On Wednesday, I had the opportunity to participate in a discussion hosted by the National Telecommunications and Information Administration (NTIA) regarding the future of Internet governance, and U.S. involvement in overseeing the global Domain Name System (DNS).

At the heart of the discussion was the question of whether the Internet Corporation for Assigned Names and Numbers (ICANN) has progressed enough in its development to be released from its contractual bond to the U.S. Government. NTIA is expected to renew that contract in September.

If the panelists agreed on anything, it was that simply hosting such a discussion was an extremely positive step for NTIA. Much of the Internet community, in international circles particularly, has grown increasingly dissatisfied with the U.S. government’s special role in global Internet governance. It is in everyone’s best interest to address those tensions.

Just how to do that remains the biggest challenge. Asked point blank whether ICANN was ready to stand on its own without any government involvement, all but one member of my panel (myself included) gave a qualified “no.” But everyone seemed to agree that full privatization should continue to be the ultimate goal.

In our comments to NTIA, we expressed concern that if ICANN were to be released from its ties to the U.S. Government, it remains unclear what mechanisms would be in place to insure that the organization would not simply become subsumed by another government, or captured by corporate interests. We suggest that those questions need to be explored before the U.S. Government considers ending its special relationship with ICANN.

A new Government Accountability Office (GAO) report today confirms what many in the open government community have known for some time: government agencies are not living up to their obligations under the Freedom of Information Act.

Earlier this month, we contributed to a report published by OpenTheGovernment.org, that tracked how well agencies had responded to a 2005 presidential order intended to improve the disclosure of information. The results were not good. Many agencies failed to properly respond and others lagged badly in implementing FOIA.

The GAO report offers further confirmation that government agencies haven’t made FOIA a priority. Not only are agencies not meeting their obligations, the GAO report suggests that they probably won’t unless some structure/pressure is applied to make it happen.

From the report: “Without clearly defined baselines, specific objectives, and timetables for reducing backlog, it could be challenging for agency heads, Justice, and the Congress to gauge progress in improving FOIA processes as intended by the Executive Order.”

For an excellent, concise explanation of what’s wrong with the Specter-Cheney “compromise” on warrantless surveillance, check out the lead editorial in today’s Washington Post — Blank Check to Spy.

CDT Policy Director Jim Dempsey goes into considerably deeper detail, but reaches roughly the same conclusion in the testimony he delivered to the Senate Judiciary Committee earlier today.

We also sent the following letter to the Post editors on the subject.

—

Senator Arlen Specter is to be commended for trying to bring the administration’s warrantless surveillance program under some sort of judicial review, but the “compromise” he reached with the White House is a capitulation to presidential power that would greatly increase the warrantless wiretapping of American citizens.

In his op-ed Monday, Chairman Specter stated that the President had personally promised to submit his program to the Foreign Intelligence Surveillance Court. What the Chairman neglects to mention is that his bill does not require the President to stop wiretapping if the court disapproves. Moreover, the Chairman’s bill gives the administration — and all future administrations — a blank check to conduct other, broader surveillance programs without submitting them to any judicial oversight.

If that’s the best compromise the administration can offer, Congress would do well to say “no thanks.” When I testify today before Chairman Specter’s Judiciary Committee, I’ll try to make one thing clear: it would be better for the administration’s invasive, illegal surveillance program to continue than for Congress to pass this drastic affirmation of unchecked presidential power.

In November, the Federal Trade Commission will hold its first significant hearings in ten years regarding the future of consumer protection on the Internet. Yesterday, the Center for American Progress held a daylong event to frame the discussion in the fall, highlighting both issues that have lingered since the 1996 hearings and problems that were not foreseen a decade ago. CDT Deputy Director Ari Schwartz participated on a panel where he discussed the recent CDT-CAP report on consumer privacy and protection.

