CDT’s OpenCRS project collects and indexes Congressional Research Service (CRS) reports and makes them available to the public free of charge. Each week, PolicyBeta features a CRS report on an important topic. For more reports, or to help contribute new reports to the OpenCRS database, visit the Web site.

This week’s report addresses the use of “National Security Letters,” an extremely powerful tool that law enforcement can use to onbtain criminal suspects’ personal and business records. CDT Policy Director Jim Dempsey testified before Congress on the use of NSLs in March.

National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments
RS22406 - March 20, 2007

CDT’s OpenCRS project makes the Congressional Research Service’s taxpayer funded reports more readily available on the Web. As we have mentioned in the past, these reports are written for Congress and help them make legislative decisions. They are now being sold by commercial vendors regularly for $29.95 a piece.

OpenCRS has been getting a lot of new reports in the our core issue areas and we thought that this would be a good tie to start featuring timely reports that would be of interest to PolicyBeta’s readers

Our inaugural CRS Report of the Week is:

Information Security and Data Breach Notification Safeguards
RL34120 - July 31, 2007

It seems Congress may be getting the message that Internet safety education — rather than mandatory censorship or burdensome regulatory regimes — represents the brightest hope for protecting kids online. In recent weeks, we’ve been pleased to see bills introduced in the House and Senate that direct the Federal Trade Commission to conduct a public awareness and education campaign on Internet safety.

Representative Melissa Bean (D-IL) introduced the SAFER NET Act — “Safeguarding America’s Families by Enhancing and Reorganizing New and Efficient Technologies Act” (H.R. 3461) — that directs the FTC to create a program to educate “families, businesses, organizations and other users” about how safely to engage in e-commerce, and protect “against threats to financial information and privacy, threats from cyber-crime, and threats to juveniles, including cyber-predators and material that is inappropriate for minors.”

Senator Ted Stevens (R-AK) introduced a bill (S. 1965) with nearly identical language. His “Protecting Children in the 21st Century Act” also directs the FTC to conduct a public awareness and education campaign, but with the narrower focus of promoting “safe online activity for children,” protecting “children from cyber-crimes, including crimes by online predators,” and helping “parents shield their children from material that is inappropriate for minors.” (Although CDT supports the education provisions of this bill, we have serious concerns about other parts of the legislation.)

Both the SAFER NET Act and the Stevens bill would provide substantial funding for these education campaigns: approximately $10 million over the next two years.

CDT has consistently advocated educating parents and children about how to be safe and smart online; and about what technological tools are available to help them tailor a family friendly Internet experience. A 2002 study by the National Research Council (National Academy of Sciences) entitled “Youth, Pornography and the Internet” strongly emphasized the need to cultivate media literacy in young people and to specifically teach them “what constitutes safe Internet behavior and how to recognize dangerous, inappropriate situations” (p. 222). Adam Thierer of the Progress and Freedom Foundation recently published a report that similarly focuses on Internet education, and also discusses parental controls for the Internet and other communications platforms.

Teaching kids to make smart decisions for themselves and encouraging parents to become involved in their children’s lives is certain to be more effective than government-mandated website blocking, age verification, parental consent, or other similar web censorship regimes. CDT encourages Congress (and state legislatures) to fund programs aimed at educating parents and minors about the benefits and risks of the Internet, and how they can have positive online experiences.

As my last day at CDT winds down to a close, I found myself with a little spare time at the end of the day on a Friday in August (hard to believe, I know). I decided to take a moment to give public thanks to the folks I’ve worked with both here at CDT, and in the community we work with.

I’m leaving CDT after today to pursue a law degree at American University’s Washington College of Law. It’s been a great two years working with my fellow CDT employees to protect our civil liberties in this digital age, and I’m comforted by knowing that while I’m taking a step back to continue my education (and hopefully return to this area in three years with some new tools), such quality folks as these will continue to work tirelessly for all our benefits. I would be remiss if I did not thank Ari Schwartz in particular, for being kind, patient and an excellent tutor.

I’ve also already said a private “thank you” to the membership of the Anti-Spyware Coalition, but they too deserve a mention here. Each one of them have made it a pleasure to manage the coalition, and to work with them on drafting our important documents. I know their work will continue to be important long into the future, and I wish all of them the best of luck.

Keep on fighting, all of you, and I’ll be back in a few years to rejoin your ranks!

Recently leading search providers announced a series of changes to the way they treat the detailed — and in many cases, personally identifiable — information they collect about users’ Internet search activities. To us, this signaled a small, but significant shift in the privacy landscape, as companies began to compete with one another in the area of privacy.

Earlier today, we issued a report that compares the various revamped privacy policies and offers recommendations to lawmakers, companies and researchers for further steps they can take to give consumers the control they need and deserve over their personal data.

As concerns about search privacy have been heightened over the past year, lawmakers and regulators in the United States and abroad have begun exerting pressure on search companies to address the privacy concerns raised by retaining potentially personally identifiable data about users’ searches. Companies responded by moving to strengthen their privacy policies.

CDT actually had the opportunity to consult with many of these companies over the past year and offer recommendations for how they could strengthen the privacy offerings for Internet search. Not all of our recommendations found their way into the companies’ policies, but we were gratified to be able to play a small role in advocating for polices that protect privacy and give users greater control over their own personal information.

