When the Federal Trade Commission’s $3 million settlement with Bellevue-Wash.-based adware distributor Zango Inc. was announced earlier this month, we knew immediately that it had the potential to be a landmark for enforcement in the downloadable software space. The settlement held Zango clearly accountable for the actions of its intermediaries; defined for the first time what it means for a consumer to give “express consent” to receive downloadable software; and prevented the company from contacting potentially millions of people who had received the Zango software surreptitiously.

Beyond simply chastising and correcting the behavior of a bad actor, the settlement stands as a signpost for other software distributors as to what is and isn’t acceptable in the downloadable space. In formal comments to the FTC today we praised the agency for its work on the settlement, while also sounding a not of concern about Zango’s continued activities.

In a press release issued on November 3, 2006, Zango claimed that it “has met or exceeded the key notice and consent standards detailed in the FTC consent order since at least January 1, 2006.” In its comments to the FTC, CDT provides substantial evidence that that is simply not the case. In particular CDT documents instances in which Zango failed to properly identify the source of its advertisements as recently as November 10.

Ben Edelman and Eric Howes, two well-known anti-spyware investigators, also filed comments today. Edelman and Howes document evidence from after the settlement showing even more pervasive compliance failures by Zango.

Zango must be made to live up to the terms it reached with the FTC. The settlement is too important to let go to waste.

At the FTC’s recent “Tech-Ade” conference FTC Commissioner Leibowitz said that the commission would be contacting Zango’s advertisers, sending them copies of the settlement and informing them that they had been doing business with a company that had been engaging in questionable practices. This is an excellent step in helping marketers to understand their responsibility for what goes on in the online advertising marketplace. Now the FTC has to make sure that those practices really have ceased.

On a related note, CDT Deputy Director Ari Schwartz will be speaking at the National Advertising Initiative’s Strategic Forum and will be discussing how to clean up and improve affiliate marketing models.

CDT joined a friend-of-the court brief filed yesterday asking the Supreme Court to prohibit federal agencies from applying rules that are kept secret from the public. CDT and other civil liberties organizations joined the Electronic Frontier Foundation (EFF) in encouraging the High Court to review the case of Gilmore v. Gonzales. Brought by activist and Internet pioneer John Gilmore, the case challenges the refusal of the Transportation Security Administration (TSA) to make public the text of a rule that purportedly requires airline passengers to present identification or, alternatively, submit to a more extensive physical search.

Secret law is squarely contrary to the principles of open government that CDT has long advocated. Airline safety is an important national security issue, and CDT has not taken a position on the air-travel ID requirement that originally prompted Gilmore’s suit. We strongly believe, however, that people have a right to know exactly what the law requires of them, even where national security is concerned. Open and accessible rules are necessary in a democratic society so individuals can tailor their behavior to comply with the law — and also keep the government accountable for its actions. The Supreme Court should reject TSA’s assertion that it can keep secret a rule that applies to every single person who travels by commercial aircraft. The case has broad implications. CDT hopes that the Supreme Court, as it has in other areas, will make it clear that the war on terrorism does not trump fundamental values. If allowed to stand, TSA’s conduct could encourage other federal agencies — in the national security context or elsewhere — to secretly make and maintain rules affecting individuals in their daily lives.

Gilmore provides links to all the relevant court documents here.

On November 6, the Federal Communications Commission (FCC) issued its final order finding that the use of certain expletives on broadcast television shows was both “indecent” and “profane.” CDT filed comments with the FCC in the proceeding, and will likely participate in the appeal by the broadcasters to the Second Circuit Court of Appeals.

Under the Supreme Court’s jurisprudence, the government is able to regulate broadcast television more strictly than communications over the Internet. That was a threshold issue decided in the 1997 decision striking down the Communications Decency Act, when the Court found that the Internet was not like the broadcast medium, and thus should not be regulated like broadcast.

Which raises the question of why CDT is getting involved in a broadcast indecency proceeding. The answer is that we believe that technological innovation is changing the nature of the video communications, and the increasing convergence of technology will make the broadcast jurisprudence less and less relevant.

