Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for November, 2006

Big in Japan

Thursday, November 30th, 2006

I had the great honor of spending the past week in Japan as a guest of the Japanese Broadband Association (BBA) to discuss issues of privacy, spyware and cyber security. The BBA were the most gracious hosts that one could ask for. I hope to return the kindness when they come visit the US.

The best part of the trip was really the information exchange. I offered what I know about spyware issues in the US and Europe and they taught me a good deal about cyber fraud in Japan.

There are many similarities between the two countries. For example, it is very clear that money has become the driving factor for Internet crimes around the world. Even in Japan, where otaku or “nerd” culture has become a national export, hacking purely for the glory of it has been dwarfed by hacking for the purpose of committing fraud. In Japan, this mainly takes the form of auction phishing sites and relatively simplistic billing schemes referred to as one-click fraud. Japan seems to have seen a slight rise in some forms of spyware, like targeted keystroke loggers used for corporate espionage and fake security software like the rogue DriveCleaner (seen here in a Japanese advertisement).

On the other hand, there are major differences. In particular, the US has a much higher prevalence of nuisance or harmful adware and identity theft than Japan. Based on the discussions that I had, I attribute this to four major factors:

  1. The crime rate for fraud and property crime in Japan is astoundingly low in general (online and offline) per capita.
  2. Unlike English-speaking countries, there is a major language barrier for foreigners to commit online fraud in Japanese because the language is used by so few people in general.
  3. The distribution of software in Japan is almost completely controlled by the computer manufacturers (OEMs). I have been told that most Japanese, particularly those with less technical knowledge, have all of their software pre-loaded when they purchase computers. They make choices about which ISP and security software they want and after that they never add or significantly alter settings on the computer. Software companies pay large sums to have their products pre-installed because there are generally no post-purchase online downloads. In the US, as CDT and others have documented, it is precisely this online marketplace for software that has led companies to pay affiliates to install software without adequately monitoring their affiliates’ actions.
  4. Advertising distribution also seems to be much less complex in Japan than in the US. As we have detailed in Following the Money I and Following the Money II, the ad structure in the US leads a small but significant number of ads to be placed in nuisance adware without the advertisers’ knowledge. I have been told that most Japanese content providers only have direct relations with their advertisers and the largest content providers seem to vet ads thoroughly.

These factors are not meant to reflect negatively on the US (other than the general crime statistics). In particular, there are major benefits to creating and sustaining more open markets. However, we need to realize that these benefits also come with risks and that responsible market actors should care about the health of the full market and do their part to protect it from fraud.

Strengthening the Case Against Mandatory Labeling

Thursday, November 30th, 2006

As Congress moves closer to adjournment, the fate of a proposed criminal law that would require mandatory labeling of “sexually explicit” Internet content remains unclear.

Buried in the Senate State Justice Commerce appropriations bill, the chances for the labeling bill’s passage appear to hinge on how badly the lame duck Congress wants to leave town. The prevailing wisdom is that the Congress will not act on the remaining appropriations bills, and will instead adopt a continuing resolution, which simply extends current government funding levels until the next Congress convenes in late January. That’s a messy way to manage the taxpayers’ money, but it will take the labeling bill off the table for now. But if Congress decides to move ahead with the individual appropriations bills without striking the Internet labeling provision, the mess will take on constitutional proportions.

Earlier this month, the Seventh Circuit struck down the Illinois “Sexually Explicit Video Game” law. It’s a must read for lawmakers deciding the fate of the Internet labeling bill. The Illinois law required game manufacturers and retailers to place large labels with the numeral “18” on any sexually explicit game. The definition of sexually explicit closely mirrored that found in the Internet labeling bill. The Court found that the law was not narrowly tailored and would interfere with the First Amendment rights of minors. (Yes, minors do have such rights). It further found that the requirement to affix the “18” label was unconstitutionally compelled speech, directly rejecting the argument (also made by the Department of Justice on Internet labeling) that the label was no different than required nutritional labeling or warning labels on products including ingredients like mercury. Here is some of the relevant discussion:

“The [statute] requires that the ‘18’ sticker be placed on games that meet the statute’s definition of “sexually explicit.” The state’s definition is far more opinion-based than the question of whether a particular chemical is within a given product. Even if one assumes that the state’s definition of sexually explicit is precise, it is the State’s definition … the video game manufacturer or the retailer may have an entirely different definition of this term.”

There is nothing particularly groundbreaking or novel about this decision. It is one of a number of decisions that all reach the same conclusion about mandatory government warning labels aimed at limiting minors’ access to sexually explicit material. But for anyone wanting to understand why the Internet labeling bill is plainly unconstitutional, it is well worth the read.

