Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for 2007

Admin Cyber-Security Plan Raises Concerns over NSA’s Role

Thursday, November 8th, 2007

It’s a no-brainer that the federal government needs a robust and effective program for protecting its computer networks. However, a new cyber-security initiative being shopped by the White House to Congress and others, including CDT and fellow privacy advocates, raises long-standing concerns over the role of the National Security Agency in securing unclassified computer networks.

The NSA has long had a dual role: Wearing its signals intelligence hat, the agency spies on our adversaries, cracking their computer networks and breaking their codes. Turning that hat around, the NSA also is responsible for protecting U.S. government communications from interception.
(more…)

eGov Reauthorization Beefs Up Previous Program Areas

Thursday, November 8th, 2007

The E-Government Act of 2002 has been an important law for moving government online. CDT also supported it in 2002. This year, the act will be up for reauthorization in Senate bill S. 2321. The bill is a straightforward reauthorization of the E-Government Act, while still offering significant improvements.

This reauthorization includes language that instructs OMB to develop best practices for Privacy Impact Assessments. These are reports completed on new systems that aggregate personal information, required by the original e-Government Act. While these were a great idea, agencies were not given enough guidance and the PIAs were implemented very unevenly. The reauthorization would instruct OMB to create best practices for PIAs, and help agencies conduct them effectively. Effective and thorough privacy assessments help the agency to make decisions that protect privacy, and help the public understand what agencies are doing.

Secondly, this bill will add more robust language to make sure that government information is accessible via commercial search engines. Government Web sites disseminate information and make resources available to the public, and search engines share this mission to help users find appropriate and useful resources. In some cases, it seems that government sites are simply unaware that they can make the information they control more accessible through these search engines. Web sites now see most of their traffic coming from search engines like Google, Yahoo, Live Search, and Ask, or even the USA.gov search engine. The E-Government Act reauthorization will make sure that even more of this information is easy to find through search engines.

Overall, CDT believes that the new language for the E-Government Act reauthorization will help improve the implementation of the act as we move forward.

A $5,000 Question

Friday, November 2nd, 2007

Combatting malicious spyware and privacy violations on the Internet is a big part of CDT’s mission. So CDT supports strong legal tools to pursue bad actors. But we also want to ensure that those tools don’t provide a broad basis for targeting or threatening people who aren’t doing anything nefarious. A provision in a bill approved by the Senate Judiciary Committee yesterday carries that risk.

The bill, S. 2168, includes a variety of reasonable provisions designed to improve the criminal statute against computer intrusions, including raising criminal penalties against spyware purveyors. But one item is problematic.

Specifically, 18 U.S.C. 1030(a)(5) currently criminalizes accessing or transmitting data to a computer on an unauthorized basis, in a manner that causes damage of at least $5,000. The new bill would eliminate the requirement that prosecutors demonstrate that damages are at least $5,000. Under the new bill:

  • Violations without the $5,000 damage showing would be prosecutable — though as misdemeanors rather than felonies;
  • Felony status would require either a showing of $5,000 in damages, or a showing that 10 or more computers were affected; and
  • The private right of action in 1030(g) would be substantially expanded, becoming available not just when there is $5,000 in damage, but also (like felony status) whenever 10 computers have been affected.

(more…)

FTC Tracking and Targeting Town Hall – Take One

Thursday, November 1st, 2007

Today the FTC kicked off its two-day town hall meeting on behavioral targeting and tracking. CDT President Leslie Harris participated in a roundtable discussion on data collection, use, and protection – a session of an hour and 45 minutes that ranged across numerous issues.

On the subject of health information and its use in behavioral targeting, Leslie made the key point that the biggest concern that consumers have in digitizing their health information and moving health data management online is privacy. A consumer visiting a health Web site and researching diabetes may not mind viewing advertisements for diabetes-related products at that time. But if those site visits and searches are used to compile a profile of the consumer’s illness and market to him or her across sites and over time, the consumer may begin to feel as though his or her health information is at risk. The great promise of health IT hinges on gaining the trust of consumers, and thus questions about how health data may or may not be used for behavioral targeting in the future must be answered.