In the Internet context, the courts have looked to the availability of parental empowerment tools like filtering software as a “less restrictive alternative” to governmental regulation. We already see the emergence of parental empowerment tools for broadcast — such as the V-chip — and as technology converges parents will have more and more ability to use technology to decide what their kids should view.

Communications media are proliferating and converging. More and more Americans are accessing video programming via cable and satellite subscriptions, and via the Internet. “Broadcast” content is merging with new media, as evidenced by its availability on Google Video, YouTube, the networks’ own websites, and the DVD-rental service Netflix. Ever improving user-empowerment technologies are making it easier for parents to protect their children from unseemly content.

All of these technological changes are making the body of law the FCC relies on to regulate broadcast increasingly irrelevant. As broadcast fades into history, so should the broadcast focused jurisprudence. It is important that courts begin to recognize that parental empowerment tools will be a hallmark of the converged world, and thus communications in that converged world should receive the highest level of constitutional protection.

CDT has been arguing for some time that federal surveillance laws fail to adequately protect privacy in light of changing technology. While Congress has been lowering the standards in laws like the PATRIOT Act, and while the President has been arguing that he should not be subject to any statutory constraints, the digital revolution has given the government unprecedented opportunities to to collect information about our daily lives. Rather than further weakening the surveillance laws, Congress should be strengthening the Electronic Communications Privacy Act , the Foreign Intelligence Surveillance Act and other statutes to require the government to better focus its surveillance and to set standards for “data mining” and other techniques.

As one starting point in this serious process, the shift in control of the Congress offers important opportunities for oversight of issues at the intersection of national security, privacy and technology. Carefully done, oversight can pave the way for improvements in the laws that benefit both national security and civil liberties.

First and foremost, Congress should get the full facts on the government’s electronic surveillance activities as they affect Americans, not only the Terrorist Surveillance Program but also the collection of information identifying domestic calls and emails. The House and Senate should conduct, through the Intelligence and Judiciary Committees working together, a deep, objective inquiry into what the NSA has been doing inside the US and how FISA may or may not be outdated, including the ways in which it fails to adequately protect privacy.

National Security Letters should also be near the top of the oversight list – how many are issued, for what kinds of data, and especially whether they are being issued for large datasets as opposed to individual records.

Another major issue that merits oversight is the domestic intelligence and security role of the military – clearly, the military has expanded domestic intelligence gathering, without clear limits.

Some constructive oversight could break the logjam on passenger name records from Europe. If the Administration agreed to use the information only for screening and not to build a long-term database, they could get cooperation of the Europeans and start screening in-bound flights before they take off. Too often, the Administration has let the perfect be the enemy of the good, trying to get large sets of information and keep it forever, rather than getting only what it needs for the specific problem at hand (in the case of air passenger data, keeping terrorists off airplanes).

Bottom line: any investigations should be conducted with the long view, with a focus on substance, and without the “gotcha” element.

As part of a wrap-up of this week’s FTC Tech-ade hearings, CDT President Jerry Berman participated in a panel on consumers’ perspective. Jerry was present at the last FTC hearings in 1995, and as he said today, this set of hearings seem like “deja vu all over again.” Ten years ago, the FTC heard a lot about privacy, and over the next ten years they proceeded to delve deeply into the privacy implications of the Internet and how best to approach them. That work has evolved into the current push for general privacy legislation that CDT has been advocating in recent years, and that prominent Internet companies have endorsed this year. What this week’s hearings have shown is that a number of new issues have surfaced – for example, DRM and ubiquitous computing – that are sitting at the same stage where privacy was ten years ago. And into these areas we must delve deeper.

In order to gain that depth, Jerry urged the FTC to take on the task of convening interested parties to drill down on these emerging issues. As a government agency, the FTC is uniquely suited to mediate the concerns of both consumers and corporate interests. Parties can gather together to set benchmarks for achieving certain consumer protections and standards, and reporting mechanisms can be used to track progress and re-assess what further improvements need to be made. This kind of forum will be different (and more effective) than lobbying on the hill or filing comments on FCC proceedings. We don’t have a federal Internet commission, and we don’t want one, but the FTC could be an extremely useful vehicle in convening the Internet community around a vision of a healthy, open Internet.