Lame (Duck) Legislation Looms

Wednesday, November 22nd, 2006

Earlier this week we released a special “lame-duck” edition of our Internet Watch List, which identifies the legislative efforts that we believe to be the most dangerous to the Internet and civil liberties. We had hoped, following the election, that lawmakers wouldn’t be in the mood to do anything more than pass the necessary spending bills and head home for a long holiday rest.

Unfortunately, it appears there is at least some likelihood that lawmakers could try to move a range of troubling bills — probably by burying them in large must-pass legislative packages. The most troubling among these are bills aimed at legalizing the President’s warrantless domestic snooping program. Other measures would impose stifling filtering requirements on Web site operators, ban access to social networking sites in schools and libraries and force ISPs to retain massive amounts of customer data.

Even if the measures we identify in the Watch List weren’t fatally flawed, there is something deeply dangerous about making sweeping changes to how the Internet works, or worse, to our underlying civil liberties, in the hectic final days of a Congress.

Holding Zango’s Feet to the Fire

Monday, November 20th, 2006

When the Federal Trade Commission’s $3 million settlement with Bellevue, Wash.-based adware distributor Zango Inc. was announced earlier this month, we knew immediately that it had the potential to be a landmark for enforcement in the downloadable software space. The settlement held Zango clearly accountable for the actions of its intermediaries; defined for the first time what it means for a consumer to give “express consent” to receive downloadable software; and prevented the company from contacting potentially millions of people who had received the Zango software surreptitiously.

Beyond simply chastising and correcting the behavior of a bad actor, the settlement stands as a signpost for other software distributors as to what is and isn’t acceptable in the downloadable space. In formal comments to the FTC today we praised the agency for its work on the settlement, while also sounding a note of concern about Zango’s continued activities.

In a press release issued on November 3, 2006, Zango claimed that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006.” In its comments to the FTC, CDT provides substantial evidence that that is simply not the case. In particular CDT documents instances in which Zango failed to properly identify the source of its advertisements as recently as November 10.

Ben Edelman and Eric Howes, two well-known anti-spyware investigators, also filed comments today. Edelman and Howes document evidence from after the settlement showing even more pervasive compliance failures by Zango.

Zango must be made to live up to the terms it reached with the FTC. The settlement is too important to let go to waste.

At the FTC’s recent “Tech-Ade” conference FTC Commissioner Leibowitz said that the commission would be contacting Zango’s advertisers, sending them copies of the settlement and informing them that they had been doing business with a company that had been engaging in questionable practices. This is an excellent step in helping marketers to understand their responsibility for what goes on in the online advertising marketplace. Now the FTC has to make sure that those practices really have ceased.

On a related note, CDT Deputy Director Ari Schwartz will be speaking at the National Advertising Initiative’s Strategic Forum and will be discussing how to clean up and improve affiliate marketing models.

Locking Arms on an Important Open-Government Case

Tuesday, November 14th, 2006

CDT joined a friend-of-the-court brief filed yesterday asking the Supreme Court to prohibit federal agencies from applying rules that are kept secret from the public. CDT and other civil liberties organizations joined the Electronic Frontier Foundation (EFF) in encouraging the High Court to review the case of Gilmore v. Gonzales. Brought by activist and Internet pioneer John Gilmore, the case challenges the refusal of the Transportation Security Administration (TSA) to make public the text of a rule that purportedly requires airline passengers to present identification or, alternatively, submit to a more extensive physical search.

Secret law is squarely contrary to the principles of open government that CDT has long advocated. Airline safety is an important national security issue, and CDT has not taken a position on the air-travel ID requirement that originally prompted Gilmore’s suit. We strongly believe, however, that people have a right to know exactly what the law requires of them, even where national security is concerned. Open and accessible rules are necessary in a democratic society so individuals can tailor their behavior to comply with the law — and also keep the government accountable for its actions. The Supreme Court should reject TSA’s assertion that it can keep secret a rule that applies to every single person who travels by commercial aircraft. The case has broad implications. CDT hopes that the Supreme Court, as it has in other areas, will make it clear that the war on terrorism does not trump fundamental values. If allowed to stand, TSA’s conduct could encourage other federal agencies — in the national security context or elsewhere — to secretly make and maintain rules affecting individuals in their daily lives.

Gilmore provides links to all the relevant court documents here.

CDT Takes a Crack at Broadcast Indecency Rules

Monday, November 13th, 2006

On November 6, the Federal Communications Commission (FCC) issued its final order finding that the use of certain expletives on broadcast television shows was both “indecent” and “profane.” CDT filed comments with the FCC in the proceeding, and will likely participate in the appeal by the broadcasters to the Second Circuit Court of Appeals.

Under the Supreme Court’s jurisprudence, the government is able to regulate broadcast television more strictly than communications over the Internet. That was a threshold issue decided in the 1997 decision striking down the Communications Decency Act, when the Court found that the Internet was not like the broadcast medium, and thus should not be regulated like broadcast.

