriot Amendments Act. The bill was introduced by the Chairman of the House Judiciary Committee, Rep. John Conyers (D-MI) and Subcommittee Chairs Rep. Jerrold Nadler (D-NY) and Rep. Bobby Scott (D-VA). The Senate version of the legislation, the PATRIOT Act Sunset Extension Act, S. 1692, has not drawn a similar level of support in the civil liberties community, largely because of the different ways the bills deal with National Security Letters. CDT has prepared a chart that compares the two bills.

An NSL is a simple form document issued by the FBI and other intelligence agencies that requires Internet Service Providers, banks and other financial institutions, and credit agencies to turn over records about their customers. There is no judicial authorization; the letters are issued when the agency seeking the records decides that they are relevant to its own investigation. The letters are usually accompanied by a “gag” order that, with limited exceptions, bars anyone from disclosing that information was sought or obtained with an NSL. Two Inspector General reports have found widespread abuse and misuse of NSLs.

The bill the groups endorsed would require that NSLs issue only when a government official has prepared a statement of specific and articulable facts showing reasonable grounds to believe that records sought with an NSL pertain to a spy, terrorist or other agent of a foreign power. It also retains the requirement in current law that information sought with an NSL also be relevant to an investigation. The Senate version, in contrast, retains the relevance standard, which permits the government to issue the letters to get records about everyone, including those who have no relationship whatsoever to a terrorist or a spy. Under the Senate bill, the issuing agency merely has to satisfy itself that specific facts indicate that the records sought are relevant to an investigation. The requirement in both bills of specific facts showing relevance is new, and marks a slight improvement in the NSL standard. But the real reform is in the House bill, because it requires that the records pertain to a terrorist or spy.
Read the rest of this entry »

Recently, CDT’s Adam Rosenberg authored a guest blog post for Wired.com’s GeekDad blog, a parenting blog for tech-savvy parents. The post is the first in what will be a series of “how-tos” on raising an Internet savvy child and discusses some of the issues parents confront when setting up a child’s first email address. CDT has been outspoken about the importance of child safety online and it’s clear that the tips for keeping children safe could apply to adults as well. The blog post is a timely, informative read and comes a few days after a great New York Times piece on guarding your kids online. Thanks to WIRED for the opportunity.

In the wake of the major decision by the FCC to open up serious and substantial discussion on rule making on Internet neutrality, CDT’s Leslie Harris wrote a guest column for ABC News where she answers the simple question: “Why should you care about Net Neutrality?”

The article offers informative discussion on the basics around the net neutrality debate and is a must-read. Check it out.

Last month, we blogged about how Humana (and maybe some other health plans) sent warnings through letters to its Medicare beneficiaries that they could lose their health care benefits and services due to health care reform legislation pending in Congress. In response, the Centers for Medicare and Medicaid Services (CMS) issued an order to all health plans serving Medicare beneficiaries to stop sending letters. Some reacted to this order by accusing CMS of attempting to censor “free speech.”

Free speech, however, is not the only issue implicated by Humana’s activity. Humana arguably violated the HIPAA Privacy Rule (the federal health privacy Rule that limits how health plans (and other covered entities) can use and disclose personal health data (including mere demographic information)) when it used beneficiaries’ names and addresses to send the letters. Yet, everyone continues to ignore the privacy issue!

Health care entities do not have unfettered use of individuals’ health data. Should health plans like Humana be able to use this data for whatever reason they find important? The answer is no — and the HIPAA Privacy Rule makes this clear. The Privacy Rule requires Humana and other health plans in general to be good stewards of personal data — the same data that individuals entrust to them to manage their health care. After they share their data, individuals expect the data will be protected, kept confidential, and only used for legitimate purposes — not misused as Humana (and potentially others) have in this case. Now Humana may try to legitimize its action by arguing that sending letters to beneficiaries is permitted under the Privacy Rule as a “health care operation” — a laundry list of business and administrative activities under the Rule for which personal data can be used without needing to get the consent of the individual. However, such an interpretation would only underscore the need to narrow this overly broad category — a recommendation CDT has made in the past.

Regrettably, The Office of Civil Rights (OCR) within the U.S. Dept. of Health and Human Services (HHS), which has the authority to enforce the HIPAA Privacy Rule, has yet to speak up on this issue. As far as we can tell, no further inquiry will be done on this issue. CDT continues to urge OCR (and HHS) to prioritize enforcement of HIPAA rules and make clear that ensuring protections for personal health data is a high priority.