Jerry commended the FTC for making the Tech-ade hearings happen. But as FTC Director of Consumer Protection Lydia Parnes noted in her wrap-up, there is much work left to do. Let’s hope that these hearings will serve as a start, not an end, to the FTC’s work in engaging the Internet community.

The FTC Tech-ade hearings have brought out a wealth of questions surrounding privacy issues, and today I would like to highlight two of them.

We have never had a universally accepted definition of “personally identifiable information,” and the rapid evolution of technology only seems to be plunging this debate into further confusion. Michael Geist of the University of Ottawa (among others) noted yesterday that even systems that appear to protect users from being identified –- usually by correlating users to pseudonymous unique identifiers instead of to their own names or data — are vulnerable to data mining techniques that can reveal users’ identities. Today’s panel on computing power brought this discussion to a whole new level. As part of a discussion about sensor networks, Deirdre Mulligan of U.C. Berkeley mentioned a project she was involved in that used sensor networks within the home with the ultimate goal of finding ways to reduce power usage. By reading data gathered by sensors about things like heat and light, she was able to infer when a house’s inhabitants came home from work, when they got up in the night to tend to their small child, and other similar information. We certainly don’t currently consider this kind of data as personally identifiable, but consumers may justly feel that their privacy is at risk if this type of data can be made publicly available (or even available to the power company). In the coming decade our policies and self-regulatory structures concerning data privacy will have to take these kinds of issues into account.

The second question that has come up repeatedly thus far concerns whether consumers’ notions of privacy and are changing as technologies change. If millions of consumers are willing to divulge intimate details about their lives on blogs and social networks, does that mean they no longer value their privacy? The answer depends on whom you ask. Wall Street Journal technology columnist Kara Swisher gave her take on privacy as she moderated a panel yesterday: “There is none.” Several other speakers agreed that evolving technology can drastically diminish our standards and expectations for privacy, and as more and more personal information is made available over the next decade, these will continue to change even further. On the other side of the debate, Marcia Hoffman of EFF and several other speakers expressed their belief that the increased availability of personal information does not necessarily mean that consumers don’t value their privacy. Revealing information on one site or in one context does not necessarily indicate a willingness to reveal information everywhere, or a generally lax attitude about data security. As the technologies that we learned about at today’s hearings – sensor networks, artificial intelligence, RFID, highly targeted marketing – continue to evolve, so too will consumers’ conceptions about what privacy means them in all kinds of contexts.

This morning the FTC kicked off Protecting Consumers in the Next Tech-ade, a three-day series of hearings about technology and consumer protection during the next ten years. Today’s sessions covered a wide range of topics, from broadband access and device convergence to advertising and content delivery.

One major theme that emerged at the hearings today was the idea of consumer control. Jon Bates, Director of Market Research at the Consumer Electronic Association described it as the “what I want, where I want, when I want it” philosophy. He envisions that in the future consumers will increasingly have access to uniquely tailored information and content on the device or at the location of their choosing. This will also carry over into the marketing space, where advertisers will be forced to take advantage of new, individualized delivery channels as traditional broadcast networks lose ground to new communications mediums. As Alan Schulman of the marketing firm Brand New World noted, consumers gain control as Hollywood loses it. Perhaps most importantly for CDT, this control may also extend to consumers’ own information that they share in the course of their online experiences. Microsoft’s Peter Cullen put forth the premise that in the future access to information will have to be designed with consumer control in mind. Let’s hope that one proves to be true.

The Tech-ade event also brought some great news on the adware front. Following the FTC’s landmark settlement with adware distributor Zango, FTC Commissioner Jonathan Leibowitz announced that the agency will be sending letters to many of the CEOs of companies that have used Zango to display ads, with copies of the settlement attached. This will be a key step in encouraging marketers to take responsibility for where their ads show up online. As the Commissioner noted, the letters will surely be effective, but perhaps not as effective as a front page news story highlighting advertisers that use nuisance or harmful adware (or as reports such as Following the Money I). This is just one more step in the process of identifying advertisers fueling the adware problem and compelling them to take more responsibility.

