Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for December, 2006

Good Reports, Bad Timing

Friday, December 22nd, 2006

Happy Dump Day! — There are a few times of the year when government officials are given extra special clearance to release information that could possibly produce negative public reaction. These usually fall on the day before a holiday such as July 3 or December 31. This ensures that there will be little coverage and little attention to these stories.

Today, the Friday before a three-day Christmas weekend, offers a rare opportunity to ensure almost no coverage of a controversial story. Therefore we shouldn’t be too surprised that the US Department of Homeland Security used today as a target to release two long-anticipated reports:

It is refreshing to hear some common sense on these two projects, but it is a shame that the Administration felt the need to hide these lessons by waiting so long to release them on a day designed to limit their audience.

Restoring, Repairing and Renewing Checks and Balances

Monday, December 18th, 2006

Senator Patrick Leahy (D-Vermont), the incoming chair of the Senate Judiciary Committee, spoke last week at Georgetown University Law Center, sharing his agenda for the 110th Congress. Leahy paid particular attention to the checks and balances that lie at the heart of the Judiciary committee’s historical role.

Senator Leahy’s big-picture agenda calls for “restoration, repair and renewal.” He spoke emphatically about restoring constitutional values and fundamental liberties, repairing a broken oversight process by demanding more accountability from the Administration, and renewing the public right to know what the government is doing. He recognized the importance of making our nation secure but denounced doing so in ways that “undercut the Constitution.” By sacrificing fundamental rights in the name of national security, Senator Leahy said that the Administration is allowing terrorists to win “what they could never win on the battlefield.”

Senator Leahy touched on many specific agenda items, but a major theme was privacy. He said that the Administration must stop “treating the privacy of ordinary Americans as an expendable commodity,” and vowed to have Congress exercise more oversight in an effort to bring checks and balances back to government. In reference to the current state of privacy law, Senator Leahy said that we have “analog rules in a digital world,” and committed to amending key privacy laws that are severely out of date.

In particular, he vowed to update the Foreign Intelligence Surveillance Act (FISA) and the Electronic Communications Privacy Act (ECPA). In so doing, Senator Leahy plans to attack the Administration’s assertions that it can electronically spy on innocent Americans and that individuals have no privacy interests in personal information kept online. He lamented federal programs, such as the Automated Targeting System, that collect personal information on innocent Americans and house it in vast government databases that individuals have no right to know the contents of. Senator Leahy said that the unauthorized collection of digital information is just as bad as a warrantless search of a physical file cabinet. CDT also strongly believes that privacy laws must be amended to conform to the current technological landscape. In February of this year, CDT published a report entitled Digital Search & Seizure: Updating Privacy Protections to Keep Pace With Technology. We hope that Senator Leahy follows through on this important agenda item.

Monitoring the Would-Be Monitors

Monday, December 11th, 2006

Recently, MySpace announced that it was launching a program to monitor its site for child predators. The announcement prompted a discussion on the blogosphere about the potential abuse of active monitoring by social networking operators and law enforcement. In particular, Micah Sifry had a good post on Personal Democracy Forum entitled “Who’s Molesting Whom?” which discusses the dangers of the new policy and describes the potential slippery slope that the announcement portends.

He relates the troubling trend of prosecutors adopting fake identities to register as members of social networking sites in order to investigate low-level crimes in the community, such as vandalism among high school students, and decries the “warrantless tactics” that appear to be proliferating with respect to law enforcement access to information posted on social networking pages.

But the news is even more complicated. Late last week, Sen. McCain introduced a bill, the “Stop the Online Exploitation of our Children Act,” that would significantly expand an existing obligation by ISPs to report possible child pornography to the National Center for Missing and Exploited Children (NCMEC). The bill would:

  • apply the reporting requirement to a broad range of social networking, blogging, and conversation sites;
  • impose very significant fines on any service provider that fails to report possible child pornography; and
  • require the service provider to retain any reported information for at least 180 days.

