Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for June, 2009

China Backs Off Green Dam filtering mandate

Tuesday, June 30th, 2009

Chinese authorities today delayed implementation of the much-disparaged Green Dam-Youth Escort filtering mandate, just one day before the July 1 implementation deadline.

Since the Green Dam directive was made public, we have learned that the filtering software does not work as proposed or publicized, may create serious security vulnerabilities, may contain stolen code, and likely violates China’s WTO obligations. The filter targets far more than sexually explicit material and is capable of shutting down a variety of applications when politically sensitive keywords are triggered. Independent analysis has also revealed that security flaws in the software could make millions of PC users in China vulnerable to a variety of malicious attacks.

Happy Conclusion to Remote DVR Case

Tuesday, June 30th, 2009

I noted at the beginning of the month that the Solicitor General had advised the Supreme Court not to reconsider the important Second Circuit case giving the green light to Cablevision’s “remote storage digital video recorder” (RS-DVR). I’m very happy to report that the Supreme Court has followed that advice. Yesterday the Court “denied cert” — meaning that it won’t take the case and that the Second Circuit’s decision will remain the final word on the matter.

This effectively puts an end to the serious threat posed by the original 2007 District Court decision, which held that the RS-DVR would infringe copyright based on the physical location of data storage. As CDT explained in a 2007 policy post and legal brief (http://www.cdt.org/copyright/20070608cdt-cablevision.pdf), the implications of that ruling for cloud computing could have been hugely damaging. Ditto the court’s finding of liability based on transitory buffering — something all digital devices do.

CDT and its allies spent a great deal of time to make sure the Second Circuit Court of Appeals and later the Solicitor General’s office would understand and appreciate what was at stake here. Thankfully, the final outcome is a strong appeals court decision rejecting the idea that using remote storage and buffers should expose service providers to extensive copyright liability. This was a big win, and a major bullet dodged!

CRS Weekly Report: Comprehensive National Cybersecurity Initiative

Tuesday, June 30th, 2009

The Congressional Research Service is a $100 million a year think tank that researches and writes informative and non-partisan reports on topics suggested by members of Congress. The catch–and the reason you might not have read their work–is that CRS reports are only made easily available to members of Congress. Citizens can request these reports from lawmakers, but without a public index, they can’t request something they don’t know exists. The CRS Reports currently rank first on CDT’s Most Wanted Government Documents. In an ongoing effort to liberate these documents, CDT runs Open CRS, an online repository of public CRS Reports. To spotlight these reports, I will be writing “CRS Report of the Week” posts and featuring a relevant report each week. These reports are informative both in that they serve as excellent primers to political issues and in that they offer a degree of insight into what information is circulating around Congress.

Comprehensive National Cybersecurity Initiative: Legal Authorities, Policy Considerations
#R40427
March 10th, 2009

A standing question about cybersecurity is the respective roles of the executive and legislative branches. President Obama has made cybersecurity a priority in the White House; his commitment to the issue came early when he asked for a top-to-bottom governmental review of cybersecurity efforts. Another example of Obama’s interest in making cybersecurity a primary issue is his announcement to create a “Cybersecurity Czar” in the White House. Meanwhile, some in Congress have gone their own way, for example, with the introduction of the Cybersecurity Act of 2009. Although the executive branch might seem like the logical place to have cybersecurity authority, this CRS Report suggests that the President’s cybersecurity authority could be disrupted (or reaffirmed) by Congressional action.

Another Side of Section 230

Friday, June 26th, 2009

Yesterday the U.S. Court of Appeals for the Ninth Circuit issued an excellent decision in a focused-but-important appeal dealing with “Section 230,” which provides vital protections to service providers who facilitate online speech and users’ ability to control their Internet experiences.

The case involved a less familiar aspect of Section 230, which is commonly applied in free speech rulings that shield (for example) a social network from liability based on content posted by its users. Section 230 also protects service providers from liability arising from efforts to control offensive content. The Zango v. Kaspersky decision, however, dealt with a third and lesser-known component of 230 – protection afforded to companies that make tools that users can use to control their own online experiences (such as filtering software).