Which raises the question of why CDT is getting involved in a broadcast indecency proceeding. The answer is that we believe that technological innovation is changing the nature of video communications, and the increasing convergence of technology will make the broadcast jurisprudence less and less relevant.

In the Internet context, the courts have looked to the availability of parental empowerment tools like filtering software as a “less restrictive alternative” to governmental regulation. We already see the emergence of parental empowerment tools for broadcast — such as the V-chip — and as technology converges parents will have more and more ability to use technology to decide what their kids should view.

Communications media are proliferating and converging. More and more Americans are accessing video programming via cable and satellite subscriptions, and via the Internet. “Broadcast” content is merging with new media, as evidenced by its availability on Google Video, YouTube, the networks’ own websites, and the DVD-rental service Netflix. Ever improving user-empowerment technologies are making it easier for parents to protect their children from unseemly content.

All of these technological changes are making the body of law the FCC relies on to regulate broadcast increasingly irrelevant. As broadcast fades into history, so should the broadcast-focused jurisprudence. It is important that courts begin to recognize that parental empowerment tools will be a hallmark of the converged world, and thus communications in that converged world should receive the highest level of constitutional protection.

Congressional Oversight on Privacy and National Security

Friday, November 10th, 2006

CDT has been arguing for some time that federal surveillance laws fail to adequately protect privacy in light of changing technology. While Congress has been lowering the standards in laws like the PATRIOT Act, and while the President has been arguing that he should not be subject to any statutory constraints, the digital revolution has given the government unprecedented opportunities to collect information about our daily lives. Rather than further weakening the surveillance laws, Congress should be strengthening the Electronic Communications Privacy Act, the Foreign Intelligence Surveillance Act and other statutes to require the government to better focus its surveillance and to set standards for “data mining” and other techniques.

As one starting point in this serious process, the shift in control of the Congress offers important opportunities for oversight of issues at the intersection of national security, privacy and technology. Carefully done, oversight can pave the way for improvements in the laws that benefit both national security and civil liberties.

First and foremost, Congress should get the full facts on the government’s electronic surveillance activities as they affect Americans, not only the Terrorist Surveillance Program but also the collection of information identifying domestic calls and emails. The House and Senate should conduct, through the Intelligence and Judiciary Committees working together, a deep, objective inquiry into what the NSA has been doing inside the US and how FISA may or may not be outdated, including the ways in which it fails to adequately protect privacy.

National Security Letters should also be near the top of the oversight list - how many are issued, for what kinds of data, and especially whether they are being issued for large datasets as opposed to individual records.

Another major issue that merits oversight is the domestic intelligence and security role of the military - clearly, the military has expanded domestic intelligence gathering, without clear limits.

Some constructive oversight could break the logjam on passenger name records from Europe. If the Administration agreed to use the information only for screening and not to build a long-term database, they could get cooperation of the Europeans and start screening in-bound flights before they take off. Too often, the Administration has let the perfect be the enemy of the good, trying to get large sets of information and keep it forever, rather than getting only what it needs for the specific problem at hand (in the case of air passenger data, keeping terrorists off airplanes).

Bottom line: any investigations should be conducted with the long view, with a focus on substance, and without the “gotcha” element.

Beyond the Tech-ade

Thursday, November 9th, 2006

As part of a wrap-up of this week’s FTC Tech-ade hearings, CDT President Jerry Berman participated in a panel on consumers’ perspective. Jerry was present at the last FTC hearings in 1995, and as he said today, this set of hearings seems like “deja vu all over again.” Ten years ago, the FTC heard a lot about privacy, and over the next ten years they proceeded to delve deeply into the privacy implications of the Internet and how best to approach them. That work has evolved into the current push for general privacy legislation that CDT has been advocating in recent years, and that prominent Internet companies have endorsed this year. What this week’s hearings have shown is that a number of new issues have surfaced – for example, DRM and ubiquitous computing – that are sitting at the same stage where privacy was ten years ago. And into these areas we must delve deeper.

In order to gain that depth, Jerry urged the FTC to take on the task of convening interested parties to drill down on these emerging issues. As a government agency, the FTC is uniquely suited to mediate the concerns of both consumers and corporate interests. Parties can gather together to set benchmarks for achieving certain consumer protections and standards, and reporting mechanisms can be used to track progress and re-assess what further improvements need to be made. This kind of forum will be different (and more effective) than lobbying on the Hill or filing comments on FCC proceedings. We don’t have a federal Internet commission, and we don’t want one, but the FTC could be an extremely useful vehicle in convening the Internet community around a vision of a healthy, open Internet.