Many other questions about behavioral targeting remain. FTC Commissioner Jon Leibowitz discussed how he already noticed great new ideas popping up – including the Do Not Track List idea proposed by CDT and eight other groups yesterday. Commissioner Leibowitz provided a few good ideas of his own, including promoting innovation in the online privacy sphere to build on the search privacy competition we’ve seen this year, and working to make notices shorter and more understandable for consumers.

And just to clarify on the details of yesterday’s Do Not Track proposal (which we also blogged about yesterday to clearly articulate and illustrate how it might work) – we are not suggesting that the FTC or any government agency build any kind of technology to help stop the tracking. Some clunky technology already exists to use such a list in most browsers. Should the Do Not Track idea take hold, that would be up to browser makers, or, if browser makers are unwilling, perhaps even CDT.

Two Takes on Copyright Principles for UGC Platforms

Wednesday, October 31st, 2007

A couple of weeks ago, a group of commercial copyright owners and operators of several user-generated content (UGC) services issued a set of Copyright Principles for UGC Services. To their credit, these principles include “the accommodation of fair use” among the goals. The main thrust of the principles, however, is to call on UGC sites to take more active responsibility for preventing users from posting infringing content — and in particular, to implement filtering technologies to identify unauthorized copyrighted content automatically. The principles go into significant detail about how UGC sites should combat infringement, while the nods to fair use consist of little more than bare references. For example, the shortest of the fifteen principles is number six, which reads in its entirety: “When sending notices and making claims of infringement, Copyright Owners should accommodate fair use.”

Stating a general commitment to accommodating fair use is certainly welcome. But it doesn’t provide any guidance on the tricky practical questions concerning what such a commitment actually means and how to make it real and effective. Accommodating fair use is not a straightforward task, particularly where companies are relying on automatic filtering tools. Filtering tools may be able to identify unauthorized copyrighted content, but they can’t parse the nuances of fair use.

Today, EFF and several other organizations released a set of principles aimed squarely at providing more detailed guidance for the fair use side of the UGC equation. These Fair Use Principles for User Generated Video Content call for granting a “wide berth” for uses that are creative and noncommercial in nature (e.g., using a clip as part of an original video, as opposed to just posting a verbatim copy of the clip); targeting any automatic, technology-based blocking to cases that appear to involve verbatim copying, while providing for human review of cases where the content appears more mixed; and providing effective ways for content creators to dispute the conclusions of automatic filters or content owner takedown notices. Clearly these are important ideas. In particular, human review of close cases and meaningful mechanisms for individuals to challenge erroneous takedowns or blocking seem like essential elements of any serious scheme to leave room for fair use.
(more…)

Dispelling “Do Not Track” Myths

Wednesday, October 31st, 2007

Earlier today CDT joined eight other privacy and consumer groups in urging the Federal Trade Commission (FTC) to take proactive steps to protect consumer privacy in light of the growth of “behavioral targeting” — the practice of collecting and compiling a record of individual consumers’ activities, interests, preferences, and/or communications over time for the purposes of serving advertising based on the information collected. Marketers and advertising networks generally accomplish this sort of tracking by placing a persistent, unique identifier (such as a cookie ID) on a consumer’s computer that can help identify that consumer as he or she visits sites across the Web and over time. As part of the groups’ proposal, we asked the FTC to implement a “Do Not Track List” intended to protect consumers from having their online activities unknowingly tracked, stored, and used by marketers and advertising networks. The idea for the Do Not Track List is reminiscent of the extremely popular Do Not Call list maintained by the FTC. That program allows consumers to submit their phone numbers to the FTC to avoid being called by telemarketers. The FTC maintains these phone numbers in a list, and telemarketers can pay the FTC to get a copy of the list so they know which consumers not to call. (more…)

Recent Neutrality Scuffles Highlight Need for Transparency

Monday, October 29th, 2007

The last few weeks have seen two scuffles relevant to the Internet neutrality debate. Verizon Wireless initially refused to facilitate certain automatic text messages from the abortion rights group NARAL on the ground that they were “controversial,” even though the messages would only go to opt-in NARAL supporters. More recently, the Associated Press and others have reported that Comcast impairs some of its broadband subscribers’ P2P communications by sending “reset” packets that effectively terminate individual communications (though Comcast claims the communications can be restarted later).

