It’s a no-brainer that the federal government needs a robust and effective program for protecting its computer networks. However, a new cyber-security initiative being shopped by the White House to Congress and others, including CDT and fellow privacy advocates, raises long-standing concerns over the role of the National Security Agency in securing unclassified computer networks.

The NSA has long had a dual role: Wearing its signals intelligence hat, the agency spies on our adversaries, cracking their computer networks and breaking their codes. Turning that hat around, the NSA also is responsible for protecting U.S. government communications from interception.
(more…)

The E-Government Act of 2002 has been an important law for implementing government moving online. CDT also supported it in 2002. This year, the act will be up for reauthorization in senate bill S. 2321. The bill is a straightforward reauthorization of the E-Government Act, while still offering significant improvements.

This reauthorization includes language that instructs OMB to develop best practices for Privacy Impact Assessments. These are reports completed on new systems that aggregate personal information, required by the original e-Government Act. While these were a great idea, agencies were not given enough guidance and the PIAs were implemented very unevenly. The reauthorization would instruct OMB to create best practices for PIAs, and help agencies conduct them effectively. Effective and thorough privacy assessments help the agency to make decisions that protect privacy, and help the public understand what agencies are doing.

Secondly, this bill will add more robust language to make sure that government information is accessible via commercial search engines. Government Web sites disseminate information and make resources available to the public, and search engines share this mission to help users find appropriate and useful resources. In some cases, it seems that government sites are simply unaware that they can make the information they control more accessible through these search engines. Web sites now see most of their traffic coming from search engines like Google, Yahoo, Live Search, and Ask- or even the USA.gov search engine. The E-Government Act reauthorization will make sure that even more of this information is easy to find through search engines.

Overall, CDT believes that the new language for the E-Government Act reauthorization will help improve the implementation of the act as we move forward.

Combatting malicious spyware and privacy violations on the Internet is a big part of CDT’s mission. So CDT supports strong legal tools to pursue bad actors. But we also want to ensure that those tools don’t provide a broad basis for targeting or threatening people who aren’t doing anything nefarious. A provision in a bill approved by the Senate Judiciary Committee yesterday carries that risk.

The bill, S. 2168, includes a variety of reasonable provisions designed to improve the criminal statute against computer intrusions, including raising criminal penalties against spyware purveyors. But one item is problematic.

Specifically, 18 U.S.C. 1030(a)(5) currently criminalizes accessing or transmitting data to a computer on an unauthorized basis, in a manner that causes damage of at least $5,000. The new bill would eliminate the requirement that prosecutors demonstrate that damages are at least $5,000. Under the new bill:

• Violations without the $5,000 damage showing would be prosecutable — though as misdemeanors rather than felonies;
• Felony status would require either a showing of $5,000 in damages, or a showing that 10 or more computers were affected; and
• The private right of action in 1030(g) would be substantially expanded, becoming available not just when there is $5,000 in damage, but also (like felony status) whenever 10 computers have been affected.

(more…)

Today the FTC kicked off its two-day town hall meeting on behavioral targeting and tracking. CDT President Leslie Harris participated in a roundtable discussion on data collection, use, and protection – an hour and 45-minute long session that ranged across numerous issues.

On the subject of health information and its use in behavioral targeting, Leslie made the key point that the biggest concern that consumers have in digitizing their health information and moving health data management online is privacy. A consumer visiting a health Web site and researching diabetes may not mind viewing advertisements for diabetes-related products at that time. But if those site visits and searches are used to compile a profile of the consumer’s illness and market to him or her across sites and over time, the consumer may begin to feel as though his or her health information is at risk. The great promise of health IT hinges on gaining the trust of consumers, and thus questions about how health data may or may not be used for behavioral targeting in the future must be answered.

Many other questions about behavioral targeting remain. FTC Commissioner Jon Leibowitz discussed how he already noticed new great ideas popping up – including the Do Not Track List idea proposed by CDT and eight other groups yesterday. Commissioner Leibowitz provided a few good ideas of his own, including promoting innovation in the online privacy sphere to build on the search privacy competition we’ve seen this year, and working to make notices shorter and more understandable notices for consumers.

And just to clarify on the details of yesterday’s Do Not Track proposal (which we also blogged about yesterday to clearly articulate and illustrate how it might work) – we are not suggesting that the FTC or any government agency build any kind of technology to help stop the tracking. Some clunky technology already exists to use such a list in most browsers. Should the Do Not Track idea take hold, that would be up to browser makers, or, if browser makers are unwilling, perhaps even CDT.