The Internet has been abuzz in recent days (see the New York Times, Ars Technica, and the Google Public Policy Blog) with the question of whether Internet Protocol (IP) addresses collected by online companies should be considered as “personal data” (in European Union terminology) or “personally identifiable information” (in U.S. terminology) that can be used to identify an individual. A central issue in the debate is whether the same IP address is assigned to the same computer every time the computer connects to the Internet. Some ISPs use “static” IP addresses which are fixed over time, allowing all the Internet traffic generated by a particular computer on the network to be associated with the same IP address. Others use the Dynamic Host Configuration Protocol (DHCP) to assign “dynamic” addresses that change each time a computer connects to the network. Although there are other reasons why a computer’s IP address may change over time, DHCP is certainly one of the most prominent.

Curiously absent from the discussion thus far has been the prospect of transitioning from our current IP addressing structure – known as IPv4 – to the next-generation IPv6 standard. IPv6 was developed over a decade ago to deal with several shortcomings of the IPv4 standard, most notably a potential shortage of IP addresses (only about one third of the original pool of useable IPv4 addresses remain available).

One of the new features in IPv6 is known as “stateless autoconfiguration,” which allows a computer to generate its own IP address and eliminates the need for DHCP. In some implementations of IPv6, the same computer will always generate the same IP address for itself, much in the same way that static IPv4 addresses remain consistent over time. Although not all implementations will necessarily operate this way, from a technical networking perspective there are many reasons why maintaining the same IP address over time may be attractive. Thus, as IPv6 is rolled out on a large scale – which it most certainly will be at some point down the line, perhaps as early as this year in China – it’s possible that many more Internet users will have static IP addresses, and thus many more IP addresses will be more easily relatable to individuals. This is surely important to keep in mind as we navigate future questions about IP addresses as personal data.

The debate about the privacy of IP addresses is far from over. As our thinking on this issue evolves, we continually find ourselves coming back to the EU’s Article 29 Data Protection Working Party opinion on the concept of personal data, issued last summer. As perhaps the most thorough exploration to date of what “personal data” means in an online context, we recommend that anyone interested in this topic give it a close read.

Following revelations that Comcast sometimes interferes with its subscribers’ P2P upload traffic, the Internet neutrality debate is currently focused on “network management” — actions that ISPs take to “manage” traffic on their networks. ISPs say that to make their networks run well for all concerned, they need flexibility to employ network management tools as they see fit. Critics argue that ISPs shouldn’t degrade P2P, or other selected traffic, in the name of network management, because having ISPs play favorites poses risks to competition and innovation.

On the heels of the Comcast news, the FCC was asked by a number of concerned parties to step in and decide the legitimacy of different kinds of network management practices. The FCC, in turn, asked the those interested in the issue to weigh in with their opinions by submitting formal comments to the agency. It also took the unusual step of holding an out-of-town hearing on the topic earlier this week in Boston. Meanwhile, Congressman Markey recently introduced a new Internet neutrality bill.

CDT submitted its second round of comments to the FCC yesterday, which respond to arguments made by others in the first comment round. CDT’s its initial set of comments were submitted February 13.

CDT is skeptical of the FCC’s jurisdiction to regulate the details of ISPs’ network management practices, and our comments caution the agency against launching an effort to write formal rules. At the same time, CDT believes some kinds of network management practices are suspect and could indeed give the ISP increased gatekeeper control.

We’re not talking here about practices aimed at fighting spam, malware, or security threats — as yesterday’s comments emphasize, that’s a different category of activity and it really should be considered separately. For traffic management aimed at dealing with congestion and “bandwidth hogs,” however, certain principles are important. This kind of traffic management should apply evenly to all traffic, based on objective criteria; should be clearly disclosed; and should comply with core internetworking standards. While CDT doesn’t want to see the FCC adopt formal rules, our comments to the agency suggest that it provide some principle-level guidance — for example, by adding the concept of nondiscrimination to its broadband Policy Statement.