Ten years ago, panelists before the FTC noted that 82 percent of consumers were concerned about their personal privacy on the Internet and warned that the security of personal information was “essential if commerce in cyberspace is to flourish on the Internet.” Although we have seen the consequences of a decade of data breaches and identity theft, one of the most notable developments in the privacy area — praised by many of the yesterday’s panelists, and long sought by CDT — has been the recent show of support for comprehensive privacy legislation by many high-profile companies. Their continued support for a law that codifies fair information practices for businesses will be vital to securing consumers’ online privacy in the future.

Although the FTC has launched an impressive array of consumer protection initiatives since the first round of hearings, several panelists pointed out that some useful tools are still missing. Passage of the U.S. SAFEWEB Act (S. 1608) would allow the Commission to work more effectively with its international counterparts. This cooperation is becoming increasingly vital as the web of parties involved in Internet fraud and abuse spreads across the globe. The bill was approved by the Senate but awaits passage in the House.

Some panelists, including current FTC Commissioners Jon Leibowitz and J. Thomas Rosch, also voiced their support for allowing the Commission to demand civil penalties in their consumer protection lawsuits, believing that such penalties act as strong deterrents to Internet criminals. Although the details involved in granting such authority to the Commission will require careful review, CDT supports investigating this kind of proposal.

All in all, the event was a good opportunity to look back upon the lessons from a decade ago and to look forward to developments down the road. CDT anticipates that the hearings this fall will provide immense insight into the future of consumer protection in the digital age.

• Transcript and staff report of the 1996 FTC workshop
• CAP conference materials (includes video of the panels)

It started with ChoicePoint, and really hasn’t slowed down. Over the last year and a half or so, a string of highly publicized data security incidents raised serious questions about how well companies (and universities, government agencies, etc.) are safeguarding personal data from potential access by thieves and hackers. These breaches of data security became public mainly because California passed a law requiring consumers to be notified when their personal information has been accessed without authorization. Many other states have since followed suit.

Congress has been working on breach notification legislation as well, though a tangle of different proposals in different committees has slowed its progress on the issue. Virtually all of the proposals seek to replace the different state laws with a single, federal notification standard — which could be fine, so long as the federal standard is strong enough to play the same important role.

Unfortunately, there have been reports that the House leadership is considering taking up a weak bill produced by the Financial Services Committee. There hasn’t been any official announcement, and it now appears that nothing will happen until at least September, contrary to rumors last week that action could be imminent. But if the bill were adopted, it would substantially roll back the obligation to notify individuals about security breaches. Specifically, notification would be required only if the company whose system is breached knows that the breach is “reasonably likely” to result in identity theft or account fraud.

What does “reasonably likely” mean? That a reasonable estimate of the chance that identity theft actually will occur is 51 percent? Hackers don’t usually announce their intentions. Even for data breaches that occur under suspicious circumstances, a company might well conclude that (as best it can tell) the chance that the hacker intends identity theft is less than 50-50.

The truth is, this is a bill written to protect financial services companies from the consequences of data security breaches — not to protect the public. Understandably, the companies don’t like having to notify their customers about data breaches, don’t like having to comply with lots of different state laws, and don’t like pesky state A.G.s calling them to account for their data security lapses. But in the end, it’s all about incentives. One of the main benefits of the notification laws passed by California and other states is that they create strong incentives for companies to take whatever measures are necessary to reduce the likelihood of data breaches occurring in the first place. By curtailing notification requirements and eliminating any prospect of state-level enforcement, this bill would reduce those positive incentives.

That doesn’t mean that every low-grade incident warrants full-scale notification. If the risk is truly low, notifying individuals is not productive — and in fact may be counterproductive, since repeated false alarms can lead to “boy who cried wolf” problems. But the House has an alternative bill from the Energy and Commerce Committee that takes a sensible approach: it would require consumer notification unless a breach does not entail significant risk. That seems quite different from requiring that ID theft be “likely.”

So there is a better bill out there. Hopefully, the House won’t choose the wrong one.

After a several-week trial period, we officially launched PolicyBeta today. You can check out our first post to see how this all got started, but beyond that, I think our press release from today describes it best, so without further ado…

For immediate release
July 24, 2006

WASHINGTON — The Center for Democracy & Technology is proud to announce the launch of PolicyBeta, a new blog dedicated to expanding the dialogue about technology policy, civil liberties and preserving democratic values in the digital age.