The Zango case raised the question of whether an anti-spyware vendor (Kaspersky) would be shielded from liability under this third part of Section 230. Zango had argued that 230 only applied to tools that filter adult content, rather than more broadly applying to tools that allow users to control content such as spyware.

Leveraging Trade as a Tool Against Censorship

Thursday, June 25th, 2009

An article in the Washington Post today outlines how some senior U.S. officials are leaning on trade issues to pressure China on its recent mandate that all computers sold in that country must come pre-installed with Web-filtering software.

Computer experts who have examined the Chinese-developed Web-filtering software have found a laundry list of problems, from security holes to questions about the breadth of the filtering process. U.S. computer makers are rightly concerned about having to pre-install a piece of virtually unknown and untested software that could damage their product on every machine sold into China.

In letters to the Chinese government, both the U.S. Trade Representative Ron Kirk and Commerce Secretary Gary Locke linked China’s mandate to install the web filtering software, known as “Green Dam,” to U.S. trade policy.

USTR Kirk is quoted in the Post piece saying the Chinese demand “poses a serious barrier to trade.”

We have long held the position that there is an important role for Congress to play in ensuring that Internet freedom be fully incorporated into U.S. human rights and foreign policy and that it is a central focus of diplomacy, trade and foreign aid. However, there is considerable “policy incoherence” between the U.S. positions on human rights and its policies on trade and aid.

A good example of this “policy incoherence” is giving “most favored nation” trade status to countries such as China and Vietnam, both with poor human rights records that relentlessly pursue state-sponsored campaigns of Internet surveillance and censorship.

If Internet freedom is to be given a high priority in foreign policy and trade, as we believe it should (Secretary Locke and USTR Kirk’s statements to China are encouraging steps), then it will be critical for the U.S. to have the political will to take on its current culture of “policy incoherence” and deliver a message that doesn’t reprimand with one hand and reward with the other.

A Remedy for Every Wrong? Why We Need a Consistent Privacy Act

Thursday, June 25th, 2009

The Privacy Act of 1974—the law designed to protect your rights as the government collects, uses, and shares your data—fails to consistently protect citizens’ privacy because circuit courts disagree on how to interpret its language. Different interpretations and decisions based on this law have come out of circuit courts and have helped support the notion that a consistent and updated set of federal privacy regulations is needed. The Eleventh Circuit’s recent ruling against two Vietnam veterans who sued under the Privacy Act is a prime example of a claim that could have prevailed if it were brought elsewhere, highlighting the need for a clear and consistent set of privacy rules across the board.

In January 2007, a hard drive containing the unencrypted names, social security numbers, birth dates, and health records of over 198,000 living veterans went “missing” from a Department of Veterans Affairs (VA) medical center in Birmingham, Alabama (a different incident than the Spring 2006 theft of a laptop from a VA employee’s house in Maryland). The United States Court of Appeals for the Eleventh Circuit and the VA both agree that security in the facility was inadequate and that the VA violated both the Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA) through its failure to adequately supervise the IT Specialist in charge of the hard drive. Yet the court affirmed last week in Fanin v. U.S. Dep’t of Veterans Affairs that two veterans whose data was stolen have no recourse under the Privacy Act.

Give Me My Data!

Wednesday, June 24th, 2009

On Monday night, a website called HealthDataRights.org went live.  The site promotes better access to one’s own health data, and serves as a portal where individuals and entities can endorse/support A Declaration of Health Data Rights.

“We the people,” the site asserts: 1) Have the right to our own health data; 2) Have the right to know the source of each health data element; 3) Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be available in that form; 4) Have the right to share our health data with others as we see fit.