In many ways, these two incidents are very different. The Verizon Wireless incident concerned text messages on a mobile phone network, not the Internet. Moreover, Verizon Wireless reversed course, blaming the initial decision to reject NARAL’s messages on a mistaken application of a “dusty internal policy.” In Comcast’s case, the issue concerns broadband Internet service and the company shows no inclination to back down from what it defends as important network management activity. Another difference is that the carrier’s decision in the Verizon Wireless case turned on the specific content of the communications (i.e., the controversial topic of abortion), whereas Comcast’s policies appear to target protocols viewed as bandwidth hogs.

But both cases highlight the need for more transparency. This is something on which all sides of the neutrality debate ought to be able to agree. It’s one thing to argue about whether carriers should be subject to some type of government rules limiting discrimination. But it’s quite another to argue that it’s just fine for carriers to discriminate in secret, with no public disclosure of their policies. After all, opponents of regulation generally say that competition in the marketplace, together with the backstop of antitrust law, will provide a sufficient check against harmful types of discrimination. But the marketplace can’t provide any discipline, and the public can’t express its marketplace preferences, if there is no public access to information about what different carriers actually do.
(more…)

Fair and Balanced takes on Fair Use?

Friday, October 26th, 2007

Fox News has apparently sent Sen. John McCain a cease and desist letter for his campaign’s use of 19 seconds of video of the Senator taken from a debate hosted by Fox News in a campaign ad (available here). Fox’s claim that the political ad violates its copyright strains credulity. If the use of a 19-second clip from a 90-minute televised debate incorporated into a political ad is not fair use, then what is?

The question to Fox News is, are there any circumstances where the network would acknowledge fair use of debate footage? Is there something about this particular advertisement that they contend is distinguishable from other uses of short clips for political debate and commentary? Or are they making an argument that candidates who participated in televised political debate (as compared to ordinary citizens) are not entitled to claim fair use of short clips for political purposes? If so, why?

Because frankly we can’t see it. Yes, the clip did make its way into a political ad. And yes, he did cherry pick one of the few “newsworthy” (or at least entertaining) moments in the debate. But if Senator McCain can’t use 19 seconds from that debate in a political ad, it’s difficult to imagine that anyone can claim fair use of any one of the 5400 seconds from that debate.

The only good thing that may come from this incident is that members of Congress may finally begin to grasp the importance of fair use to a democratic society. Nothing focuses the mind of a politician like a cease and desist letter aimed at a political advertisement.

DirectRevenue Gone (but Not Forgotten)

Friday, October 26th, 2007

Adware vendor DirectRevenue has officially shut down. According to a notice posted on its Web site, the company has “ceased operations” and is maintaining the site only to provide uninstall instructions to legacy users of its adware products. This is good news from a company that engaged in some of the most egregious behaviors in the spyware space — sending “torpedoes” to remove anti-spyware software and showing a pop-up ad every minute, for example.

This will not be the last that we hear from DirectRevenue, however. Although the company settled with the Federal Trade Commission for $1.5 million earlier this year, the New York Attorney General’s lawsuit against DirectRevenue and its owners is still pending. As CDT noted when the FTC announced its settlement, $1.5 million is chump change for a company whose owners earned $20 million by deceiving consumers. Thankfully, the state attorneys general have the authority to pursue these kinds of deceptive operations, and the folks in New York have been vigilant about enforcing against the Internet’s nastiest spyware schemes. DirectRevenue may be finished online, but certainly not in court.

Another Kind of Patriot Game

Thursday, October 18th, 2007

A story published today by the Associated Press explains that:

The New England Patriots have won a bid to get the names of all the fans who bought or sold — or tried to buy or sell — tickets to home games through online ticket reseller StubHub Inc., a move one technology group sees as an invasion of privacy.

That “technology group” is CDT.

Here is a little more detail:

CDT is concerned about the breadth of the Patriots’ discovery request. If the request were only for the names and contact information of those who had clearly broken the law, we would have little issue. However, the order would include information of individuals that bid on the game for under ticket price, but did not win and may never even have gone to a game. That is simply too much information. The Patriots, having just gone through the recent spygate scandal, should be more sensitive to the privacy of law-abiding Internet users.

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
