Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for 2006

Good Reports, Bad Timing

Friday, December 22nd, 2006

Happy Dump Day! — There are a few times of the year when government officials are given extra special clearance to release information that could possibly produce negative public reaction. These usually fall on the day before a holiday such as July 3 or December 31. This ensures that there will be little coverage and little attention to these stories.

Today, the Friday before a three-day Christmas weekend, offers a rare opportunity to ensure almost no coverage of a controversial story. Therefore we shouldn’t be too surprised that the US Department of Homeland Security used today as a target to release two long-anticipated reports:

It is refreshing to hear some common sense on these two projects, but it is a shame that the Administration felt the need to hide these lessons by waiting so long to release them on a day designed to limit their audience.

Restoring, Repairing and Renewing Checks and Balances

Monday, December 18th, 2006

Senator Patrick Leahy (D-Vermont), the incoming chair of the Senate Judiciary Committee, spoke last week at Georgetown University Law Center, sharing his agenda for the 110th Congress. Leahy paid particular attention to the checks and balances that lie at the heart of the Judiciary committee’s historical role.

Senator Leahy’s big-picture agenda calls for “restoration, repair and renewal.” He spoke emphatically about restoring constitutional values and fundamental liberties, repairing a broken oversight process by demanding more accountability from the Administration, and renewing the public right to know what the government is doing. He recognized the importance of making our nation secure but denounced doing so in ways that “undercut the Constitution.” By sacrificing fundamental rights in the name of national security, Senator Leahy said that the Administration is allowing terrorists to win “what they could never win on the battlefield.”

Senator Leahy touched on many specific agenda items, but a major theme was privacy. He said that the Administration must stop “treating the privacy of ordinary Americans as an expendable commodity,” and vowed to have Congress exercise more oversight in an effort to bring checks and balances back to government. In reference to the current state of privacy law, Senator Leahy said that we have “analog rules in a digital world,” and committed to amending key privacy laws that are severely out of date.

In particular, he vowed to update the Foreign Intelligence Surveillance Act (FISA) and the Electronic Communications Privacy Act (ECPA). In so doing, Senator Leahy plans to attack the Administration’s assertions that it can electronically spy on innocent Americans and that individuals have no privacy interests in personal information kept online. He lamented federal programs, such as the Automated Targeting System, that collect personal information on innocent Americans and house it in vast government databases that individuals have no right to know the contents of. Senator Leahy said that the unauthorized collection of digital information is just as bad as a warrantless search of a physical file cabinet. CDT also strongly believes that privacy laws must be amended to conform to the current technological landscape. In February of this year, CDT published a report entitled Digital Search & Seizure: Updating Privacy Protections to Keep Pace With Technology. We hope that Senator Leahy follows through on this important agenda item.

Monitoring the Would-Be Monitors

Monday, December 11th, 2006

Recently, MySpace announced that it was launching a program to monitor its site for child predators. The announcement prompted a discussion on the blogosphere about the potential abuse of active monitoring by social networking operators and law enforcement. In particular, Micah Sifry had a good post on Personal Democracy Forum entitled “Who’s Molesting Whom?” which discusses the dangers of the new policy and describes the potential slippery slope that the announcement portends.

He relates the troubling trend of prosecutors adopting fake identities to register as members of social networking sites in order to investigate low-level crimes in the community, such as vandalism among high school students, and decries the “warrantless tactics” that appear to be proliferating with respect to law enforcement access to information posted on social networking pages.

But the news is even more complicated. Late last week, Sen. McCain introduced a bill: the “Stop the Online Exploitation of our Children Act” that would significantly expand an existing obligation by ISPs to report possible child pornography to the National Center for Missing and Exploited Children (NCMEC). The bill would:

  • apply the reporting requirement to a broad range of social networking, blogging, and conversation sites;
  • impose very significant fines on any service provider that fails to report possible child pornography; and
  • require the service provider to retain any reported information for at least 180 days.

A Spyware No-Brainer

Thursday, December 7th, 2006

This morning we joined with StopBadware in filing a Federal Trade Commission complaint against spyware purveyor FastMP3Search.com.ar. I would first like to thank StopBadware for all the time and effort they put into investigating and documenting this particularly malicious software distributor. We are always pleased to be able to join forces with other organizations working to achieve our shared goal of protecting consumers online.

