What do disco music, eight-track audio systems and beta videocassette tapes all have in common? They’re all examples of technologies and fads that have come and gone since the Privacy Act of 1974 was last updated. Yesterday, the NIST Information Security and Privacy Advisory Board, tasked with identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy, released a report on working towards federal privacy policies that reflect the 21st century technological environment. CDT Vice President Ari Schwartz sits on the board, and helped develop the report.

It seems clear that federal privacy standards written during a time when “data storage facility� literally referred to file cabinets is due for an update in the digital era.  While the basic framework of the Privacy act has held up well over the past 35 years, changes need to be made to insure that the advent of new technologies do not threaten to undermine the protections that have been put in place.

Today, the Center for Democracy & Technology unveiled an in-depth set of draft amendments to update the federal Privacy Act and address the challenges of the digital age as part of a panel discussion with government and privacy leaders. You can check it out on our UStream Channel here, or see some of the points that were made on our live Twitter feed.

The announcement of our draft E-Privacy Act came as part of a panel discussion featuring government and privacy leaders that coincided with the release of the National Institute of Standards and Technology’s federal Information Security and Privacy Advisory Board’s report on its findings on government privacy rules. ISPAB has also called for significant changes to the existing federal privacy framework, and we think that our amendments address many of these concerns.
(more…)

CDT and the Electronic Frontier Foundation filed a “friend of the court” brief late last week in a case in Washington State challenging a refusal by a local library system to “unblock” or remove content filtering software that blocks library users’ access to lawful Internet websites. We argued that the refusal to unblock violates the First Amendment, as well as a key U.S. Supreme Court decision. We also explained in detail that Internet access in libraries is particularly important in the rural communities at issue in the Washington case.

Back in 2003, the Supreme Court upheld the Children’s Internet Protection Act (”CIPA”), in which Congress required that libraries that receive federal funds must use filtering software to block content thought to be harmful to minors. CIPA was unclear, however, on whether adults would be able to avoid the filters. Three Justices thought that CIPA was unconstitutional in all instances, but the six Justices who voted to uphold CIPA had to strain to find a way to find the law to be constitutional. Since the text of the statute was unclear, the Justices instead – very unusually – directly relied on the statements of the U.S. Solicitor General in oral argument before the court, who assured the court that CIPA did in fact allow adults to avoid the filters.
(more…)

Recently the Minnesota Department of Public Safety sent a seven-page list of off-shore gambling websites to 11 ISPs demanding that all access to those sites by state residents be blocked. This misguided action by the MDPS to scrub the Internet of websites it objects to is purportedly based on Federal law; however, the law cited in the letters doesn’t apply to ISPs or their customers’ access to remote websites. More broadly, like Kentucky’s recent attempt to seize domain names, this kind of state interference with the Internet raises substantial constitutional concerns.
(more…)

It’s been 120 days since President Obama signed a memorandum asking for unprecedented openness in government. This day-one transparency memo required that OMB, GSA, and the federal CTO would provide the president with recommendations for an Open Government Directive today. While the day is not yet over, it looks like these open government recommendations, ironically, aren’t being made public. Fortunately, that’s not the end of the story.

Today the White House is launching a new Open Government initiative, and starting by asking the public questions about what we want from an open government using the current “request for comment” process. In addition, citizens are being asked to “brainstorm” ideas via government site called the “Open Government Dialogue.” However, the site sits on a .COM domain and it’s not all that clear it has the imprimatur of the White House, save for a poorly rendered graphic of Presidential Seal. Go figure. While the origin of the site is opaque, the execution of soliciting public feedback via an interactive environment is excellent.

We welcome this request for comments. A week ago, we signed on to a letter asking Beth Noveck, who has been heading up the Open Government Directive process, to take advantage of the public input processes we already use in government every day. We asked for a formal process for public input on these recommendations, and we are pleased that public input is now formally a part of the process of opening the government, both through the traditional notice in the Federal Register and new online tools. While we are discussing the new tools and innovative uses of the Internet that will make government more transparent and participatory, it’s important not to abandon those proven processes that allow public input today.

