Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for May, 2007

FTC Should Address Google-DoubleClick Privacy Issues

Tuesday, May 29th, 2007

While the FTC cannot confirm that it has an ongoing investigation, it seems pretty clear from some public statements (See Steve Lohr’s article in today’s NY Times - “Google Deal Said to Bring U.S. Scrutiny”) that it is the FTC — and not the Department of Justice — that has taken the lead in reviewing Google’s merger with DoubleClick.

Some experts have suggested that privacy will not play a role in the FTC’s investigation, but CDT disagrees.

Consumer protection issues are not considered as factors in whether the DOJ or the FTC is chosen to review a merger. Rather, the agency that can demonstrate the most expertise on the competition issues at stake is usually the one selected.

However, once the Commission is selected, Section 5 of the Federal Trade Commission Act can be part of the FTC’s review. All of the privacy actions that the Commission has brought to date have been under Section 5 of the FTC Act. The DOJ and FTC 1992 Horizontal Merger Guidelines specify that “mergers subject to section 5 are prohibited if they constitute an ‘unfair method of competition.’”

The FTC has used this power to investigate other consumer protection concerns, such as those that arose out of the AOL/Time Warner Merger in 2000.

As I mentioned in an earlier post on this topic, CDT has been promoting the FTC’s involvement in online advertising privacy issues since before either the Google-DoubleClick merger or Microsoft’s intended purchase of aQuantive were announced.

As I said then:

“Google, today, says that it has no plans to tie past history or search information across Web sites. Google says that it has no plans to match the DoubleClick cookies with any Google cookie. Yet, the possible integration of these two data sets - along with all of the other search data that Google collects - raises issues that the FTC could not have foreseen in 1999 and exemplifies the evolving privacy challenges in the online advertising space. It’s time to deepen the dialogue about behavioral targeting, and an FTC workshop would be a great way to start.”

We still believe that a workshop would be useful for the industry as a whole, but considering that the FTC did get review authority over the merger, we also hope that the FTC can get more assurances from Google in writing on their future plans regarding the privacy of user data.

Davis Tough on Tax Plan

Wednesday, May 23rd, 2007

We recently wrote a policy post highlighting the privacy issues involved in an Internal Revenue Service proposal that would require “brokers” — including online auction sites like eBay — to collect the Social Security numbers of millions of users. It seems that at least one member of Congress shares our concerns. Yesterday, Rep. Thomas Davis (R-VA) wrote a letter to U.S. Treasury Secretary Henry Paulson expressing his concern that the proposal could put the privacy of millions of Americans in jeopardy.

The goal of the IRS proposal is to track down unreported small business income generated by the online sale of goods. It would require “brokers” of transactions involving tangible personal property to file income statements about all sellers who conduct 100 or more separate transactions that generate $5,000 or more in gross income. As Rep. Davis points out, Internet businesses would likely collect SSNs from all users, because there is no easy way to determine beforehand which users will end up meeting the threshold for reporting. With endless recent data breaches and elevated levels of consumer concern about the security of online transactions, constructing massive new private-sector databases of sensitive information seems like a step in the wrong direction.

The IRS proposal is part of the President’s 2008 budget (see page 65 of the general explanation of the budget proposal). While no lawmaker has yet come out in support of the proposal, the measure could easily find its way into a larger legislative package. We are glad to see that Rep. Davis has raised a red flag, and we are hopeful that other members of Congress will follow suit.

Comey Revelations Highlight Surveillance Concerns

Wednesday, May 16th, 2007

The former Deputy Attorney General, Doug Comey, yesterday described a dramatic March 2004 encounter with White House Chief of Staff Andy Card and then-White House lawyer Alberto Gonzales in the hospital room of Attorney General John Ashcroft, in which Ashcroft and Comey stood up to White House pressure to re-approve the President’s program of spying on Americans’ international communications without court orders.

The Comey testimony is significant on many levels, but consider this: As of March 2004, the Attorney General and the Deputy Attorney General had concluded that the President’s Terrorist Surveillance Program was illegal. In essence, John Ashcroft and Doug Comey have weighed in on the side of the plaintiffs in pending cases regarding the legality of the TSP for some period of time prior to the remarkable encounter on March 10, 2004 and for some short period of time thereafter until the program was revised to meet DOJ concerns. (According to Comey, 2-3 weeks after the March 10, 2004 encounter, he approved a revised version of the program.)

Only the courts can decide whether Comey and Ashcroft were correct as to the legality of the program both before March 10, 2004 and when it was approved by DOJ in revised form thereafter, but it is clear from this testimony that the program, from some point in its evolution after September 2001 up until it was revised after the March 10, 2004 encounter, was illegal, in the opinion of the Attorney General and the Deputy Attorney General, backed up by an opinion from the Justice Department’s Office of Legal Counsel, which normally takes a broad view of Presidential power.