Rep. Ed Markey, (D-MA), Chairman of the House Telecommunications Subcommittee, introduced an Internet neutrality bill on Feb. 13th that would establish pro-neutrality principles as expressions of U.S. policy. It also calls on the FCC to do a detailed assessment of how current broadband providers’ practices are consistent or inconsistent with those principles. Unlike some previous bills, Markey’s bill would not establish a binding set of rules or prohibitions for broadband providers.

Enacting this bill would be a good step forward in the neutrality debate. First, the bill makes a strong statement that U.S. policy should favor the continued maintenance of a free and open Internet, with users — rather than network operators — determining what content, applications, and devices will succeed in the marketplace. Second, it expressly writes the objective of a free and open Internet into the Communications Act, the core statute governing national communications policy. And third, in contrast to the “no regulatory action needed whatsoever” lobby, it expressly endorses the adoption of “baseline protections” to guard against the risk of network operators taking a new role as Internet gatekeepers.
(more…)

Administration officials are complaining about House Democrats stalling legislation that would grant immunity to any telecommunications carrier that assisted with its domestic spying program. Without that immunity cloak, the White House says, telecoms will hesitate to cooperate with such programs in the future.

It’s true that telecom assistance is crucial to successful electronic surveillance. But what’s getting lost in all the heated rhetoric is that telecoms, under current law, already have immunity when they assist in lawful electronic surveillance. Congress specifically gave telecoms that legal cover in the Foreign Intelligence Surveillance Act.
(more…)

The heated rhetoric this week of trying to place blame for the expiration of the Protect American Act (PAA) obscures important civil liberties issues surrounding intelligence surveillance.

No doubt: the President is playing politics with national security by trying to corner House Democrats into accepting a deeply flawed Senate bill.

And for what? Most of the government’s intelligence surveillance authorities survive, despite the sunset of the PAA; expiration of that law will have little immediate effect. That’s because the PAA allows surveillance authorizations to continue at least six months after the sunset date. Read that sentence again.

If a new surveillance target is identified after the law sunsets, in most cases intelligence agents will be able to add the target to an existing authorization. Moreover, the Foreign Intelligence Surveillance Act itself – which the PAA amended – is still in place and is no doubt still being used to authorize surveillance. In short, the NSA isn’t “going dark” when the PAA expires.
(more…)

Two recent papers published by the Pew Internet and American Life Project highlight the continued growing concern about privacy.

In Privacy Implications of Fast, Mobile Internet Access, Susannah Fox suggests that consumers are reluctant to share personal information when they are given control over disclosure:

More generally, consumers are now expressing a more consistent interest in control over personal information: for, example, 59% of adults have refused to provide information to a business or company because they thought it was not really necessary or was too personal. Still, many people are uploading their work histories to LinkedIn, or their photos to Flickr, or their personal musings MySpace, choosing to connect their online identities with these key pieces of personal information.

John Horrigan’s report on online shopping reinforces this finding:

Most online Americans have high levels of concern about sending personal or credit card information over the internet.

While the number of e-shoppers continues to grow, there is still widespread concern in the internet population about the safety of financial and personal data online.

75% of Internet users either agree (39%) or strongly agree (36%) with the proposition that they do not like giving out their credit card number or personal information online.

It is becoming clear that new Internet business models are beginning to make online consumers in America even more uneasy about their privacy than they already were.

I read with horror the latest issue (Dec. 2007) of Indiana University’s Federal Communications Law Journal. The leading “article” is a transcript of a November 2005 debate among Federal Communications Commission (FCC) Chairman Kevin Martin and others about expanding the FCC’s regulation of indecency. During the debate, in response to a discussion about radio “shock jocks,” Chairman Martin bluntly said, “If you really want to talk about kids, you could hold parents criminally liable for allowing them access to this . . . that would really protect kids.” (p. 25)

Adam Thierer at the Progress & Freedom Foundation did a good job of analyzing this outrageous proposal, which flies in the face of both the right to freedom of expression and the respected values of individual choice and privacy of the home.