With daily posts on issues ranging from domestic surveillance to spyware, PolicyBeta provides CDT experts an opportunity to discuss in detail the latest trends and developments affecting the technology policy debate. PolicyBeta can be found from the CDT home page by clicking on the “blog” tab or by visiting http://blog.cdt.org .

“PolicyBeta provides us an exciting opportunity, not just to discuss the developments we’re observing, but also to expand the dialog on tech policy beyond the beltway and into cyberspace,” CDT Executive Director Leslie Harris said. “For an organization founded on the principle of bringing a wide variety of voices together at the same table, this represents an invaluable addition to our communications strategy.”

CDT is encouraging journalists, technologists, academics and interested individuals to visit the blog regularly and participate in the discussion. To foster a civil, focused discussion tech policy issues, comments will be moderated for tone, focus and relevancy.

Our policy director, Jim Dempsey testified today before the House Intelligence Committee on warrantless domestic wiretapping and a proposed “compromise” between Vice President Cheney and Senate Judiciary Chairman Arlen Specter (R-Pa.) on the issue.

We’re a bit mystified as to why the Cheney-Specter proposal is being called a compromise at all. If passed, it would be an outright capitulation by Congress, giving the administration free reign to conduct wiretaps inside the United States without warrants or judicial review. Contrary to press reports, Cheney-Specter would not subject the warrantless surveillance program to judicial review. If Congress wants to ensure judicial review of the current warrantless surveillance program, it should facilitate challenges by those who were targeted or harmed by the surveillance instead of allowing the President to use his claims of inherent power to avoid ever seeking judicial approval and ever notifying Congress.

Furthermore, it is absolutely premature at this point for Congress to be granting the White House broad new surveillance powers, when most lawmakers and the American people remain completely in the dark as to the nature of the administration’s domestic spying programs, and what, if any, steps are being taken to ensure that innocent Americans aren’t inadvertently targeted.

We joined with a broad coalition of groups, representing views from across the political spectrum to issue a statement opposing rash changes to the Foreign Intelligence Surveillance Act (FISA), which governs domestic surveillance for foreign intelligence purposes.

According to this story in GovExec.com, the White House Office of Management and Budget (OMB) has advised government agencies to report data breaches regardless of whether they are “confirmed” or merely “suspected.” A copy of the OMB memo is here .

The memo comes on the heels of an incident in which a Department of Veterans Affairs employee inadvertently exposed the personal information of more than 26 million veterans by taking home an unsecured laptop computer loaded with the information. The computer was taken from the employee’s home by a burglar and later recovered, but the incident helped to highlight the lax standards protecting the personal information that we entrust to the government.

In our Policy Post on the VA breach, we noted that the OMB had to take the lead in issuing strong Privacy Act-based guidance to agencies. The OMB still has a long way to go. We hope that this memo is a sign that OMB is taking more seriously its responsibility to manage data security across agencies.

For those who didn’t get a chance to read our paper on Internet Neutrality, we’ve synopsized our findings in a Policy Post published earlier today.

In a related development, BusinessWeek columnist Stephen H. Wildstrom gave a favorable nod to our position in his latest column on the topic, which will obviously be in the news for some time.

Last week was the 40th anniversary of the Freedom of Information Act (FOIA), a landmark law that greatly expanded the ability of ordinary citizens to learn about government activities. FOIA has been of incalculable value to students, government watchdogs, ordinary citizens and journalists who have used the law to obtain a wealth of important data about their government.

It’s distressing, therefore, that on the anniversary of this landmark law, we find that many government agencies simply aren’t living up to their basic obligations under the measure. CDT joined with several other public interest groups in contributing to a report on the topic published by OpenTheGovernment.org. The report tracks the manner in which agencies responded to a 2005 presidential order intended to improve disclosure of information. It found that many agencies failed to properly respond or are lagging in implementing FOIA.