In the afternoon, CDT Deputy Director Ari Schwartz participated on a panel concerning the future of communications and how privacy and security will be impacted by changes in the way people communicate. Ari stressed that the future of communications is going to involve in large part the ability to sync data together across a variety of devices and platforms. While we are experiencing device convergence – phones that are also MP3 players, game consoles that can also be used to chat on the Internet – we will still need to coordinate our lives across several devices in the future. Despite these changes, new privacy and security threats will be based on old threats. Old scams that we are all now familiar with will be updated to take advantage of new technologies, but at their base they will operate on the same principles.

More to come tomorrow, as the Tech-ade delves deeper into upcoming issues such as RFID.

The inaugural Internet Governance Forum closed last Thursday in Athens, Greece after 4 days of panel discussions and workshops that attracted over 1,000 government officials, business representatives, and non-governmental organizations from around the world.

I was there, representing CDT and the Global Internet Policy Initiative (GIPI), our joint project with Internews. In two workshops and a plenary session, I highlighted GIPI as a proven model for working locally to reform national laws and policies in order to foster expanded Internet access in developing countries. Everything you need to know about GIPI can be found here.

Also present was GIPI executive director George Sadowsky, who, over the past 12 years, has educated and advised a generation of Internet technologists and policymakers in the developing world. As a special advisor to the Chair of the IGF, Sadowsky had a major role in planning the Forum.

The unstated question at the IGF was “What is Internet governance?” Based on our experience with GIPI, both George and I stressed repeatedly that 90% of Internet governance is local: telecommunications policy (especially enforcement of competition and interconnection), licensing requirements, limits on use of wireless technology, the privacy framework, and management of country-code Internet domains.

Overall, it seems as though the initial misperceptions that equated ICANN with Internet governance have been replaced with a more sophisticated view. Although some speakers continued to express vague complaints about Western dominance of the Internet, many speakers from developing talked about problems at home and what they are doing to create a framework more conducive to Internet growth.

In comments at the closing plenary, I urged participants to follow the adage “Think globally, act locally.” I recommended that each country present should convene at the national level an ongoing multi-stakeholder dialogue — local businesses, government officials, academics and users — to identify specific barriers and specific solutions that can be implemented through national strategies.

The session closed with the announcement that the next IGF will be in Rio de Janeiro, Brazil, November 12-15, 2007.

The IGF Website, with transcripts, is here.

As we approach election day, fear of voting irregularities due to faulty machines or partisan shenanigans grow. The Internet, however, makes it easier than ever for those concerned about proper voting to coordinate with one another and investigate incidents of concern. The people behindVoterStory.org have done exactly that. have done exactly that. They are collecting the nation’s stories about voting experiences and passing them on to those who can hopefully help in each case.

On October 16, the Internet Corporation for Assigned Names and Numbers (ICANN) asked the online public to provide input for how to improve the transparency and accountability of the organization’s operations. This is a very good thing. Unfortunately, the deadline ICANN set for members of the Internet community to submit comments was October 31. This is a major problem.

We applaud ICANN for attempting to address its historic deficiencies in providing adequate transparency and accountability. No issue has been more damaging to ICANN’s credibility in the Internet community. But the artificially constrained timeframe ICANN has laid out for addressing the problem has left many observers to wonder if ICANN understands the scope of the problem or the challenges the organization will face in addressing it.

ICANN’s first notice gave the Internet public two weeks to provide recommendations, and was premised on the assumption that ICANN’s board would enact new policies at the organization’s December meeting in Sao Paulo, Brazil. ICANN later issued a second notice clarifying that it was seeking only “preliminary” responses by October 31, and announcing that the board would now take up the issue in March 2007.

That still seems like an awfully short timeframe to fix what appear to be a systemic problems with ICANN’s policies and institutional culture. In our preliminary comments to ICANN we offer some suggestions for fixing the most glaring instances of opaque and unaccountable practices, but also urge ICANN to step back and commit to devoting the time and resources needed to address these issues in a way that makes the organization truly stronger and more stable.

ICANN has taken a worthy and important step in throwing these issues open for review and improvement. Now it must make sure it follows through on what it started.