Comey’s testimony is also highly relevant to the Administration’s latest request to Congress to radically amend FISA: before going forward with FISA amendments, Congress and the public need to understand how the Administration’s proposed legislative changes relate to the three versions of the warrantless program: before March 2004, after March 2004, and as approved by the FISA court in January 2007. Of course, Congress and the public also deserve to know whether the President will comply with the FISA if it is amended, and whether the President continues to run other surveillance programs outside the statute.

Troubling News for the Front

Tuesday, May 15th, 2007

The Washington Post reported today that the Department of Defense is now preventing soldiers from accessing several social networking, video and photo sharing, and other popular websites — including MySpace and YouTube — via the Department’s computers and network. This strikes us as a poorly considered decision by military leadership. The blocked websites are invaluable channels of communications — both for military families and the broader public. CDT encourages the Pentagon to reconsider its position given the value that these websites provide.

The value of these globally popular websites can’t be overstated. Soldiers use MySpace, YouTube and other sites to stay connected to family, friends and their communities back home. For many troops, these websites are the primary means of keeping in touch with loved ones. The need for this sort of connection is especially vital in light of the extended and repeated tours of duty that both regular and reserve soldiers now face. At a time when the Pentagon is making more and more demands of our troops, it strikes us as shortsighted to cut those troops off from their families back home. These websites also allow soldiers to keep updated on national and global developments, and let’s not forget — troops use these websites to provide the public with alternative, riveting, and graphic insight into the challenges soldiers face in the wars in Iraq and Afghanistan.

The Pentagon claims that this change in policy is primarily a bandwidth issue: that soldiers viewing videos and photos online, or uploading their own, may so clog DOD pipes that the military will be hampered in performing its core functions. The Department itself admits that this move is simply a preemptive measure, noting “The popularity of the sites has not affected operations yet, but blocking them prevents them from causing such a problem.” Since the site-blocking policy is not responding to an immediate concern, the Pentagon should take the time to reevaluate and develop a better, less restrictive means for addressing bandwidth concerns.


Critics of WIPO Treaty Out in Force at Roundtable

Thursday, May 10th, 2007

Most of the participants at the roundtable Wednesday on the WIPO broadcast treaty were sharply critical of the latest draft, leaving Ben Ivins of the National Association of Broadcasters virtually alone in defending the need for a treaty that gives broadcasters new intellectual property-like rights. The best line of the day was by Ed Mierzwinski of U.S. PIRG, who — drawing on the fact that the current draft is set forth in a document labeled a “Non-paper,” a nice bit of diplomatic double-speak — said that this non-paper should clearly lead to a non-treaty.

The current draft does pare back on the sheer number of exclusive rights that earlier versions would have given to broadcasters. But it still represents an exclusive rights approach, rather than the signal theft approach that has been urged by CDT and a broad coalition of industry and civil society groups. In connection with the roundtable, CDT and over thirty other signatories submitted a document to the U.S. delegation to WIPO expressing opposition to the current draft. Hopefully the U.S. delegation will take it to heart before the important upcoming meeting of the relevant WIPO committee in June.

CDT’s specific concerns with the treaty were laid out in a Policy Post last September.

Query Logs and Privacy

Wednesday, May 9th, 2007

Should search engines retain a record of search queries? What benefits or harms flow from retaining that data? Should academic researchers be able to get access to “query log” data from search companies? What kinds of research can be done with this data? And — critically — what about the privacy of the search engine users?

All of these questions were debated and discussed in a workshop yesterday at the WWW 2007 conference entitled “Query Log Analysis: Social and Technological Challenges.” WWW is the leading annual academic conference focused on the Web and the Internet. This year the conference is in Banff in the Canadian Rockies (making staying indoors for the sessions quite a challenge).

The Query Log workshop addressed a fascinating set of issues, the foremost of which is the significant privacy risk raised by the retention (or distribution) of logs of search terms on sites such as Google, MSN, Yahoo, Ask etc. As the WWW event is an academic conference, there was much attention to the plight of researchers outside of the search companies. Researchers are frustrated that they have little or no access to actual data – the actual queries entered into search engines.

The companies are hesitant to disclose search data, both out of concern about compromising trade secrets about how they execute and track searches, and because of the backlash about the incident in August 2006 in which AOL released millions of search terms from about 650,000 users. Although AOL replaced user IDs with pseudonyms, it was relatively easy to identify some individual people from their search terms. There was, appropriately, a huge uproar about the harm to privacy, and AOL quickly took the data down.

Although the release of the data was clearly a mistake, AOL’s intentions were in fact honorable – AOL was trying to allow academic researchers access to actual search data. And ironically, the AOL data release did allow researchers to analyze core issues about privacy. In that data, for example, were social security and credit card numbers (raising privacy concerns by themselves), and researchers were able to document how privacy could be breached using the aggregated search of individuals’ searches.

Final Thoughts from CFP

Tuesday, May 8th, 2007

To close out CDT’s participation in the Computers, Freedom, and Privacy Conference, I spoke Friday on a panel about notice and consent for downloadable software. The panel really drove home the idea that there is still much ground to be covered in terms of making notice effective.