In addition to the launch of the Open Government Initiative, several new tools, websites, and ideas are being released today, some of which we will be discussing in future blog posts. Here are a few:

–The White House Open Government Initiative;
–An exchange on how e-Rulemaking can be improved;
–The much-anticipated Data.gov;
–A rundown of a few of the ways that the Executive Branch is using new media;
–Open Government Innovations gallery, highlighting open government tools

South Carolina Attorney General Henry McMaster learned an important lesson today: You don’t push Craigslist into a corner and then poke it with a sharp stick because Craigslist will bite back.

Tired of being harassed, browbeat and legally threatened, Craigslist today sued McMaster asking a federal court seeking declaratory relief and a restraining order with respect to the criminal charges; essentially Craigslist is asking the court to tell the S.C. AG to shut up and go away forever.

Meanwhile, last Friday McMaster said he had “no choice” but to open a criminal investigation involving Craigslist after the online classified ad site refused to roll over on its Constitutionally protected rights and do McMaster’s bidding, a move Craigslist said would require it “to take down the craigslist sites for South Carolina in their entirety.”

Now we hear that McMaster is calling the Craigslist suit “good news,” which is befuddling because the S.C. taxpayers are likely going to have to pony big bucks to pay for the Craigslist legal bills (unless McMaster backs down right away), which can easily run $250,000 or more.

The bottom line here hasn’t changed since McMaster decided to start his grandstanding: Craigslist is constitutionally protected from having liability for content placed on its site by users. It has to be that way otherwise the chill thrown over free expression on the Internet would be devastating.

The Anti-Spyware Coalition (ASC), National Cybersecurity Alliance (NCSA), and StopBadware.org led a public workshop yesterday to launch a new collaborative effort to combat malicious software.  The “Chain of Trust� initiative is built on the fundamental principle that the only way to combat a global problem like this is to bring everyone involved to the table and create a united front against a growing threat.

The workshop featured discussion from representatives from government agencies, Internet companies, network providers, security vendors, researchers and advocacy groups.  Keynote speakers included Shawn Henry, assistant director of the FBI’s computer crime unit, Jeff Fox, editor, Consumer’s Union, and Brian Krebs, reporter, Washington Post, where he writes the Security Fix blog.   The discussion focused on how best to identify, educate and combat today’s cyber threats.
(more…)

Perhaps federal prosecutors in Los Angeles are starting to get the message that not every bad act should be a federal crime. At what was meant to be a sentencing hearing, a federal judge indicated yesterday that he needs more time to weigh dismissing the indictment against Lori Drew, the St. Louis woman convicted under the Computer Fraud and Abuse Act—an anti-hacking law—for cyberbullying. “Using this particular statute in the particular way is so weird,” said Judge George Wu, according to an online Wired article. CDT couldn’t agree more, as we and others argued in an amicus brief last August.

Drew created a fake MySpace profile to flirt with and taunt her daughter’s classmate, who tragically killed herself after being rejected by Drew posing as the teenage boy “Josh Evans.� As reprehensible as her conduct was, the theory prosecutors used to hold her responsible was nothing short of absurd—that by violating MySpace’s terms of service (lying about her identity) she had gained unauthorized access to the MySpace servers, a misdemeanor under a statute aimed at combating computer hacking. While the suicide was tragic and it is regrettable that Missouri’s harassment law did not at the time allow a state prosecution of Drew, allowing this conviction to stand would set a precedent that would turn any terms-of-service violation into a federal crime. Under the government’s theory, anyone who uses a false name, age or address to protect his or her privacy, avoid spam, or just joyride on a social media service under an assumed name and identity, commits a federal crime. Thankfully, it seems Judge Wu is catching on: During the proceeding yesterday, he challenged the government by asking whether “conduct . . . done every single day by millions and millions of people� really is a misdemeanor. Well, it shouldn’t be.