Having access to one’s own health data is already a right – just not one that is well known or enforced. Under the HIPAA Privacy Rule, individuals have a right to obtain a copy of their health data. They can also get this copy “in the form or format requested” (e.g. electronic format), if it is “readily producible” in that format. There are some exceptions to this right, including health data compiled for the purpose of a civil or criminal proceeding. Also under the Rule, covered entities have 30 days to comply with an individual’s request (and this can be extended to 60 days). Entities can charge a reasonable fee for copying the health record, the limits of which are set by state law. Notwithstanding this legal right, failure to provide individuals with access to their data is one of the top 5 HIPAA-related complaints received by the U.S. Department of Health and Human Services (HHS) — the agency responsible for enforcing the HIPAA Privacy Rule.

Court Decision Protects Free Speech Online

Wednesday, June 24th, 2009

At the urging of CDT, the 9th U.S. Circuit Court of Appeals issued an “amended” decision in the Barnes v. Yahoo! case, correcting two serious errors that had been included in the court’s initial decision. In May, CDT and others had filed a “friend of the court” brief urging the court to delete language that limited service providers’ ability to be protected by “Section 230,” a provision which enhances free speech online by protecting service providers from liability for content posted by their users. The court made the exact changes that both Yahoo! (as a party) and CDT, Public Citizen, and others that had signed onto the original brief had urged.

Highlights from PrivacyCampDC09!

Tuesday, June 23rd, 2009

This post was originally made on the PrivacyCamp Blog.

PrivacyCampDC is in the books and it was fantastic! A collection of people representing interests in both the public and private sector gathered together to share knowledge and expertise on a number of topics including (but certainly not limited to) the future of privacy rights in a Government 2.0 world, surveillance technologies, digital signage, updating the 1974 federal Privacy Act (something CDT is pushing for citizen feedback on with their Privacy Act Wiki if you want to check it out), and how we achieve a greater level of transparency and openness without compromising one’s privacy. With attendees representing privacy organizations, federal agencies, security companies, information technology and even Congress, there were a lot of great ideas shared during the event.

One of the most important takeaways that nearly everyone walked away with was the notion that collaborative discussion is vital to protecting privacy in the digital age. The more voices and interests at the table from the beginning, the more likely concerns will be addressed as legislation is crafted, regulations are made, and the intersection between government and new and emerging technologies grows.

The event was tweeted under the hashtag #privacydc and a video slideshow featuring photos from the event’s Flickr page is available. Can’t wait for the next one!

Fed CIO: Innovation, Privacy and Security Not Competing Values

Monday, June 22nd, 2009

At the Department of Homeland Security’s Workshop Government 2.0: Privacy and Best Practices this morning, the Federal CIO, Vivek Kundra, spoke about a range of issues regarding the federal government’s use of new technologies. In particular, Kundra strongly emphasized the important message that innovation, privacy and security are not competing values.

Kundra’s main strategy to address these values simultaneously is to bake all of them into the technology early in the process. Part of his solution is to better utilize the procurement process for privacy and security. One questioner asked if this meant strengthening Part 24 of the Federal Acquisition Regulations, which oversees privacy and freedom of information compliance. Kundra said this was part of the discussion. It is interesting to point out that Part 24 only uses the antiquated definitions from the Privacy Act to identify privacy risks and does not specifically require privacy impact assessments. These are issues that CDT is working to address in our E-Privacy Act Amendments Wiki, which is now in its last official week.

Another example that came up in the Q&A was the use of authentication technology. Kundra mentioned that too much authentication was being aimed at “military grade” identity. He urged a more “progressive credentialling,” by which he meant finding a full range of authentication solutions from anonymity to pseudonymity. This is the same principle that CDT calls “proportionality” in our Privacy Principles for Identity.

About the Blog

    PolicyBeta is a forum for CDT experts to discuss news and developments in the technology policy arena. Visitors are encouraged to comment on the blog or email the authors.

    Our goal with PolicyBeta is to foster thoughtful discussion regarding technology policy as it relates to civil liberties and democratic values. While we encourage comments, we must insist that they be focused, relevant and written in a tone that is respectful of other posters. For more information, please feel free to contact PolicyBeta editor Brock Meeks.

    Check the main CDT site for complete, up-to-date information on CDT initiatives and activities.