With so much malicious software out on the Internet today, it can be difficult for CDT to determine where its focus should lie. The FastMP3Search Plugin, however, was a no-brainer. This software bundle engages in so many illicit behaviors and bogs down users’ computers with so many junky extras that it clearly tops the list for worst actors in this space. Perhaps its worst offense is disabling consumers’ firewall software without providing any notice or attaining consent. Disabling the firewall leaves such consumers’ computers completely unprotected and open, allowing additional software to secretly install itself without the users’ knowledge or consent. This single act could effectively ruin consumers’ computers in the long run if their unprotected Internet connections are later used to install even more malicious software. Add in the installation of adware and Trojan horse applications, changing homepage settings, causing intermittent crashes, impairing computer performance, and sabotaging valid Web addresses for security companies, and you can see what havoc the FastMP3Search Plugin has caused for consumers.

The final behavior listed above – sabotaging valid Web addresses for security companies – may be even more damaging than it seems at first due to recent increased distribution of rogue anti-spyware products. Installing the Plugin changes thirty-two Web addresses belonging to major anti-virus and anti-spyware software vendors. As a result of these modifications, any attempt by the user to reach these Web sites through a Web browser results in an error page. Thus, users may end up turning to rogue security vendors – whose Web sites are not blocked – in order to get some relief from the malicious Plugin bundle. These rogue products require payment from consumers but provide no such aid in cleaning up their computers. This creates an incredibly harrowing environment for consumers, and it shows one more reason why we are urging the FTC to shut down this dangerous operation.

Minding Privacy’s Past

Wednesday, December 6th, 2006

Yesterday’s U.S. Chamber of Commerce event, Minding Your Business: The Future of Privacy, brought together speakers from across the private and public sectors to engage in a discussion about upcoming privacy trends. In attendance were several high-profile companies who earlier this year voiced their support for the development of a comprehensive consumer privacy law. At the event several of these firms re-iterated their determination to see the creation of a national consumer privacy law and expressed their desire for the new Congress to put the issue high on its list when legislators return next year.

Although the event focused on the future of privacy, one of the most provocative issues of the day referred to the history of privacy and law enforcement. Mike Vatis of Steptoe & Johnson LLP noted that in recent years the Federal Trade Commission, with its broad mandate to protect consumers from unfair and deceptive trade practices, has had to chart its own course in the privacy space. FTC Chairman Deborah Platt Majoras explained how the commission has adopted its own “reasonableness” standard for determining whether companies are doing enough to protect consumers’ privacy. The commission also recently proposed some new language regarding notice requirements as part of its consent agreement with adware firm Zango, Inc. These developments show that when no law exists, the FTC standard becomes the de facto law.

The FTC plays an absolutely essential role in protecting the privacy of American consumers, but it is Congress that should be in the business of defining a general privacy law. Doing so will help the FTC and so many other enforcement bodies be all the more effective.

Asking the Big Questions About Biometrics

Wednesday, December 6th, 2006

Last week the Department of Homeland Security sponsored the International Conference on Biometrics and Ethics. Attendees included U.S. and foreign representatives of government agencies, public interest organizations, academic institutions, and industry. On November 28, I attended the speech by Stewart Baker, DHS Assistant Secretary for Policy, and the panel on “Privacy and Ethics Under Normal and Extraordinary Circumstances.” There was an unchallenged assumption that using biometric identifiers allows for better identification, and better identification ensures more security. However, several cautionary points were made.

Mr. Baker said that because such bodily indicators (fingerprint, handprint, iris, retina, facial features, gait, DNA) are immutable, a person can be easily identified in all circumstances. Records tied to a person via biometrics become very difficult to “shake.” Some panel attendees agreed that biometrics should not be used to create a universal unique ID precisely because they are so permanent. People have a right to create different social identities for themselves, and even be anonymous. However, countries like Mexico and the UK are tying biometric data like DNA to their ID cards.

Panel attendees noted how gathering biometrics uniquely threatens an individual’s “dignity.” People literally give up pieces of themselves, which is more threatening and intrusive than revealing a name, address or SSN — labels that can be changed. Thus the concept of ethics is even more appropriate in this context. Ethics is different than law. It provides a more expansive framework of inquiry, necessarily considering dignity, and how humans can be free to flourish. Governments might seek to push the limits of law, but governments have an ethical responsibility to do more than be legally opportunistic. The use of biometrics uniquely changes the relationship between citizens and the state. Some panel attendees expressed the fear that biometrics will create nations of suspects. Considering ethics in the context of biometric technology forces us to ask the broad question, What kind of society do we want to create?