A Spyware No-Brainer

Thursday, December 7th, 2006

This morning we joined with StopBadware in filing a Federal Trade Commission complaint against spyware purveyor FastMP3Search.com.ar. I would first like to thank StopBadware for all the time and effort they put into investigating and documenting this particularly malicious software distributor. We are always pleased to be able to join forces with other organizations working to achieve our shared goal of protecting consumers online.

With so much malicious software out on the Internet today, it can be difficult for CDT to determine where its focus should lie. The FastMP3Search Plugin, however, was a no-brainer. This software bundle engages in so many illicit behaviors and bogs down users’ computers with so many junky extras that it clearly tops the list for worst actors in this space. Perhaps its worst offense is disabling consumers’ firewall software without providing any notice or obtaining consent. Disabling the firewall leaves such consumers’ computers completely unprotected and open, allowing additional software to secretly install itself without the users’ knowledge or consent. This single act could effectively ruin consumers’ computers in the long run if their unprotected Internet connections are later used to install even more malicious software. Add in the installation of adware and Trojan horse applications, changing homepage settings, causing intermittent crashes, impairing computer performance, and sabotaging valid Web addresses for security companies, and you can see what havoc the FastMP3Search Plugin has caused for consumers.

The final behavior listed above – sabotaging valid Web addresses for security companies – may be even more damaging than it seems at first due to recent increased distribution of rogue anti-spyware products. Installing the Plugin changes thirty-two Web addresses belonging to major anti-virus and anti-spyware software vendors. As a result of these modifications, any attempt by the user to reach these Web sites through a Web browser results in an error page. Thus, users may end up turning to rogue security vendors – whose Web sites are not blocked – in order to get some relief from the malicious Plugin bundle. These rogue products require payment from consumers but provide no such aid in cleaning up their computers. This creates an incredibly harrowing environment for consumers, and it shows one more reason why we are urging the FTC to shut down this dangerous operation.

Minding Privacy’s Past

Wednesday, December 6th, 2006

Yesterday’s U.S. Chamber of Commerce event, Minding Your Business: The Future of Privacy, brought together speakers from across the private and public sectors to engage in a discussion about upcoming privacy trends. In attendance were several high-profile companies who earlier this year voiced their support for the development of a comprehensive consumer privacy law. At the event several of these firms reiterated their determination to see the creation of a national consumer privacy law and expressed their desire for the new Congress to put the issue high on its list when legislators return next year.

Although the event focused on the future of privacy, one of the most provocative issues of the day referred to the history of privacy and law enforcement. Mike Vatis of Steptoe & Johnson LLP noted that in recent years the Federal Trade Commission, with its broad mandate to protect consumers from unfair and deceptive trade practices, has had to chart its own course in the privacy space. FTC Chairman Deborah Platt Majoras explained how the commission has adopted its own “reasonableness” standard for determining whether companies are doing enough to protect consumers’ privacy. The commission also recently proposed some new language regarding notice requirements as part of its consent agreement with adware firm Zango, Inc. These developments show that when no law exists, the FTC standard becomes the de facto law.

The FTC plays an absolutely essential role in protecting the privacy of American consumers, but it is Congress that should be in the business of defining a general privacy law. Doing so will help the FTC and so many other enforcement bodies be all the more effective.

Asking the Big Questions About Biometrics

Wednesday, December 6th, 2006

Last week the Department of Homeland Security sponsored the International Conference on Biometrics and Ethics. Attendees included U.S. and foreign representatives of government agencies, public interest organizations, academic institutions, and industry. On November 28, I attended the speech by Stewart Baker, DHS Assistant Secretary for Policy, and the panel on “Privacy and Ethics Under Normal and Extraordinary Circumstances.” There was an unchallenged assumption that using biometric identifiers allows for better identification, and better identification ensures more security. However, several cautionary points were made.