Jerry commended the FTC for making the Tech-ade hearings happen. But as FTC Director of Consumer Protection Lydia Parnes noted in her wrap-up, there is much work left to do. Let’s hope that these hearings will serve as a start, not an end, to the FTC’s work in engaging the Internet community.

The Tech-Ade Take on Privacy

Tuesday, November 7th, 2006

The FTC Tech-ade hearings have brought out a wealth of questions surrounding privacy issues, and today I would like to highlight two of them.

We have never had a universally accepted definition of “personally identifiable information,” and the rapid evolution of technology only seems to be plunging this debate into further confusion. Michael Geist of the University of Ottawa (among others) noted yesterday that even systems that appear to protect users from being identified — usually by correlating users to pseudonymous unique identifiers instead of to their own names or data — are vulnerable to data mining techniques that can reveal users’ identities. Today’s panel on computing power brought this discussion to a whole new level. As part of a discussion about sensor networks, Deirdre Mulligan of U.C. Berkeley mentioned a project she was involved in that used sensor networks within the home with the ultimate goal of finding ways to reduce power usage. By reading data gathered by sensors about things like heat and light, she was able to infer when a house’s inhabitants came home from work, when they got up in the night to tend to their small child, and other similar information. We certainly don’t currently consider this kind of data as personally identifiable, but consumers may justly feel that their privacy is at risk if this type of data can be made publicly available (or even available to the power company). In the coming decade our policies and self-regulatory structures concerning data privacy will have to take these kinds of issues into account.

The second question that has come up repeatedly thus far concerns whether consumers’ notions of privacy are changing as technologies change. If millions of consumers are willing to divulge intimate details about their lives on blogs and social networks, does that mean they no longer value their privacy? The answer depends on whom you ask. Wall Street Journal technology columnist Kara Swisher gave her take on privacy as she moderated a panel yesterday: “There is none.” Several other speakers agreed that evolving technology can drastically diminish our standards and expectations for privacy, and as more and more personal information is made available over the next decade, these will continue to change even further. On the other side of the debate, Marcia Hoffman of EFF and several other speakers expressed their belief that the increased availability of personal information does not necessarily mean that consumers don’t value their privacy. Revealing information on one site or in one context does not necessarily indicate a willingness to reveal information everywhere, or a generally lax attitude about data security. As the technologies that we learned about at today’s hearings – sensor networks, artificial intelligence, RFID, highly targeted marketing – continue to evolve, so too will consumers’ conceptions about what privacy means to them in all kinds of contexts.

Wading Through the Tech-ade

Monday, November 6th, 2006

This morning the FTC kicked off Protecting Consumers in the Next Tech-ade, a three-day series of hearings about technology and consumer protection during the next ten years. Today’s sessions covered a wide range of topics, from broadband access and device convergence to advertising and content delivery.

One major theme that emerged at the hearings today was the idea of consumer control. Jon Bates, Director of Market Research at the Consumer Electronics Association, described it as the “what I want, where I want, when I want it” philosophy. He envisions that in the future consumers will increasingly have access to uniquely tailored information and content on the device or at the location of their choosing. This will also carry over into the marketing space, where advertisers will be forced to take advantage of new, individualized delivery channels as traditional broadcast networks lose ground to new communications mediums. As Alan Schulman of the marketing firm Brand New World noted, consumers gain control as Hollywood loses it. Perhaps most importantly for CDT, this control may also extend to consumers’ own information that they share in the course of their online experiences. Microsoft’s Peter Cullen put forth the premise that in the future access to information will have to be designed with consumer control in mind. Let’s hope that one proves to be true.

The Tech-ade event also brought some great news on the adware front. Following the FTC’s landmark settlement with adware distributor Zango, FTC Commissioner Jonathan Leibowitz announced that the agency will be sending letters to many of the CEOs of companies that have used Zango to display ads, with copies of the settlement attached. This will be a key step in encouraging marketers to take responsibility for where their ads show up online. As the Commissioner noted, the letters will surely be effective, but perhaps not as effective as a front page news story highlighting advertisers that use nuisance or harmful adware (or as reports such as Following the Money I). This is just one more step in the process of identifying advertisers fueling the adware problem and compelling them to take more responsibility.

In the afternoon, CDT Deputy Director Ari Schwartz participated on a panel concerning the future of communications and how privacy and security will be impacted by changes in the way people communicate. Ari stressed that the future of communications is going to involve in large part the ability to sync data together across a variety of devices and platforms. While we are experiencing device convergence – phones that are also MP3 players, game consoles that can also be used to chat on the Internet – we will still need to coordinate our lives across several devices in the future. Despite these changes, new privacy and security threats will be based on old threats. Old scams that we are all now familiar with will be updated to take advantage of new technologies, but at their base they will operate on the same principles.

More to come tomorrow, as the Tech-ade delves deeper into upcoming issues such as RFID.