Mr. Baker said that limitations on the use of biometrics and preventing “mission creep” constitute the most important privacy issue. Panel attendees similarly emphasized that because biometrics change the balance of power between government and the individual, more democratic controls must be instituted. The collection and use of biometric data must be transparent. Individuals have a fundamental right to know what biometrics are collected and how they are used. Laws must limit the use of biometrics to select purposes, and prohibit their use for other undisclosed purposes. Laws must allow for redress, whereby citizens may challenge the collection, accuracy and use of biometric data, conclusions drawn from or decisions made based on that data, and the accuracy of records tied to that data.

“Mobile content” versus “the Internet”

Friday, December 1st, 2006

An article in yesterday’s Wall Street Journal (“Cellphone Carriers Let Others Sell Mobile Content to Users,” by Amol Sharma and Li Yuan) reports that mobile phone carriers are starting to let third-party content providers sell content to mobile phone users. That may well be a positive development for users. But it also highlights how different the mobile phone model is from the Internet, and offers a good illustration of what’s at stake in the Internet neutrality debate.

Initially, mobile phone carriers provided “mobile content” (ringtones, games, etc.) exclusively through their own portals. Verizon Wireless customers who wanted to download content to their mobile phones had to buy it directly from Verizon Wireless. The Wall Street Journal article reports that this is changing — carriers are striking deals with third parties such as MLB.com, which will then be able to offer on their own websites content for download to users’ phones.

I suppose that’s a step in the direction of openness, but the limits described in the article are striking. Users’ choices are still limited to content providers who have “partnered” with the mobile carriers by agreeing to a revenue sharing deal. The mobile provider generally keeps a hand in the transaction by arranging for charges to be added to the monthly bill, and may actively discourage direct credit card or PayPal transactions between the user and the content provider. About 75 percent of all mobile content sales are still through the carriers’ own portals. And some content is available to subscribers of certain mobile carriers but not others; for example, Verizon subscribers can’t get access to online mobile content by World Wrestling Entertainment, Inc., while subscribers of other carriers can.

Maybe all of that is ok in the fledgling and spectrum-constrained market for mobile content. But whatever you may think about it, it is very different from the Internet. Internet users download content, services, and applications from whomever they choose — not just “partners” of their ISPs. The sites and services users can access don’t depend on which ISPs they get their Internet connections from. Users and content providers enter into payment transactions with one another directly, using credit cards and PayPal, with no ISP involvement and without the ISP taking a cut. The result has been a hyper-competitive environment with unparalleled innovation and diverse choices for users. Innovation by untold numbers of entrepreneurs of all stripes and sizes turns out to yield a lot more interesting stuff than the product development divisions of a limited number of “content partners.” Given all those entrepreneurial content providers, the idea of an ISP providing 75 percent of the content its users buy online is virtually unthinkable.

The differences between these models — and the consequences of those differences — are a big part of what’s at issue in the net neutrality debate.

Big in Japan

Thursday, November 30th, 2006

I had the great honor of spending the past week in Japan as a guest of the Japanese Broadband Association (BBA) to discuss issues of privacy, spyware and cyber security. The BBA were the most gracious hosts that one could ask for. I hope to return the kindness when they come visit the US.

The best part of the trip was really the information exchange. I offered what I know about spyware issues in the US and Europe and they taught me a good deal about cyber fraud in Japan.

There are many similarities between the two countries. For example, it is very clear that money has become the driving factor for Internet crimes around the world. Even in Japan, where otaku or “nerd” culture has become a national export, hacking purely for the glory of it has been dwarfed by hacking for the purpose of committing fraud. In Japan, this mainly takes the form of auction phishing sites and relatively simplistic billing schemes referred to as one-click fraud. Japan seems to have seen a slight rise in some forms of spyware, like targeted keystroke loggers used for corporate espionage and fake security software like the rogue DriveCleaner (seen here in a Japanese advertisement).