We just got back from an open meeting at the Federal Communications Commission where the Chairman announced a new rulemaking on Internet neutrality. It is too early to know whether we were witnesses to a historic moment in the evolution of the Internet; only time will tell. But we were surely witnesses to the beginning of a serious and substantive drill-down on the issue that is long overdue. After close to a decade of uncertainty, we are finally at the beginning of a process that promises to preserve the core characteristics of the open Internet and give certainty to all of the Internet’s stakeholders.

We applaud FCC Chairman Genachowski for launching a thoughtful and substantive process that will encourage everyone with a stake in the outcome to get past the heated rhetoric, roll up their sleeves, and put facts and technical details on the table. Immediately striking for those of us in the room was the cooperative tone among the Commissioners, the collegiality, and the obvious amount of effort that the Chairman expended in reaching out to his fellow Commissioners. And contrary to the strident efforts by some on the Hill to derail the FCC proceeding before it started, it was striking that all five Commissioners – including the two Republicans – agreed that it was a valuable step to conduct a careful rulemaking that focuses on concrete issues and concerns of both neutrality advocates and network operators.

That doesn’t mean that all of the Commissioners now believe that neutrality rules are appropriate. But it may mean that a more productive tone will finally render a more productive proceeding.

It is not just the FCC that is encouraging dialing down the heat and turning up the light. Last night, Google and Verizon Wireless posted a joint blog post setting out where they found common ground on Internet Neutrality. It’s worth a read. They agree, for example, that “it makes sense for the Commission to establish that these existing principles are enforceable, and implement them on a case-by-case basis.” Although those two companies – as well as the five FCC Commissioners – will not agree on all of the details about neutrality, it is great to see this debate move to a more constructive level.
Read the rest of this entry »

CDT and TRUSTe recently hosted “Social Networking: The Challenges of Privacy and Openness,” a discussion in their continuing Internet Policy Series. A five-minute video recapping the highlights of the event can be found here.

Held on the Google Campus in Mountain View, CA, on Oct. 7, the discussion was moderated by Fred Vogelstein of Wired Magazine and included a potent lineup of speakers: Chris Conley, Technology and Civil Liberties Fellow at ACLU Northern California; David Glazer, Engineering Director at Google and Board member of OpenSocial Foundation; and Tim Sparapani, Director of Public Policy at Facebook.

The speakers discussed the tensions that exist between privacy and openness in a social networking environment that is primarily intended for people to share information.

The discussion touched on trust between users and social networking sites, new definitions of privacy in the social networking world, the continuing evolution of users’ privacy expectations, and the limitations of giving users granular control of their personal information.

I had the honor of participating in my first Oxford-style debate at The Economist’s Media Convergence Forum in New York City on Wednesday. The proposition before us was: Consumers have more to gain than lose from sharing personal information. Dave Morgan, Chief Executive Officer of Simulmedia joined me on the ‘Con’ side of the debate. Matthew Wise, President and CEO of Q Interactive and Jeff Jarvis, author of “What would Google do?’ and the Buzz Machine Blog led the pro side.

Before the debate started the audience was polled and voted 75% to 25% in favor of the proposition. I was not surprised considering that many attendees of the conference were new media marketers. Clearly, Dave and I had our work cut out for us.

Jeff and Matt gave a spirited argument that sharing information was good for business and good for those consumers who willingly chose to share their data. Dave and I responded that we agree that, if users did control their data today, they might be better off choosing to share it, unfortunately, law, technology and corporate policy are often at odds today with providing users anything resembling control. Obviously, I’m vastly summarizing all arguments here, but this gives you a taste.

In the end, there was a revote that went 42% to 58% opposed to the proposition.

A lot of things account for the change of heart of the crowd. First and foremost, Dave Morgan was clearly a good partner as a veteran and well-respected leader in the online behavioral targeting industry who believes that we can have both targeted ads and privacy. Second, I believe that most industry players understand that the Web 2.0 world demands that individuals be granted greater control be given over their information. They know that we have simply outgrown of the 1980s direct marketing world that says that the company owns the consumer’s data.

When presented a coherent argument that is pro-advertising and pro-privacy, even those who earn their money as advertisers but don’t represent the industry in policy debates are willing to support it.