The Copyright Office recently held its triennial hearings on exemptions to the Digital Millennium Copyright Act’s prohibition on circumventing technical protection measures for copyrighted works.  The Office is charged under the DMCA with issuing exemptions for specific classes of works where non-infringing uses will be adversely affected by the prohibition.  For most of the classes of works under consideration this year, it seems the Copyright Office would be in familiar territory, focusing on users’ ability to read, view, listen, or interact with creative works.  However, with one class—cell phone unlocking—the questions raised seem more at home in telecommunications and network neutrality policy than copyright policy.

The Office is reconsidering an exemption it granted in 2006 that protected individuals from liablity for breaking a firmware lock on a cell phone and using it on another phone network. At that time, no one opposed the exemption in time for their objections to be considered; this time, CTIA – The Wireless Association, Virgin Mobile, and others have voiced opposition, in part because of copyright-related concerns, but primarily to preserve a business model built around recouping hardware subsidies that some argue limits consumer choice.

While it’s true that phone–network locks do protect copyrighted firmware, I have a hard time seeing a compelling copyright interest in their use.  There is hardly a market for such firmware independent of the handsets themselves that circumvention would undermine.  Moreover, the 2006 exemption narrowly applies to those cases when the circumvention is only accomplished to use a phone on a particular network that it has been locked out of.

(more…)

Three of the world’s leading cybersecurity groups are launching a new initiative to combat malicious software or “malware” by establishing a “Chain of Trust” among all of the organizations and individuals that play a role in securing the Internet.

Developed by the Anti-Spyware Coalition (ASC), National Cybersecurity Alliance (NCSA) and StopBadware.org, the Chain of Trust Initiative will link together security vendors, researchers, government agencies, Internet companies, network providers, advocacy and education groups in a systemic effort to stem the rising tide of malware. Applying many of the same approaches used to bring nuisance adware under control, the Chain of Trust Initiative aims to establish a united front against a growing threat.

To help facilitate discussion around the initiative, the ASC is holding a public workshop on May 19 featuring moderated panels and keynotes from leaders in the cyber security and consumer privacy field.  The FBI’s assistant director, Shawn Henry, who oversees the bureau’s computer crime unit, will be giving a morning keynote along with CDT Vice President, Ari Schwartz and Jeff Fox of Consumer’s Union.

Those who are unable to physically attend the conference can follow along with CDT’s live twitter feed (@CDT_LIVE) using the hashtag #asc09.  There will be discussion on the feed and reaction and comments as the workshop unfolds.  Additionally, portions of the conference will be streamed through our UStream Channel, CDT TV.

More information on attending the workshop, including registration and agenda info is available here:

http://antispywarecoalition.org/events/may2009.php

So, South Carolina Attorney General Henry McMaster, who had threatened to bring criminal charges against Craigslist by last Friday if the company failed to comply with his request to eliminate content he deemed objectionable to the fair citizens of his state, has apparently blinked.
Meanwhile, Craigslist CEO Jim Buckmaster has fired back with a blog post on the company web site demanding an apology from McMaster for singling-out Craigslist as a high-profile target:

Have you fully considered the implications of your accusations against Craigslist? What’s a crime for Craigslist is clearly a crime for any company. Are you really prepared to condemn the executives of each of the mainstream companies linked above, and all the others that feature such ads, as criminals? Craigslist may not matter in your world view, despite our popularity among your constituents, but mightn’t you want an endorsement from any of the SC newspapers for your gubernatorial campaign, whose publishers you’ve just labeled as criminals? Do you really intend to launch a criminal investigation against the phone company?
-Craigslist CEO, Jim Buckmaster on his blog, 5/18/09

As we foreshadowed in our blog post last week, Section 230 protects companies like Craigslist from being held liable for content created by users and the actions by McMaster are flatly wrong.