On the other hand, there are major differences. In particular, the US has a much higher prevalence of nuisance or harmful adware and identity theft than Japan. Based on the discussions that I had, I attribute this to four major factors:

  1. The crime rate for fraud and property crime in Japan is astoundingly low in general (online and offline) per capita.
  2. Unlike English-speaking countries, there is a major language barrier for foreigners to commit online fraud in Japanese because the language is used by so few people in general.
  3. The distribution of software in Japan is almost completely controlled by the computer manufacturers (OEMs). I have been told that most Japanese, particularly those with less technical knowledge, have all of their software pre-loaded when they purchase computers. They make choices about which ISP and security software they want and after that they never add or significantly alter settings on the computer. Software companies pay large sums to have their products pre-installed because there are generally no post-purchase online downloads. In the US, as CDT and others have documented, it is precisely this online marketplace for software that has led companies to pay affiliates to install software without adequately monitoring their affiliates’ actions.
  4. Advertising distribution also seems to be much less complex in Japan than in the US. As we have detailed in Following the Money I and Following the Money II, the ad structure in the US leads a small but significant number of ads to be placed in nuisance adware without the advertisers’ knowledge. I have been told that most Japanese content providers only have direct relations with their advertisers and the largest content providers seem to vet ads thoroughly.

These factors are not meant to reflect negatively on the US (other than the general crime statistics). In particular, there are major benefits to creating and sustaining more open markets. However, we need to realize that these benefits also come with risks and that responsible market actors should care about the health of the full market and do their part to protect it from fraud.

Strengthening the Case Against Mandatory Labeling

Thursday, November 30th, 2006

As Congress moves closer to adjournment, the fate of a proposed criminal law that would require mandatory labeling of “sexually explicit” Internet content remains unclear.

Buried in the Senate State Justice Commerce appropriations bill, the chances for the labeling bill’s passage appear to hinge on how badly the lame duck Congress wants to leave town. The prevailing wisdom is that the Congress will not act on the remaining appropriations bills, and will instead adopt a continuing resolution, which simply extends current government funding levels until the next Congress convenes in late January. That’s a messy way to manage the taxpayers’ money, but it will take the labeling bill off the table for now. But if Congress decides to move ahead with the individual appropriations bills without striking the Internet labeling provision, the mess will take on constitutional proportions.

Earlier this month, the Seventh Circuit struck down the Illinois “Sexually Explicit Video Game” law. It’s a must read for lawmakers deciding the fate of the Internet labeling bill. The Illinois law required game manufacturers and retailers to place large labels with the numeral “18” on any sexually explicit game. The definition of sexually explicit closely mirrored that found in the Internet labeling bill. The Court found that the law was not narrowly tailored and would interfere with the First Amendment rights of minors. (Yes, minors do have such rights). It further found that the requirement to affix the “18” label was unconstitutionally compelled speech, directly rejecting the argument (also made by the Department of Justice on Internet labeling) that the label was no different than required nutritional labeling or warning labels on products including ingredients like mercury. Here is some of the relevant discussion:

“The [statute] requires that the ‘18’ sticker be placed on games that meet the statute’s definition of “sexually explicit.” The state’s definition is far more opinion-based than the question of whether a particular chemical is within a given product. Even if one assumes that the state’s definition of sexually explicit is precise, it is the State’s definition … the video game manufacturer or the retailer may have an entirely different definition of this term.”

There is nothing particularly groundbreaking or novel about this decision. It is one of a number of decisions that all reach the same conclusion about mandatory government warning labels aimed at limiting minors’ access to sexually explicit material. But for anyone wanting to understand why the Internet labeling bill is plainly unconstitutional, it is well worth the read.

Lame (Duck) Legislation Looms

Wednesday, November 22nd, 2006

Earlier this week we released a special “lame-duck” edition of our Internet Watch List, which identifies the legislative efforts that we believe to be the most dangerous to the Internet and civil liberties. We had hoped, following the election, that lawmakers wouldn’t be in the mood to do anything more than pass the necessary spending bills and head home for a long holiday rest.

Unfortunately, it appears there is at least some likelihood that lawmakers could try to move a range of troubling bills — probably by burying them in large must-pass legislative packages. The most troubling among these are bills aimed at legalizing the President’s warrantless domestic snooping program. Other measures would impose stifling filtering requirements on Web site operators, ban access to social networking sites in schools and libraries and force ISPs to retain massive amounts of customer data.

Even if the measures we identify in the Watch List weren’t fatally flawed, there is something deeply dangerous about making sweeping changes to how the Internet works, or worse, to our underlying civil liberties, in the hectic final days of a Congress.

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