That sort of direct engagement with companies, government officials and fellow advocates has been a unique hallmark of CDT’s work, and we’re proud of our track record in helping to facilitate real change, rather than just generating sound bites.

Of course, these sorts of industry self-regulatory efforts are only a part of the privacy puzzle. No amount of self-regulation will ever provide users with the full range of privacy protections they need to be safe and in control of their own information in the digital age. We will continue to call on Congress to enact meaningful privacy legislation that sets baseline standards for how companies may collect, use and share our personal data.

In the recently released State of the Net report for 2007, Consumer Reports noted that spyware infections have dropped. However, the chances of any given computer getting an infection are still quite high — one in three — with about a quarter of the infected computers suffering serious damage from spyware.

The report highlights the practice of online advertising services and Web sites deceptively installing programs on computers, which then pop up advertisements. A Google study estimated that ten percent of the websites it indexes attempt to download potentially unwanted software onto visiting computers. Many large websites have agreed to discontinue use of these advertising services, after several states and the FTC brought action against various sites.

This report serves as a reminder that — while our tools for fighting spyware are advancing — so too is the threat. Anti-virus and anti-spyware analysts say that threats are continuing to emerge, and consumers are at great risk. New tools are available to malware creators, making the creation and distribution of malware easier.

While progress is being made in the fight against malware, technical and legal avenues must continue to be pursued.

I just returned from Vegas and an interesting couple of days at Black Hat and Defcon. The Anti-Spyware Coalition put on the same panel at both conferences. Eileen Harrington, Deputy Director at the FTC, gave a great overview of the Commission’s work on spyware and suggested that they are spending a lot of time helping highlight the criminal aspects of spyware to others in the government — since the FTC is a civil law enforcement agency, they pass criminal matters to the DOJ.

Ben Edelman, now an Associate Professor at Harvard Business School, gave an overview of some of his latest research including his report on several exploits that install Zango software that seem to be pretty clearly in violation of Zango’s settlement agreement with the FTC. Mario Vaksun, Director of Knowledgebase Services at Bit9, showed some interesting research about how malware installers have been issued signatures by the two biggest certificate authorities raising questions about the long term ability of this form of authentication to protect users. It seems that the “Sexy Sexy” dialer was given over 1,700 certificates.

Some of the other top notch policy presentations that I saw were given by Jennifer Granick, now at Stanford Law but soon moving to EFF, who gave an excellent case studies in Disclosure and Intellectual Property Law and by Robert W. Clark, of the Department of the Navy Secretariat, who gave one of the more informational and entertaining “Year in Review on Computer and Internet Security Law” presentations that I’ve ever seen.

And yes, the Defcon badge is as cool as advertised.

With a week to go before recess, the President used his radio address to challenge Congress to amend the law regulating national security surveillance of domestic and international calls. Democrats have responded with a serious proposal that addresses the problems cited by the Administration.

The proposal, however, includes something the Administration viscerally opposes: judicial checks and balances. The Democratic draft calls for reports to the Foreign Intelligence Surveillance Court and requires the Administration to seek a court order when surveillance activities targeted at foreigners begin to intrude on the rights of U.S. citizens.

The Administration wants amendments to the Foreign Intelligence Surveillance Act that would allow the National Security Agency to intercept, without a court order, any international phone calls and emails of American citizens.

The Administration proposal goes further even than the Terrorist Surveillance Program described by the President in January 2006 when the Administration admitted it was intercepting phone calls and email without a court order. Rest assured, the President said at the time, in every case we have reason to believe that a member of al Qaeda is on the line.

Now, the Administration wants to eliminate even that requirement. Its latest proposal would allow it to intercept any call of any citizen, just on the basis that the citizen is talking to someone overseas.

(more…)

The Computer and Communications Industry Association (CCIA) today filed an FTC complaint about inaccurate copyright warnings. If you watch major league sports, chances are you can recite some of the warnings from memory — for example, “accounts and descriptions of this game may not be disseminated without express written consent.” CCIA argues that warnings associated with certain sports telecasts, movie DVDs, and books misrepresent federal law by overstating the copyright holder’s exclusive rights and ignoring key limitations like fair use, exemptions for classroom use, and the legal principle that facts and ideas may not be copyrighted.

It’s true that copyright in general and fair use in particular often turn on subtle and imprecise distinctions, with the result that interpretations of the law differ. So coming up with a completely “objective” copyright warning may be difficult. But it’s equally true that many copyright warnings don’t seem to make any effort whatsoever to paint an accurate picture of the law, under any good faith interpretation.

CDT has argued for some time that public education about copyright is a key component of a sound copyright policy for the digital age. Certainly that means educating citizens about what constitutes infringement and why engaging in infringement is wrong. But the CCIA petition highlights the risk of highly slanted or partial education. A real education campaign should be focused on giving the public a greater understanding of the contours of copyright law and of why copyright matters — not parading around a scary caricature of the actual law. Good faith efforts at education will require an appropriate balance.

Incidentally, the NFL is one of the parties CCIA names in today’s FTC complaint. On the subject of aggressive copyright claims in the football arena, the Green Bay Packers apparently invoke copyright to limit linking to their (public) Web pages, according to this blog post.