What’s also shocking about Chairman Martin’s statement is that he wasn’t referring to prosecuting parents for allowing their minor children to access indecent broadcast radio programming, but instead to satellite radio programming. It’s no secret that the FCC wants to get its regulatory hands on satellite, cable, and even Internet content, but so far Congress and the courts have failed to find a justification for such expanded FCC jurisdiction.
(more…)

Many kind words have been said in the last 24 hours about the life and legacy of Congressman Tom Lantos, a champion of human rights who died over the weekend. It’s difficult to add anything meaningful to those tributes. But since this is an Internet policy blog, it is worth adding a postscript about Rep. Lantos’ role in the last few years of his life as an advocate for global Internet freedom. Lantos understood that the Internet was a transformative tool for human rights and he insisted that government and industry use every available means to keep the medium from being twisted into an instrument of government repression.

To be sure, he was sometimes harsh in the tactics and rhetoric he used with respect to the conduct of the U.S. Internet industry in China, as well as in the policy prescriptions he advocated, most importantly H.R. 275, the Global Online Freedom Act (“GOFA”). While CDT believes that some provisions of GOFA are unworkable and unwise (CDT analyzed the law when it was introduced in 2006), there is no question that Lantos’ passion and resolve made a difference. Indeed, the Bush Administration has already embraced key parts of GOFA. The State Department launched a Global Online Freedom Initiative and human rights country reports now include assessments of Internet freedom. Countries like China are on notice that at least some leaders in the United States government are ready to take this issue seriously.

More importantly, the attention he brought to the issue of global Internet freedom. His ideas added fuel the ongoing dialogue among Internet companies, human rights groups, social investors and others, aimed at drafting robust human rights principles to guide the sector when faced with government demands to censor content or access users’ personal information. That process, facilitated by CDT and Business for Social Responsibility, should reach a conclusion in the next few months, and there is hope that it will produce principles that will take root as a global standard and help companies respond more effectively to threats to Internet freedom around the world.

Last month, after almost three years, the Department of Homeland Security released its much-anticipated final regulations to implement the controversial REAL ID Act of 2005.

In light of DHS’ final rules, CDT released an analysis of the REAL ID program, concluding that REAL ID will do little to make the driver’s license a more reliable identity document, but will create huge privacy and civil liberties risks for hundreds of millions of Americans.

We listed five main criticisms of REAL ID:

• The REAL ID card will become a de facto national ID card, particularly if it becomes required for more purposes. We recently blogged about such “mission creep.”
• REAL ID will likely result in the creation of a central ID database, which will threaten the privacy and security of 240 million Americans. I recently wrote an op-ed piece about this issue, which DHS has for the time being left unresolved. And when DHS is finally ready make a decision about what technical architecture will be built to implement REAL ID, the Department will likely not solicit public input.
• DHS is mandating a standardized and unencrypted Machine-Readable Zone (MRZ), which will facilitate intrusive tracking by both government and commercial entities, thereby exacerbating a serious existing problem.
• Following a lack of explicit Congressional authority under the Act, DHS failed to adopt meaningful privacy and security standards for the protection of personal information in the REAL ID system.
• In a related initiative, DHS is creating driver’s licenses with imbedded, insecure RFID chips (”Enhanced Driver’s Licenses”) that will threaten the personal privacy and security of American citizens, without Congressional oversight or an administrative rulemaking.

(more…)

In May, we wrote a widely circulated policy post highlighting the privacy issues involved in an Internal Revenue Service (IRS) proposal that would require “brokers” — including online auction sites like eBay — to collect the Social Security numbers of millions of users. The plan was part of the Bush budget proposal to Congress last year. Fortunately, Congress did not take it up last year, thanks in part to the leadership of retiring Rep. Tom Davis, (R-VA).

It seems that the Administration got the message and has not included the same proposal in this year’s budget. Since the Administration has been the main proponent of the proposal, it seems unlikely that it will pop up this year without that budget push. We can hope, this being the last budget of the Bush Administration, that this spells the death of this proposal, but we always have to be alert for zombies that rise from the dead, no?