I was pleased to be joined on the panel by David Fewer from the Canadian Internet and Public Policy Clinic (CIPPIC). Back in November 2005, CDT and CIPPIC jointly filed a complaint against Canadian spyware company Integrated Search Technologies (IST) at both the Federal Trade Commission in the U.S. and Competition Bureau Canada. David explained that the Competition Bureau has unfortunately declined to take up the complaint, but he is still working to interest the provincial authorities in Quebec to take up the issue. We are hopeful that the authorities in Quebec will realize how egregious IST’s practices were and decide to pursue an investigation.

As a counterpoint to the lack of enforcement action we have seen in Canada, I spoke briefly about some of the good developments we have seen at the FTC in the U.S. Starting with the Seismic Entertainment case — which addressed the practice of downloading software without any notice or consent — the FTC has steadily upped the ante on what kind of notice should be required. If we fast forward to the FTC’s most recent enforcement actions, against Zango and Direct Revenue, we see the Commission requiring that the material terms about software downloads be displayed outside of any End-User License Agreement (EULA). Although this may seem like an obvious requirement, having a regulatory agency issue this requirement makes a strong statement to the software industry: burying material terms in a EULA does not work and does not qualify as adequate notice.

Top Ten Ways to Make the House More Open

Tuesday, May 8th, 2007

CDT Executive Director, Leslie Harris, and I had the privilege to serve on The Open House Project — a nonpartisan collaborative effort launched by the Sunlight Foundation to provide suggestions to House Speaker Nancy Pelosi (D-CA) on how to make the House of Representatives more open in the Web 2.0 age.

Today, the project issued a report offering 10 common sense suggestions to Pelosi:

  • Legislation Database: publish legislative data in structured formats
  • Preserving Congressional Information: protect congressional information through archiving and distribution
  • Congressional Committees: recognize committees as a public resource by making committee information available online
  • Congressional Research Service: share non-partisan research beyond Congress
  • Member Web-Use Restrictions: permit members to take full advantage of internet resources
  • Citizen Journalism Access: grant House access to non-traditional journalists
  • The Office of the Clerk of the House: serve as a source for digital disclosure information
  • The Congressional Record: maintain the veracity of a historical document
  • Congressional Video: create open video access to House proceedings
  • Coordinating Web Standards: commit to technology reform as an administrative priority

If you’re still not sure that you should read the whole report, watch this video promoting the project. You’ll be convinced:

Missing the Point At NIST

Friday, May 4th, 2007

What is happening at NIST?

The usually reliable National Institute of Standards and Technology (NIST) at the Department of Commerce really went off the deep end in its certification review of the State Department’s new PASS card system which plans to use the EPC Global GEN-2 long range RFID standard as its base.

The agency lists a number of so called “best available practices and non-ISO standards for the protection of personal identification documents” — none of which are written for government use of identity documents — to justify its analysis.

How can CDT, which has been vocally opposed to the use of the standard in the PASS card including in our comments to the State Department on their draft, be so sure that this was not the intent of these documents?

Well, one of those cited is the product of a CDT Working Group: Privacy Best Practices for Deployment of RFID Technology. These Best Practices specifically state:

This document is targeted at commercial and private sector consumer applications. It is not intended to address government applications of RFID or applications of RFID deployed internally by companies in the employer-employee context, business-to-business applications, or uses of RFID for personal identification systems.

How much clearer do we need to make this to ensure that it is not misused?

Many Questions Remain on Behavioral Targeting

Friday, May 4th, 2007

On Thursday, I had the opportunity to moderate a session on behavioral profiling in online advertising at the Computers, Freedom, and Privacy Conference in Montreal. Due to delays in the morning, the session lasted only just over an hour rather than an hour and a half, but even with the fully allotted time I don’t think we could have addressed all of the complexities of this subject – much more discussion is necessary.

Chris Hoofnagle from the Samuelson Law, Technology, and Public Policy Clinic at Berkeley started things off with an overview of the advertising landscape, noting that advertising is regulated in many mediums – billboards, TV, radio – so the idea of advertising regulation is nothing new. What is new, however, is the range of technologies and systems available that allow individuals to be profiled and targeted.

Kim Howell of Microsoft followed up on Chris’s introduction. Kim discussed some of the technical details of how behavioral profiling can work and how Microsoft’s advertising products work. She noted, for example, that only Internet users who sign into Microsoft’s Windows Live system have behavioral profiles developed about them. This is the kind of detail that CDT thinks should be more involved in the public debate about behavioral targeting, and it’s the sort of thing we would like to see discussed at an FTC workshop on the issue.

For the second half of the session I moderated a discussion between Mike Zaneis of the Internet Advertising Bureau and Jeff Chester of the Center for Digital Democracy. There weren’t too many points of agreement between these two, but the discussion managed to raise many questions that we hope will continue to fuel this dialogue: When is an opt-in regime necessary? How can notice be crafted in an understandable and functional way? What constitutes “sensitive” information? What should the standards be for granting Internet users access to the profiles built about them? Our session was too short to answer these and many of the other questions that were raised, but as the online advertising landscape continues to grow and evolve, so too will the debate about behavioral profiling.
