This year, North America joins 27 European countries to celebrate Data Privacy Day. Beginning January, 28th, the week-long event is punctuated by several efforts looking to raise the visibility of privacy issues at home and abroad. The International Association of Privacy Professionals has put together some nice resources for the occasion.

CDT will be involved in several relevant events:

CDT is participating by co-sponsoring today’s conference at Duke University entitled Data Privacy in Transatlantic Perspective.

CDT President Leslie Harris will moderate a panel on Health IT discussing medical privacy issues at the Congressional Internet Caucus Advisory Committee’s State of the Net Conference on Wednesday.

On Thursday, CDT will also host the 4th Anti-Spyware Coalition Public Workshop.

Earlier this week, the FTC filed a new brief against notorious spammer/spyware purveyor Sanford Wallace, and his partner Walter Rines, for violating the default judgment against them that was originally based on CDT’s 2004 petition.

Good to see that the Commission is not letting Wallace and Rines slip, but let’s hope that they can collect more than the $50,000 that it did last time around.

The Office of Management and Budget has been quietly ramping up its privacy requirements. Since the security scare of having a Veteran Affairs laptop containing the personal information of 26.5 million veteran and active-duty military stolen was resolved, OMB has offered no less than six memos related to privacy:

M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007) (43 pages, 251 kb);

M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) (22 pages, 228 kb);

Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006) (12 pages, 1,903 kb);

M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006) (42 pages, 301 kb);

M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006) (2 pages, 41 kb);

M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006) (2 pages, 50 kb).

And on Friday they issued an eighth memo:

M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008). Among other things, this guidance requires agencies to report on privacy issues including those that are not covered by the Privacy Act.

While this is a positive step and shows that OMB is indeed beginning to show real leadership on privacy issues (in contrast to GAO’s June 2003 report entitled Privacy Act: OMB Leadership Needed to Improve Agency Compliance), CDT is still urging OMB to move forward, including efforts toward best practices for privacy impact assessments (PIAs) as we explained in our recent testimony on E-Government Act Reauthorization in front of the Senate Homeland Security and Government Affairs Committee. OMB has been supportive of the passage of this legislation, but could move forward with best practices even without it.

The Washington Post reported today that Rep. Henry Waxman (D-CA), Chairman of the House Oversight and Government Reform Committee, is investigating a 473 day gap in White House e-mail storage.

The White House response suggest that they just don’t have a good system in place to preserve e-mail

This should be of great concern considering the fact that the courts ruled 13 years ago that an electronic copy of e-mail needs to be preserved. The precedent here comes from ARMSTRONG v. EXECUTIVE OFFICE OF PRESIDENT , 1 F.3d 1274 (D.C. Circuit Court of Appeals 1993, which originally dated back to 1988 when Reagan was leaving office. Journalist Scott Armstrong and the National Security Archive sued to ensure that the actual electronic versions of federal records were being stored and not just paper print outs. The courts found that a lot of information was lost in the print out and that the President and the National Archive and Records Administration had an obligation under the Federal Records Act to store the electronic copies of e-mail records.

The massive gap in the Bush Administration’s record keeping seems to directly violate this finding.

In 2003, Regulations.gov was unveiled, promising to allow individuals to more easily find and comment on proposed rules being considered by federal agencies. New features promise to allow users more flexible search and open a treasure trove of information to remixing by third parties, thanks to an RSS feed of information from the Federal Register.

Regulations.gov was intended to serve as a one-stop portal for commenting on proposed rules online, hopefully an easier and more efficient method of commenting. However, Regulations.gov has been plagued with usability problems, effectively limiting access to those select few who could spend the time learning to use the system. Luckily for those of us who found the old interface confusing, Regulations.gov has graduated to Regulations.gov 2.0. Search has been drastically improved, and an RSS feed is available for information in the Federal Register.

In a 2003 Policy Post, CDT noted the underpowered Regulations.gov search engine; the site’s update replaces the search with a much simpler, more powerful search. Other features that we hoped for from Regulations.gov have also come along, with easier ways to find recent rules, and rules with comment periods that are closing soon. These features help novice users to browse rules and navigate the site, and the search itself provides a simpler interface to find rules.

Regulations.gov now provides an RSS feed of all information they post from the Federal Register. This includes proposed rules, final rules, and government notices. While the RSS feed is a step forward for accessibility of this information, it is not useful for most users. Few people are interested in every proposed rule under consideration. However, this feed allows third parties to use this information to create more useful applications of the raw data. One example of this is OpenRegulations.org, which has used the RSS from Regulations.gov to provide RSS feeds of regulations and notices from each agency. I am confident that more useful applications of this feed will be implemented; by providing the raw data, Regulations.gov has empowered citizens to use and remix the information in new and useful ways. After all, Regulations.gov doesn’t need to envision every possible useful feature; they just need to make sure that people have the tools to implement that feature. Congratulations on your 2.0, Regulations.gov.

Reports that the music industry is now claiming that it’s illegal to “rip” songs from a CD you own and put them on your hard drive are cropping up all over the Internet. Many of those reports point to a Washington Post article as the source of this news; meanwhile, a posting on Slashdot raised the issue a couple of weeks earlier.

The story feeds quite nicely into the popular perception of the Recording Industry Association of America (RIAA) as overreaching, extreme in its views, and hopelessly out of touch with the realities of the current Internet-based marketplace. And it would indeed be remarkable if the RIAA were to start suing consumers for transferring their lawfully purchased CDs into MP3 format to use on their computers and portable devices. But it’s not happening. The whole story is essentially a red herring.

The truth is, nobody is “going after” any consumer for ripping CDs onto a computer. The alarm stems from a single sentence that appears on page 15 of an RIAA filing in a case focused on peer-to-peer file sharing. The defendant is being sued for allegedly distributing songs to other P2P users by putting the songs in his KaZaA shared folder, not for ripping songs from CDs. The sentence itself may raise questions: “Once Defendant converted Plaintiff’s recording into the compressed .mp3 format and they are in his shared folder, they are no longer the authorized copies distributed by Plaintiffs.” But this lone sentence, taken out of context, hardly represents evidence of a new legal position, much less a new front in the RIAA’s legal campaign.
(more…)