Mr. Baker said that because such bodily indicators (fingerprint, handprint, iris, retina, facial features, gait, DNA) are immutable, a person can be easily identified in all circumstances. Records tied to a person via biometrics become very difficult to “shake.” Some panel attendees agreed that biometrics should not be used to create a universal unique ID precisely because they are so permanent. People have a right to create different social identities for themselves, and even be anonymous. However, countries like Mexico and the UK are tying biometric data like DNA to their ID cards.

Panel attendees noted how gathering biometrics uniquely threatens an individual’s “dignity.” People literally give up pieces of themselves, which is more threatening and intrusive than revealing a name, address or SSN — labels that can be changed. Thus the concept of ethics is even more appropriate in this context. Ethics is different than law. It provides a more expansive framework of inquiry, necessarily considering dignity, and how humans can be free to flourish. Governments might seek to push the limits of law, but governments have an ethical responsibility to do more than be legally opportunistic. The use of biometrics uniquely changes the relationship between citizens and the state. Some panel attendees expressed the fear that biometrics will create nations of suspects. Considering ethics in the context of biometric technology forces us to ask the broad question, What kind of society do we want to create?

Mr. Baker said that limitations on the use of biometrics and preventing “mission creep” constitute the most important privacy issue. Panel attendees similarly emphasized that because biometrics change the balance of power between government and the individual, more democratic controls must be instituted. The collection and use of biometric data must be transparent. Individuals have a fundamental right to know what biometrics are collected and how they are used. Laws must limit the use of biometrics to select purposes, and prohibit their use for other undisclosed purposes. Laws must allow for redress, whereby citizens may challenge the collection, accuracy and use of biometric data, conclusions drawn from or decisions made based on that data, and the accuracy of records tied to that data.

“Mobile content” versus “the Internet”

Friday, December 1st, 2006

An article in yesterday’s Wall Street Journal (“Cellphone Carriers Let Others Sell Mobile Content to Users,” by Amol Sharma and Li Yuan) reports that mobile phone carriers are starting to let third-party content providers sell content to mobile phone users. That may well be a positive development for users. But it also highlights how different the mobile phone model is from the Internet, and offers a good illustration of what’s at stake in the Internet neutrality debate.

Initially, mobile phone carriers provided “mobile content” (ringtones, games, etc.) exclusively through their own portals. Verizon Wireless customers who wanted to download content to their mobile phones had to buy it directly from Verizon Wireless. The Wall Street Journal article reports that this is changing — carriers are striking deals with third parties such as MLB.com, which will then be able to offer on their own websites content for download to users’ phones.

I suppose that’s a step in the direction of openness, but the limits described in the article are striking. Users’ choices are still limited to content providers who have “partnered” with the mobile carriers by agreeing to a revenue sharing deal. The mobile provider generally keeps a hand in the transaction by arranging for charges to be added to the monthly bill, and may actively discourage direct credit card or PayPal transactions between the user and the content provider. About 75 percent of all mobile content sales are still through the carriers’ own portals. And some content is available to subscribers of certain mobile carriers but not others; for example, Verizon subscribers can’t get access to online mobile content by World Wrestling Entertainment, Inc., while subscribers of other carriers can.

Maybe all of that is ok in the fledgling and spectrum-constrained market for mobile content. But whatever you may think about it, it is very different from the Internet. Internet users download content, services, and applications from whomever they choose — not just “partners” of their ISPs. The sites and services users can access don’t depend on which ISPs they get their Internet connections from. Users and content providers enter into payment transactions with one another directly, using credit cards and PayPal, with no ISP involvement and without the ISP taking a cut. The result has been a hyper-competitive environment with unparalleled innovation and diverse choices for users. Innovation by untold numbers of entrepreneurs of all stripes and sizes turns out to yield a lot more interesting stuff than the product development divisions of a limited number of “content partners.” Given all those entrepreneurial content providers, the idea of an ISP providing 75 percent of the content its users buy online is virtually unthinkable.

The differences between these models — and the consequences of those differences — are a big part of what’s at issue in the net neutrality debate.
